Online crooks, Russian spies or maybe both are using fake voter-registration emails to cajole personal details such as names, addresses, dates of birth and Social Security numbers out of American voters eager to take part in the upcoming U.S. general election.
That's the word from KnowBe4, a firm that provides awareness training against phishing attacks and other security issues.
- Windows 10 scam promises free upgrade — avoid this now
- The best identity theft protection to keep your personal data safe
- New: Google Pixel 5 just got a lot more appealing — here's why
"Your Arizona voter's registration application submited has been reviewed by your County Clerk and some few details couldnt be comfirmed," reads a sample email included inn a KnowBe4 blog posting. "Please recomfirm details to allow for processing which may take up to two days to reflect in the system."
That's followed by a helpful link stating "You may reconfirm application here."
Lindsey O'Donnell at Threatpost pointed out that the lousy spelling, grammar and punctuation ought to be a tip-off that this is a phishing email. But sometimes that just helps phishers weed out the smart people.
The email looks like it's coming from the U.S. Election Assistance Commission, a real federal agency set up to help states administer elections in the wake of the 2000 Florida hanging-chad debacle.
Yet the link goes to a fake version of Service Arizona, the official website of the Arizona motor vehicle department, which does have a voter-registration section.
The fake site asks for everything an identity thief would need to steal your identity: your name, mailing address, date of birth and Social Security number, plus your email address and driver's-license information. (The real Service Arizona site asks only for the last four digits of your SSN.)
How to avoid this phishing scam
Needless to say, if you get a similar email that seems to come from the U.S. Election Assistance Commission or a related agency, be very careful. Call the agency in question to confirm it's real instead of clicking on the embedded link.
If you do click on the link, check the website address, and don't carry out this business on a phone or tablet. And don't ever give out your full Social Security number to anyone who asks — only your employer and the IRS needs to know that.
Oddly enough, KnowBe4's Eric Howes wrote, the email sample was submitted by a KnowBe4 user in Kenosha, Wisconsin, "a locality that has been in the news recently due to widely reported civil unrest in the area."
Like Arizona, Wisconsin is a "battleground" state that the presidential candidates are fighting to win. That fact led Howes to speculate that this might not just be a mere phishing email.
"Given the election angle," he wrote, "we cannot ignore the possibility that this phish may be part of an attempt by parties unknown to intervene in the election, either by seeding confusion and chaos in the election process or engaging in some form of election fraud."
