While threats and intimidation of election workers in the United States have grown dramatically since the 2020 US election, one threat these workers face is flying under the radar: cyber attack.

Researchers at Trellix detected a spike in phishing attacks aimed at election workers in the key battleground states of Arizona and Pennsylvania ahead of primary elections earlier this year. They warn that election workers may face similar attacks in the run-up to the 2022 US midterm elections.

Though cyber security experts have hailed the 2020 election as “the most secure in American history,” these cyber attacks risk compromising critical electoral infrastructure and casting doubt on the results of the 2022 election.

Election Workers Targeted

Trellix has identified attempts targeting county-level election workers with password theft phishing schemes and new phishing schemes aimed at the absentee ballot administration process.

These attacks target county-level officials because their cyber security posture is relatively vulnerable, which is surprising given that they are the essential frontline workers conducting free and fair elections across the country.

Trellix detected two primary attacks in the lead-up to the 2022 primaries:

Password theft phishing email

In this first attack, a bogus password expiration alert email attempted to lure election workers to a fake landing page. There they were asked to input their current username and password and select a (fake) new password.

Example of a phishing email sent to county election workers with a password admin lure

Source: Trellix

Hijacked email chain attack

While more complicated for the hacker to pull off, this attack has the advantage of being much harder to detect.

Here, hackers obtain either a compromised email thread or a convincing-looking forged email thread. The length of the thread helps overwhelm recipients, so they don’t remember to check for suspicious details.

Example phishing email thread targeting a county election worker through a trusted email thread

Source: Trellix

The thread portrays a back-and-forth with a presumably trusted correspondent, making election workers less likely to view it as a threat.

The hacker also sends a Microsoft OneDrive link for election workers to download completed absentee ballot applications. The download contains malware capable of infecting the election worker’s entire organization.

Example phishing email thread targeting a county election employee with an Absentee Application lure

Source: Trellix

In both attacks, the dangers are clear: with access to electoral systems, a malicious actor can access voter records, contact lists, and various other highly sensitive documents and forms. Attackers could misdirect voters into voiding their ballots or send them to the wrong polling station on election day.

Working their way up the food chain within local election boards, hackers could use stolen credentials to target those individuals with higher access and more say over the vote-counting process.

Attackers could then sell the stolen credentials to nation-state actors for nefarious purposes or to ransomware gangs who might hold critical election systems hostage on the eve of the election.

How to Spot a Phishing Attempt

While phishing attempts are designed to be challenging to detect, there are some signs to watch out for that should alert you to the possibility you are a target.

  • Sender: Just because you know the person whose name is on the email doesn’t make it safe. Check the email address carefully to confirm that the email is from that person. Look for transposed characters or email addresses that seem almost right, like a .co domain rather than a .com domain.
  • Salutation: Take a good look at the salutation. How are you being greeted? If it says something generic like “Dear client,” “Dear Customer,” or “Dear Valued Customer” instead of your name, beware!
  • Content: Scammers try to create a sense of urgency so that you act rather than think (e.g., “your account will be blocked!”). Poor grammar and spelling mistakes? No legitimate organization would ever let such errors get by it. They ask you for personal or financial information. They ask you to update your account or change your password. But you won’t fall for that! Report red flags or anything that seems suspicious to your IT service desk.
  • Link or button: Phishing emails usually try to get you to click a link or button, which takes you to a fake website or installs malware. Unless you can confirm the sender’s identity, don’t click.
  • Attachment: When you open a scammer’s attachment, you open the door to malware. Malware can wreak havoc on your computer or your organization’s entire network.
  • Contact information: Legitimate organizations want you to contact them if necessary. They show their contact information in their email so you can call them and verify that they are who they say they are.

Remember: trust your instincts and report the matter to IT when you get an email that feels off.
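The sender, salutation, and content checks above can also be automated as a first-pass filter. The following is an added example, not code from this article or from Trellix: it flags sender domains that are one or two edits away from a trusted domain (a transposed character, or .co instead of .com), along with generic greetings, urgency wording, and password-change requests. The trusted domains, phrase lists, distance threshold, and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: domains this office legitimately receives mail from (placeholders).
TRUSTED_DOMAINS = ("county-elections.example.com", "state-sos.example.com")
GENERIC_GREETING = re.compile(r"^\s*dear\s+(valued\s+)?(client|customer)\b", re.I | re.M)
URGENCY = re.compile(r"\b(expires? (today|soon)|will be (blocked|suspended))\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(update your account|change your password)\b", re.I)

# Constructed sample message, modelled on the password-expiry lure described above.
SAMPLE = """\
From: "IT Help Desk" <helpdesk@county-elections.example.co>
Subject: Password expiration notice

Dear Customer,
Your password expires today and your account will be blocked. Change your password now.
"""

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent characters costs 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def imitated_domain(domain):
    near = (t for t in TRUSTED_DOMAINS if osa_distance(domain, t) <= 2)
    return None if domain in TRUSTED_DOMAINS else next(near, None)

def red_flags(raw_email):
    msg = message_from_string(raw_email, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    checks = [
        (imitated_domain(domain), "lookalike sender domain"),
        (GENERIC_GREETING.search(body), "generic salutation"),
        (URGENCY.search(body), "urgency pressure"),
        (CREDENTIAL_ASK.search(body), "asks to change password or update account"),
    ]
    return [label for hit, label in checks if hit]

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

A filter like this only narrows what a person has to review; a message sent from a genuinely compromised mailbox, as in the hijacked email chain attack, passes the domain check and still has to be caught by the reader.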

Your best defense is an educated team

Educating election workers on the dangers of phishing attacks and cyber threats is crucial to safeguarding democratic elections.

Of all the threats that election workers in the United States face, their risk of being targeted in a compromising cyber attack gets the least attention. With signs of attempted attacks already during the primary season, election workers must be vigilant in the run-up to the 2022 midterms.

The good news, however, is that with proper security awareness training, you can help ensure your staff continues to be your first line of defense against cyber attacks.

The more knowledge and real-world context your team has, the easier it is for them to identify emails, text messages, and other social engineering tactics used to steal confidential information.


