You likely know that traditional phishing attempts use several techniques, such as replicating official notices from the government or financial institutions, or creating a need for rapid action by claiming there are problems with an order or a shipment, which encourages you to click on a link or open an attachment. They are sent via email, social posts, text messages, and/or auto-dialing programs (making actual calls).
When the bad actors directly target a person or organization, they use very specific methods and content. This is known as spear phishing.
Bad actors focused on gaining access to a specific campaign or organization are likely to spear phish. They may have already collected enough publicly available information about the campaign to know the names and emails of staffers, volunteers, or others associated with the candidate (family members, confidants) or campaign. If they have compromised a campaign email account, they can now send emails from that account to other people inside and outside the campaign.
All phishing is psychological.
The bad actors are looking to capitalize on a moment and get you to act. In a campaign where time is of the essence, a million things are going at once, and with lots of people and moving parts, bad actors will look to create ways to try to get you to do something on the fly that you shouldn’t.
Here are some examples (note that these are only examples; bad actors are very smart and continuously evolve their techniques):
- You get an email that comes from what looks like the campaign email account of a supervisor or colleague (it could even be a legitimate account if they have been hacked, or the bad actor may have created a lookalike account, something like [theirname]email@example.com). The email is personalized and reads: "[Your Name], I need your help ASAP. Can you forward me a list with the name, address, email address, and phone number of all staff and volunteers on the campaign? Need it for a report I am working on."
- You work in operations and receive what looks like (or could be from) a legitimate account of the candidate or campaign manager. It reads: “[Your Name], I promised payment on the attached invoice a few weeks ago and it fell through the cracks. I committed to the vendor we would pay by noon today.” This is an example of what’s known as the Business Executive Compromise (BEC) (For more information on the Business Exec. Compromise, see the Rochester Institute of Technology's information page, here).
- You are a comms person or social media manager for a campaign and you get a message on a social platform that reads: “Hello, I am a reporter for (insert the name of the most important media outlet in the state). I am working on a deadline and have been trying to reach the campaign to comment on a very important story that impacts your candidate. Please click on my calendar to set up a call ASAP.”
- You get a text message that looks like it comes from one of your most avid volunteers. It reads: “Just saw this website (link) that has numerous lies and other misinformation about the candidate. Thought you should know.”
- You get an email that looks like it comes from your campaign donations processor, and it reads: “[Your Name], There have been a number, greater than average, of rejected credit cards from your donors. We ran a report. See attached list.”
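Several of the examples above hinge on the sender address: a lookalike account, a real account whose replies are quietly redirected, or a display name that reads like a colleague's address. The script below is an added example (not part of the original page) of the kind of defender-side screening a campaign could run on incoming mail headers before anyone acts on a message. It assumes a single trusted campaign domain (examplecampaign.org, a placeholder) and uses constructed sample headers; a message that passes every check is not thereby genuine, since a compromised real account passes all of them, so the content-based warning signs described above still apply.

```python
"""Screen e-mail sender headers for lookalike and mismatch patterns.

Added example, not from the original page. The trusted domain and all
sample headers below are constructed for illustration only.
"""
import difflib
from email.utils import parseaddr
from typing import List

# Assumption: the campaign owns exactly this domain (placeholder value).
TRUSTED_DOMAINS = {"examplecampaign.org"}

# Similarity at or above this is treated as a lookalike domain, e.g. a
# transposed-letter copy such as "examplecampaing.org".
LOOKALIKE_THRESHOLD = 0.8


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def screen_sender(from_header: str, reply_to_header: str = "") -> List[str]:
    """Return human-readable findings for one message's From / Reply-To headers.

    An empty list means nothing looked off in the headers; it is not proof
    the message is genuine.
    """
    findings: List[str] = []
    display_name, from_addr = parseaddr(from_header)
    from_domain = _domain(from_addr)

    # 1. A display name that is itself an address ("chris@campaign" <x@other>)
    #    hides the real sending address in mail clients that show only the name.
    if "@" in display_name:
        findings.append(f"display name contains an address: {display_name!r}")

    # 2. Domain check: trusted, lookalike of trusted, or simply external.
    if from_domain not in TRUSTED_DOMAINS:
        closest = max(
            TRUSTED_DOMAINS,
            key=lambda t: difflib.SequenceMatcher(None, from_domain, t).ratio(),
        )
        score = difflib.SequenceMatcher(None, from_domain, closest).ratio()
        if score >= LOOKALIKE_THRESHOLD:
            findings.append(
                f"sender domain {from_domain!r} looks like trusted domain "
                f"{closest!r} (similarity {score:.2f})"
            )
        else:
            findings.append(f"external sender domain {from_domain!r}")

    # 3. Reply-To pointing somewhere other than the From domain: a reply to a
    #    "colleague" would silently go to a third party.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        reply_domain = _domain(reply_addr)
        if reply_domain and reply_domain != from_domain:
            findings.append(
                f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}"
            )

    return findings


# Constructed sample headers covering the cases discussed on the page.
SAMPLES = [
    ("Chris Lee <chris.lee@examplecampaign.org>", ""),                      # genuine
    ("Chris Lee <chris.lee@examplecampaing.org>", ""),                      # lookalike
    ('"chris.lee@examplecampaign.org" <mailbox123@freemail.example>', ""),  # name is an address
    ("Chris Lee <chris.lee@examplecampaign.org>",
     "Chris Lee <chris.lee@freemail.example>"),                             # redirected replies
]

if __name__ == "__main__":
    for from_hdr, reply_hdr in SAMPLES:
        print("From:", from_hdr, "| Reply-To:", reply_hdr or "-")
        for finding in screen_sender(from_hdr, reply_hdr) or ["no header findings"]:
            print("   ", finding)
```

The similarity ratio comes from difflib.SequenceMatcher, so one transposed or dropped letter in an otherwise identical domain scores well above the 0.8 threshold, while an unrelated free-mail domain scores far below it and is reported only as external. Both the threshold and the trusted-domain set are tuning choices to be set per campaign.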
Learn more: What is Phishing?
How To: Defending Against Phishing