Election Security Spotlight – What Is Smishing?

An Overview of Smishing

Smishing is a phishing attempt via Short Message Service (SMS), text messages, or non-SMS messaging apps. Attackers use smishing to steal victim information, communicate erroneous information, deploy malware, or socially engineer the victim into simply engaging with the sender. Like phishing, smishing messages can convey a sense of urgency to socially engineer the victim into responding without fully evaluating the request. The most common smishing scams relate to user credentials for businesses or financial institutions, gift offers, invoices, package delivery confirmations, and overdue payments. Messages may also feature inaccurate information about elections related to polling locations/hours and campaign material.

Why It Matters

Attackers can use smishing to compromise systems and networks, compel recipients to act on erroneous information, or obtain information they will later use to launch more sophisticated attacks. Unwitting senders may also send smishing messages with incorrect information, fueling suspicions the message is a purposeful attack or eliciting wrongful actions. A cybercriminal’s unauthorized access to an election network, official social media accounts, or email accounts may disrupt the election process. Sensitive information could be compromised, or misinformation could be distributed to the public. Similarly, messages may be mistakenly distributed with errors, causing recipients to carry out misguided action, such as attempting to vote on the wrong day or location. These scenarios may lead to a decline in public confidence in the election process.

Train full-time elections staff and seasonal employees on detecting and reporting smishing. Some protective measures follow:

  • Avoid clicking and forwarding links or text messages from unknown sources.
  • Report suspected smishing to internal organizational contacts and the EI-ISAC for analysis.
  • Implement Mobile Device Management and applicable antimalware solutions to protect critical systems accessible via work phones.
  • Avoid providing information about offices or processes to unauthorized personnel.
  • If it is believed account credentials were compromised, change passwords immediately.
    • Report all suspected compromises to internal organizational contacts and the EI-ISAC.

For additional information about preventing social engineering attacks, please review the DHS’s Security Tips 04-014, CISA’s Cybersecurity Toolkit to Protect Elections, and EI-ISAC’s phishing Spotlight.