Clinton Campaign Sent Fake Phishing Emails to Its Own Staff

These security training efforts help explain why the campaign itself wasn’t hacked as associates were.

Hillary Clinton campaign manager Robby Mook.Brian Snyder/Zuma

For indispensable reporting on the coronavirus crisis and more, subscribe to Mother Jones' newsletters.


Hillary Clinton’s run for the White House will be remembered for many things, but information security isn’t likely to be one of them. Her campaign was buffeted by two major hacking episodes. First, the contents of Democratic National Committee servers were stolen and disseminated through WikiLeaks and other news organizations. Then campaign chairman John Podesta had his personal email account hacked and its contents passed to WikiLeaks, which subsequently released the 50,000-email set in chunks over a period of weeks as the presidential election reached fever pitch. The US government’s intelligence community went on to assert that the hacks had been orchestrated at the behest of the Russian government as a deliberate attempt to hurt Clinton’s chances and boost Donald Trump.

But Robby Mook, the Clinton campaign manager, said this week that the hacks didn’t hit the campaign itself, and that’s because the campaign conducted regular security training for staffers, including sending them fake phishing emails to see how they’d be handled.

“We sent out phishing emails of our own to test people and communicate back to team to see how far they were clicking, to educate people, and show their vulnerability and how much their choices matter,” Mook told Dark Reading, a cybersecurity news website, while attending an information security conference in San Francisco.

Mook said there were at least three phishing tests sent out to staffers, and there were also regular emails sent to staff preaching good IT practices. There were signs in the bathrooms “about not sharing passwords and ‘Don’t clink that link, stop and think,'” Mook said.

The Dark Reading piece doesn’t address when the training took place or whether Podesta and his aides were involved. Podesta and Mook did not respond to requests for comment about the IT training during the campaign.

A phishing attack is an attempt to trick a victim into giving up personal information, including logins for email accounts, bank accounts, and other sensitive information. In Podesta’s case, hackers sent a phony warning from Google alerting him that his Gmail password needed to be reset. According to the New York Times, a campaign IT staffer inadvertently advised Podesta and his aides that the warning was legitimate. By using the fake password reset page, Podesta gave the hackers access to his Gmail account and years’ worth of political communications that eventually found their way to WikiLeaks via the Russian operation, according to the US government.

Thank you!

We didn't know what to expect when we told you we needed to raise $400,000 before our fiscal year closed on June 30, and we're thrilled to report that our incredible community of readers contributed some $415,000 to help us keep charging as hard as we can during this crazy year.

You just sent an incredible message: that quality journalism doesn't have to answer to advertisers, billionaires, or hedge funds; that newsrooms can eke out an existence thanks primarily to the generosity of its readers. That's so powerful. Especially during what's been called a "media extinction event" when those looking to make a profit from the news pull back, the Mother Jones community steps in.

The months and years ahead won't be easy. Far from it. But there's no one we'd rather face the big challenges with than you, our committed and passionate readers, and our team of fearless reporters who show up every day.

Thank you!

We didn't know what to expect when we told you we needed to raise $400,000 before our fiscal year closed on June 30, and we're thrilled to report that our incredible community of readers contributed some $415,000 to help us keep charging as hard as we can during this crazy year.

You just sent an incredible message: that quality journalism doesn't have to answer to advertisers, billionaires, or hedge funds; that newsrooms can eke out an existence thanks primarily to the generosity of its readers. That's so powerful. Especially during what's been called a "media extinction event" when those looking to make a profit from the news pull back, the Mother Jones community steps in.

The months and years ahead won't be easy. Far from it. But there's no one we'd rather face the big challenges with than you, our committed and passionate readers, and our team of fearless reporters who show up every day.

We Recommend

Latest

Sign up for our newsletters

Subscribe and we'll send Mother Jones straight to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate