Election Security Spotlight – Phishing

What is it

Phishing occurs when malicious actors masquerade as legitimate entities during electronic communication in an attempt to compromise systems and networks or to gain unauthorized access to private, sensitive, or restricted content. Phishing is designed to socially engineer a response from the recipient, such as going to a malicious actor controlled website and entering login credentials. Phishing emails often entail a sense of urgency to exploit time constraints and cloud a victim’s initial judgment. For example, phishing may indicate an immediate need to correct an error, meet a deadline, or transmit sensitive information for a high-profile request. This can help to maximize the sense of urgency and increase the success of the phishing campaign. Phishing emails are known for including grammatical or other errors, such as the wrong logo or tone of voice, but from a sophisticated actor they often look and read as if legitimate.

Generally, phishing refers to broad email communications, but it can target senior executives or other high profile individuals (whaling). When any of these attempts involve strategic targeting of one or a small number of people, it is referred to as Spear Phishing. Phishing can also be accomplished over text messages (smishing) or a telephone (vishing).

Note: Phishing emails are often confused with spam, which is unsolicited commercial emails, or malspam (malware spam), which contain malware, link to malware on malicious or compromised websites, or attempt to trick the user into opening malware hidden in an attachment.

Why does it matter

Email continues to be one of the chief distribution methods used by malicious actors to opportunistically or strategically target their victims. For instance, since early 2017, email has ranked as the most common initial infection vector among the Top 10 Malware. Victims of phishing may divulge sensitive election information or associated login credentials, which can then be used to alter records or otherwise access sensitive databases. This malicious access can also be leveraged to spear phish other election offices by using the initial victim’s email account.

What can you do

Consider implementing a standardized protocol for handling suspicious emails that include a reporting mechanism and a designated point of contact. In addition, training employees to recognize and avoid phishing techniques is critical. This can be done by using resources such as the MS-ISAC’s June 2018 newsletter on How to Spot Phishing Messages Like a Pro. After training employees, conduct organized phishing exercises to test and reinforce the concepts using services such as those provided through DHS’s Phishing Campaign Assessment.

On the technical side, election offices can implement filters at the email gateway to filter out emails with phishing indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall. The principle of least privilege is also important because by restricting users from having access to resources they do not need, it restricts the harm if the user is successfully phished.

For a more comprehensive list of recommendations on how to identify and handle phishing incidents, please see US-CERT’s Security Tip on Avoiding Social Engineering and Phishing Attacks.

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to election infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the election community, please contact [email protected].