Checklist 204: Cybercrime and the 2020 Election

The 2020 U.S. elections are just days away, and cybercriminals — some motivated by politics, others by financial gain — are stepping up their attacks. We’ll let you know what’s happening on this edition of the Checklist.

Voter intimidation emails attributed to Iran

We’ve talked before about the issue of foreign adversaries attempting to interfere with the upcoming U.S. elections, but this week a disturbing new development came to light. 

According to the FBI and Director of National Intelligence John Ratcliffe, Russia and Iran have obtained the voter registration data of American citizens, and Iran is actively using this information to send spoof emails to voters attempting to intimidate them into voting for incumbent presidential candidate Donald Trump. Media outlets reported last week that cybersecurity analysts think the targets of the email intimidation campaign were Democratic voters in several U.S. states. The end goal of the bad actors, according to Ratcliffe, is to “cause confusion, sow chaos, and undermine [citizens’] confidence in American democracy”.

You may be wondering how intelligence agencies or APT groups overseas are able to obtain Americans’ voter information. The answer is that in many states, this information is publicly accessible — and that there have also been data breaches that have exposed voter information in the past.

While such attacks on democratic institutions are troubling, FBI Director Christopher Wray issued a statement seeking to reassure the public that despite these efforts at coercion and the public availability of voter data, this doesn’t mean that foreign adversaries will be able to alter any actual votes. As Wray put it, “We’ve been working for years as a community to build resilience in our election infrastructure and today that infrastructure remains resilient. You should be confident that your vote counts.”

In terms of what you can do to protect yourself, the answer is fairly straightforward: Just know that these intimidation attacks are ongoing, and don’t take threatening emails that you receive at face value. If you’d like to take steps to help keep others safe, consider sharing this information with friends and relatives (especially older or less tech-savvy folks who may be more easily deceived by a fraudulent email). Finally, if you do receive one of these voter intimidation emails, be aware you can report it to your local FBI field office.

Phishing scams and the 2020 election

The topic of phishing and phishing awareness is probably quite familiar to longtime Checklist listeners. But one thing that we’ve never talked about before is bad actors using an election as a pretext for a phishing campaign! Security experts and law enforcement agencies warn that they’re seeing a rise in election related online fraud, and say that two factors may be contributing to this.

First, there is intense public interest over the upcoming election, as we are all no doubt aware! Whenever a news story dominates the public conversation, whether it’s a data breach, COVID-19, or an election, that’s “good news” for cybercriminals, because they know that they have a surefire way of getting people’s attention with their phishing emails.

Secondly, due to the pandemic, many of us are working or studying from home, and thus handling our own cybersecurity for the first time ever. We don’t have the safety of corporate firewalls or intrusion detection systems like we used to at the office, nor can we take that simple precaution of walking over to the IT person’s desk and asking them for help.

The bad guys are clearly having success in these unusual conditions: Analysts at Baltimore-based cybersecurity firm ZeroFOX said that they discovered a treasure trove of personal data for sale online over the summer, including the party affiliation of the thousands of individuals whose personal identifiable information was also found in the data cache. 

So how can you stay safe? There are a number of things you can do

1. 1

   Be skeptical

   Be skeptical of any email asking for personal information, or for you to confirm personal information — especially if that email is purportedly from an organization that should already have this info. If you’ve donated to the same non-profit for years, rest assured that you’re in their database already!

2. 2

   Follow your own rules

   You know the dos and don’ts of sharing sensitive data, so stick to your best practices, especially during these turbulent times. Don’t ever give out banking details, Social Security numbers, or login credentials online. And remember that legitimate organizations (especially security-conscious ones like banks and tech companies) will never ask you for this via email anyway.

3. 3

   Don’t click, don’t call

   If you think a link in an email may be legit, don’t click on it. Instead, open up your web browser, search for the organization in question, and find the info you’re looking for on their website directly. Similarly, if you get an email telling you to call some phone number to resolve an issue, remember that scammers can easily set up fake numbers and include them in phishing emails, so search for the organization’s main customer service line and call that instead.

4. 4

   Look for red flags

   Some phishing emails are hard to spot, but others have glaring red flags that should alert you to the fact that something is very wrong. Poor spelling, grammar mistakes, or nonstandard domains (e.g. pay-pal.com or apple.com.loan) are sure signs that something is off, and that you should be very wary of the email and its sender.

5. 5

   Handle attachments carefully

   Yes, many file attachments are legitimate, but others can contain malicious links or malware. Don’t open attachments from unknown senders, and remember that even people you know can get hacked and have their accounts turned into malware delivery vectors. As such, make sure you always use a reliable anti-malware tool to scan any attachment before downloading.

6. 6

   Take a breath

   Phishing emails — especially ones centered around such charged events as the upcoming election — often play psychological tricks to manipulate people. Watch out for this! If an email seems as if it’s trying to incite panic, fear, or anger, this could be a tactic designed to get you to click before you think. Take a step back, and try to analyze the message dispassionately. Is what you’re being asked reasonable? Are there any red flags in the email? If you think the email may be genuine, use the aforementioned advice and search for the organization online so that you can reach out to them directly, instead of using the links or contact info in the email.

7. 7

   Verify before donating

   If someone contacts you to solicit a donation, remember that scammers sometimes set up fake charities and bogus political action organizations. If someone is asking you for money, they’ll still need the cash in 15 minutes, so stop and do your due diligence first. Check to see if the organization has been around for a while. Look to see if they list a physical address and phone number on their website (many fake ones don’t). Do a quick web search to see if there are any complaints about them online. Bottom line: If you’re not sure about the organization, consider donating your money to another one that supports the same cause, but is better established.

8. 8

   Spread the word

   Consider sharing this information with other people in your life. As always, it’s best to talk about cybersecurity in a low-key, friendly way — no need to lecture or frighten anyone — and just let them know that you want to make sure they’re aware of some of the dangers out there so they can stay safe. One easy way to do that is to share this show and these notes!

That brings us to the end of this Checklist, but we’ll return next week with another episode. In the meantime, take a second to write to us if you have a question or an idea for a future show, and stop by our archives if you’d like to check out some of our past episodes.