This story is part of Elections 2020, CNET’s coverage of the run-up to voting in November.

Millions of Americans have voted by mail securely for more than 150 years, with fraud historically being so rare that election officials wouldn’t even consider it significant enough to be a rounding error. But with the coronavirus pandemic pushing a record number of absentee ballot requests, President Donald Trump and his administration has attacked the time-tested system, claiming that it will lead to a chaotic Election Day outcome.

Since April, Trump has questioned the legitimacy of vote-by-mail on Twitter, saying it will “lead to massive corruption and fraud,” without offering any evidence of what security flaws are present. Attorney General William Barr also claimed, in June, that voting by mail “opens the floodgates to fraud,” also without any proof.

These attacks on mail-in voting aren’t new, but they do come at a time when a record number of people in the US are expected to request absentee ballots because of the coronavirus pandemic. COVID-19 has killed more than 160,000 Americans, causing businesses to shut down to prevent the spread of the infectious disease; pushing people to keep their distance from each other; and leading children to attend school online or have their parties via webcam. Sending in your ballot is the next logical step when trying to stay safe.

In Minnesota alone, the number of requests for mail-in ballots has risen more than 16 times, to roughly 470,000, according to Steve Simon, Minnesota’s secretary of state, who doesn’t buy into the concerns raised by the president.

“It would be almost impossible to pull off voter fraud on a scale that would be required to tip the balance,” Simon said. “We have vanishingly rare cases of voter misconduct. The security precautions in place have stood the test of time.”

The real danger is that these attacks damage the credibility of our entire democratic system. Election security officials have long warned that disinformation over votes is more concerning than the potential for someone to tamper with ballots. If you can get people to believe that results aren’t legitimate, it doesn’t matter whether fraud actually happened.

“Nobody really has to successfully attack an election and demonstrate that votes were changed or ballots disappeared,” said Mike Hamilton, a founder of CI Security and a former chief information security officer for Seattle. “You just have to raise enough doubt in people’s minds.”

USPS said it remains committed to delivering election mail on time, and has been coordinating with local election officials, despite the many cuts to its services by the Trump administration.

The truth is, fraud associated with mail-in ballots is exceedingly rare, and when it does happen, it’s miniscule enough that it wouldn’t affect the outcome, election officials and experts said, noting there are several safeguards in place.

That truth gets distorted thanks to social networks. A Wall Street Journal report found over 100 claims from Trump, via Twitter, attacking mail-in voting, a majority of which are factually inaccurate.

The attacks on mail-in ballots, particularly when a pandemic threatens the health of voters and election volunteers, have frustrated experts, who point out that many of the scenarios raised by the Trump administration would be impossible to carry out.

“When people throw these ideas around, it shows a lack of understanding of the overall process,” said Amber McReynolds, CEO of the National Vote at Home Institute and Coalition, and the former director of elections for Denver.

How to get away with vote-by-mail fraud

Trump has repeatedly made claims — which have been disputed by election officials — that voter fraud could happen through foreign countries printing fake ballots and rigging the election.

Across the board, election security experts have pointed out just how difficult it would be to carry out election fraud on a scale large enough to actually affect the outcome. Printing a fake ballot would fall into the “nearly impossible” category.

“The statement that other governments can print ballots and mail them to everybody is bullshit,” Hamilton said. He pointed out that each ballot has a specific barcode generated and matched to the voter, with scanners being able to tell which votes are legitimate. “To print fake ballots with a matching barcode is not even possible.”

But in case you’re curious, here’s what you’d need to do to actually carry out voter fraud by mail and affect the outcome of an election.

  • Figure out every registered voter who requested a mail-in ballot

Not everyone’s going to have a ballot automatically sent to their mailbox. For starters, you need to be registered to vote to receive one, and in some states, you need to have requested an absentee ballot to get it.

Election officials aren’t going to count votes for people who aren’t registered voters, so any nation-state looking to print fake ballots would have to make sure they’re for people who actually exist.

Absentee ballot requests are confidential in states like North Carolina, so depending on where you are, you’d have to get access to an election county’s voter registration records illegally. That’s not impossible, as Russian hackers had stolen data from two Florida counties’ voter registration databases in 2016, but the next steps make committing fraud even more difficult.

  • Intercept the ballot

Now that you know who you’re looking to defraud, you have to actually get their ballot to vote in their name.

You can intercept the ballots by either racing to every mailbox and snatching the envelope out before the voters receive them while hoping they don’t notice it’s gone, or changing the voters’ address so that they all send to your inbox instead.

“You have to get into the voter registration system, get their address changed and go undetected doing that,” Vote at Home’s McReynolds said. “If you’re in a state that offers ballot tracking, you have to avoid voters getting a text saying ‘your ballot is on its way to you’ or seeing that it went to the wrong address. You have to assume they’re not going to vote or pay attention in a presidential year where we’re going to have the highest turnout on record.”

Counties across the US use ballot tracking, including Virginia, Florida, Kansas, South Carolina, Michigan and Illinois. BallotScout, an app from the organization Democracy Works, offers online tracking services for ballots where voters can see the status of their ballot the same way you’d track a package shipping.

Ballot envelopes have specific barcodes on them that let the US Postal Service know that the package is a vote, with unique serial numbers on them tied to individual voter records. If you’re trying to intercept a ballot, you’ll need to overcome this tracking system too.

