This time, it’s personal.
Campaign managers and staff for politicians watch vigilantly over their business email, monitoring their accounts for phishing attacks from potential hackers. But security experts say their personal accounts pose an even bigger risk.
Consider the 2016 presidential election cyberattacks. John Podesta, Hillary Clinton’s campaign chairman, had 50,000 emails stolen from his personal Gmail account, not his campaign staff email.
Attacks over email are one of the most common methods hackers use to infiltrate an organization. Phishing attacks are designed to trick victims into clicking on malicious links and giving up their account passwords. The attacks are much more sophisticated when hackers target high-profile people, such as politicians and candidates running for public office.
Campaign hacking has continued despite mounting awareness. Sen. Claire McCaskill, a Democrat from Missouri, was the target of a phishing attack in July. And Microsoft said it stopped phishing campaigns targeting three unnamed election candidates.
Guemmy Kim, Google’s head of Account Security Initiatives, said Google often warns political candidates if it believes they are being targeted by hackers. She declined to name specific individuals, but indicated the search giant’s warnings have gone to politicians and candidates in Washington, DC.
Kim says campaign members often think their personal accounts are safe because they aren’t used for work purposes. But Kim says those accounts hold a lot of important information, like social media passwords and financial information.
“They tell us, ‘I don’t need it, I don’t use my Gmail,’” Kim said. “And we ask, ‘What is the email that is associated with your Twitter and Facebook accounts?’”
Maciej Ceglowski, the founder of Tech Solidarity, stresses the same point when he briefs campaigns on security measures.
Ceglowski found that campaign security trainings often stress making sure their professional email accounts are safe, but rarely mention securing personal accounts.
“The way government is structured, they have very bright lines between what is campaign related and what is personal,” he said in an interview last month. “And the security training needs to cross those boundaries.”
Kim noted several vulnerabilities that personal email accounts have but professional ones don’t. Professional accounts often have an organization tied to them, which usually means resources, like an IT staff and built-in protection.
With personal accounts, you’re more likely to be on your own, she said.
“Everyone expects that your professional account is the one that’s going to be attacked. But that’s the one that’s going to be more protected,” Kim said. “The more vulnerable account is your personal account because nobody is watching out for it.”
Google has several tools for protecting personal accounts, like artificial intelligence to tell if someone suspicious is logged on. For example, if someone logs on and immediately starts searching for sensitive information, like Social Security numbers and credit card records, Google will log it as suspicious activity and warn the account holder.
Kim recommends signing up for Google’s Advanced Protection Program if you believe your account is at risk for phishing attacks. You have to sign up for it separately for your personal account.