With the 2020 US presidential election only 12 months away, a new survey of registered voters suggests email security against phishing attacks could be a make-or-break issue for candidates—and for our democracy.
The online survey of 803 registered voters in the United States was conducted from October 10-16 by our internal research team, the Agari Cyber Intelligence Division (ACID). Its goal was to gain insights into voter awareness, trust, and perceptions of campaign email communications and related phishing attacks.
Recent reports that North Korea, Iran and Russia have launched more than 2,700 phishing attacks against presidential campaigns and other high-value targets have made one thing abundantly clear. Cybercriminals and state-sponsored threat actors are actively seeking to derail political enemies, defraud voters, and undermine US democracy. Again.
What the survey reveals about voter sentiment suggests that achieving those goals may be far easier than many in the US may imagine.
The damage done by hackers who infiltrated the Democratic National Committee’s email servers cannot be overstated. According to our survey, 30% of registered voters believe the impact of weaponized emails stolen from those servers was enough to change the outcome of the 2016 election.
What’s more, just over seven in ten registered voters are either somewhat or very concerned about this kind of foreign interference in the 2020 election. That includes 90% of registered Democratic voters, as well as 55% of registered Republican voters.
More troubling is that over two-thirds (69%) of all voters—including 91% of registered Democrats and 44% of registered Republicans—see such transgressions as a threat to our democracy. Even the whiff of campaign email breaches could undercut faith in the entire electoral process and delegitimize the outcome.
Consternation over 2016 may also dampen campaign fundraising and voter turnout efforts. Threat actors who successfully infiltrate or spoof campaign email accounts, for instance, can impersonate candidates or key staff members in fraudulent emails targeting donors, voters, or the press.
Sixty-one percent of voters in our survey say that receiving a phishing email would prevent them from donating to a presidential candidate’s campaign, while another 18% said they’d have to reconsider. With an average ROI of $38 for every $1 spent, email is a digital channel no campaign can afford to see hobbled due to drops in deliverability rates or recipient apprehension about opening, much less acting on, what purport to be appeals made by campaigns.
Factor in the dissemination of fake news or policy positions from spoofed or hijacked email accounts, or successful breaches of state election systems, and the threat grows more pronounced.
The only thing that seems to have changed since 2016 is the sophistication of new email attacks.
Russia and North Korea are targeting organizations that work closely with presidential candidates instead of just the campaigns themselves according to The New York Times. In addition to gaining access to sensitive emails, polling data, or other sensitive information, launching phishing attacks from the email accounts of known and trusted individuals and organizations only increases the likelihood a campaign will be breached or defrauded.
Yet this year’s presidential campaigns continue to struggle with woefully inadequate email security. This is mostly due to the fact that few candidates have dedicated staff or resources to deploy the defenses this critically important communications channel requires. But even despite stepped-up support from the FBI, Homeland Security, and other federal agencies in beefing up security against phishing and other cyberattacks, not enough progress has been made.
In fact, only one of the 13 candidates currently polling above 1%—Senator Elizabeth Warren (D, MA)— has implemented the necessary precautions to prevent attacks on campaign staff, donors, voters, the press and others, according to our 2020 Election Security Tracker.
Four others, including former Vice President Joe Biden and Senators Corry Booker (D, NJ), Tulsi Gabbard (D, HI), and Kamala Harris (D, CA) have implemented protections against email scams impersonating the candidate or their campaigns. And former Massachusetts governor William Weld (R) is the only other candidate to implement solutions to protect campaign staff from inbound email attacks.
The other seven top presidential contenders, including incumbent Donald J. Trump, remain wide open to attacks targeting campaign workers, donors, voters, news media, and foreign governments against fraud. In the event of another razor-thin election, insufficient email security could cost candidates big.
And forget victim or beneficiary here—simply being hacked could be a deal-breaker in this election cycle.
A staggering 60% of voters in our survey say that a successful email attack would lead them to not vote for a candidate, or question doing so. This is particularly the case for younger Democratic and non-affiliated voters, who have been a crucial voting bloc for the party’s candidates. Those least likely to change voting behavior over a successful phishing attack are Republican men over the age of 44.
Across all demographic cohorts, 8% report they would not vote for a candidate who falls prey to phishing, while 18% say they’re unsure. Another 34% say they might still vote for the candidate, but only after doing more research about the impact of the hack.
So far at least, the Warren campaign deserves kudos for taking email security seriously. Considering the stakes for their presidential ambitions, their campaigns, and their country, we’d all better hope the remaining candidates start doing the same.
For full results from our survey on email security, phishing, and Election 2020, download the full report 2020 Election Security: How Confident Are Voters?.