Don’t Take the Bait: Steps to Tackle Phishing Attacks
In a world ruled by innovative online technology, cyberattacks are an unfortunate consequence that requires constant diligence and preventative measures. Following proper cybersecurity protocols is especially important for keeping voter registration information and sensitive election data secure. In the history of U.S. elections, no hacking and phishing attempts were more widely publicized than those surrounding the 2016 presidential election. Social attacks like phishing are typically easier and less expensive to execute than technological attacks, and so must be mitigated in order to safeguard the integrity of elections.
Phishing and spear-phishing tactics are conniving and delivered in a well-disguised manner. Something as trivial as an email bearing a company logo and sent as a staff memo could jeopardize election information with a single click of the mouse by a single employee.
This past summer, cyberattacks were launched against a Florida-based voter registration (VR) system provider in an attempt to get employees to reveal their user credentials. Using data gathered in that attack, the hackers then launched a phishing attempt targeting 122 election officials who use that VR system. They sent county officials an email appearing to come from the VR vendor, encouraging them to open an attachment that would let malware infect the system, potentially leaving highly sensitive voter information accessible and vulnerable. These types of attacks can be prevented by focusing on three areas of coverage: staff education and training, policies and requirements, and proactive tools and resources.
1. Staff Education and Training
Whether it’s an email, text, or pop-up window on a website, recognizing the key markers of a phishing scam is paramount to prevention. Staff education, training, and simulated activities help employees become instinctively aware of the common warning signs.
- Email Links – Cybercriminals can now replicate company letterhead, logos, and website appearances to near perfection to fool recipients. A good practice to develop with staff early on is to hover the mouse over any link before clicking it, to check that the destination is not spoofed and leads to a secure website.
- Phishing Simulation – Phishing simulator programs such as PhishingBox and Sophos Phish Threat are available and widely used by companies to train employees and regularly audit their email habits. After all, sometimes the best way to learn is to see things in action.
2. Policies and Requirements
Have employees read and sign off on written company policies regarding email and Internet use on the job. These policies should include the following requirements:
- Teach the dangers of shared passwords: never use the same password between accounts. Use a password management tool.
- Turn on email filters and apply enterprise filters. Where possible, use a third-party email service such as Gmail, whose providers have invested significant resources in solving this problem.
- Implement multi-factor authentication for logins wherever it is available.
- Ensure workstations are equipped with antivirus software that scans and updates regularly.
- Update passwords with random combinations of words that are hard for computers to guess but easy for a human to remember.
3. Proactive Tools and Resources
Identifying phishing and establishing policies against it are the first steps to stopping cybercriminals, but many companies and organizations aren’t aware of the additional resources readily available to them. The following resources can help stop phishing in the workplace:
- Anti-Spam Techniques – Sender Policy Framework (SPF) detects spoofed email by allowing incoming mail only from hosts that the domain’s administrators have authorized. Similarly, DomainKeys Identified Mail (DKIM) lets the receiver of a suspicious message verify the domain it claims to originate from.
- Implementing the External Feature Within Your Email Client – Transport rules and transport rule actions can be set manually to prepend an “EXTERNAL” tag to the subject line of any email sent from outside the jurisdiction. This tactic clearly tells employees to use caution when reading or interacting with emails from an external source.
- Minimize Email for Internal Communications – While email is still a necessary platform, other tools like Slack can be used for internal collaboration and provide a closed ecosystem that is much harder for an external threat to penetrate.
- Anti-Phishing Organizations – If a phishing scheme has been recognized, forward the email to the Federal Trade Commission at email@example.com or the Anti-Phishing Working Group at firstname.lastname@example.org, in addition to reporting it to the company being mimicked. Diligent proactivity lessens the chance that an organization falls victim to exploitation.
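The EXTERNAL subject tag and the SPF/DKIM checks described above, combined into one added Python example that is not from the original post: it tags mail from any sender outside an assumed jurisdiction domain (elections.example.gov, constructed) and surfaces SPF/DKIM verdicts from the Authentication-Results header that a receiving mail server adds, using constructed sample messages.

```python
import email.utils
import re
from email import policy

# Assumed jurisdiction mail domain (constructed for this example).
INTERNAL_DOMAINS = {"elections.example.gov"}

# Constructed sample messages (headers only); Authentication-Results is what the receiving server adds after its SPF/DKIM checks.
INTERNAL = """\
From: Colleague <colleague@elections.example.gov>
Subject: Staff meeting
Authentication-Results: mx.elections.example.gov; spf=pass; dkim=pass
"""
VENDOR = """\
From: VR Support <support@vr-vendor.example>
Subject: Scheduled maintenance
Authentication-Results: mx.elections.example.gov; spf=pass; dkim=pass
"""
SPOOFED = """\
From: VR Support <support@vr-vendor.example>
Subject: Updated voter roll export
Authentication-Results: mx.elections.example.gov; spf=fail; dkim=none
"""

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def sender_domain(msg):
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def auth_results(msg):
    """Pull the spf= and dkim= verdicts out of Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim)=(\w+)", header))

def tag_message(msg):
    """Return (subject, findings): prefix [EXTERNAL] when the sender is outside
    INTERNAL_DOMAINS and record any SPF/DKIM verdict that is not 'pass'."""
    findings = []
    subject = str(msg.get("Subject", ""))
    if sender_domain(msg) not in INTERNAL_DOMAINS:
        if not subject.startswith("[EXTERNAL]"):
            subject = "[EXTERNAL] " + subject
        findings.append("external sender")
    verdicts = auth_results(msg)
    for check in ("spf", "dkim"):
        if verdicts.get(check, "none") != "pass":
            findings.append(f"{check}={verdicts.get(check, 'none')}")
    return subject, findings
```

The spoofed message is tagged EXTERNAL and also carries failing SPF and missing DKIM verdicts, which is the combination a mail filter or analyst should treat as a likely vendor impersonation.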
While the consequences of phishing can be immeasurable and detrimental to an individual or a company as a whole, the precautions that prevent falling victim to a phishing scheme are simple and readily available. Bottom line: know your mail, know your sender, and slow your roll, hackers.
Voter Registration Vulnerability Assessment
Check to see if your jurisdiction and voter registration system are using the latest security standards and practices. This checklist will guide you through questions to analyze your application security, encryption, infrastructure, and process security.