Phishing emails impersonating the Election Assistance Commission (EAC) and using firstname.lastname@example.org as the spoofed sender have recently been reported. The email uses EAC graphics in an attempt to trick recipients into entering their name, date of birth, and other personal information into a malicious web form that impersonates an Arizona state government website. The EAC does not store voter personally identifiable information or track individual voter registrations, and it is not sending out emails warning that your voter registration information may be incomplete.
The EAC implements several safeguards to counter phishing email attempts like this one. One of those safeguards allows email servers to work behind the scenes to prevent fraudulent messages from reaching users’ inboxes. This is known as DMARC (Domain-based Message Authentication, Reporting and Conformance). The EAC implements a strict DMARC configuration for its email, which means that unauthenticated messages are rejected at the email server and reports of the attempted impersonation are sent to cybersecurity staff for investigation. In this instance, the malicious actors used an email address spoofing the usa.gov domain, which is not under EAC control.
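The reject-and-report behavior described above is visible in the DMARC TXT record a domain publishes, so it can be checked mechanically. The following is an added example, not EAC code: the sample records and the agency.example addresses are constructed, and "strict" is assumed here to mean `p=reject` applied to all mail with an aggregate report address, since the page does not give the EAC's actual record.

```python
# Added example: sample records below are constructed, not real DNS data.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag with no "="
        tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489: the v tag must come first and equal "DMARC1"
    first = parts[0].partition("=")
    if first[0].strip().lower() != "v" or first[2].strip() != "DMARC1":
        return None
    return tags


def assess(txt):
    """Return the gaps relative to a reject-and-report policy (empty list = none)."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record"]
    gaps = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        gaps.append(f"p={policy or 'missing'}: failing mail is not rejected")
    pct = tags.get("pct", "100")  # RFC 7489 default is 100
    if not pct.isdigit() or int(pct) < 100:
        gaps.append(f"pct={pct}: policy applies to only part of the mail")
    sp = tags.get("sp")  # when absent, subdomains inherit p
    if sp is not None and sp.lower() != "reject":
        gaps.append(f"sp={sp}: subdomains have a weaker policy")
    if not tags.get("rua"):
        gaps.append("no rua: aggregate reports are not sent to anyone")
    return gaps


SAMPLES = {  # constructed records for illustration
    "strict": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@agency.example",
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@agency.example",
    "partial": "v=DMARC1; p=reject; pct=25; sp=none",
    "not-dmarc": "v=spf1 -all",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, "->", assess(record) or "reject-and-report policy in place")
```

A `p=none` record still produces reports but leaves delivery of spoofed mail up to the receiving server, which is why the monitor-only sample is flagged.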
Unfortunately, the use of strict DMARC configurations is not yet widespread. Until it is, voters who receive election-related messages asking for personally identifiable information should continue to carefully examine links before clicking and report suspicious messages to their local election officials or the EAC.
The EAC is monitoring this ongoing issue and, in partnership with federal law enforcement, will continue to update our website and social media with information to help protect voters. If you suspect an email was delivered to you under suspicious circumstances, you may also submit it anonymously to the U.S. Computer Emergency Readiness Team’s analysis website: https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf