Election scams get creative and voters take the bait
The upcoming US presidential election is fraught with emotion. That makes it the perfect ruse for email scams targeting citizens, politicians, and government organizations. While election phishing is the top concern, a host of other scams are making the rounds.
Your favorite politician -- or the one you’re most likely to vote for -- needs money to successfully run their campaign. Hackers are relying on our devotion not only to politicians but to our affiliated political party to lure us into a trap.
As email attacks become more targeted, hackers can discover how and when we are most vulnerable to clicking on phishing links. As an example of how email campaigns go into overdrive after a highly publicized political event, Twilio found that campaign fundraising emails peaked after the Democratic debates in July 2019, capitalizing on our emotions -- good and bad -- after the debates.
Conversely, when a political scandal, or at least a manufactured one, rises in the news, political campaigns send emails -- almost immediately -- to their databases to capitalize on the outrage. Voters are more likely to respond to fundraising emails pushed by the political party on the other side of the scandal. A 2019 report from the Wall Street Journal revealed that although these emails are increasing in volume, they work beautifully.
The kicker is the subject line, with doomsday language and, in the case of the Trump campaign, all caps, adding to the urgency of the emails. Hackers know these tricks well, and they use them to great effect in phishing emails. The more alarming the subject line, the higher the open rate.
Unlike traditional phishing emails, the purpose of a campaign fundraising scam isn’t to steal account credentials but money. Scam PACs do this to great effect. Passing themselves off as committees affiliated with political parties and campaigns, Scam PACs like the Tea Party Majority Fund and Conservative Majority Fund raised millions in 2018 but didn’t give a cent to their supposed affiliates.
According to AARP, Scam PACs are specifically targeting retirees, who are more likely to be taken in by such scams. And it’s not only happening via email. Text messages and phone calls seeking donations are also on the rise.
While Scam PACs are looking for money, phishers operating under the ruse of a PAC are interested in personally identifiable information, such as social security numbers and birthdates, which they can mine both over the phone and through forms on phishing pages.
Survey and voting scams
Delivered by both email and telephone, fake political surveys have become a successful way for hackers to elicit personally identifiable information from voters. This scam also works well with fake polls, which invite citizens to participate in political polling.
With voter registration scams, criminals rely on the emotions of voters to entice them to "register to vote" over the phone -- even though doing so isn’t possible -- before it’s too late. The thought of not being able to vote in the upcoming election might prove too much for voters who are emotionally invested in politics.
Voter registration phishing, both by text and email, is rampant during election season. In 2018, Indiana voters were inundated with text messages purporting to come from President Trump, warning them they weren’t on the voter rolls and were running out of precious time. The link in the text message went to a fake Republican National Committee (RNC) website. To make the texts and calls more believable, phishers spoof the phone number of legitimate organizations, much like they do with email spoofing in phishing attacks.
While highly sophisticated disinformation campaigns made an impact on the 2016 presidential election, the most notorious and politically devastating attack came via a simple phishing email. The hack on the Democratic National Committee (DNC) and the subsequent WikiLeaks leak resulted from a staffer clicking on a link in a phishing email sent to Clinton campaign chairman John Podesta. The leak was disastrous for the DNC and the party as a whole. According to a report by the Associated Press, 29 phishing emails bounced back during the start of the phishing campaign. One managed to get through, and the rest is history.
The current election is already seeing signs of similar campaigns, namely the recent phishing attack against Burisma, the Ukrainian gas company of recent notoriety, and an October phishing attack against an "unknown" presidential candidate. The warning came from Microsoft, which identified the phishing campaign. It’s widely speculated that the Trump campaign, known to use Office 365, was the target. Although Microsoft says the campaign was not successful, 2,700 other phishing attacks were launched against current and former US officials, along with others, and at least four accounts were compromised.
While successfully phishing a presidential candidate or major political party might be the goal of well-coordinated and funded hacking campaigns, phishing attacks also occur on a smaller scale, targeting lesser-known politicians and state government offices. Government offices are home to a treasure trove of personally identifiable information on their citizens. Breaching one has proven to be simple, and shutting down an entire city is as easy as clicking "send".
Data leaks add fuel to the fire
More than 122 cyberattacks against government offices were reported in 2019. The City of Baltimore shuttered for months and lost $18 million to a ransomware attack. New Orleans declared a state of emergency -- twice -- for the same reason, losing $7 million as of this writing.
Although collecting a ransom payment was the goal of both the Baltimore and New Orleans ransomware attacks, each resulted in compromised data. In the hands of hackers, there’s no doubt the data will be either sold on the black market or directly used for future attacks.
Data leaks provide ammunition for email attacks of all types. With personally identifiable information in hand, including usernames and passwords, hackers can retrieve the credit card number you use to pay your local taxes, send you a phishing email from your favorite political candidate, and convince you that they know all about what you’ve been doing online.
Leaked data, whether from a massive breach like the DNC or lesser-known breaches, is the driving force behind many of today’s phishing campaigns. It provides authenticity and authority to the emails. A recent sextortion scam, for example, leveraged leaked usernames, passwords, and even personal "preferences" to convince victims that hackers have the goods on them.
What this means for citizens is that the Equifax data leak from 2017 that thankfully didn’t result in your credit score taking a dip could actually come back to haunt you some day. And if you’re considering going to the well-publicized Equifax website to receive your settlement check, be careful, because it might be an Equifax phishing page.
As Vade Secure's Chief Solution Architect and CEO of Vade Secure North America, Adrien Gendre owns all aspects of the business that directly impact customer experience. His responsibilities include formulating the company's product strategy and roadmap, overseeing integration with security vendors, and managing the global Solutions Architect, Training, Documentation, and Customer Support teams.