Phishing is an attempt to gain access to accounts, personal information, or devices, in order to infect them or steal data. It works by luring users to click on a link and hand over personal information directly, or to open a document infected with malware.
Phishing remains one of the most common types of attack, and campaigns can be subjected to many different kinds of phishing attempts.
Many efforts to educate people so that they are less susceptible to phishing involve teaching them to parse web addresses (URLs) in order to spot faulty or fraudulent ones, or to understand the tactics phishers use to lure us in. No doubt having our antenna up when reviewing what comes through our email inboxes and social feeds is extremely important. However, some of these tactics are not effective.
Some organizations find it helpful to train staff actively against phishing by conducting phishing simulations. They send fake phishing emails to staff and track which staff members click. These efforts are not designed to be punitive. Rather, they have been developed to help staff understand the risk and to identify staff who may need some additional training.
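As an added illustration, not part of the original guide, the snippet below shows how the results of such a simulation can be tabulated so that follow-up training goes to the people who need it. The log format (`timestamp,event,user,campaign`), the event names, and the sample addresses are constructed for this example and do not correspond to any particular simulation tool.

```python
# Added example: summarise a phishing simulation from constructed event logs.
# The log format, event names and addresses below are assumptions made for this
# example; real simulation platforms export their own formats.
from dataclasses import dataclass, field

# Constructed sample log: one event per line, "timestamp,event,user,campaign".
SAMPLE_LOG = """\
2024-03-01T09:00:00Z,sent,alice@example.org,sim-01
2024-03-01T09:00:00Z,sent,bob@example.org,sim-01
2024-03-01T09:00:00Z,sent,carol@example.org,sim-01
2024-03-01T09:00:00Z,sent,dave@example.org,sim-01
2024-03-01T09:12:31Z,clicked,bob@example.org,sim-01
2024-03-01T09:13:02Z,submitted,bob@example.org,sim-01
2024-03-01T09:20:45Z,reported,alice@example.org,sim-01
2024-03-01T10:05:10Z,clicked,dave@example.org,sim-01
2024-03-01T10:06:00Z,reported,dave@example.org,sim-01
"""

KNOWN_EVENTS = ("sent", "clicked", "submitted", "reported")


@dataclass
class Summary:
    """Who received the simulated email and what each recipient did."""
    recipients: set = field(default_factory=set)
    clicked: set = field(default_factory=set)
    submitted: set = field(default_factory=set)
    reported: set = field(default_factory=set)


def parse_events(log_text):
    """Turn the CSV-style log into (event, user) tuples, skipping malformed
    or unknown lines rather than failing on them."""
    events = []
    for line in log_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        _timestamp, event, user, _campaign = parts
        if event not in KNOWN_EVENTS:
            continue
        events.append((event, user.strip().lower()))
    return events


def summarise(events):
    """Aggregate per-user outcomes into a Summary."""
    s = Summary()
    for event, user in events:
        if event == "sent":
            s.recipients.add(user)
        elif event == "clicked":
            s.clicked.add(user)
        elif event == "submitted":
            s.submitted.add(user)
        elif event == "reported":
            s.reported.add(user)
    return s


def click_rate(s):
    """Fraction of recipients who clicked the simulated link."""
    return len(s.clicked) / len(s.recipients) if s.recipients else 0.0


def report_rate(s):
    """Fraction of recipients who reported the email (the desired behaviour)."""
    return len(s.reported) / len(s.recipients) if s.recipients else 0.0


def classify(s):
    """Per-recipient outcome label, worst case first when several apply.
    Someone who clicked and then reported did the right thing after a
    mistake, which is exactly what staff should be told to do."""
    outcome = {}
    for user in sorted(s.recipients):
        if user in s.submitted:
            outcome[user] = "submitted_credentials"
        elif user in s.clicked and user in s.reported:
            outcome[user] = "clicked_then_reported"
        elif user in s.clicked:
            outcome[user] = "clicked"
        elif user in s.reported:
            outcome[user] = "reported"
        else:
            outcome[user] = "no_action"
    return outcome


def needs_followup(s):
    """Recipients to offer extra training: clicked and never reported.
    This is a training list, not a disciplinary one."""
    return sorted(s.clicked - s.reported)


if __name__ == "__main__":
    summary = summarise(parse_events(SAMPLE_LOG))
    print(f"click rate:  {click_rate(summary):.0%}")
    print(f"report rate: {report_rate(summary):.0%}")
    for user, label in classify(summary).items():
        print(f"{user:20} {label}")
    print("follow-up training:", needs_followup(summary))
```

The interesting number for a campaign is usually the report rate rather than the click rate: a rising share of staff who report the email, even after clicking, is the sign that the training is working.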
Do campaigns need to do phishing simulations?
It depends. Larger campaigns and organizations, such as presidential campaigns and state parties, may want to consider such an effort. The larger the staff, the more opportunities there are for phishing to succeed. Other campaigns need to evaluate the overall risk to the campaign and determine whether they are at heightened risk of phishing attempts.
All campaigns should alert staff and volunteers to the risks of phishing while on a campaign, the ways the attempts may manifest themselves, and how and when to report suspicious communications, including when they have mistakenly clicked on a link.
Learn More: What is Phishing?
How To: Defending Against Phishing