Campaign Cybersecruity

How to Avoid an Email Phishing Attack to Your Campaign

November 21, 2017 By Patrick L. Burns Leave a Comment

7 Ways to Keep Your Campaign Safe from an Email Phishing Attack

Cyber security is an issue of critical importance to political campaigns at all levels in the wake of the hackings of the 2016 election. Both the Republican and Democratic parties have faced challenges and are making significant investments to help prevent hacking in the 2018 election cycle. Some of the most significant recent cyber security failures in politics were a result of an email phishing attack. These include the hacking of the Hilary Clinton Campaign’s Chief of Staff John Podesta’s emails during the 2016 election and the hacking of the Marcon campaign before the French Presidential Election.

While we’ve written about the importance of political campaigns securing their websites and provided tips for how to keep social media accounts safe, we think it important to provide tips on how to avoid an email phishing attack to your campaign.

What is phishing? Phishing involves the use of fraudulent emails and copy-cat websites to trick you into revealing valuable personal and organizational information — such as account numbers for banking, credit card and donation platform accounts and the key login IDs and passwords you use when accessing these accounts. When hackers go on phishing expeditions, they lure their targets into a false sense of security by hijacking the familiar, trusted logos of established, legitimate companies such as Google, Facebook and Apple. A typical phishing scam starts with a fraudster sending out millions of emails that appear to come from a high-profile company in the hopes of getting folks to inadvertently click. In some cases they are specifically targeting your campaign. Phishing is one of the most popular methods of attack for cyber criminals. There has been a tenfold increase in phishing campaigns over the past decade reported to the Anti-Phishing Working Group (APWG).

Here are some tips for how to avoid email phishing attacks:

Learn Common Traits of Phishing Emails: There are some common content traits to phishing emails that can help you in recognizing them. Many are poorly written and contain spelling errors. Phishing emails often use spammy words such as “free’, ‘profits’, ‘no fees’ to promote offers. Many contain urgent in the subject line and threaten the loss of an existing account. These emails often have no personalization field for the recipient and contain no email signature for the sender. Finally, phishing emails often contain fake logos and poor structure. Be weary of logos of poor quality or an email message whose header and footer content looks different from the usual content you receive from a company.

Pick Up the Phone to Verify: If you receive a request for personal or financial information over email do not respond. Pick up the phone and call the company yourself using a number in your rolodex, not the one the email provides. Hackers use pressure tactics and prey on people’s fears by noting the urgency of the matter. If you have reason to believe that a company needs personal information about you right away, pick up the phone and confirm it. As a general rule, you should never share personal or financially sensitive information over the internet.

Do Not Click : Do not click on the link provided in an email provided by a company requesting personal or financial information. Type the URL into your web browser yourself or use a bookmark you previously created. Hackers can mask the true destination of a URL, even though a URL may look real in an email.

Verify a Site’s Security: Before ever submitting any personal or financial information to a website make sure the site’s URL begins with “https” and there is a closed lock icon near the address bar. Check for the site’s security certificate as well. If you get a message stating a certain website may contain malicious files, do not open the website. Never download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage which offers low cost products. If the user makes purchases at such a website, the credit card details will be accessed by cyber criminals. Be wary of pop-ups. Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts.

Keep Your Browser Up to Date: Security patches are released for popular browsers in response to security loopholes that phishers and other hackers discover. When an update for your browser is available, download and install it.

Keep Anti-virus Software Updated: Use antivirus software and be sure to keep your software up to date and enable spam filters. Antivirus software guards against known technology workarounds and loopholes. Anti-spyware and firewall settings should be used to prevent phishing attacks and users should update the programs regularly as these updates are made to counter new scams. Firewall protection stops access to malicious files by blocking the attacks. Antivirus software scans every file which comes through the internet to your computer and prevents damage to your system.

Periodically Check Your Accounts: Be sure that you are reviewing campaign banking, credit card and donation platform accounts daily to check for irregularities in your online transactions.

Need more help?

