Have you filled in your brackets? March Madness kicks off this week. The annual NCAA men’s basketball tournament is a sports spectacle that seems to rival even the Super Bowl in terms of the hype and attention it gets. Of course, cybercriminals know that as well—and that makes March Madness the best bait imaginable for a successful phishing scam or cyber attack.
“With popular sporting events like March Madness, it’s easy for attackers to prey on human emotions with excitement running high and money on the line,” explains Atif Mushtaq, CEO of SlashNext. “With so many employees participating in office pools and brackets, it’s critical to avoid getting phished through fake sporting-themed websites, contests and offers around the games, or malicious browser extensions that claim to keep track of scores and stats.”
Typically, an organizer will send out links from a sports-centric website to the interested participants to allow them to join a group. Mike Banic, Vice President of Marketing at Vectra, pointed out, “This creates a situation where the participant may be unaware of the authenticity or safety of the website for the link sent by the organizer, making their personal data vulnerable to cross-site scripting attacks, hidden redirects and website forgery. Participants should be cautious of shortened URLs which can redirect them to a malicious website that may look to steal their personal information.”
Nathan Wenzler, Senior Director of Cybersecurity at Moss Adams, agrees that there is a high risk of phishing attacks around March Madness. “This year, though, the hackers are armed with more of your personal data than ever before, thanks to the huge number of data breaches that have taken place in the last few years. With this information, cybercriminals are personalizing the malicious emails and fake websites to seem more real and legitimate than ever before, making it that much harder for people to determine when they’re interacting with something that’s a fraud.”
Mushtaq added that there are thousands of new phishing sites that pop up each day, and they’re getting better and better at bypassing or circumventing security tools to avoid detection. Companies need to be aware that users will be actively engaged in March Madness and could be potentially easy prey.
Mukul Kumar, Chief Information Security Officer and VP of Cyber Practice at Cavirin, stressed, “Don’t open or click on suspicious emails, and if an NCAA pool wager looks too good to be true, it probably is. Basically, trust no one you don’t know. In addition, most browsers support whitelists and blacklists, and I expect that sooner rather than later, these settings will be on by default. Even in the absence of this, don’t deactivate security settings that are on by default.”
Wenzler provided a handful of helpful tips that will help ensure that the only heartbreak you experience this year is when your bracket falls apart, and not from a drained bank account:
- Ignore emails to join tournament bracket pools from sites or groups that you didn’t explicitly request to join. Fake emails can look very much like the real thing, so, if you didn’t sign up for it on the legitimate site or ask to be contacted, don’t take any chances by clicking on links or opening attachments in these messages.
- Always go directly to the site where you’re managing your tournament bracket, rather than clicking on a link from another webpage or in an email. It’s less convenient, but typing the site’s address into your browser reduces the chance that you’ll be rerouted to a fake website or, worse, that malware gets loaded on your system.
- Never give out more information than you need to participate in the pool. If a site starts asking for very personal information or financial details like your social security number, bank or credit card account numbers, PINs or personal verification questions and answers, there’s a good chance it’s trying to scam you out of that information.
- If you’re not completely sure about a website or an email, speak up! Every legitimate company out there has a support team that can tell you if the email you’ve received is actually from them or not. Some even have automated systems where you can forward the message to them and they’ll validate it for you on the fly. If it seems in any way like it might be a scam, don’t hesitate to reach out and check with the company or group involved.
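The warnings above about shortened URLs, hidden redirects and links that don’t go where they appear to can be turned into a concrete check. The following script is an added example written for this page, not code from any of the companies quoted: it pulls every link out of an HTML email and flags the tricks a bracket-pool phish typically relies on. The trusted site `example-brackets.com`, the short list of shortener hosts and the sample email are all constructed for the example; a real deployment would use the bracket site you actually signed up with and a fuller shortener list.

```python
"""Flag suspicious links in an HTML email the way a cautious reader would
before clicking: shorteners that hide the destination, display text that
names one site while the href goes to another, credentials before '@'
that disguise the real host, raw IP addresses, and lookalike domains."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the bracket site(s) the reader signed up with.
TRUSTED_HOSTS = {"example-brackets.com"}
# Small, non-exhaustive list of public URL shorteners.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# A hostname (optionally with scheme) appearing in the visible link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registered-domain extraction (last two labels); adequate for .com-style names."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of_trusted(host):
    """Return the trusted host this hostname imitates, or None if it is trusted or unrelated."""
    reg = registered_domain(host)
    if reg in TRUSTED_HOSTS:
        return None
    for trusted in TRUSTED_HOSTS:
        if trusted in host:  # trusted name embedded as a subdomain, e.g. trusted.com.evil.net
            return trusted
        if edit_distance(trusted.split(".")[0], reg.split(".")[0]) <= 2:
            return trusted
    return None


def assess_link(href, text):
    """Return the list of reasons a link is suspicious; an empty list means nothing was flagged."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return ["not a plain web link"]
    if parsed.scheme != "https":
        reasons.append("not HTTPS")
    if parsed.username is not None:
        reasons.append(f"credentials before '@' disguise the real host {host}")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if registered_domain(host) in SHORTENER_HOSTS:
        reasons.append("URL shortener hides the final destination")
    m = URL_IN_TEXT.search(text)
    if m and registered_domain(m.group(1)) != registered_domain(host):
        reasons.append(f"display text names {m.group(1)} but link goes to {host}")
    trusted = lookalike_of_trusted(host)
    if trusted:
        reasons.append(f"lookalike of trusted site {trusted}")
    return reasons


def scan_email(html):
    """Return [(href, visible text, reasons)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


# Constructed sample message: four phishing patterns plus one genuine link.
SAMPLE_EMAIL = """
<p>Your pool is ready! <a href="https://bit.ly/3xyzABC">Join the bracket</a></p>
<p>Or go to <a href="https://example-brackets.com.login-verify.net/pool">https://example-brackets.com/pool</a></p>
<p>Sign in: <a href="https://example-brackets.com@198.51.100.7/login">example-brackets.com</a></p>
<p>Rules: <a href="https://example-brackets.com/rules">rules</a></p>
<p>Standings: <a href="https://examp1e-brackets.com/pool">Pool</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{'SUSPICIOUS' if reasons else 'ok':10} {href}  [{text}]")
        for r in reasons:
            print("    -", r)
```

Only the plain `https://example-brackets.com/rules` link comes back clean; the shortener, the subdomain trick, the `user@host` disguise and the `examp1e` lookalike are each flagged with the reason, which is the check a reader performs mentally when following the advice to type the address rather than click. The registered-domain logic is deliberately simple (last two labels) and should be replaced with a public-suffix lookup for country-code domains such as `.co.uk`.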
Steve Durbin, managing director of the Information Security Forum, sums up, “The number of “winners” over the next couple weeks will be pretty astounding. However, just be sure you’re on the right side of security best practices and don’t end up becoming another statistic on the losing team.”