Phishing Threats Essentials for Safeguarding Election Infrastructure

Don’t take the bait! Phishing Threats from the Election Security Exchange is a plain-language guide for election officials on one of the most persistent cybersecurity threats they face, which is getting harder to spot. 

Election offices are unfortunately frequent targets of phishing. Opening emails from external sources is part of the job, and what those can look like varies tremendously. For example, outreach regularly includes emails from other countries from military or overseas voters; from vendors of all kinds; from citizens with open records requests; and from political committees or candidates. Adversaries know this and attempt to exploit it. Phishing is certainly not going away, and AI is making it much easier for bad-actors to create polished messages with none of the telltale typos or clumsy phrasing of the past. Consequently, extra vigilance is more important than ever.

This guide begins by laying out how phishing extends beyond email:

• Spearphishing and Whaling are targeted attacks using your name, title, or recent activity to look legitimate, and whaling targets senior officials specifically.
• Vishing is voice phishing over the phone, where attackers work to build trust and then exploit by requesting access or information.
• Smishing is phishing via text message, often with malicious links or app download requests, and often looking like they are from a familiar person.
• Quishing is phishing through QR codes that redirect to fake sites or install malware.

This guide outlines red flags that help train staff to detect these types of attacks, including sender addresses that are slightly off, unexpected attachments, generic greetings, and links that don’t match the URL displayed. The guide gives concrete recommendations your team can act on now:

• Check file extension and hover over links before clicking, if the destination doesn’t match, don’t click. 
• Verify the sender, as display names can be faked; confirm the actual sending domain
• Pause when urgency is conveyed – bad actors manufacture pressure to short-circuit your judgment.
• Use an alternative means of communication to verify whether a suspicious-looking email is legitimate by calling the sender directly.
• When possible, submit unknown files to your IT team before opening. 

And the easiest recommendation? Share this guide at your next staff meeting. Every member of your team who interacts with external parties, whether vendors or voters, should become familiar with these fundamental practices.

To access the full guide, visit the Election Security Exchange resource page.