You likely know that traditional phishing attempts use several techniques, such as replicating official notices from the government or financial institutions, or creating a need for rapid action by claiming there are problems with an order or a shipment, which encourages you to click on a link or open an attachment. They are sent via email, social posts, text messages, and/or auto-dialing programs (making actual calls).
When the bad actors directly target a person or organization, they use very specific methods and content. This is known as spear phishing.
When a bad actor is focused on gaining access to a specific campaign or organization, they are likely going to target individual people and accounts. This is known as spear phishing. There's a lot of publicly available information for bad actors to identify staffers, volunteers, or other people associated with the candidate (family members, confidants) and a campaign . AI speeds up the process of collecting that information and hyper personalization making attempts harder to discern and likely more effective.
Once an account is compromised, bad actors may have broad access to key documents and personal information on donors and staffers. This account and data access makes launching targeted, highly effective attacks easier.
All phishing is psychological.
Campaigns are fast-paced, with lots of moving parts, and always trying to beat the clock as election day draws near making campaigns susceptible to phishing attacks.
Here are some examples (Note, these are just examples, and bad actors are very smart and continuously evolve techniques):
- You get an email that comes from what looks like the campaign email account of a supervisor or colleague (It could even be a legitimate account- if they have been hacked, or have created a lookalike account. Something like [theirname]4780@email.com). The email is personalized and reads: "[Your Name], I need your help ASAP. Can you forward me a list with the name, address, email address, and phone number of all staff and volunteers on the campaign? Need it for a report I am working on."
- You work in operations and receive what looks like (or could be from) a legitimate account (phone number or email) of the candidate or campaign manager. It reads: “[Your Name], I promised payment on the attached invoice a few weeks ago and it fell through the cracks. I committed to the vendor we would pay by noon today.” This is an example of what’s known as the Business Executive Compromise (BEC) (For more information on the Business Exec. Compromise, see the Rochester Institute of Technology's information page, here).
- You receive outreach via an email of even a social network from someone who claims a degree or two of separation, such as a mutual friend or contact, graduating from the same school or living in your same hometown, or articulates strong support for your candidate and even quote some policy positions. By creating familiarity it may break down your defenses.
- You are a comms person or social media manager for a campaign and you get a message on a social platform or via email or text that reads: “Hello, I am a reporter for ( and they have inserted a real journalist at the most important media outlet in the state). I am working on a deadline and have been trying to reach the campaign to comment on a very important story that impacts your candidate. Please click on my calendar (or somewhere else) to set up a call ASAP.”
- You get a text message that looks like it comes from one of your most avid volunteers. It reads: “Just saw this website (link) that has numerous lies and other misinformation about the candidate. Thought you should know.”
- You get an email that looks like it comes from your campaign donations processor, and it reads: “[Your Name], There have been a number, greater than average, of rejected credit cards from your donors. We ran a report. See attached list.”
Here is a simple example of a phishing email:
The best defense is, if unsure, don't click the link! Ask your team leader or advisor, when in doubt.
Learn more: What is Phishing?
How To: Defending Against Phishing
Comments
0 comments
Please sign in to leave a comment.