The final sprint of the campaign is underway! Campaign managers, staff, and volunteers are bracing for the intense days ahead, with all eyes on the countdown clock as Election Day approaches. The singular focus now is on securing a victory.

As we approach the final stretch of the election season, it's not just campaigns pushing hard toward the finish line. Bad actors seeking to interfere with or disrupt our elections are also ramping up their efforts. While campaign staff are understandably focused on the goal ahead, it's crucial they don't lose sight of potential cybersecurity risks. Campaign managers, staff, and anyone associated with the campaign need to stay vigilant and take basic protective measures now to safeguard against these threats. 

Risk #1 Bad Actors Compromising Accounts via Phishing and Spear Phishing

The recent spear phishing attack on Trump's campaign and the attempted attacks on Biden's campaign (before Harris became the nominee) serve as stark reminders that nation-states are actively on the prowl this election season. Every campaign faces the significant risk of infiltration aimed at stealing information for potential release or conducting espionage. While most computer users have become savvy about broad-based phishing attempts, like emails claiming "your package is delayed," spear phishing poses a more insidious threat. Spear phishing is a targeted approach that exploits compromised accounts of individuals known to the email recipient. These could be vendors, family members, donors, close advisors, or associates of the candidate – people the recipient trusts as legitimate sources. Such emails might contain malicious links or attachments, or request sensitive information. The familiarity of the sender often lowers the recipient's guard, making these attacks particularly dangerous.

Prevention: Implement the strongest available multifactor authentication methods. This includes using security keys (available free to DDC-eligible campaigns), enrolling in Google's Advanced Protection Program (which can also be activated with a Passkey), or utilizing Microsoft Account Guard. These robust security measures are offered at no cost to campaigns and high-risk users, providing an essential defense against sophisticated phishing attempts.

Risk #2 Campaign Funds Stolen 

American political campaigns are lucrative targets for cybercriminals, who are well aware of the substantial funds involved. While some incidents like the $2.3 million theft from the Wisconsin GOP in 2020 have been publicized, many others go unreported. 

These criminals exploit the fast-paced nature of campaign environments, often using spear phishing tactics to execute their schemes. They typically compromise a third party (usually a vendor) or create a convincing fake email that closely resembles one from a campaign leader, sometimes even spoofing a personal account. Their approach often involves a fraudulent invoice demanding immediate action. 

If the email appears to come from a vendor, it might claim that payment is overdue and threaten to halt essential services like radio ads or mailers, or offer an enticing discount for quick payment. When masquerading as campaign leadership, the message might urgently request payment, stating something like, "I promised we'd pay this today, please pay ASAP!" These tactics capitalize on the pressure and quick decision-making inherent in campaign operations.

Prevention: Ensure campaign staff are trained to be vigilant about any communications requesting payments. Establish a protocol to always verify directly with the source of the email through a separate, known email address or via phone call. Instruct staff processing payments to consistently double-check routing numbers to prevent misdirection of funds. As emphasized previously, implementing strong authentication measures across all systems is crucial. These practices create a robust defense against financial fraud attempts.

Risk #3 Website Attacks

Websites are easy targets for hacktivists and nation-states. There is clear evidence that candidates and committees are highly targeted around elections. A recent blog published by one of DDC's partners, Cloudflare, shows the increase in attacks around elections in France and the Netherlands just this past July. Similar increases in attacks have happened around US elections as well. Bad actors look to deny access to websites (Distributed Denial of Service Attacks or DDoS), make content changes, or deface websites with objectionable content. If you get complaints from supporters about your site being down or content that doesn’t make sense, you have been compromised.

Prevention: Cloudflare offers Cloudflare for Campaigns for DDC eligible campaigns and free protection from DDoS attacks for any website. Google offers Project Shield, similar DDoS protection for high-risk organizations and campaigns. Use the strongest multifactor authentication available on all content management systems.

Risk #4 Social Media Hijacked

Social media presents multiple risks for campaigns in the 2024 election cycle. Key concerns include the spread of inauthentic content about candidates or their stances, and impersonation of candidates or campaigns to phish supporters, potentially leading to financial or personal data theft. Recent reports have also highlighted the circulation of fake celebrity endorsements. Additionally, there's a significant risk of compromising social media accounts belonging to campaign staff, vendors, or others who manage the campaign's online presence, potentially leading to account hijacking.

Prevention: DDC eligible campaigns can implement Doppel to safeguard their social media presence. Meta offers Facebook Protect at no cost, providing advanced security measures for high-risk users in the political sector (contact DDC for assistance). It's crucial to employ the most robust forms of multifactor authentication across all accounts to prevent unauthorized access by malicious actors.

It’s never too late to address your concerns about risk and strengthen your cybersecurity posture. Learn more about DDC eligibility and information on free tools for every campaign and organization.

Michal Kaiser
President and CEO
Defending Digital Campaigns