How to Secure Your Campaign Social Media Accounts Immediately

October 23, 2017 By Patrick L. Burns Leave a Comment

4 Ways to Keep Your Campaign Social Media Accounts Safe

In the wake of hackings in the last election cycle of 2016, the issue of cyber security and political campaigns has come to the forefront. Both the Republican National Committee and the Democratic National Committees are making significant investments to help prevent hacking in the 2018 election cycle. However, every day new data breaches and hackings are announced. Just recently a Republican phone polling firm announced a hacking that involved the compromise of hundreds of thousands of GOP donors personal information. The hacking of the Democratic National Committee in the 2016 election is well documented in the media. Cyber security is an urgent issue for campaigns, parties and candidates at all levels. We’ve written about the importance of a WordPress Maintenance program for campaign websites. But equally important is the securing of campaign social media accounts which are often the gateway upon which hackers enter campaigns and cause havoc.

How can you keep your campaign social media accounts safe? Here are 4 security tips to implement now.

Strong Password Management

In analysis of passwords by security companies, “1234” and “password” remain the two most popular passwords. Strong passwords are one of the only things that stand between your campaign’s social media accounts and hackers. Weak passwords are often created and unchanged in order that they are easily remembered by staff. While this is understandable, investing in a password manager such as Last Pass or 1Password is critical to keeping your passwords strong, safe and secure. These tools make it easy to create strong passwords through a random password generator and stores them in an encrypted vault. They also take away the hassle of continuously logging in. A password manager ensures your passwords are strong and changed frequently and not misplaced. You want to keep the hackers guessing, and managing your passwords on a consistent basis is the best way to do it.

In addition to proper management of your passwords in a password manager, be sure that you use different emails than your campaign email to sign up and manage your social media accounts. If possible utilizing different emails for different accounts ensures, that if one email is hacked into, not all of your social media accounts are compromised.

Limit Access to Your Social Media Accounts

Controlling access to your campaign social media accounts is vital. Limit access to your social media accounts to as few people as possible. Manage your social media accounts through a management system like HootSuite or Buffer. These systems allow you to grant access to social media accounts to staff without disclosing sensitive account information such as security and privacy settings. You can also limit which social media accounts that they have access too.

If you have a large team posting for you, consider narrowing it down. Consider asking your social media team to send posts, written text and graphics to a special inbox or Dropbox and let one person have access to the actual accounts. In the rough and tumble word of politics and campaigns, don’t give full access to accounts to anyone without great consideration. Unfortunately, hackers don’t always come from the outside, but can be a rogue or disgruntled former staff member.

Be sure that you have a software such as LogDog that alerts you before a social media account is compromised through its scanning for a variety of unauthorized-access indicators. Its alerts allow you to take back control of your social media accounts quickly.

Two-step Authentication

Two-step (two-factor) authentication protects your accounts by requiring users to provide an additional piece of information after they enter the password to get into your social media account. The most common method of two- step authentication occurs over text messaging via cell phone. After putting in the password correctly, the social media platform will send out a specific code to the cell phone number on file. That code is then entered to log into the social media account. By enabling two-step authentication and having a particular code and cell phone number on file for your social media account, it is less likely to be hacked even in the event that someone gains access to your password. When two-step authentication is in place, if a social media account is accessed from an unknown device or IP address, the administrator will automatically get an alert notifying them of an unauthorized attempt to access the account.

The most popular social media platforms such as Facebook and Twitter offer two-step authentication and instructions for locking down the accounts. Most of the other social media platforms work basically the same way with a little nuance to each.

Two-step authentication is one of the best ways to make sure your accounts aren’t compromised.

Manage Your Privacy Settings

Be sure that you check the security and privacy settings for all of your social media accounts on a routine basis. These settings help you to manage your online experience on these platforms. For example, Facebook’s privacy settings allows you to control who sees what you post from your account and customize your default settings for posts. As a campaign, there may be posts you would prefer you weren’t tagged in. With Facebook’s Tag Review and Timeline Review options, you can decide if you want a post to be published prior to it showing up on your timeline.

Facebook, Twitter, Instagram, and other social networks adjust their privacy policies and security settings frequently. The platforms update these policies to keep your profiles secure. Keep up to date and follow all the new privacy and security policy changes on a regular basis. Enabling these policy changes may make life more difficult for the next person who tries to hack your campaign.

Need more help?

We offer social media training for candidates and campaigns, including in the area of security. Contact us here or via Facebook Messenger. Or sign up for our newsletter to get the latest tips here.

