Advisory on Cybersecurity for General Election 2025 for Voters

Introduction

With increased digitalisation, many activities that were traditionally conducted in person have shifted to the digital space or transformed into a hybrid format. Election campaigning in Singapore is one such example, with election candidates conducting campaigning activities online to expand their reach to the electorate. These include the use of social media platforms to provide real-time updates and hold virtual rallies, use of fundraising websites, or use of web conferencing tools to host question-and-answer sessions.

However, this shift to the digital space provides cyber threat actors with more opportunities to attack unsuspecting voters. This advisory provides voters with information on potential cyber threats and the measures that can be taken to mitigate or reduce the risk of falling victim.

Potential Cyber Threats

During an election, threat actors may take advantage of election fervour and incorporate election-based themes in their attacks to increase their chances of success. Some of these cyber threats targeting members of the public include:

1. Phishing

Phishing is a type of cyberattack where the attacker impersonates a trustworthy entity to trick individuals into revealing sensitive information or perform actions for malicious purposes. In the context of the General Elections, it can come in many different forms.

For example, threat actors may compromise the social media accounts of election candidates and political parties or create fake social media accounts to launch phishing attacks. Phishing attacks can also come as fraudulent emails, text messages, and phone calls impersonating election candidates or political parties. Through impersonation, threat actors can spread false or misleading information to manipulate voter behaviour or influence opinions.

Threat actors may create websites that mimic the content of official campaign websites to carry out social engineering attacks. Financially motivated threat actors may also impersonate election candidates or political parties to seek donations from members of public. Threat actors have in recent years used AI to craft highly personalised and convincing phishing emails, messages or voice clones, increasing the likelihood of a successful attack. Thus, unsuspecting victims may inadvertently provide sensitive information like passwords and banking credentials or perform financial transactions thinking that they are supporting a legitimate cause.

2. Scams

There has been a rising trend in scams and the resulting financial loss from it. Historically, the context of General Elections has been used to conduct financial related scams such as the examples given above. Therefore, it is important to be vigilant against General Elections related scams.

AI may also be leveraged to develop messages and create images/videos/voice recordings for scam purposes. It can also be used to analyse the victim’s background to develop a targeted scam tactic that aligns with the victim’s political ideologies, consequently leading them to perform financial transactions at the behest of the scammer.

3. Malware Distribution/Infection

Threat actors may attempt to trick voters or members of public into downloading malware by masquerading as legitimate software widely used during the election campaign. Such software may include video conferencing applications (apps) that election candidates and political parties may use to conduct their campaign activities online. When downloaded and installed onto the victim’s device, the malware could potentially allow the threat actor to access and steal data, leading to data breaches or other malicious activities.

Cybercriminals may also send emails or SMS messages that contain links to fake websites or malicious attachments to install malware on voters’ devices. For example, an email claiming that the voter’s registration has encountered a problem may contain a link for the recipient to click to verify their details. This link may lead to a fake website where malware is then installed on the voter’s device. 

4. Manipulation, Misinformation and Disinformation

Manipulation, misinformation or disinformation can significantly impact the integrity and fairness of elections. Manipulation refers to unauthorised changes to official documents often done by controlling official accounts of the candidates or parties. Misinformation is the publication of inaccurate information stemming from mistakes or misunderstandings without the intent to deceive. Disinformation is the intentional spread of falsified information to deceive or harm the candidates or parties.

Threat actors may also compromise social media accounts belonging to election candidates or political parties to spread false or misleading information. Misinformation can also come in the form of deepfakes to spread false narratives. Deepfakes refer to multimedia (images, videos, and audio) that are synthetically created or manipulated by AI and can be used to convincingly depict election candidates saying or doing things they never did. They are designed to quickly go viral, creating the illusion of widespread support and impacting public perception, which could then damage the credibility or reputation of the party or candidate.

Cyber Hygiene Measures for Voters

To better defend against such cyber threats, voters should adopt the following cyber hygiene measures:

1. Beware of Phishing Attempts and Scams

When receiving unsolicited emails and messages, particularly those asking for sensitive information or financial payments, voters should be vigilant, take a pause and do further checks. This stance should not change even if the purported sender of the email or message is from an election candidate or political party. To check if the email or message is authentic, voters and members of public should:

• Closely examine the URL link(s), if any, to check that any link to a website is legitimate before clicking on the link. Verify that the website domains are genuine by cross-checking with the domains used by political party websites.

• Refrain from clicking on URL links in unsolicited emails and messages.

• Always verify the authenticity of the information with official websites or sources.

• Rely on verified and reputable news outlets, official government websites, and the Elections Department (ELD) for election information.

• Never disclose any sensitive or financial information such as banking credentials and passwords.

• Report suspicious phishing or scam activity through the ScamShield app.

It is crucial for voters and other members of the public to exercise caution and discernment when encountering information requests on social media platforms, messaging platforms and websites during the election period. By being more careful and critically assessing the information received, you can safeguard yourself from potential monetary losses or spreading misinformation. 

2. Download Apps and Software from Official Sources

Download apps and software only from official sources (e.g. Google Play Store, Apple App Store, Microsoft Store, etc) and pay attention to the security permissions required by the app and/or its privacy policy. Be particularly wary of apps that request for unnecessary permissions on your device such as access to your call logs or camera functions that may not be necessary for the proposed function of the app.

3. Be Vigilant against Disinformation/Misinformation

Always check where the information is coming from and ensure the source is trustworthy. Only rely on official election websites, trusted news outlets, and verified social media accounts. Watch for visual anomalies in deepfakes as these videos can have subtle distortions, like inconsistent lighting, strange facial expression, or unnatural blinks. Deepfake videos also often have unnatural audio. Pay attention to mismatched lip-syncing or audio that sounds unnatural. Avoid sharing unverified information as it can contribute to spread of inaccurate information.

Useful References

For more information on potential cyber threats and possible preventive measures you can take to secure your devices, please visit the following websites

Ransomware

• https://www.csa.gov.sg/alerts-and-advisories/advisories/ad-2021-009

• https://www.csa.gov.sg/docs/default-source/publications/singcert/pdfs/ransomware-response-checklist.pdf

• https://www.police.gov.sg/Advisories/Crime/Cybercrime/Ransomware

• https://www.nomoreransom.org/en/index.html

Data Theft / Breaches

• https://isomer-user-content.by.gov.sg/36/02db9352-fbea-4699-98d2-b6213ed1c0f2/protecting-yourself-from-data-breaches.pdf

• https://isomer-user-content.by.gov.sg/36/08913a84-f490-48f7-a115-9cd03de55a36/protecting-your-organisation-from-data-breaches.pdf

Compromised/Fake Social Media Accounts

• https://www.ncsc.gov.uk/guidance/social-media-how-to-use-it-safely

• https://www.cisa.gov/sites/default/files/publications/CISA_CEG_Social_Media_Account_Protection_508.pdf

Deepfakes/Disinformation Campaigns

• https://www.csa.gov.sg/alerts-advisories/Advisories/2024/ad-2024-006

Phishing / Social Engineering

• https://www.csa.gov.sg/our-programmes/cybersecurity-outreach/cybersecurity-campaigns/the-unseen-enemy-campaign/beware-of-phishing-scams

• https://www.csa.gov.sg/News-Events/Press-Releases/2024/csa-releases-playbooks-for-the-conduct-of-simulated-phishing-exercises-to-encourage-organisations-to-improve-their-cyber-defences

Recommended Security Apps

• https://www.csa.gov.sg/resources/tips-and-resources/recommended-security-apps-list