March Madness is one of the most watched—and anticipated—events each year. And each year as March Madness approaches, cybersecurity experts warn about hackers who want to take advantage of the tournament’s popularity with phishing schemes and bogus websites and videos heavy with malware.
The NCAA basketball tournament isn’t the only major event that is targeted this way. The Super Bowl, the Academy Awards and Black Friday also generate the same type of threats and warnings, and by now, we all know about the fake news and scams surrounding election cycles.
Phishing attacks and other malicious tricks occur because they continue to work. The question is, Why are they still so effective? There is more awareness now than ever of how to tell a real message from a phish, and organizations are more diligent about providing security training. Yet, here we are again, back in March with the urgent warnings to pay attention for unsolicited polls, surveys and contests related to March Madness.
Overconfidence in Our Cyber Threat Awareness
Ask the average person about their confidence level of sniffing out a fake email or website, and they will likely tell you they can do so, no problem. That’s because their job requires them to do an online course or sit through a seminar to alert them of the warning signs. And—I’ve witnessed this a couple of times myself—“smart” users aren’t afraid to do some phishing shaming by poking fun at someone who fell for a scam. So it appears that more people are talking a good game about their cyberthreat awareness, but is it an accurate assessment?
“It’s a nice unicorn-and-bunnies feeling that people are more aware, but statistics don’t bear that out,” said Chris Roberts, chief security architect at Acalvio, a Santa Clara, California-based provider of advanced threat detection and defense solutions, “especially when we only train them once a year to not click or send stuff they shouldn’t be.”
According to the 2017 Verizon Data Breach Investigations Report, nearly a third of targeted phishing emails are opened and 12 percent of those recipients end up clicking on a malicious link. How devastating is that 12 percent? The SANS Institute reported that almost all—95 percent—successful attacks on an organization are the result of a phishing or spearphishing campaign.
And the training that employees receive just doesn’t keep up with changing threats and the tactics used in phishing emails.
“Original training was focused on .exe-based exploits through email, but this is a rapidly shrinking attack vector,” explained Atif Mushtaq, CEO with SlashNext. “Phishers have figured out it is easier to come to them so they employ social engineering attacks on very legitimate sites (address, phone, company email, etc.) or a legitimate-looking browser extension that the browser does not alert on. The only way we know of to further protect your users is to augment your current programs with tools built specifically to address this new threat landscape.”
Big Event Madness
What is the appeal for events such as March Madness that have hackers working overtime?
“The thrill surrounding a major event, such as a hotly anticipated concert tour or a big game, can overpower even our best cybersecurity instincts,” said Isabelle Dumont, vice president at Lacework, a Mountain View, California-based provider of cloud security solutions. “Excitement gets the best of us and sometimes we respond to tempting unsolicited emails or visit sham look-alike websites when we should be more careful.”
March Madness, however, is unique because the brackets generate excitement in ways other major events can’t. Office workers follow the games online during the workday. They talk about upsets and bracket busters, and whether you like basketball or not, everybody has a pick on who will win it all. That’s enticing to cybercriminals.
“March Madness is well-known for pools created within the workplace, friends, family etc., where individuals compete with one another in predicting the most accurate NCAA basketball tournament bracket,” said Mike Banic, vice president at Vectra, a San Jose, California-based provider of automated threat management solutions. Most often, these pools are done through a website, and the participants expect correspondence with links sent to them regarding their bracket picks. “This creates a situation where the participant may be unaware of the authenticity or safety of the website for the link sent by the organizer, making their personal data vulnerable to cross-site scripting attacks, hidden redirects and website forgery.”
In the end, we will never bring phishing emails to zero, and next year at this time, the warnings will sound to protect from scams and malicious threats come tournament time. Instead, organizations (and individuals) can take steps such as backing up data regularly as a safeguard to ransomware or other data loss from a phishing email and to slow down when reading email.
“Employees get inundated with email and when they read through a large volume of email messages, they may click too quickly on phishing links,” said Banic. “Just like reminding yourself to ‘listen, think, speak,’ it is best to read the message, match the name and company of the sender with the email address and domain number, and inspect links before clicking on them.”