In the weeks leading up to the midterm elections, two public service announcements issued by the FBI and CISA warned of potential threats to election integrity and attempts to undermine faith in election results.
One alert aimed to instill confidence in the election process, stating that “cyber activity against election infrastructure is unlikely to disrupt or prevent voting.” The second warned of attempts to “spread disinformation in the lead up to and after the 2022 midterm elections” in order to “influence public opinion on the elections’ legitimacy.”
We saw these warnings of misinformation come to fruition as rumors of election fraud skyrocketed on Twitter in the days before and after the election, largely parroted by bots. And now, as the votes are still being counted in Arizona and Nevada, conspiracies relayed on right-wing platforms like Truth Social and Gab are making their way into the mainstream discourse. Former President Trump is also vocalizing his belief in such conspiracies, equating minor technical mishaps involving printer ink in Arizona to election fraud.
The FBI and CISA were attempting to be proactive in their announcements, building confidence in election integrity before disinformation could gain traction. Their primary piece of advice, which will be familiar to any reader of CPO Magazine, was the recommendation to “seek information from trustworthy and reputable media and social media sources.”
Good advice, but doesn’t it seem like circular reasoning? If trustworthy, reputable information is what you seek, then find a source of trustworthy, reputable information. Who’s the arbiter of repute here, and, anyway, is the public really looking for an official referee? Maybe not, considering the short-lived tenure of Homeland Security’s Disinformation Governance Board. Regardless, the U.S. government is confident that no attack could have compromised election infrastructure without being detected.
However, we still saw attempts to tarnish the reputation of the midterm election results.
The sphere of control in cybersecurity
The FBI and CISA say that attempts to manipulate votes at scale would be difficult to conduct without these efforts being detected. Of course, no system can be 100% secure, and the agencies are not making any such claim. There are numerous factors that, unfortunately, no election organization can control. These include:
- Desire on the part of nefarious individuals to create false information with the intent to deceive
- The susceptibility of the intended audience to disinformation
- Efforts by people to spread disinformation, with or without malicious intent
You probably can’t control the first two items, although efforts to provide more media literacy education for grades K through 12 might help with number two. And of course, once disinformation is recognized as such, action can be taken to slow its spread, though deciding when and how to take that action can be fraught with difficulty.
Readers of this magazine have no doubt heard now for years that the “perimeter” for cybersecurity has been shifting, perhaps even dissolving. This is not only true for election security but for general enterprise cybersecurity as well. Deliberate attempts to mislead, to engage in social engineering, and to impersonate people and organizations with malicious intent are on the rise, whether the goal is to interfere with elections or attack specific businesses.
What does this mean for your brand?
I recently participated in a panel discussion with a CISO at an investment company that manages $13 billion in assets. The CISO described a rash of impersonations of the company’s brand across social media and the web. According to this CISO, the most significant vector of attack was aimed at the trust and confidence in the company’s brand.
Criminals targeted this organization through fake social media accounts impersonating the company’s individual investment advisors. Using their names, professional details, and pictures, criminals created a fraudulent website impersonating the individual broker. These sites also included falsified information from the FINRA BrokerCheck system to lend additional credibility to the deceptive site.
Just as a scammer might purport to be fundraising for a political action committee and then pocket any donations, bad actors impersonate brokers from a respected investment firm. The disguised fraudster reaches out to targets with investment opportunities that will never pay out. They direct the victim to a fake website where the attackers will seek to steal credentials, identity information, and ultimately money.
The CISO continued: “If your brand is being used in a scam that steals from people, then those people are associating that activity with your brand, even if it’s beyond your control. And that’s huge. Suddenly your brand name is being ruined.”
Ensure your trademarks are in order
Political candidates need to register their campaigns with election officials, primarily to ensure compliance with campaign finance laws. However, it also lends credibility to the campaign. Even so, citizens shouldn’t simply hand over money to just any person or organization that claims to be running for office or supporting someone who is.
For example, “scam PACs” pose as legitimate political action committees but simply pocket victims’ donations. It makes sense to check that the requester is “official,” that they’ve registered themselves with the proper federal, state, or local authorities. Donors should also check that any solicitations are actually from the campaigns they claim to be from.
Companies should similarly register any trademarks for their brand names and logos. Failure to do so makes enforcement against spoofs and infringements more difficult and time-intensive. Some content hosts have overly lenient policies surrounding impersonation and infringement, which means that trademark enforcement actions can be your only method to spur their action. On the extreme end, if someone else registers your trademark before you can, it’s especially difficult to protect your brand assets online.
Own your social media
Social media has transformed political campaigns. Social media can empower candidates to speak directly to the electorate and vice versa; we’ve seen the effectiveness of this strategy with the rise of millennial, tech-savvy politicians like Alexandria Ocasio-Cortez. But social media platforms also facilitate the spread of disinformation. A fake social media account impersonating a candidate while spouting embarrassing or misleading information can seriously harm the candidate’s reputation. For evidence, consider the hit Eli Lilly’s stock took after a Twitter account impersonating the brand posted a fake tweet announcing free insulin.
Just as political candidates should register social media accounts – and educate supporters about which is their official account – so too should brands. If you don’t claim accounts relevant to your brand name on various social media platforms, it’s possible that fraudsters will. Or, if it’s not clear which is your official, monitored account on social media, it’s easier for scammers to deceive your customers with claims of legitimacy.
Even if your marketing department doesn’t plan on investing time and effort in a particular social media platform, creating an official account and communicating that official account in other channels can help discourage imposters.
Increase and automate monitoring
Political campaigns are bare-bones, temporary operations. Candidates and their campaigns have finite resources and must weigh the benefits and drawbacks of, for example, investing in another fundraising event versus security training for campaign volunteers. So, in many cases, campaigns don’t have a cybersecurity expert on staff.
In the business world, it can be difficult to recruit and retain cyber talent. And existing cybersecurity teams have no shortage of things to do. Asking your teams to manually monitor the entire Internet for potential impersonations or disinformation is a losing proposition.
But the longer a brand impersonation attack lives on the internet, the more of your prospects, customers, and employees it victimizes. Tens of thousands of fake websites go live each day, and ideally, you want to identify scam websites within seconds of them going live.
Manual routines of the past, such as searching for misspellings of your domain name once a quarter, no longer cut it. A more modern approach to online brand protection uses artificial intelligence to automate the inspection of websites and social media accounts. With modern online brand protection approaches, websites can be inspected as soon as they’re visible on the Internet.
Protect your brand online
In closing, consider a popular marketing maxim: your company’s brand isn’t what you say it is, it’s what they say it is. Candidates for office and their campaigns need to constantly monitor the news as it happens in order to try to “control the message.” Similarly, you can control key aspects of your IT security.
You can’t control bad actors targeting your brand and customers. Whether you’re to blame or not, this activity does tarnish your reputation, leading to lost revenue, customer churn, incident response costs, and more. What’s most important is to ensure that you’re monitoring for the abuse of your brand online so that you can take action as quickly as possible to disrupt impersonation attacks before your brand falls victim.
Remember: just as voters are imbued with disinformation, so are your customers. So perhaps it’s time to take a page or two out of the politicians’ playbook to protect your brand’s integrity and stop disinformation in its tracks.