March Madness Phishing Scams

March Phishing Madness: Why You Need To Be Careful Streaming 2020 NCAA Games

Publish date March 4, 2020 Comments: 0
March Madness is one of the most anticipated and most-watched sporting events each year in the US. More than 47 million American adults will wager on the NCAA tournament spending around $4.6 billion to do so. As March Madness approaches, cybersecurity experts are warning fans about hackers that attempt to take advantage of the popularity of the tournament.

In addition to other highly regarded events such as The Super Bowl, Academy Awards, and Black Friday, March Madness will once again generate a new wave of phishing attacks including fake websites as well as videos doused with malware.

Phishing schemes are particularly dangerous and effective as they continue to work. Hackers are looking to capitalize on the public’s eagerness of March Madness meaning that emails mentioning the event have a much higher chance of drawing clicks from possible victims.

So why is this happening every year? Basically, while the average citizen might be confident that they can spot such dangers, in reality, they often can’t.

‘“Phishing emails are one of the highest-risk intrusion methods to date. They are easy to craft, easy to deploy; they are aimed at our broadest, weakest attack surface: The endpoint, and its user. They are designed to make us afraid that if we don’t click on that link or open that attachment something bad will happen. Cybercriminals have been extremely successful at both designing the lure and monetizing their success, despite their re-use of techniques and themes such as threatening our Netflix accounts or suggesting something may be amiss with our credit or identity,” warns Colin Little, Senior Threat Analyst for Centripetal Networks, a threat-intelligence solutions provider based in Herndon, Virginia.

According to the 2017 Verizon Data Breach Investigations Report, almost a third of targeted phishing emails are opened with 12% of people clicking on malicious links.

“With popular sporting events like March Madness, it’s easy for attackers to prey on human emotions with excitement running high and money on the line. With so many employees participating in office pools and brackets, it’s critical to avoid getting phished through fake sporting-themed websites, contests and offers around the games or malicious browser extensions that claim to keep track of scores and stats,” says Atif Mushtaq, CEO at SlashNext, a Pleasanton, Calif.-based provider of third-generation internet security solutions.

“There are thousands of new phishing sites popping up each day, and they avoid detection by appearing legitimate or by being hosted on reputable but compromised sites, bypassing current security tools, and then quickly moving on to different sites to avoid being blocked. You should safely encourage ‘bracketology’ and fun office contests, but it’s more important than ever to have the right security tools in place, such as real-time anti-phishing defenses, and train users to exercise extreme caution when participating in these activities. With the increased use of BYOD and dual-purpose devices, it’s important to avoid giving away login credentials or accidentally adding malicious browser extensions which can be used to breach corporate assets.”

How March Madness Phishing Scams Work

There are a number of forms that March Madness phishing attacks take, including emails requesting you to click on a tournament-themed website. However, instead of taking you to an official CBS or ESPN website, you might be redirected to what looks like a team fansite. Users might be asked to confirm identities either by logging into their email or social media accounts such as Facebook or Gmail. This is how the cybercriminal gets access to your information.

“Typically, an organizer will send out links from a sports-centric website to the interested participants to allow them to join a group. This creates a situation where the participant may be unaware of the authenticity or safety of the website for the link sent by the organizer, making their personal data vulnerable to cross-site scripting attacks, hidden redirects, and website forgery. Participants should be cautious of shortened URLs which can redirect them to a malicious website that may look to steal their personal information,” Mike Banic, Vice President of Marketing at Vectra says.

“As a measure of precaution, participants should ensure that they trust the organizer sharing the link, verify the link they are about to click and pay attention to the certificate validation done by most browsers that tend to warn the user when unauthorized or unsafe websites are being accessed.”

The problem is that many people feel a sense of trust with these emails that are coming in from friends and co-workers, in addition to the excitement about the prospect of making a win. These two factors combined often mean that there is no perception of a security risk at all.

“Another year brings another March Madness. With it comes another chance for cybercriminals to steal your identity or financial information. Like we’ve seen around this time every year the number of scams and malicious emails is on the rise, taking advantage of the interest around fantasy leagues, tournament brackets, and other contests,” says Nathan Wenzler, Senior Director of Cybersecurity at Moss Adams.

One of the major problems each year with March Madness is that cybercriminals are always a number of steps ahead. They use search engine optimization tactics in order to drive their malware-ridden sites much higher in search rankings using popular March Madness-related terms allowing for more users to infect their devices with drive-by downloads.

“Within a week of the tournament starting we started catching the March Madness-themed phishing sites and shady ads,” Atif Mushtaq, CEO at SlashNext, told Threatpost. “New sites are cropping up daily, and our system alone has caught over 50 websites from just one of the prolific cyber-gangs. With the end game of committing credit card fraud, the realistic-looking pages hope to attract victims getting caught up in the excitement and gambling that goes along with March Madness.”

Other attacks can come from a fellow pool participant that has already been hacked asking each member of the group to send all pool payments to a different account. Instead of the money going to the pool’s organizer, it ends up in the hacker’s pockets.

In previous years hackers had to craft their emails carefully, usually one by one, doing a lot of research in the process in order to find personal details that needed to be included in order for their emails to look authentic. Now, social media platforms provide these savvy criminals with a plethora of personal data on their potential victims. The evolution of technology has also allowed them to automate the composition process aiding them in sending out millions of customized emails, boosting chances of financial gains.

However, phishing isn’t the only danger out there when it comes to March Madness online dangers. Online ticket scams include forged websites that attempt to steal payment information from fans looking to book those last-minute seats. If you want to be part of the action, front and center, you should buy directly from the venue whenever you can and don’t shop at any site that doesn’t start with “https.”

There are many questionable sites out there offering to stream March Madness games for free, but you are first requested to install a flash player in order to watch. Those are normally crawling with malware that can infect your computer. Try sticking to streaming websites that you trust instead.

Malicious mobile app creators love big events such as March Madness as they use them to spread harmful software. Only download apps from trusted app stores, and make sure to avoid third-party app stores completely.

Don’t fall for payment scams when it comes to March Madness pools. Make sure your payment is headed to the right person and never use public wifi to complete the transaction. If you can, always use a reliable VPN to secure your online movements.

Avoid March Madness Phishing Scams

There are a few tips that you should consider in the lead-up to March Madness to ensure your online safety.

  • Disregard any emails that request for you to join a tournament bracket pool from any sites that you yourself didn’t explicitly ask to join. The problem is that fake emails can look identical to the real deal. If you never asked to be contacted, do not take any chances by opening random links.
  • Always head directly to the website managing your tournament bracket instead of clicking on a link from an email. It might be less convenient, but it reduces the likelihood that you will be redirected to a fraudulent website.
  • Don’t willingly hand out more information than you should in order to take park in the pool. If the site in question asks for information like your social security number, bank card number, credit card number, personal verification questions, and answers or PINs, you should stop what you’re doing straight away. It is more likely than not that someone is trying to scam you.
  • Be aware of posts on social media that have links to live video streams. This is one of the major tactics used by hackers in order to gather personal data or drive them to malicious websites.
  • Be sure to understand your company’s policies regarding the use of the company’s equipment and internet safety rules.
  • Install an antivirus program on all your devices and make sure it is kept up to date. This tool will warn you if you attempt to visit potentially dangerous websites.

Mukul Kumar, Chief Information Security Officer and VP of Cyber Practice at Cavirin stressed, “Don’t open or click on suspicious emails, and if an NCAA pool wager looks too good to be true, it probably is. Basically, trust no one you don’t know. In addition, most browsers support whitelists and blacklists, and I expect that sooner rather than later, these settings will be on by default. Even in the absence of this, don’t deactivate security settings that are on by default.”


While employers should safely encourage fun office contests with March Madness, it is much more important to have the security tools in place and train users to use extreme caution when participating in such activities.

Popular events such as March Madness allow for cybercriminals to prey on human emotions with excitement running high whenever there is money on the line. Although it seems like playing a bet or two during the workday might seem like harmless fun, March Madness can come at a cost not only to individuals but also to business owners as they are left picking up the pieces when their devices become infected with malware.

Follow the above-mentioned tips and don’t go mad over your potential losses during March Madness.

Article comments