“A voter would be able to see their ballot move through the mail stream, and they can advocate for themselves now,” said Jessenia Elia, Democracy Works’ director of government initiatives. “They can say they sent this ballot five days ago, it should’ve been received, and call the office themselves.”

  • Get good at forging signatures and really good at guessing

Nearly every state requires a signature on the ballot to verify a voter’s identity when it’s mailed in. The signatures need to match the ones logged on the voter’s registration file, and is required for both issuing ballots and counting the vote.

“Forging someone else’s signature on an application and submitting it to receive a ballot is both extremely difficult, and a crime,” Michigan’s Department of State said in a statement. “It is rarely attempted.”

Some states require multiple signatures, like a notary or a witness to sign off on the mail-in ballot. In North Carolina, voters have to sign their ballots in front of a witness, who also signs the envelope the vote is sent in.

When you register to vote in Minnesota, Simon said, you also have to provide your driver’s license number, your state ID number and the last four digits of your Social Security number. The state uses that to verify votes also.

So once you intercept the ballot, you’d need to be able to account for all of these details too.

“Unless the mailbox thief knows not only the person’s personal identifying information, or which specific form they used, the joke is on the would-be thief,” Simon said.

Assuming you try your luck at forging signatures, some counties also have machines scanning for accuracy on the votes to make sure they match up. If it’s not a good enough match, it often gets flagged to a person to check, and if enough anomalies pop up, election officials said they would investigate further.

If you’ve successfully gotten through all of these security checks, congratulations: You’ve done something most election officials would consider nearly impossible.

But remember, you need to do this for hundreds — if not thousands — of people for your effort to actually affect the outcome.

Laying the groundwork for disinformation

A much easier way of disrupting the process is to cast doubt on the legitimacy of the election’s outcome.

Lawmakers are criticizing the Trump administration’s decision to replace the United States Postal Service’s two top executives, calling it a veiled attempt to sabotage the mail system and disrupt the mail-in voting process. Trump is also opposing funding to the Postal Service that would help it handle all of the mailed-in ballots.

gettyimages-1215361926
President Trump has consistently tweeted since April about mail-in voting fraud, a claim that many election security experts say is incorrect.
Getty Images

“They want $25 billion, billion, for the post office. Now, they need that money in order to have the post office work so it can take all of these millions and millions of ballots,” Trump said in an interview with Fox Business on Aug. 13.

It could mean delays in receiving mail-in ballots, leading to uncertainty on Election Day and sowing more doubt. Stacking the deck against USPS makes it much easier to cast doubt and disinformation about the election’s outcome.

The USPS also has a warning for the public.

“In order to allow sufficient time for voters to receive, complete and return ballots via the mail, and to facilitate timely receipt of completed ballots by election officials, the Postal Service strongly recommends that jurisdictions immediately communicate and advise voters to request ballots at the earliest point allowable but no later than 15 days prior to the election date,” a USPS spokeswoman said in a statement.

Because a lot of votes are expected to come in by mail, there’s already an expected delay in results for tallying the ballots. Many states have deadlines to vote by mail right up until the polls close, which means you’re not likely to get the results on Election Day.

New York City’s primaries have taken weeks to tally up its mail-in votes, and experts are concerned about the same for the general election in November. People are used to knowing who won the election that same evening. The longer the delay, the greater chance there is for disinformation and distrust to flow on social media.

“Mail ballots certainly do take more time to process,” McReynolds said. “We need to have a national conversation on what voting results look like.”

Digital doubt

Disruptions can also come digitally — election officials are frequently on alert for cyberattacks, working with government agencies like the Cybersecurity and Infrastructure Security Agency to test for vulnerabilities.

There’s no evidence that hackers have ever changed votes in an election, but a cyberattack could still cause concerns for officials. Counties that use computers to verify signatures, for example, could be affected if those devices are vulnerable.

“A ransomware attack could affect the outcome of an election if it happens during the counting process,” CI Security’s Hamilton said. “If I can encrypt your data, I have enough access to change it. How are we going to prove it wasn’t changed? It’s the integrity of the votes — that’s exactly where this applies.”

Now playing:
Watch this:

CISA director: Paper record key to keeping 2020 election…

5:22

Simon, the secretary of state of Minnesota, said that while a cyberattack could cause disruptions, paper ballots and human intervention would prevent it from becoming catastrophic. People could still count the votes by hand, and even if the voter registration database was deleted, Minnesota has same-day voter registration policies.

“Let’s say a malicious hacker deletes a bunch of voter records so that an eligible voter stops in and they tell her she’s not on the list,” Simon said. “The remedy there would be some sighs and then a re-registration. We have figured out ways to foil or at least delay the impact of those kinds of things.”

Election officials can have security measures in place to prevent mail-in voter fraud and cyberattacks, but managing disinformation is going to be a much more difficult challenge.

Twitter and Facebook have both labeled Trump’s posts on mail-in voting as misleading information, but it hasn’t stopped the spread of disinformation.

A ProPublica investigation in July found that nearly half of all top posts on Facebook about voting by mail were misleading, presenting a concern more threatening than voter fraud for election officials.

“You have to retain public confidence in these systems,” Simon said. “My worry is that there’s been criticism bordering on trash-talking.”