NCAA March Madness — the single-elimination tournament played each spring in the United States — is here. The official kickoff started with Selection Sunday, including the unveiling of all 68 teams in the field as well as the seeding and placement for every single team, this past weekend. The first four games will be played between eight teams today, March 15, to decide which teams advance to the 64-team bracket. The play involving teams in the 64-team bracket begins on March 17.

With an average of 16.9 million viewers in 2021, March Madness is one of the most watched sporting events every year in the U.S. Because it’s the only significant sporting event that falls during business days, fans who participate in the excitement of March Madness play in their office pools or those who use online sportsbooks to place bets are susceptible to a number of cybersecurity threats.  

Often, cybercriminals use major events (such as the Olympics or the Super Bowl) or tragedies (such as the Ukraine-Russia crisis) to lure viewers into fake websites to steal their prized information, credentials or deploy ransomware that could create chaos for the sports fan or their organization. “While all major sporting events can create a spike in phishing scams, fake domains, and adware, March Madness creates a unique amount of risk to employers since it takes place during business hours when fans are generally using work-issued devices and network resources,” explains Jasmine Henry, Field Security Director at JupiterOne.

To offset the security risks March Madness brings to corporate network security, Henry recommends security leaders conduct a brief update to the company’s acceptable use policy. However, it’s critical to keep in mind that if strict security policies are implemented, such as blocking official NCAA and ESPN web properties on the company network, sports fans could find alternative sites to watch streams — all “sketchier, malware-riddled websites to get around that strict policy,” Henry says.

Instead, Henry suggests security leaders consider communicating with employees about risk management best practices, including what to look for in their inboxes and text messages, including links, attachments, and bracket invites that are sent by a threat actor instead of a colleague.

“We are a society of clickers; we like to click on things, such as hyperlinks, for example,” says Joseph Carson, Chief Security Scientist and Advisory Chief Information Security Officer (CISO) at Delinea. “Always be cautious of receiving any messages with a hyperlink. Before clicking, ask yourself — “Was this expected?”, “Do I know who is sending this?”.

Before clicking on a hyperlink that might result in malware, ransomware, a remote access tool or a virus that could steal personal or company data, Carson recommends individuals check with the actual person whether they did actually send an email. “Check the URL, make sure the URL is using HTTPS, also that this URL is coming from a legitimate source,” he says.

 As March Madness fans particularly use websites, online platforms or share spreadsheets to organize their betting pools or bracket challenges, cybercriminals could entice fans to engage with them by promising bigger winnings or insider information about teams. Hank Schless, Senior Manager, Security Solutions at Lookout, explains, “Threat actors could see this as low-hanging fruit for social engineering and phishing by simply spoofing the URL of popular sports and betting websites like ESPN, DraftKings and FanDuel.”

To protect against the risk of unauthorized users gaining access to sensitive data during the chaotic atmosphere of March Madness, Schless says, “it’s important to be able to detect and block phishing attacks as well as inspect web traffic from any device to cut connections to malicious sites. In addition, companies need to have visibility into the context under which users are logging in to company infrastructure and accessing data. Anomalous locations, devices, and number of login attempts can all be signs of compromised credentials.”

For sports fans tuning in to March Madness, Richard Fleeman, Vice President, Penetration Testing Ops at Coalfire, offers the following security best practices: 

1. Consider managing office pools via the old school methods of manual tracking and utilize one person to coordinate. If you use a document to track, consider sharing that document via Box, Google Docs, etc.
2. Consider using known and trusted platforms for March Madness brackets, tracking, bets, and spreads. Stick with the known Yahoo, ABC, ESPN, etc. 
3. Continue to maintain proper cyber hygiene — use multi-factor authentication, use a password vault to generate unique passwords, take time to inspect email headers, URL links, do not open unknown attachments, bookmark and log directly into the online platform rather than clicking links in an email etc. 
4. Be wary of applications leveraging common authentication frameworks and third party trust — i.e., do not hastily allow applications to utilize common authentication frameworks such as Google auth or Facebook without inspecting the elements that the application is requesting access or trust to. Blindly permitting access and trust could potentially open your accounts to compromise. 

Lastly, sports fans can relax and enjoy March Madness, all while staying safe and avoiding becoming the next victim of cybercrime.