It’s election season, and those in security know that with every season, there is a reason for criminals to create new lures to fool end users. The next week is sure to bring us many phishing emails and social networking ploys that seek to pry sensitive information from unsuspecting people.
Here are a few common election-related ruses that criminals favor. Share this information with employees to keep them on guard for social engineers who use election headlines for nefarious purposes.
Politically Focused Phishing Emails
Email continues to be the gift that keeps on giving for criminals. Decades after its creation, it is still a useful and pervasive tool, and therefore still a hot target for hackers.
According to Symantec’s 2018 Internet Security Threat Report (ISTR), 54.6 percent of all email is spam, and the average user receives 16 malicious spam emails per month. That volume adds up, and it is only a matter of time before someone falls prey to a bad message.
Election season is, of course, prime time for politics-related phishing lures. Even campaigns themselves have been victimized by phishing schemes. A phishing attack against the Democratic National Committee in 2016 led to the leak of thousands of internal emails, and it was the result of just one malicious message opened by a campaign insider.
Educate end users about the risk they take when opening messages that ask them to click on a link for political news or information, even if it appears to be from a trusted source.
“Just because a ‘friend’ shares it doesn’t make it safe,” said Dan Nadir, vice president of the Digital Risk business unit at Proofpoint. “Malicious links are not less dangerous because you know the person who shared the content.”
Social Media Scams
Social media sites such as Facebook and Twitter are now where millions of readers head for news and information daily. Facebook has received plenty of negative press in the last year due to its role in an alleged Russian campaign to use social media to influence the 2016 presidential election. The site continues to work to prevent fake news and propaganda from spreading on the platform in the run-up to the U.S. midterm elections, but some say not enough is being done.
Facebook itself announced last week that it would remove 559 pages (public profiles of celebrities and businesses) and 251 accounts because, according to company officials, the pages were engaging in “inauthentic behavior” and spreading misleading information and spam.
But fake news and propaganda are only one of many risks to warn your employees about this election season. Like phishing emails, misleading headlines promising information are rampant on social media and can lead to a malware infection, and that is the bigger concern for security leaders who are trying to protect their network.
“Social media or browser apps and plug-ins that claim to offer real-time polling or election results may be dangerous, as they can potentially install ransomware or other malware,” said Nadir.
Another area to warn users about: direct messages—the one-to-one private messages between Twitter and Facebook users.
“Do not ever click on unsolicited DMs or Facebook Messenger links, as they might contain malware or direct you to credential phishing sites that will attempt to steal your passwords or financial information,” said Nadir, who noted malicious direct messages can take the form of auto-replies after following some accounts on Twitter and can even come from one of your followers/friends who have been hacked.
Users can reduce their exposure to malicious Twitter messages by disabling the “precise location” and “receive messages from anyone” options.
Election Calls from Criminals
Not all scams are high tech. The phone scam is still alive and well in election season.
Criminals posing as campaign volunteers, or pollsters, for example, can use the election as a cover to steal information or pretext a victim to pull off the so-called “long con”—a crime that takes place at a later date.
A scammer often calls pretending to be from a campaign or polling organization and will ask for information such as a name and date of birth under the guise of conducting a survey. But users should be warned never to provide personal information over the phone. Even providing seemingly innocuous information could be detrimental to corporate privacy or intellectual property.
According to social-engineer.org, an education site that aims to provide examples of common scams, users should be told that if they receive a suspected social engineering phone call, they should ask the caller for their name, company and phone number. In almost every case, the caller will disconnect when asked questions or placed on hold.
New Tech Makes Scamming Even Easier
Election season will be over soon, but the election scams will then be replaced with other contemporary threats, such as holiday-related cons in your employees’ inboxes.
According to a recent article from CBS News, security industry experts are concerned that emerging technology including artificial intelligence and automation powered by big data and the internet of things (IoT) will only make it easier for hackers to find an open target and take advantage of their vulnerability.
“If a human being were walking down the street trying to break into the car, they might try all the doors,” said Mark Risher, Google’s director of Product Management for Security and Privacy, in the article. Risher believes AI speeds up an attacker’s ability to find those so-called “doors” and exploit them.
Google has AI technology to detect bot behavior and limit the rate of login attempts to thwart automated attacks.
User Education is Still Your Best Defense
A robust awareness program and consistent user education are still the best defenses for an organization working to avoid being targeted in a social engineering or phishing scam. Sharing these kinds of regular reminders with your employees and providing them with examples of what to look for will help them stay protected this midterm election season.