Best Practices

How To Avoid, Recognize And Thwart Phishing Attacks

They're the most common targeted cyberattacks against campaigns, but also among the easiest to avoid and thwart.

Phishing is a type of cyber attack that tricks a target into believing a message comes from someone they trust. Under that false belief, the target may type a password into a fake login page or download a malicious program onto their device.

It’s one of the most common targeted attacks against political candidates and campaigns. The hack that damaged Hillary Clinton’s 2016 campaign began with a phishing email, disguised as a Google security alert, that captured campaign chairman John Podesta’s Gmail password.

The good news is it’s also one of the easier attacks to avoid, recognize and thwart. Here are some simple steps to stay safe.

Use Separate Campaign & Personal Emails

Using a personal email address, while convenient, exposes your campaign to added risk. For example, if your personal email is compromised in an unrelated data breach, or you reused that password elsewhere, an attacker could gain access to sensitive campaign communications.

Campaign accounts on Microsoft 365 and Google Workspace also come with email protections that an administrator can enforce across the whole campaign (such as requiring multi-factor authentication for everyone), which isn’t possible with personal accounts.

Beware Unexpected Emails

Phishing emails are crafted to look like messages you would open. The attacker may have mined your social media profiles, LinkedIn, or the campaign website for the names of people you work with. If you don’t typically correspond with a contact by email, or you weren’t expecting to hear from them, much less receive a link or an attachment, don’t act on the email.

Some phishing emails imitate messages from common services like social media sites or banks. If you didn’t request a password reset, that password reset email may be an attack.

Double Check Email Addresses

If you aren’t expecting an email from someone, or the tone of the message seems off, check the actual email address rather than the display name. The display name can be set to anyone’s name, while the address is usually a free-mail account or a domain made to look similar: a letter swapped for a look-alike (examp1e instead of example), the real domain used as a subdomain of another (google.com.account-verify.net), or a plausible variant (google-security.com). Be especially wary of emails claiming to come from a company, or from someone saying they are writing from a personal account instead of their usual work address. Everything else about the email can be faked, but an attacker cannot send mail that passes authentication for a domain they don’t control, so a domain that is almost, but not exactly, the one you know is the giveaway.
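The checks described above, written out as code so the look-alike patterns are explicit. This is an added example, not part of the original post or of any vendor product; the trusted domains and the sample From: headers are constructed for illustration. It separates the display name from the real address, accepts exact matches and subdomains of a trusted domain, and flags confusable spellings, the trusted name reused as a subdomain, and display names that advertise a different address than the one the mail actually came from.

```python
import re
from email.utils import parseaddr

# Domains the campaign actually uses. Constructed for this example.
TRUSTED_DOMAINS = {"example-campaign.org", "google.com"}

# Characters attackers substitute for Latin letters: digits and a few
# Cyrillic letters that render identically to a, e, o, p and c.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def normalize(domain):
    """Collapse confusable spellings so a look-alike compares equal to the real domain."""
    d = domain.lower().translate(HOMOGLYPHS)
    d = d.replace("rn", "m").replace("vv", "w")      # 'rn' reads as 'm', 'vv' as 'w'
    return re.sub(r"[^a-z0-9.]", "", d)              # drop hyphens and other punctuation


def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) for the value of a From: header."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "reject", "no usable address"
    domain = addr.rsplit("@", 1)[1]

    # 1. The display name shows one address while the mail really comes from another.
    shown = re.search(r"[\w.+-]+@[\w.-]+", name)
    if shown and shown.group(0).lower() != addr:
        return "mismatch", f"display name shows {shown.group(0)} but mail is from {addr}"

    # 2. Exactly a trusted domain, or a subdomain of one (mail.example-campaign.org).
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "ok", domain

    # 3. Look-alikes: confusable characters, small edits, or the trusted name
    #    reused as a subdomain or as part of the first label of another domain.
    norm = normalize(domain)
    for t in trusted:
        brand = t.split(".")[0]
        if norm == normalize(t) or edit_distance(norm, normalize(t)) <= 2:
            return "lookalike", f"{domain} imitates {t}"
        if domain.startswith(t + ".") or brand in domain.split(".")[0]:
            return "lookalike", f"{domain} uses the name {brand} but is not {t}"

    return "unknown", f"{domain} is not a campaign domain; confirm out of band"


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        "Jane Doe <jane@example-campaign.org>",
        "Jane Doe <jane@examp1e-campaign.org>",
        "IT Support <helpdesk@exarnple-campaign.org>",
        "Google Security <no-reply@google.com.account-verify.net>",
        '"jane@example-campaign.org" <jdoe4412@gmail.com>',
        "Jane Doe <jane@gmail.com>",
    ]
    for s in samples:
        verdict, reason = assess_sender(s)
        print(f"{verdict:9} {s}  ({reason})")
```

An "unknown" verdict is not a pass: a colleague writing from a personal Gmail account lands there, and that is exactly the case to confirm by phone before clicking anything.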

Don’t Click Links Or Attachments

If you’re not sure the message is legitimate, don’t click links or open attachments. The link may take you to a fake login page that steals your password, and the file may run malicious code on your device.

Instead, confirm with the supposed sender through a channel you already trust, such as a phone call or text to a number you have on file, not one given in the email.

Use A Password Manager

If you do mistakenly click a link to a fraudulent site that asks for your password, a password manager like LastPass can save you. It matches saved logins to the site’s domain, so on a look-alike domain it simply won’t offer your password. Treat that silence as the warning: if the manager doesn’t autofill a login it normally fills, stop and check the address instead of typing the password by hand. Web browsers including Chrome, Edge and Firefox have built-in password managers. Look for the little key icon in the address bar the next time you log into a site.

Qualified campaigns and state parties can get LastPass Teams for free through Defending Digital Campaigns.

Enable Multi-Factor Authentication

A security key (a small device that plugs into a USB port or taps against a phone), like those offered by Google or Yubico, or failing that an authenticator app, gives you an extra layer of protection. If you are tricked into entering your password on a fake login page, the attacker still doesn’t have your one-time code or your physical key. The two are not equal, though. A six-digit code can be relayed: a fake page that forwards your password and code to the real site within the same minute gets in. A security key cannot be relayed, because its response covers the web address the browser is actually on, and the real site rejects a response produced for a look-alike address. That is what makes security keys un-phishable. Someone trying to log in from a new device won’t get into the account unless they have the physical key and plug it in.

Defending Digital Campaigns has free security keys from Google and Yubico.
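Why the relay works against a code but not against a key, shown as a small simulation. This is an added example, not part of the original post and not the real FIDO2/WebAuthn protocol: an HMAC with a per-key secret stands in for the key’s public-key signature, the origins are made up, and the time step is fixed. What it keeps faithful is the one property that matters: the key’s response includes the origin the browser reports, and the real server checks that origin before accepting the login.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins: the campaign's real login page and an attacker's look-alike.
REAL_ORIGIN = "https://accounts.example-campaign.org"
FAKE_ORIGIN = "https://accounts.example-campaign-login.com"


class OtpApp:
    """Authenticator app: the code depends only on a shared secret and the time step.
    Nothing about it says which site it is meant for, so it can be relayed."""

    def __init__(self, secret):
        self.secret = secret

    def code(self, time_step):
        digest = hmac.new(self.secret, time_step.to_bytes(8, "big"), hashlib.sha1).digest()
        offset = digest[-1] & 0x0F
        return (int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF) % 1_000_000


class SecurityKey:
    """FIDO-style key (simplified): the response is computed over the challenge AND
    the origin the browser reports. A real key signs with a private key; HMAC here is a stand-in."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def assert_login(self, challenge, browser_origin):
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        tag = hmac.new(self.secret, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "tag": tag}


class Server:
    """The real login server. It knows the OTP secret and the key's verification secret."""

    def __init__(self, origin, otp_secret, key):
        self.origin, self.otp_secret, self.key = origin, otp_secret, key
        self.challenges = set()

    def verify_otp(self, code, time_step):
        return hmac.compare_digest(str(code), str(OtpApp(self.otp_secret).code(time_step)))

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def verify_assertion(self, resp):
        data = json.loads(resp["client_data"])
        if data["challenge"] not in self.challenges:
            return False
        self.challenges.discard(data["challenge"])          # one use per challenge
        if data["origin"] != self.origin:                   # the check that defeats the proxy
            return False
        expected = hmac.new(self.key.secret, resp["client_data"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, resp["tag"])


def phish_with_otp(server, app, time_step=12345):
    """Victim types the code into the fake page; attacker forwards it within the same time step."""
    stolen_code = app.code(time_step)
    return server.verify_otp(stolen_code, time_step)


def phish_with_security_key(server, key):
    """Attacker fetches a real challenge and relays it, but the victim's browser is on
    FAKE_ORIGIN, so that is the origin the key bakes into its response."""
    challenge = server.new_challenge()
    relayed = key.assert_login(challenge, FAKE_ORIGIN)
    return server.verify_assertion(relayed)


def legitimate_login(server, key):
    challenge = server.new_challenge()
    return server.verify_assertion(key.assert_login(challenge, REAL_ORIGIN))


def demo():
    """Run all three scenarios and report which logins the server accepted."""
    otp_secret = secrets.token_bytes(20)
    key = SecurityKey()
    server = Server(REAL_ORIGIN, otp_secret, key)
    return {
        "otp_relayed": phish_with_otp(server, OtpApp(otp_secret)),
        "key_relayed": phish_with_security_key(server, key),
        "key_legit": legitimate_login(server, key),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:12} login accepted: {accepted}")
```

The app code is still far better than a password alone, since a leaked password by itself no longer works. The difference is that a code protects you only until an attacker builds a page that relays it in real time, while the key protects you even then.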

Conclusion

There’s no doubt that campaigns are prime targets for phishing. You can’t stop the emails from reaching you, but with a few simple precautions and good judgment, you can keep them from working.

This post was sponsored by Defending Digital Campaigns. Their support helps keep Best Practice Digital free for our readers.
