Three separate “coordinated” phishing attempts targeted elected officials across at least nine states in October, the FBI said Tuesday. The first event came on Oct. 5 when unidentified attackers used two email addresses, one from the compromised account of a government official, in an attempt to collect the login credentials of elected officials. Less than two weeks later, two similar phishing attempts appeared from email addresses linked to US businesses.
In each case, the cyberattackers sent an email posing as an invoice with an attachment disguised as a PDF or Microsoft Word document that, once opened, would redirect users to a credential-harvesting website. Clicking the bogus links could have resulted in malware attacks or given hackers access to private data.
The FBI didn’t disclose which states or officials were targeted, whether any of the cyberattacks were successful, or whether sensitive information was compromised. Though the cyberattacks occurred nearly six months ago, the FBI is warning state and local government officials that the threat is still very real heading into the 2022 election season.
In response to the threat, the FBI recommends companies and government officials implement a number of preventative security measures, including educating employees on how to identify phishing attempts, creating protocols for employees to report suspicious emails and requiring all accounts with password logins to have strong, unique passphrases.
The FBI didn’t immediately respond to a request for comment.