Phishing test emails that spoof the U.S. Election Assistance Commission (EAC) as the sender have recently been reported. The email prompted users to review and confirm their voter registration application to complete the process. The EAC does not store voter personally identifiable information or track individual voter registrations, and it is not sending out emails warning that voter registration information may be incomplete or need to be verified. As a reminder, any official correspondence from the EAC would be sent from the email domain eac.gov.
The EAC implements several safeguards to counter phishing email attempts like this one. One of those safeguards allows email servers to work behind the scenes to prevent fraudulent messages from reaching users’ inboxes. This is known as DMARC (Domain-based Message Authentication, Reporting and Conformance). The EAC implements a strict configuration of DMARC for emails. That means unauthenticated messages are rejected at the email server and the attempted impersonation is reported to cybersecurity staff for investigation. In this instance, the actors used an email address including the email domains gov.court-notices.com and court-notices.com, which are not under EAC control. In 2020, malicious actors used an email address spoofing the usa.gov domain, which is also not under EAC control.
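How a receiving mail server applies a DMARC policy like the one described above, as an added Python example that is not EAC code. The record in `POLICIES` is constructed (not any domain's published record), the function names are hypothetical, and the organizational-domain lookup is simplified to the last two labels.

```python
# Simplified DMARC check (RFC 7489); records and messages are constructed.
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag -> value dict."""
    parts = (p.partition("=") for p in txt.split(";") if p.strip())
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC policy record")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List for this step.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = exact match, 'r' = same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, policies, spf_domain=None, dkim_domain=None):
    """Return (policy_domain, disposition) for one message.

    policies stands in for DNS: domain -> _dmarc TXT record.
    spf_domain / dkim_domain: domain that passed SPF (MAIL FROM) or
    DKIM (d=), or None if that check did not pass.
    """
    from_domain = from_domain.lower()
    policy_domain = from_domain if from_domain in policies else org_domain(from_domain)
    if policy_domain not in policies:
        return (None, "no-policy")  # receiver falls back to local filtering
    tags = parse_dmarc(policies[policy_domain])
    if (aligned(from_domain, spf_domain, tags.get("aspf", "r"))
            or aligned(from_domain, dkim_domain, tags.get("adkim", "r"))):
        return (policy_domain, "pass")
    # Subdomains of the policy domain use sp= when it is present.
    key = "sp" if policy_domain != from_domain and "sp" in tags else "p"
    return (policy_domain, tags[key])

# Constructed record, not the published record of any real domain.
POLICIES = {"eac.gov": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.org"}

if __name__ == "__main__":
    print(evaluate("eac.gov", POLICIES, dkim_domain="eac.gov"))
    print(evaluate("eac.gov", POLICIES, spf_domain="mailer.example.net"))
    print(evaluate("gov.court-notices.com", POLICIES, spf_domain="gov.court-notices.com"))
```

The receiver looks up the policy of the domain in the From header, so the third message is never evaluated against the eac.gov policy; that is why checking that the sender domain is exactly eac.gov still matters.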
Unfortunately, the use of strict DMARC configurations is not yet widespread. Until it is, voters who receive election-related messages asking for personally identifiable information should continue to carefully examine links before clicking and report suspicious messages to their local election officials or the EAC.
The EAC is monitoring this issue and, in partnership with federal law enforcement, will continue to update our website and social media with information to help protect voters. If you suspect an email was delivered to you under suspicious circumstances, you may also submit it anonymously to the U.S. Computer Emergency Readiness Team’s analysis website: https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf