Election Security Spotlight – Social Engineering

What is it

Social engineering is the use of deception to manipulate individuals into providing a particular response, generally for a fraudulent or malicious purpose. This can occur via all forms of communication, including email, text message, phone call, social media, and in-person. Prior to targeting, social engineers typically gather information about an individual or organization using publicly available resources. Offices and officials that regularly interface with the public are uniquely susceptible to social engineering due to the expectation of quality customer service.

Why does it matter

Strategic targeting of a particular individual or small group often includes multiple social engineering components and is hard to distinguish from legitimate activity. For instance, a socially engineered email to an election official might appear to come from an organization the official works closely with, such as a vendor, the EI-ISAC, or a state or local officials association. Social engineers may also reference a current event the official will likely care about, such as recent Congressional testimony on securing the elections. Another common social engineering tactic is to convey a sense of urgency to distract targets from potential inconsistencies in the threat actor’s request. Emails to election officials that use this technique might indicate a deadline for response, such as providing comments before a meeting.

Threat actors also routinely use telephone calls to collect or change information in order to gain access to online accounts and remote networks. This technique has been used to gain access to government executives’ personal and professional email and social media accounts, as well as to trick employees into falling for tech support call scams.

From a cyber perspective, the goal of social engineering could be to get the target to respond to an email and engage in a dialogue with the threat actor, download malware, transfer money, or go to a website and provide login credentials. All of these actions could lead to a compromise of professional or personal accounts, as well as computer networks. From a physical perspective, social engineers could attempt to gain access to restricted areas or documents to access or modify sensitive information and systems.

What can you do

Due to their public-facing role, election officials must be especially vigilant for potential social engineering. Election offices should have policies in place to prevent social engineering and all staff should participate in social engineering training that includes information about all forms of social engineering, including in-person and telephone-based attempts. Additionally, use caution when providing information online and to outside entities, including social media posts, as cyber threat actors can gather this information to learn more about you and craft social engineered lures tailored to you. As a general rule of thumb, if an email, text message, phone call, or other interaction seems unexpected or out of the norm, review it for cues that might indicate it was from a threat actor and be sure to verify to identity of the individual.

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact [email protected].