Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

U.S. Election Administrators Failed to Implement Phishing Protections: Study

A majority of election administrators in the United States have yet to implement cybersecurity controls designed to provide protection against phishing attacks, a new Area 1 Security report reveals.

A majority of election administrators in the United States have yet to implement cybersecurity controls designed to provide protection against phishing attacks, a new Area 1 Security report reveals.

Phishing, a type of cyber-attack where the victim is tricked into performing an action that eventually results in malware infection, data loss, or theft of credentials or money, has reportedly been involved in over ninety percent of the data breaches worldwide.

The U.S. elections have been targeted by phishing as well, with examples including attacks against election-sensitive organizations in 2016 and 2018, and phishing attempts targeting the current 2020 election cycle.

Looking to evaluate the email protections and controls that election administrators have implemented, Area 1 Security has analyzed 10,000 state and local election administrators’ susceptibility to phishing, and it has discovered that more than half of them use rudimentary or non-standard technologies for phishing protection.

The study also discovered that roughly a third (28.14%) of election administrators have basic controls to prevent phishing and that less than one-fifth of them (18.61%) use advanced anti-phishing controls.

According to the report, 5.42% of the election administrators use personal email addresses. Others independently manage their own custom email infrastructure, some using versions of the Exim mail server that are known to have been targeted in cyber-attacks.

Area 1 Security rates the implemented anti-phishing controls as advanced (when an independent email security service is used on top of cloud email controls), basic (cloud provider’s email controls only), limited (rudimentary cyber-security controls), non-standard (own email control based on open source software), and non-standard personal (use personal email/controls for personal email).

The rating system only takes into consideration publicly observable email security controls, but not additional internal controls that improve security but do not prevent phishing, business email compromise (BEC), or credential harvesting attacks. SPF, DKIM and DMARC policies are not taken into consideration either.

“Having robust DMARC policies ensures that organizations are protecting their brand and domain for outbound emails; but is insufficient and ineffective against inbound phishing attacks. We recommend that all organizations widely adopt and enforce DMARC policies as a matter of cyber-security hygiene,” the security firm notes.

In its report, which includes security ratings for election administrators in every U.S. county, Area 1 Security recommends that election administrators cease using Exim, especially in light of recently targeted vulnerabilities, or at least ensure that it is up to date. It also recommends the use of cloud email infrastructure and refraining from using personal emails for the administration of elections.

Related: U.S. Government Warns of Continuous Election Meddling Efforts

Related: Democrats ‘Gravely Concerned’ Over Foreign Interference in US Vote

Related: Threat to US Elections Not Limited to Russia in 2020

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...