BEC and phishing targets local election candidate (me!)

Thursday 3 October 16:30 - 17:00, Red room

Andrew Brandt (Sophos)

During the so-called "off-year" 2023 election cycle in the United States, I ran for elected office in my hometown. In the month prior to the election – about one year to the date prior to this conference – my election campaign was targeted with a very unsophisticated BEC attack, followed by a quite sophisticated phishing attack. Other candidates who were running in the same election also received BEC emails, but fortunately, none were victimized.

So, of course, I began an investigation into the attacks against my own campaign.

This presentation will focus on both attacks as examples of the kinds of phishing that target election campaigns at all levels. BEC attacks targeting election campaigns have resulted in dramatic losses – according to Defending Digital Campaigns, one candidate for office in 2022 had more than $300,000 stolen from their accounts as a result of a BEC attack.

In many ways, political campaign operations are akin to small startup businesses: they move fast, and often have to communicate with a variety of outside organizations for the first time. Campaigns move quickly, and few candidates have cybersecurity chops, so urgent calls for action that would set off a red flag in a large enterprise might elude a candidate or campaign staffer's Spidey Sense.

I will dissect the attacks in order to determine a set of general principles that candidates everywhere should apply to protect themselves and their campaigns from phishing attacks. The phishing campaign, in particular, used some sophisticated new tools that made the attack quite convincing. I will drill down into how that attack worked, and what I did to prevent the attackers from leveraging the same tools in future phishing attacks.

Back to VB2024 Programme page

Back to VB2024 conference page

Register for VB2024

Other VB2024 papers