August 28, 2024

Multiple media reports this week warned Americans to be on guard against a new phishing scam that arrives in a text message informing recipients they are not yet registered to vote. A bit of digging reveals the missives were sent by a California political consulting firm as part of a well-meaning but potentially counterproductive get-out-the-vote effort that had all the hallmarks of a phishing campaign.

Image: WDIV Detroit on Youtube.

On Aug. 27, the local Channel 4 affiliate WDIV in Detroit warned about a new SMS message wave that they said could prevent registered voters from casting their ballot. The story didn’t explain how or why the scam could block eligible voters from casting ballots, but it did show one of the related text messages, which linked to the site all-vote.com.

“We have you in our records as not registered to vote,” the unbidden SMS advised. “Check your registration status & register in 2 minutes.”

Similar warnings came from an ABC station in Arizona, and from an NBC affiliate in Pennsylvania, where election officials just issued an alert to be on the lookout for scam messages coming from all-vote.com. Some people interviewed who received the messages said they figured it was a scam because they knew for a fact they were registered to vote in their state. WDIV even interviewed a seventh-grader from Canada who said he also got the SMS saying he wasn’t registered to vote.

Someone trying to determine whether all-vote.com was legitimate might visit the main URL first (as opposed to just clicking the link in the SMS) to find out more about the organization. But visiting all-vote.com directly presents one with a login page to an online service called bl.ink. DomainTools.com finds all-vote.com was registered on July 10, 2024. Red flag #1.

The information requested from people who visited votewin.org via the SMS campaign.

Another version of this SMS campaign told recipients to check their voter status at a site called votewin.org, which DomainTools says was registered July 9, 2024. There is little information about who runs votewin.org on its website, and the contact page leads to generic contact form. Red Flag #2.

What’s more, Votewin.org asks visitors to supply their name, address, email address, date of birth, mobile phone number, while pre-checking options to sign the visitor up for more notifications. Big Red Flag #3.

Votewin.org’s Terms of Service referenced a California-based voter engagement platform called VoteAmerica LLC. The same voter registration query form advertised in the SMS messages is available if one clicks the “check your registration status” link on voteamerica.org.

VoteAmerica founder Debra Cleaver told KrebsOnSecurity the entity responsible for the SMS campaigns telling people they weren’t registered is Movement Labs, a political consulting firm in San Francisco.

Cleaver said her office had received several inquiries about the messages, which violate a key tenet of election outreach: Never tell the recipient what their voter status may be.

“That’s one of the worst practices,” Cleaver said. “You never tell someone what the voter file says because voter files are not reliable, and are often out of date.”

Reached via email, Movement Labs founder Yoni Landau said the SMS campaigns targeted “underrepresented groups in the electorate, young people, folks who are moving, low income households and the like, who are unregistered in our databases, with the intent to help them register to vote.”

Landau said filling out the form on Votewin.org merely checks to see if the visitor is registered to vote in their state, and then attempts to help them register if not.

“We understand that many people are jarred by the messages – we tested hundreds of variations of messages and found that these had the largest impact on someone’s likelihood to register,” he said. “I’m deeply sorry for anyone that may have gotten the message in error, who is registered to vote, and we’re looking into our content now to see if there are any variations that might be less certain but still as effective in generating new legal registrations.”

Cleaver said Movement Labs’ SMS campaign may have been incompetent, but it wasn’t malicious.

“When you work in voter mobilization, it’s not enough to want to do good, you actually need to be good,” she said. “At the end of the day the end result of incompetence and maliciousness is the same: increased chaos, reduced voter turnout, and long-term harm to our democracy.”

To register to vote or to update your voter registration, visit vote.gov and select your state or region.


42 thoughts on “When Get-Out-The-Vote Efforts Look Like Phishing

  1. Rex Fermier

    Too bad you didn’t press them to name who their client was.

    1. Benny Cemoli

      Kamala Harris and Big Daddy Walz. Seems like something they’d do.

      1. R.Cake

        Well and – just a stupid question from across the pond – why would you even care?
        If, as we have learned from the article, the activity is (stupidly executed but) legitimate, it does not matter who triggered it. It should be in the interest of any citizen _regardless of their political affiliation_ that everybody goes to vote. After all, even if the “other” party (from your point of view) triggered someone to come out, they could still vote for “your” candidate once in the booth. So what’s the problem?
        The only reason I can think of – again, from the limited information I have from outside – is that you know very well the current system is not fair (what with gerrymandering and such) and you prefer it to nicely stay that way, knowing or hoping that “your” candidate will get a benefit from that.

        1. Ben

          We do care I believe limiting corporate donations like the limit on personal ones at the same amount. That would crash the money (call it laundering in the tax world) Half the people don’t vote so they don’t have the capacity to understand.

          1. R.Cake

            oh absolutely, regulating/limiting contributions to political campaigns is a very worthy cause, however a whole ‘nother story. The article and the comment I had reacted to were about (ridiculously badly executed) individual voter motivation.

