Research by the email threat protection firm Agari revealed that the 2020 US presidential campaigns are following poor email security practices. It was found that several major party candidates contending in the 2020 elections are failing to implement proper DMARC policies and are putting their donors and voters in jeopardy.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) policies protect users from potential phishing and fraud attacks. According to the Department of Homeland Security, setting a DMARC policy of 'REJECT' can help enhance overall email security and will provide immunity against spoofed emails.
“It is our full expectation that the cyber attacks against the 2020 U.S. presidential candidates will be more aggressive than we've seen before because these attackers continue to move away from content-based techniques and towards identity-based attacks, which many cybersecurity technologies cannot detect,” said Armen Najarian, Agari's Chief Marketing Officer.
The research by Agari found that only 4 out of the 13 presidential candidates were employing the REJECT policy in DMARC; this meant that the remaining 9 candidates' supporters and donors were vulnerable to phishing attacks. It also found that advanced email security measures such as Advanced Threat Protection and Secure Email Gateways for both Google Suite and Microsoft Office 365 weren't being implemented by the candidates.
Elizabeth Warren and Bill Weld were the only presidential candidates to employ the advanced email protection for their campaign emails. It was revealed that Warren had the right configuration of advanced safety measures and stood out as the most secure one out of the 13 candidates.
Ironically, despite having advanced email protection, Bill Weld's campaign does not have a DMARC Reject policy in place, making his donors and voters prone to email spoofing and phishing attacks.
“Only one candidate has completely secured her campaign against the types of email threats that will harm campaign staff, potential donors, and the public. Other candidates should also implement these controls to protect themselves against data breaches and impersonation scams,” said Agari.
However, there is good news: a new ruling by the US Federal Election Commission gave privately held email security companies the green light to offer their services to election campaigns at little to zero cost.