author photo
By Cam Sivesind
Mon | Mar 13, 2023 | 5:07 AM PDT

March Madness. It's NCAA basketball tournament time, and that means lots of lost hours of work as folks call in sick to watch games or huddle around the office TVs to see their favorite collegiate teams try to work their way to the Sweet 16, Final Four, and hopefully national title.

The official tipoff started yesterday with Selection Sunday and the beginning of the Round of 64 this week.

March Madness is one of the most watched, and anticipated, sporting events every year here in the U.S. What makes it most interesting is that it's the only major sporting event in the U.S. that traditionally falls during our business day, and those who participate in viewing and playing in their "office pools" are susceptible to a variety of security threats, especially those dreaded phishing lures. The same goes for those who utilize online sportsbooks taking bets on the games.

Cybercriminals will use any major event or tragedy that has captured the attention of the general public as bait for attacks.

While folks are caught up in the excitement of the games and their brackets, bad actors will be plotting to steal your credentials, lure you into fake websites, and deploy ransomware that could wreak havoc on you or your organization long after the conclusion of this year's tournament.

The increased interest from users and the dramatic spike in emails, links, and other communications related to the event make it much easier for these actors to blend in. 

Some individuals, and their companies, could end up with more than their brackets busted. Here's what representatives from a few cybersecurity vendors are saying about hackers and their efforts to force a turnover of sensitive data.

Tim Morris, Chief Security Advisor, Tanium:

"The NCAA tourney is prime time for attackers to play on the passion and emotion of college basketball fans. Success rates of phishing attempts are higher because we, as humans, tend to let our guard down when we are consumed by a major event. After all, it's not called, 'March Madness' for nothing!

The sheer scope and duration of the tournament makes an attractive hunting ground for multiple weeks—not to mention the brackets enjoyed by so many.  It's estimated that more than 36 million adults will complete a bracket. And, who knows how many will join office pools that can't be tracked? Each of which has potential for fraud.

As such, cybersecurity teams can expect to see an increased volume of phishing attempts, website compromises, watering hole attacks, business email compromise (BEC), malvertising, etc., geared towards enthusiasm for March Madness. Scams will also target consumers for fake merchandise, phony tickets, etc."

JT Keating, SVP of Strategic Initiatives, Zimperium:

"Let's face it. Even people who don't regularly watch college basketball throughout the year may be keeping one eye on March Madness over the next few weeks. It's a cultural phenomenon in the United States that brings together people to participate in office pools, online gambling, and more. While the distractions and the substantial bandwidth strains associated with following the annual NCAA Tournament can damage organizations, mobile security threats have proven to be a more dangerous issue that organizations of all sizes should be particularly wary about.

Mobile phishing attacks are on the rise. According to the 2022 Global Mobile Threat report, mobile-specific phishing sites grew by 50% over a three year period. By 2021, 75% of phishing sites were specifically targeting mobile users. What's more is that 66% of mobile phones used at work are employee-owned, creating a challenging environment for security teams to protect.

Unfortunately, many employees who look for alternative sources to participate in March Madness may unwittingly turn to malicious websites and apps on their smartphones and tablets. Phishing, malware, and other attacks flourish during popular online events, such as March Madness, and even one small mistake by an employee whose mobile device is connected to corporate data could cause chaos throughout an entire organization."

Mike Aalot, Co-Founder and CEO, Hoxhunt:

"March Madness gives cybercriminals excellent phishing campaign material because millions of people will be watching games throughout the work week and checking the results of their personal and company brackets via email notifications from online platforms. This creates an environment of heightened emotions and raised expectations for communications from strangers, colleagues, and friends, writing to work and personal email accounts.

One of the most common tactics used by cybercriminals during March Madness is to send phishing attacks with enticing subject lines that promise free tickets or exclusive offers related to the tournament. Such emails are common for those of us who regularly participate in March Madness brackets or fantasy sports, and it's easy for us to lower our guard against a March Madness phish. But these phishing emails contain links or attachments that, when clicked, infect your computer with malware or lead you to a credential harvesting website."

Darren Guccione, CEO and Co-Founder, Keeper Security:

"Phishing and online scams are two of the biggest cyber threats for fans. Throughout the tournament, cybercriminals may send phishing emails or text messages with malicious links or attachments disguised as updates on games and brackets. Do not open attachments or click on links from unknown sources. Scammers may also use social media to learn more about you or request money. They may impersonate a friend or family member claiming to be in urgent need of money to buy tickets or place bets on March Madness games, or even impersonate the athletes themselves. Along with being wary of fake tickets, fans should also be careful about fake bracket contests promising large prizes to the winners. Once they collect your entry fee or personal information, scammers will disappear and the winners never receive their prizes.

When creating accounts to follow the games, create a bracket, or take part in the fun of the tournament any other way, it may be tempting to reuse passwords. Make sure you have different, high-strength passwords for all of your accounts. This way, if one account is breached, a cybercriminal does not gain access to all your accounts. Passwords should be at least 12 characters with a mix of uppercase and lowercase letters, a variety of special characters and a random assortment of numbers. Also, consider creating a passphrase rather than using a single word. A password manager can make this easier by generating and securely storing strong passwords for you, so that all you have to do is remember one master password."

Don't let hackers cast a shadow over what is supposed to be a fun event. The office pool is supposed to be for bragging rights for making the best picks—even if the most likely person to win picks their teams based on mascots or team colors—not for being the poster child of getting duped by a bad actor.