Election Security Spotlight — The Evolution of Phishing
What It Is
Phishing is a cyber attack that uses email, text messages, phone calls, or voicemails to deceive a victim into handing over something sensitive, such as login credentials, access to critical election infrastructure, credit card numbers, or bank account information. Phishing has been around since the mid-1990s; the targets and tactics have changed over the years, but the goal remains the same. Since 2020, election offices have continued to face targeted variants such as spear phishing (tailored to a specific person or office), vishing (voice calls), and smishing (text messages), and the rise of generative artificial intelligence (AI) has amplified all of them by making convincing lures cheap to produce.
Why It Matters
Industry estimates commonly attribute over 90% of successful cyber attacks to phishing, so it is important to understand that phishing is constantly evolving and that your actions can either help or hinder cyber threat actors. Election officials must be especially cognizant of phishing given the large number of emails they receive with links and attachments, because a single successful phish could compromise their election infrastructure and operations for an extended time.
Email remains essential to election work and is still the primary vehicle for phishing. However, phishing campaigns have evolved to use attack vectors beyond email. With the increased use of smartphones and other mobile devices, text messaging, phone calls, and voicemails are also vehicles for attack. In addition, we as a society are putting more information than ever on the internet through social media. For cyber threat actors (CTAs), social media is a gold mine of information: names, job titles, colleagues, schedules, and writing style. CTAs can combine that information with AI to better target their phishing campaigns and make their lures more enticing and more personal.
What You Can Do
We recommend that election officials implement the following best practices in their offices to combat the risk posed by phishing:
- Educate your employees, including seasonal or temporary workers. Provide training for your employees to recognize the signs of phishing.
- Traditionally, guidance on phishing includes checking for spelling or grammatical errors. That advice is no longer reliable on its own. Phishing emails are of much higher quality now: large language models, such as those behind ChatGPT, can be used to polish spelling, grammar, and tone, which makes lures harder to recognize. Treat clean, well-written text as neutral, not as evidence that a message is legitimate, and rely on the sender, link, and request checks below instead.
- Election officials receive email attachments every day, whether a voter registration application, an absentee application, or documents from military and overseas voters. Because voters move, you will not be familiar with every sender, and you are always expecting registration applications and documents from voters, which is exactly what a CTA will imitate. Always use caution when opening attachments or clicking links in email, and be especially wary of file types that can run code (for example, executables, scripts, or macro-enabled Office documents), which a voter has no reason to send. If something seems suspicious, trust your gut and use caution.
- Consider the sender of the email. If you are familiar with the sender of the email, be cautious if the language or tone in the email is not consistent with past emails with the same individual. However, be aware of the thread hijacking tactic, which is when a CTA uses correspondence from previous emails on a compromised account and adds it to a phishing email to make it appear more legitimate. To see examples of thread hijacking, please visit https://www.cisecurity.org/insights/blog/a-short-guide-for-spotting-phishing-attempts.
- Hover over the sender's name to reveal the address from which the email was actually sent; the display name is chosen by the sender and can say anything. If the address is inconsistent with past emails from that person, or it does not seem legitimate, it may be a phishing email. Keep in mind that the From address itself can be forged, so also check whether the Reply-To address points to a different domain, and hover over any link to confirm that the destination matches the text shown before clicking.
- Ask yourself whether the email is requesting something normal or something outside the realm of the requests you usually process. Two warning signs in particular:
  - The email requests login credentials, payment information, or similar sensitive data.
  - The email expresses a sense of urgency to comply with the demand, such as a deadline or a threat to suspend an account.
- Ensure your email system is filtering malicious emails before they reach your inbox. Because AI makes it harder for users to detect phishing emails, election officials should consider technology such as email filtering to categorize emails suspected to contain malicious content, and should quarantine or reject such email before it reaches an inbox. Ask your email provider or IT staff whether email authentication (SPF, DKIM, and DMARC) is enforced for your domain, since that is what lets filters reject messages that forge your office's own addresses.
- Create strong passwords. Strong passwords are long, unique to each account, contain no personal information, and are not easy to guess; a password manager makes this practical, and reusing one password across accounts means a single phish can compromise all of them.
- Make sure your network and devices such as computers and mobile devices that connect to your network are protected from cyber threats.
- Make sure your email is secure. Secure your email by using a strong password, implementing multi-factor authentication (MFA), and monitoring any security-related information released by your email provider. Prefer phishing-resistant MFA such as FIDO2 security keys or passkeys where available, because one-time codes sent by text or app can themselves be phished by a page that relays them to the real login in real time.
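The sender, link, request, and attachment checks in the list above can be applied mechanically as a first-pass triage before a person ever opens a message. The script below is an added example, not EI-ISAC code or any vendor's filter: it parses a raw message with Python's standard library and reports the same indicators a careful reader would look for. The sample messages, the KNOWN_SENDERS address book, and the keyword lists are constructed for illustration; the HTML anchor matching is a deliberately simple regular expression, and a production filter would use a real HTML parser and far richer rules.

```python
"""Phishing triage checks from the list above, applied to raw RFC 5322 messages.
Added example, not EI-ISAC code. Sample messages, KNOWN_SENDERS and the keyword
lists are constructed for illustration."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases that signal pressure or a request for sensitive data (illustrative, not exhaustive).
URGENCY_CUES = ("immediately", "urgent", "within 24 hours", "account will be suspended")
SENSITIVE_REQUESTS = ("password", "login credentials", "wire transfer", "gift card")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".lnk", ".iso", ".docm", ".xlsm")
# Simplistic anchor matcher for the HTML bodies in this example; a real filter should use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed address book: display name (lower-cased) -> address previously seen from that person.
KNOWN_SENDERS = {"county clerk jane doe": "jane.doe@example.gov"}


def base_domain(value):
    """Last two labels of the host in an email address or URL, lower-cased
    (good enough here to compare 'mail.example.gov' with 'example.gov')."""
    if value.lower().startswith(("http://", "https://")):
        host = urlparse(value).hostname or ""
    else:
        host = value.rsplit("@", 1)[-1]
    return ".".join(host.lower().split(".")[-2:])


def triage(raw, known_senders=None):
    """Return human-readable indicators found in one raw message (empty list if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    known_senders = known_senders or {}
    findings = []

    # Sender checks: the displayed name versus the actual address, and a Reply-To
    # that quietly redirects replies to another domain.
    display, addr = parseaddr(str(msg.get("From", "")))
    expected = known_senders.get(display.lower())
    if expected and addr.lower() != expected.lower():
        findings.append(f"display name '{display}' was previously {expected}, now {addr}")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and base_domain(reply_to) != base_domain(addr):
        findings.append(f"Reply-To {reply_to} is on a different domain than From {addr}")

    # Link check: visible link text shows one domain while the href goes somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        for href, shown in ANCHOR_RE.findall(content):
            shown = shown.strip()
            if shown.lower().startswith(("http://", "https://")) and base_domain(shown) != base_domain(href):
                findings.append(f"link text {shown} actually points to {href}")

    # Content checks: urgency and requests for credentials or payment (subject + body).
    text = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    cue = next((p for p in URGENCY_CUES if p in text), None)
    if cue:
        findings.append(f"urgency cue: '{cue}'")
    ask = next((p for p in SENSITIVE_REQUESTS if p in text), None)
    if ask:
        findings.append(f"asks for sensitive data: '{ask}'")

    # Attachment check: file types that execute code or carry macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {name}")
    return findings


# Constructed sample: a lure impersonating a known colleague with a thread-style display name.
SAMPLE_PHISH = b"""From: "County Clerk Jane Doe" <jane.doe@county-clerk-mail.net>
Reply-To: helpdesk@secure-login-portal.com
To: elections@example.gov
Subject: Urgent: verify your password within 24 hours
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended. Please
<a href="https://secure-login-portal.com/verify">https://mail.example.gov/login</a>
immediately to confirm your login credentials.</p>
"""

# Constructed sample: routine message from the real colleague.
SAMPLE_LEGIT = b"""From: "County Clerk Jane Doe" <jane.doe@example.gov>
To: elections@example.gov
Subject: Absentee application attached
Content-Type: text/plain; charset="utf-8"

Hi, attaching the absentee application we discussed. Thanks, Jane
"""

# Constructed sample: unknown voter sending a macro-enabled document.
SAMPLE_ATTACH = b"""From: voter@example.net
To: elections@example.gov
Subject: My registration form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find my registration form attached.
--b1
Content-Type: application/octet-stream; name="registration_form.docm"
Content-Disposition: attachment; filename="registration_form.docm"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT), ("attach", SAMPLE_ATTACH)):
        print(label, triage(raw, KNOWN_SENDERS))
```

A tool like this is a sorting aid, not a verdict: a message that produces no findings still deserves the "does this request make sense?" check, and a legitimate voter can trip the attachment rule. The value is in consistently surfacing the mismatches (display name versus address, shown link versus real link, Reply-To versus From) that are easy to miss by eye when a lure is well written.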
Don't go it alone. No-cost cybersecurity solutions specifically for elections offices are available. Request more information by reaching out to Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®) at [email protected].
Other Resources
- CISA provides a service called Malware Next-Generation Analysis (MNG) that scans links and attachments for malware. For more information, please visit https://www.cisa.gov/resources-tools/services/malware-next-generation-analysis or contact the MNG Support Team at [email protected].
- Please review CISA’s publication “2024 General Election Cycle: Voluntary Incident Reporting Guidance for Election Infrastructure Stakeholders,” which provides contact information for whom you should notify in the event of a cyber or physical security incident. For more information, please visit https://www.cisa.gov/resources-tools/resources/2024-general-election-cycle-voluntary-incident-reporting-guidance-election-infrastructure.
Please contact us at [email protected] if you have any questions.