Hackers and scammers are huge fans of major sporting events like March Madness and step up their game to lure you in with the promise of good seats and attractive betting opportunities that turn out to be run-of-the-mill scams.
College basketball fans are eager to participate in the excitement surrounding the tournament that has 68 teams competing throughout the month. The single elimination tournament decides the national champion of college basketball on April 4 in New Orleans.
It can be easy to get caught up in the fervor and hype of March Madness, but hackers are waiting patiently for these opportunities to conduct phishing, launch malware and steal personal and financial information.
The most important thing to keep in mind is to trust no one, Mark Lambert, vice president of products at ArmorCode, a Palo Alto, Calif.-based application security provider, told TheStreet. There is no doubt that hackers love when people are busy and not paying attention to details in texts and emails.
“When you get an email, validate where it came from, check the website it links to and do not reuse passwords across sites,” he said. “Websites get compromised all the time and if you are reusing passwords it is very easy for a hacker to gain access to an account that has nothing to do with the original site.”
The excitement and greed of winning a bracket means even the most cautious basketball fans can find themselves to be unwilling targets of scams because of chutzpah.
Online Brackets and Betting Pools Are Easy Targets
Scammers are always lurking and seeking new opportunities to lure new victims into their latest racket.
They use the latest news or trends as the pretext to draw interest and to get people to click while getting a slam dunk for their efforts, Alex Hamerstone, director of advisory solutions for TrustedSec, a Strongsville, Ohio-based company that conducts penetration testing, adversarial attack simulation and incident response, told TheStreet.
Brackets used to be filled out on paper with friends or co-workers, but many of them moved online or are gathered through social media.
“People need to be careful to make sure they know who they are dealing with when sharing their personal information or sending payments for their brackets,” he said.
Choosing the winning team might be good for your self-esteem, but remain vigilant when filling out online brackets because your personal information can be stolen easily and sold to hackers.
Filling out a bracket should never require your social security number, Alex Ondrick, director of security operations at BreachQuest, an Augusta, Georgia-based incident response company, told TheStreet.
Fans should think twice before installing an app and double check the URL at the top of your browser before submitting your choices in a bracket.
“Attackers may prey upon the human element by creating and distributing malicious brackets designed to gather sensitive information or to gain unauthorized access to systems,” he said.
How to Avoid Losing Money During March Madness
Sending money to join a betting pool for March Madness can be tricky. PayPal (PYPL) or Zelle are convenient payment services to send money to someone else, but make sure you know the person and not someone impersonating them, said Hamerstone.
“While these payment platforms have robust security features and consumer protection, if you use the friends and family feature then there are few or no consumer protections,” he said. “The friends and family features save the receiver of the funds the fees in most cases, but the sender loses most if not all recourse to get their money back.”
There are limitless ways that an attacker could tempt people, including the promise of bigger winnings or insider information about teams, Hank Schless, senior manager, security solutions at Lookout, a San Francisco-based endpoint-to-cloud security company, told TheStreet.
Betting websites such as DraftKings (DKNG) are very popular among both fans and hackers and are not immune to copy cat websites created by cyber criminals.
“Threat actors could see this as low-hanging fruit for social engineering and phishing by simply spoofing the URL of popular sports and betting websites like ESPN, DraftKings and FanDuel," he said. "There have also been recent reports of attackers using fake share links from Google Drive and Office 365 to trick enterprise users into giving up their login credentials, which is a tactic that could realistically be used here as well.”
Phishing has emerged as the most popular way for attackers to gain initial access to corporate infrastructure and since there is now a heavy reliance on the cloud, IT and security teams have less visibility into the context under which users access apps and data, Schless said.
“Attackers use events like March Madness as a way to entice their targets and get them to overlook any red flags that indicate malicious intent,” he said. “When it comes to phishing for credentials, a simple text or social media message can be quite effective.”
The fear of missing out on fun such as betting can be an easy way for scammers to swindle unsuspecting fans, Casey Ellis, CTO at Bugcrowd, a San Francisco-based crowdsourced cybersecurity company, told TheStreet.
“Since gaming creates a virtual reality of sorts, the opportunity for people to be manipulated for the purpose of having them install malware, become a victim of fraud, or even to tilt/stack the odds of a pool based on participation is higher and cybercriminals know this,” he said.
How to Get Authentic Tickets and Merchandise
Buying tickets to watch the games and merchandise can be frustrating since March Madness is extremely popular. Consumers should always shop by using a credit card instead of a debit card.
The buyer protection insurance provided by the credit card networks can come in handy, Ellis said.
March Madness is the “perfect combination of factors to harvest credentials and credit cards in a phishing attack,” Casey Bisson, head of product and developer relations at BluBracket, a Palo Alto-based provider of code security solutions, told TheStreet.
Attackers simply need topics that are powerful enough to be motivating, yet they are broad enough to “dupe large numbers of users in a single attack,” he said.
Attackers will be on the hunt for Gmail and social networks logins, as well as credit cards and duplicitous payments.
“Everybody should keep a sharp eye open to verify any funds transfer requests and password entry prompts, a sometimes challenging task in the excitement of a game,” Bisson said.
While two-factor authentication remains one of the best defenses since it adds an extra layer for data hackers to access, crafty hackers will even send messages trying to dupe people to share those codes, he said.
Make sure you are purchasing from reputable websites because counterfeit merchandise is everywhere since there are thousands of them that will “gladly take your payment information and personal information and then either send you nothing, or even worse will steal your payment information,” Hamerstone said.
Ticket scams are also common, but fans can avoid falling prey to them when buying or selling electronic tickets that are sanctioned platforms.
Reselling your tickets also requires being careful. Make sure any pictures you include do not show barcodes or QR codes, he said.
“If you share those then anyone can use that barcode or QR code to steal your ticket,” Hamerstone said. “If you sell that ticket to someone and it gets stolen, you will likely lose your ticket and have to refund the money to the buyer.”
Scammers are also prowling on social media websites, so be aware that bragging about your picks for March Madness can lead you straight to the hackers.
You could become a target of social engineering attacks through phishing emails, phishing texts and social media scams.
“The criminals could spoof one of your connections or the gambling platform or payment service you use in order to trick you into sending money or sharing information,” he said. “They could send fake text alerts to your phone about fraudulent activity that was detected on your account or a failed payment that could cause you to lose out on a big game.”