WordPress Maintenance Is Important for A Secure Campaign Website

July 22, 2017 By Patrick L. Burns Leave a Comment

Reliable WordPress Maintenance Keeps Your Site Safe

Since even before the movie War Games in 1983 with Matthew Broderick, cyber security has long been a concern for governments, corporations and small businesses. However, in the last election cycle of 2016, the issue of cyber security and political campaigns came to the forefront. With hacking of the Democratic National Committee in the 2016 election, the hacking of the Marcon campaign and release of emails days before the French Presidential Election, and the breach of millions of voters’ data by a contractor for the National GOP, cyber security has become a critical, timely and urgent issue for campaigns, parties and candidates at all levels. While education and training for staff regarding two-step authentication of third-party systems and avoiding phishing attacks are all important for a campaign’s cyber security, a WordPress Maintenance program is a vitally important way to keep local campaigns and county political parties from being hacked and is often overlooked usually to the peril of those organizations involved.

The majority of local campaign and party websites are built on the WordPress platform. In fact, over 28% of the world’s websites are built on WordPress. This includes big brands like Disney, Sony, and The New York Times just to name a few. There’s a reason for this – WordPress is simply the best content management system out there. Its ease of use, functionality and affordability make it of one of the best CMS systems for the fast paced world of campaigns and elections. There are so many themes and plugins for WordPress that enable folks to create awesome websites with little or no hard coding involved. The open source community of WordPress, which includes the developers of the many themes and plugins for WordPress websites, is a treasure trove of resourceful information and can serve as a guide for web designers through any questions and problems that they may encounter in creating a WordPress website.

However, new versions of WordPress and the plugins and themes integrated with the platform are constantly being issued. For busy political operatives, state legislators, and county party officers, finding the time to do routine WordPress website maintenance is not easy. In a preliminary analysis of local campaign and county party sites across the country, it was found that many have outdated WordPress versions and are vulnerable.

Outdated versions of WordPress core, themes, and plugins can result in potential hacking. According to quarterly reports from the security company, Sucuri, three out of four websites hacked in 2016 ran the WordPress platform with 25% of these sites having the plugins TimThumb, GravityForms, and RevSlider. According to Sucuri, a majority of these hacked sites were running outdated versions of WordPress and the popular plugins. The majority of Word Press core, theme and plugin updates have to do with patching security vulnerabilities. WordPress and theme and plugin developers are always striving to make their products better and improve their features with new versions, but security is a paramount issue and dominates new releases.

Political hacking is on the upswing and WordPress sites are the most vulnerable when not updated. A WordPress maintenance program that provides updates to your site on a routine basis is affordable and the best way to avoid hacking. A WordPress maintenance program is proactive, smart and provides peace of mind.

A safe, secure, and fast performing campaign website is vital to being able to raise awareness about your campaign’s message to voters, donors, and potential volunteers and grassroots supporters. It is crucial in achieving your subscriber, volunteer, fundraising and electoral goals. In today’s new paradigm of electoral hacking, a WordPress maintenance program is an easy way to keep your site intact, free from danger and a quick read for viewers.

What should a WordPress maintenance program entail? A couple of key things should be provided by your vendor. First and foremost your agency should be accessible by phone and email and provide customer service that answers technical questions, provides prompt bug fixes and enhancements, and is willing to communicate with your website’s hosting provider when there is an issue. The agency should also do daily backups of your website files and database that are independent of the back ups that are done by your hosting provider. WordPress core and your site’s plugins and themes should be regularly updated to the latest version. Real time up-time monitoring and security scanning should also be provided along with regular site speed and performance testing. Your vendor should also do regular site optimization through the cleaning of your database and any post revisions. Finally, a monthly analytics and performance report that includes minor design and content update recommendations to help you achieve your subscriber, volunteer, fundraising and electoral goals should be provided.

Interesting in learning about our WordPress website maintenance program for campaign websites? We have experts who have been tested in the crucible of political campaigns, public service, technology and digital. Our passion and experience in WordPress website development and maintenance makes us the right choice for any political campaign. Contact us here or via Facebook Messenger now.

How to Avoid an Email Phishing Attack to Your Campaign

7 Ways to Keep Your Campaign Safe from an Email Phishing Attack

WordPress Maintenance Is Important for A Secure Campaign Website

Reliable WordPress Maintenance Keeps Your Site Safe

Our Location

Let’s Work Together

Connect with Us