This year brings many advancements in the cyber realm. It is also an election year. While many opinions and stances exist, we should all be aware of the effect election years can have on our security. Rather than looking at the technical side of voter registration systems, IT infrastructure, or polling places, let us narrow in on the human side of security. I want to talk about how social engineering can be leveraged during this year specifically. Peering into this side enables us to focus on key strategies for organizations to safeguard against and educate employees about election-themed social engineering attacks. So, what should companies and employees be vigilant about?
Well, this topic is really an expansive one! Because of that, today we will look at how the election year can influence the creation/spread of misinformation, deepfakes, and social engineering attacks.
Misinformation, Disinformation, and Deepfakes
Merriam-Webster defines misinformation as incorrect or misleading information. Disinformation is the intentional spread of false information with a malicious intent. Certainly, we can agree that this type of information abounds today. This is partly due to the quick access we have to information as well as the ability to spread it. The spread of mis/disinformation continues to increase due to these and other factors. Mis/disinformation has certainly been seen surrounding elections in the past.
One form this information can take is deepfakes. Deepfakes are primarily fake videos or audio that appear to be legitimate. In 2023 there were elections in Slovakia, and they experienced this attack in a real way. An audio recording appeared on Facebook, “allegedly capturing a conversation between a candidate and a media representative discussing plans to manipulate the election, including buying votes.” The audio was quickly found to be a fake, yet the damage had already been done. This disinformation campaign quickly turned to misinformation, and swiftly affected people’s decisions.
This issue is not one that will be isolated or confined to other countries alone. It demonstrates how misinformation, disinformation, and deepfakes can be a real threat. Because of this, employees should be educated to always verify sources, especially during election seasons. Remember that not everything one sees or hears may be real, so do some verification before trusting it.
Social Engineering Attacks Leveraging Political Themes
In the past we have seen many different social engineering attacks that leverage various political themes. Any time there is a large event, disaster, or holiday, the malicious actors come out to take advantage. Knowing this brings organizations and their employees one step closer to safety, as they know when to be extra cautious. Let us look to the past to see the what, and finally, we will give you the how.
Stay Secure: The What
- Voter Registration Attacks: A common attack during election years is the voter registration attack. An attacker emails (phishing), calls (vishing), or texts (SMiShing) you with a link to a fake voter registration form. The form contains spaces for personally identifiable information, in the hope that you will fill it out and send it back.
- Donation Attacks: Donation attacks can take many forms. In some instances, a fake audio message of a candidate may ask for a donation and instruct you to push a number on your phone, which would then direct you to a “representative.” Or you may receive a call from a real person who is encouraging you to donate. You may also get an email with links to “donation sites.”
- Fake Surveys, Petitions, and Polls: Surveys, petitions, and polls are common during the election season. Attackers may create fake ones in order to collect personally identifiable information. They may seek a contribution or offer a gift card or other incentive to encourage you to participate in the survey.
Stay Secure: The How
With mis/disinformation, deepfakes, and social engineering attacks abounding, organizations must remain vigilant and educate their staff on how to stay safe. But what are some specific things your employees should be on the lookout for? AARP gives the following tips:
Voter Registration Attacks
- If someone claims you are not registered to vote and offers to register you by phone, hang up. You cannot register by phone, email, or text. In all 50 states, you can only register to vote online, by mail, or in person at a local election office.
- “If you receive a suspicious call from someone trying to influence your vote, the best thing to do is just hang up,” notes a consumer alert from North Carolina Attorney General Josh Stein.
Donation Attacks
- Be skeptical of unexpected calls from someone claiming to be a politician or a celebrity. In recent months, scammers have released deepfake videos of famous people such as Tom Hanks, Elon Musk, and Dolly Parton, for fraudulent product endorsements.
- If you want to donate to candidates, go to their certified site. “Don’t answer any phone calls, don’t click on any links in an email or text, even if it’s from somebody you recognize or you might think is reputable,” Bruemmer says. “Someone could have taken over their account and started spamming you.”
- Do not rely on Caller ID: Scammers can impersonate a political campaign phone number through a tactic known as spoofing.
Fake Surveys, Petitions, and Polls
- A legitimate survey may ask how you plan to vote along with your political affiliation, and surveyors may request demographic information, such as age or race, notes Equifax’s ID Watchdog. But do not share more specific information. Age is one thing; your birth date is another. Decline to provide your name, address, email address, Social Security number, or driver’s license number.
- If someone conducting a survey or poll offers a prize, do not participate. “Real political polls rarely offer prizes for participation, and none would ask for a credit card number,” ID Watchdog states.
For more tips, visit AARP’s article directly. Applying these tips will help you protect your organization and your staff from election-themed social engineering attacks.
Written by
Shelby Dacko
Human Risk Analyst
Social-Engineer, LLC