Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

U.S. Election Administrators Failed to Implement Phishing Protections: Study

A majority of election administrators in the United States have yet to implement cybersecurity controls designed to provide protection against phishing attacks, a new Area 1 Security report reveals.

A majority of election administrators in the United States have yet to implement cybersecurity controls designed to provide protection against phishing attacks, a new Area 1 Security report reveals.

Phishing, a type of cyber-attack where the victim is tricked into performing an action that eventually results in malware infection, data loss, or theft of credentials or money, has reportedly been involved in over ninety percent of the data breaches worldwide.

The U.S. elections have been targeted by phishing as well, with examples including attacks against election-sensitive organizations in 2016 and 2018, and phishing attempts targeting the current 2020 election cycle.

Looking to evaluate the email protections and controls that election administrators have implemented, Area 1 Security has analyzed 10,000 state and local election administrators’ susceptibility to phishing, and it has discovered that more than half of them use rudimentary or non-standard technologies for phishing protection.

The study also discovered that roughly a third (28.14%) of election administrators have basic controls to prevent phishing and that less than one-fifth of them (18.61%) use advanced anti-phishing controls.

According to the report, 5.42% of the election administrators use personal email addresses. Others independently manage their own custom email infrastructure, some using versions of the Exim mail server that are known to have been targeted in cyber-attacks.

Area 1 Security rates the implemented anti-phishing controls as advanced (when an independent email security service is used on top of cloud email controls), basic (cloud provider’s email controls only), limited (rudimentary cyber-security controls), non-standard (own email control based on open source software), and non-standard personal (use personal email/controls for personal email).

The rating system only takes into consideration publicly observable email security controls, but not additional internal controls that improve security but do not prevent phishing, business email compromise (BEC), or credential harvesting attacks. SPF, DKIM and DMARC policies are not taken into consideration either.

“Having robust DMARC policies ensures that organizations are protecting their brand and domain for outbound emails; but is insufficient and ineffective against inbound phishing attacks. We recommend that all organizations widely adopt and enforce DMARC policies as a matter of cyber-security hygiene,” the security firm notes.

In its report, which includes security ratings for election administrators in every U.S. county, Area 1 Security recommends that election administrators cease using Exim, especially in light of recently targeted vulnerabilities, or at least ensure that it is up to date. It also recommends the use of cloud email infrastructure and refraining from using personal emails for the administration of elections.

Related: U.S. Government Warns of Continuous Election Meddling Efforts

Related: Democrats ‘Gravely Concerned’ Over Foreign Interference in US Vote

Related: Threat to US Elections Not Limited to Russia in 2020

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...