Email Scams: Phishing for Victims in Election Year

The 2020 election is fast approaching in the US. That means continuing cybersecurity concerns for both citizens and governments. While election interference from foreign actors is a foregone conclusion, there are numerous other reasons for hackers to attack. One thing is certain: it is already happening, and there is no shortage of email scams for hackers to choose from.

Campaign fundraising email scams

Hackers love to exploit our emotions, and fundraising email scams are the perfect ruse for them to cash in. Elections and politics in general have created both political polarization and frenzy. We’re more involved in politics than ever. For those who don’t get directly involved, contributing to a political campaign is a quick, easy, and even cheap way to do it.

Scam PACs dupe citizens out of millions, but most are simply money-making schemes. With fraudulent websites and emails purporting to originate from political candidates and organizations, scammers prey on citizens’ emotions and get them to contribute to political candidates and social causes, although the money never reaches the advertised recipients. While they aren’t true phishing scams designed to steal credentials, scam PAC organizations have certainly learned a few tricks from phishers.

Like any phishing email, success starts with the subject line. Emotionally driven subject lines work particularly well after a highly publicized event or tragedy. The Notre Dame fire that nearly destroyed the famed cathedral in Paris sparked a global outbreak in phony fundraising websites. Criminals directed victims to the phony websites through URLs in article comments and via paid ads.

Subject lines in campaign fundraising emails are bent toward inciting anger and fear in citizens who are keeping a close eye on political campaigns and an even closer eye on those they view as political foes: the other side.

Adding to the effectiveness of subject lines is that they are often tied to the news cycle. A 2019 report by Twilio found that campaign emails in the US peaked after the second Democratic debate.

The party involved in the debate wants to capitalize on citizens who are excited and hopeful after a debate, ready and willing to contribute anything to the candidate who inspired them. The opposing party will use soundbites from the debate to incite the emotions of their voters.

While apocalyptic subject lines contribute to the open rate of email scams, they can also increase the likelihood of the email going to spam. This is primarily due to flag words that connote urgency or overly promotional language, like those that warn citizens or voters that the time to respond is running out or that the deadline to add their names to a petition or donate funds is approaching.

Around 21 percent of campaign emails go to spam, according to Twilio. However, opening the email is a sign that you know and trust the sender, and so the emails will keep coming. The same is true of spear phishing emails.

Also notable in the Twilio report is the high number of emails sent from accounts that fail to use email authentication tools, which would protect candidates and organizations from email spoofing. In total, less than 50 percent of campaign emails passed or used email authentication.

Election phishing

Local and state governments were targeted in more than 122 cyberattacks in 2019. Most attacks involved ransomware, and many cities paid large ransoms to get systems back online. Recently, the city of New Orleans declared a state of emergency—its second declaration in six months—due to a ransomware attack. In many cases, hackers infiltrated government systems via MSPs.

During the 2016 US presidential election, Hillary Clinton’s campaign chairman John Podesta received a phishing email impersonating Google, his personal email provider. The phishing email, which told Podesta that his Gmail account was compromised and required a password change, wasn’t particularly sophisticated. Still, it was believable enough that Podesta’s own help desk encouraged a staffer to change Podesta’s Gmail password. But rather than clicking on the legitimate Gmail link provided by the help desk, the staffer clicked on the phishing link, which had been shortened with Bitly. The result of the phishing campaign was the massive WikiLeaks data leak that reverberates to this day.

Also in 2016, five Florida counties were targeted in phishing emails originating from Russia. One county election supervisor reported that his office receives around 3,500 phishing or spam emails per day—not an unusual number, but an alarming one for an office responsible for voter registration and results.

In 2016, North Carolina state voting officials were targeted with a phishing email impersonating an e-voting vendor in Florida. The email itself was unsophisticated, at least to the naked eye. A spelling error in the email should have been a clear sign that the email was illegitimate, but according to the firm that identified the attack, the simplicity of the email made it “blend into the noise” and made it believable.

Although it’s not clear if the malware-laden email compromised any single individual or account, The Intercept reports that North Carolina experienced “widely reported software glitches on election day.”

Extortion

Sextortion emails are once again making the rounds—they’re more sophisticated than in the past and made more lethal due to the relentless data leaks of 2019. A hacker who has access to a user’s password for a certain website, or any other identifying information, is in a good position to convince the user that they have other dirt on them. Whether it’s true or not is irrelevant.

The emails are particularly hard to catch due to new phishing techniques, including using QR codes in place of phishing links and screenshots, rather than body text, as the email message. Apocalyptic subject lines contribute to the open rate, but it’s the targeted nature of the email, supported by leaked data, that makes them successful.
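As an added illustration (not code from the article or any vendor), the Python sketch below triages a raw message for two delivery traits described on this page: a link routed through a URL shortener, as in the Podesta email, and a body that is an image with little or no text, as in the extortion emails above. The shortener list, the 20-word threshold, and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Assumed, non-exhaustive shortener list; bit.ly is the one named in the article.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URL_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.I)

class _Visible(HTMLParser):
    """Collect visible text and count <img> tags in an HTML part."""
    def __init__(self):
        super().__init__()
        self.text, self.images = [], 0
    def handle_starttag(self, tag, attrs):
        self.images += tag == "img"
    def handle_data(self, data):
        self.text.append(data)

def triage(raw, min_words=20):
    """Return findings for one raw RFC 5322 message (threshold is an assumption)."""
    msg = message_from_string(raw, policy=policy.default)
    words, images, hosts = 0, 0, set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_content_maintype() == "image":
            images += 1                      # attached or inline image part
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            hosts |= {h.lower() for h in URL_HOST.findall(body)}
            if ctype == "text/html":         # count only text a reader would see
                parser = _Visible()
                parser.feed(body)
                body, images = " ".join(parser.text), images + parser.images
            words += len(body.split())
    findings = []
    if hosts & SHORTENERS:
        findings.append("shortened-link")    # destination hidden behind a redirect
    if images and words < min_words:
        findings.append("image-only-body")   # message text lives in a picture
    return findings

# Constructed sample messages (not real mail).
SHORT_LINK = ("From: alerts@example.test\nSubject: Password change required\n"
              "Content-Type: text/html\n\n"
              "<p>Someone has your password. <a href='http://bit.ly/XXXX'>Change it</a></p>")
IMAGE_ONLY = ("From: x@example.test\nSubject: I know your password\nMIME-Version: 1.0\n"
              'Content-Type: multipart/mixed; boundary="b"\n\n'
              "--b\nContent-Type: text/plain\n\n\n"
              "--b\nContent-Type: image/png\nContent-Transfer-Encoding: base64\n\n"
              "iVBORw0KGgo=\n--b--\n")
```

Neither finding proves a message is malicious; both are signals to route mail for closer inspection, since text-based filters see nothing to score in an image-only body and cannot judge a shortened link by its visible host.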

Sextortion isn’t the only way to shame or scare victims into paying up or divulging sensitive information, but it’s a shame not quite like any other and one bound to get big headlines if a politician or government worker is involved. This makes state, local, and federal government workers highly susceptible to sextortion and other forms of extortion and blackmail.

The MSP connection

MSPs should be on high alert for email scams targeting government clients. In some cases, the MSP is the target because of its access to government client systems, while in others, cybercriminals attack the government client directly.

From phishing to ransomware, attacks affect not only government offices but also the citizens who rely on them to protect their data and keep critical services up and running. Headlines about compromised MSPs have been relentless in 2019. In many of those cases, it was the MSPs’ vendors, and not the MSPs, who owned the responsibility for the breaches.

In either case, MSPs have both clients and reputations to protect. Investing in predictive email security that blocks targeted attacks greatly reduces the chances of you or your clients falling victim to an attack, but it also presents an opportunity.

State and local governments are highly reliant on third-party IT support. A recent court ruling in California made it possible for a security vendor with 11 channel partners to offer discounted security services to US political campaigns. While the ruling has yet to spark a similar nationwide rule, it hints at a potential opening for MSPs who are looking to break into the public sector. Educating prospective government clients about the latest threats and providing a solution built to block those threats provides that competitive advantage.