Phishing refers to a type of cyber attack that seeks to trick a user into thinking an email is from someone else. With this confusion, the target may compromise passwords with fake login pages or download malicious programs on their device.
It's one of the more common targeted attacks against political candidates and campaigns. The hack that damaged Hillary Clinton's 2016 campaign was a successful phishing attack.
The good news is it's also one of the easier attacks to avoid, recognize and thwart. Here are some simple steps to stay safe.
Use Separate Campaign & Personal Emails
Using a personal email address, while convenient, can expose your campaign to added risks. For example, if your personal email is compromised in an unrelated data breach, an attacker might have access to sensitive campaign communications.
Campaigns also have advanced email protection from Microsoft and Google that isn't available to personal accounts.
Beware Unexpected Emails
Phishing attacks are made to look like an email you would click. Attackers may have looked at your social media profiles, LinkedIn, or company website to find names of people you know. If you don't typically correspond with a contact via email, or you weren't expecting to hear from them, much less receive a link or an attachment, avoid the email.
Some phishing emails may look like messages you'd receive from common services like social media or banks. If you didn't request to reset a password, that password reset email may be an attack.
Double Check Email Addresses
If you aren't expecting an email from someone or the tone of the message seems off, check the actual email address. The display name could be someone you know, but the email address is likely false or made to appear similar. This is especially true for emails claiming to be from a company, or from someone saying they are emailing from their personal account instead of their typical work account. Everything about the email could appear legitimate, but they can't fake the domain name.
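The check described above, as an added example that is not part of the original post: it parses a From header, compares the display name against the address that contact normally uses, and flags domains that closely resemble a trusted one. The contact names, addresses, domains and the 0.9 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample data: known contacts and the address each normally uses.
KNOWN_CONTACTS = {
    "jordan lee": "jordan.lee@campaign.example",
    "pat morgan": "pat@statepartyhq.example",
}
TRUSTED_DOMAINS = sorted({a.split("@")[1] for a in KNOWN_CONTACTS.values()})
LOOKALIKE_THRESHOLD = 0.9  # assumed cut-off; tune against your own mail


def check_sender(from_header):
    """Return a list of warnings for one From: header value."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["no parseable address in From header"]
    domain = addr.rsplit("@", 1)[1]
    warnings = []

    # A familiar display name on an address the contact does not normally use.
    expected = KNOWN_CONTACTS.get(" ".join(display.lower().split()))
    if expected and expected != addr:
        warnings.append(
            f"display name matches a known contact, but address is {addr}, not {expected}"
        )

    # A domain that is not trusted but is nearly identical to one that is.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if SequenceMatcher(None, domain, trusted).ratio() >= LOOKALIKE_THRESHOLD:
                warnings.append(f"domain {domain} resembles trusted domain {trusted}")
    return warnings


if __name__ == "__main__":
    samples = [  # constructed From: header values
        '"Jordan Lee" <jordan.lee@campaign.example>',
        "Jordan Lee <jordan.lee.personal@mailbox.example>",
        "Pat Morgan <pat@statepartyhg.example>",
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "ok")
```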
Don't Click Links Or Attachments
If you're not sure the message is legitimate, don't click links or attachments. The link may take you to a fake login page to steal your password, or the file could insert malicious code onto your device.
Instead, contact the alleged sender through a trusted channel, like a phone call or text to confirm that it was them.
Use A Password Manager
If you do mistakenly click on a link to a fraudulent site trying to get your password, having a password manager like LastPass can save you. It will see the URL does not match and won't have a password for that site. Web browsers including Chrome, Edge and Firefox have built-in password managers. Look for a little key in the URL bar the next time you log into a site.
Qualified campaigns and state parties can get LastPass Teams for free through Defending Digital Campaigns.
Enable Multi-Factor Authentication
Having a security key (a device that plugs into a USB port), like those offered by Google or Yubico, or an authenticator app gives you an extra layer of protection. If you are tricked into entering a password on a false login page, the attacker won't have access to your second, temporary password or security key. Security keys make accounts un-phishable. Someone trying to log in from a new device won't get into the account unless they have the physical key and plug it in.
Defending Digital Campaigns has free security keys from Google and Yubico.
Conclusion
There's no doubt campaigns are prime targets for phishing attacks. You can't prevent them from reaching you, but with some simple precautions and good judgment, you can keep them from working.
This post was sponsored by Defending Digital Campaigns. Their support helps keep Best Practice Digital free for our readers.