Major events can be used by malicious actors to bait the general public. Events that gain traffic among consumers can be leveraged to release malicious emails, links and other forms of communication. During March Madness, security leaders are encouraged to remind their organization's employees to remain vigilant against phishing campaigns or other scams. 

Security leaders weigh in

Jason Soroko, Senior Vice President of Product at Sectigo:

“Especially with remote workers, it’s imperative that employees understand the basics of digital hygiene and are trained to recognize social engineering attempts like phishing. All staff should understand the basics of avoiding malware, viruses and phishing — as well as the bare bones of digital identity.

• Stick to reputable sites: Whether betting online or joining a fantasy league, do your research. Choose established platforms with strong reputations for security. Ensure the website you're visiting has https:// in the address bar.
• Keep it personal: When it comes to personal information, less is more. Share only what's absolutely necessary.
• Beware the phish: Don't click on suspicious links or attachments, especially in emails related to fantasy sports or online betting.
• Strong authentication: It may not be enough to use unique and complex passwords for all your online accounts.  If the online betting service or office pool system utilizes multi-factor authentication, then use it.  Better yet, choose a reputable site that offers Passkey authentication, which is far better than anything using passwords and is less vulnerable to social engineering.”

Krishna Vishnubhotla, Vice President of Product Strategy at Zimperium:

“With the NCAA March Madness Tournament approaching, there's an expected surge in online activities related to office pools and online betting, significantly increasing cyber risks. As it is so popular and online activity spikes, it's a prime target for cyber criminals. Fans' emotional investment makes the event a perfect storm for cybercriminals. Fraudsters exploit the increased volume of legitimate communications and people's distracted, relaxed vigilance to launch scams and phishing attacks. 

“Cybercriminals exploit these events to launch attacks via phishing emails, malicious links, or fake betting websites and mobile apps. Due to the prevalence of smartphones for these activities, they often target mobile users.

“What's obvious: 

• Phishing scams: Phishing scams are common during events like March Madness. They often involve emails or messages mimicking legitimate tournament updates or betting sites, aiming to steal credentials or personal information. Since the games are going on during the workday, many of these emails will also target your business email.
• Unsecured Wi-Fi networks: Using public or unsecured Wi-Fi to participate in pools or watch games can expose users to eavesdropping and data theft.

“What's not: 

• Social engineering beyond email: Cybercriminals may use social media or messaging apps to target individuals with scams related to bracket picks or betting pools, leveraging the informal nature of these platforms. Messaging apps like WhatsApp and Telegram and in-app messages on social apps are great for these.
• Compromised mobile apps: Not all apps related to March Madness are legitimate; some may be designed to look genuine but are actually created to install malware or steal data from mobile devices. In particular, betting and gambling apps will lure you into installing them by promising exponential returns.

“Organizations should proactively educate their employees about these risks, advise caution with unsolicited communications related to March Madness, ensure the security of their devices, and verify the legitimacy of websites and apps used for betting or streaming. The security team should consider deploying MFA and mobile endpoint protection tools as part of a multi-layer defense strategy. Implementing and reinforcing cybersecurity best practices during this period can help mitigate the risks associated with the heightened online activities driven by the tournament.”

Darren Guccione, CEO and Co-Founder at Keeper Security:

“Phishing and online scams are two of the biggest cyber threats for March Madness fans leading up to, and during, the NCAA Tournament. Throughout the tournament, cybercriminals may send phishing emails or text messages with malicious links or attachments disguised as updates on games and brackets. I recommend that you do not open attachments or click on any links from unknown sources. Scammers may also use social media to learn more about you or to request money. They may impersonate a friend or family member claiming to be in need of money to buy tickets or place bets on games, or even impersonate an athlete themselves. Along with being wary of fake tickets, fans should also be careful about fake bracket contests promising large prizes to the winners. Once they collect your entry fee or personal information, scammers will disappear and the winners will never receive their prizes.

“When creating accounts to follow the games, create a bracket or take part in the fun of the tournament any other way, it may be tempting to reuse passwords. Make sure you have different, high-strength passwords for all of your accounts. This way, if one account is breached, a cybercriminal does not gain access to all your accounts. Passwords should be at least 16 characters in length with both upper and lowercase letters, numbers and special characters, as well as a random assortment of numbers. Also, consider creating a passphrase rather than using a single word. A secure password manager can help create and store those passwords.”

Patrick Harr, CEO at SlashNext:

“With an event as popular as March Madness, it’s easy for cyber criminals to prey on the excitement. With money on the line for many employees participating in office pools and brackets, cyber criminals serve fake sporting-themed websites, free streaming of games, private VPNs, contests, and browser extensions that claim to keep track of scores and stats of the games.

“The sophistication of these phishing threats is becoming more difficult to detect, especially for users. With the tournament starting next week, March Madness-themed phishing sites will quickly pop up to steal credentials for future corporate-based attacks or to commit credit card fraud.

“Organizations must educate their employees and, most importantly, be proactive in securing employees devices. With the increased use of dual-purpose devices, it’s important to avoid giving away login credentials or accidentally adding malicious browser extensions which can be used to breach corporate assets.

“Protect your organization by encouraging users to exercise extreme caution when participating in brackets and office contests. Most importantly, have the right security tools, including real-time mobile and browser security solutions.”