      1. Phil

        CTRL F – Republican – ZERO POINT ZERO results.
        CTRL F – Democra — lights up like a Christmas tree.

        Again, I am shocked…

  2. vb

    Completely untargeted, Red flag #0. Nearly the definition of unsolicited commercial email (UCE), aka SPAM.

  3. ricky cabeza

    can i blame the government for ņot protecting consumers from spoofed text spam?

    1. Phil

      Love the username, and yes. We need to report the Government to the Government. That way, they can set up a committee to investigate themselves, charge the taxpayer billions, then hire a gaggle of trans nuts to tell us that a Saturday Morning Drag Queen Library Reading Festival for Toddlers will fix it all.

  4. Quid

    Hundreds of variations and still a major fail?

    How about, “Have you registered to vote yet in the upcoming election? Check to ensure your voting status is current and your home address is correct at: http://www.XXXXXX.gov where XXXXXX = whatever the proper government website is for voter registration in that county or state.

  5. Quid

    Hundreds of variations and still a major fail?

    How about, “Have you registered to vote yet in the upcoming election? Check to ensure your voting status is current and your home address is correct at: http://www.XXXXXX.gov where XXXXXX = whatever the proper government website is for voter registration in that county or state.

  6. Moike

    I also ignore any text message asking for a donation – no way to know who sent it. Just start with the candidate’s web site.

    1. Old School Okie

      Like I don’t “piss in public” or on “public land” I do not subscribe to “political funds” because they are less useful than “pissing in the ocean”.

      If you want to make a political difference “give your time” not money, the benefit will be way way greater for the same value.

  7. S. Lewis

    I live in the state of Georgia and received this text a couple of times and was highly suspicious. If this was a legitimate effort to get people to vote they should have:
    1. Actually set up a home page at all-vote that gave more information about who they are and who is funding them.
    2. Instead of presenting the target of these messages with a reference to an established site, like vote.org.
    Even if their intensions were good, the messages did not pass the sniff test

  8. PhilD

    I got one of those and immediately blocked it as SPAM and reported it to my carrier. I have always voted in all local and national elections and so knew immediately it was bogus. “We just stoopid and incompetent” is no excuse. They know exactly what they are doing and the end result is increased chaos, reduced voter turnout, and long-term harm to our democracy. Exactly as designed and were paid to do.

  9. Bob

    Given the number of states purging their voter registration records of ‘undesirable’ voters, surprised there aren’t more Get-Out-The-Vote efforts underway.

  10. Jack E.

    “We have you in our records…”
    And THAT is the real problem.

    1. mealy

      My phone number was previously owned by someone named “samantha” and she donated or something, so now I’m in permanent spam hell. Great system we got.

  11. Tyson

    There’s no “skin in the game” for people who decide to start dabbling with “personal data” (using GDPR parlance) to try to make a few bucks, or gain influence. Until it hurts to go muck around with private citizens privacy and data, any retired sheriff of failed movie actor might try it. There’s no disincentive.

  12. someguy

    this is fraudulent/illegal activity, specifically it is a direct and open violation of the Telephone Consumer Protection Act 47 U.S.C. § 227 specifically section c

  13. Jon I

    Every time I receive an unsolicited text from a political candidate that candidate winds up in my “won’t get my vote under any circumstances” category.

  14. Mike

    I have been receiving these since July after I sent in my ballot. I keep blocking the numbers.

  15. Jack

    I wish they would stop trying to “get out the vote”. The last thing we need is more unengaged, uninformed voters.

  16. Phil Robare

    This has been going on for some time, not just since July. I received that message (wanting me to go to voteftw.net) on Feb 6 2024 in advance of the local primary elections. I reported it to the county Board of Elections who could only comment that it was not from them (and advising me not to click the link). Thanks for looking into this Brian.

    1. Fr00tL00ps

      ‘I got one of those and immediately blocked it as SPAM and reported it to my carrier.’

      Krishan, it is sad that you come here and complain about spam and then post your own crap spam. Seriously!?

    1. Fr00tL00ps

      Ignore this. More crap spam and it is not even in English.

  17. Andy S

    Yoni has been an SMS spammer for many years. He was one of the people behind Rapid Resist which got tons of press in 2015 about how many millions of messages they were sending.

    Some people just have no shame.

  18. Nick

    I was getting a bunch of Republican targeted messages that told me to click a link to read a message from Trump, Mitch McConnell, or Cruz that was only available for a limited time (I’m an independent voter). What was odd is any text I had received in the past had the entire message, so this really seemed like phishing.

  19. Craig

    Seems like this could be used to collect enough information for some bad actor to request mail-in ballots that could be used fraudulently.

  20. Gerard Eaton

    Excellent and necessary piece. Kudos! Interesting that DomainTools assigns a low risk score (42) to all-vote[.]com and the highest risk (100) to votewin[.]org.

Comments are closed.