Virtualization Technology News and Information
Bring on the Madness: How to Be Cyber-Prepared for the NCAA Tournament


With an average of 10.7 million viewers in 2022, March Madness is one of the most watched, and anticipated, sporting events every year here in the US. What makes it most interesting is that it's the only major sporting event in the US that traditionally falls during our business day, and those who participate in viewing and playing in their "office pools", are susceptible to a variety of security threats, especially those dreading phishing lures. The same goes for those who utilize online sportsbooks taking bets on the games.

As you know, cybercriminals will use any major event or tragedy that has captured the attention of the general public as bait for attacks. While folks are caught up in the excitement of the games and their brackets, bad actors will be plotting to steal your credentials, lure you into fake websites and deploy ransomware that could wreak havoc on you, or your organization, long after the conclusion of this year's tournament. The increased interest from users and the dramatic spike in emails, links and other communications related to the event make it much easier for these actors to blend in.

We all know that cybercriminals are out there right now trying to bust your March Madness bracket!  Read on as industry experts offer their thoughts and commentary on the matter.


Timothy Morris, Chief Security Advisor at Tanium, a Kirkland, Washington-based provider of converged endpoint management (XEM):

The NCAA tourney is prime time for attackers to play on the passion and emotion of college basketball fans. Success rates of phishing attempts are higher because we, as humans, tend to let our guard down when we are consumed by a major event. After all, it's not called, "March Madness" for nothing! 

The sheer scope and duration of the tournament makes an attractive hunting ground for multiple weeks.  Not to mention the brackets enjoyed by so many.  It's estimated that more than 36 million adults will complete a bracket. And, who knows how many will join office pools that can't be tracked?  Each of which has potential for fraud. 

As such, cyber security teams can expect to see an increased volume of phishing attempts, web site compromises, watering hole attacks, business email compromise (BEC), malvertising, etc., geared towards enthusiasm for March Madness.  Scams will also target consumers for fake merchandise, phony tickets, etc. 

To counteract these efforts, it will be important for companies to ensure their systems are patched, particularly applications that are internet facing, and that multi-factor authentication is utilized.  Users should be trained to be on the lookout for these types of attacks and make sure security controls are working and effective.  This includes the management of tools to secure endpoints and email/web content.  For major events, it is a good idea to block or closely review new domains, or those that have unusually high traffic levels. 


JT Keating, SVP of Strategic Initiatives at Zimperium, a Dallas, Texas provider of mobile security solutions:

Let's face it. Even people who don't regularly watch college basketball throughout the year may be keeping one eye on March Madness over the next few weeks. It's a cultural phenomenon in the United States that brings together people to participate in office pools, online gambling and more. While the distractions and the substantial bandwidth strains associated with following the annual NCAA Tournament can damage organizations, mobile security threats have proven to be a more dangerous issue that organizations of all sizes should be particularly wary about.

Mobile phishing attacks are on the rise. According to the 2022 Global Mobile Threat report, mobile-specific phishing sites grew by 50% over a three year period. By 2021, 75% of phishing sites were specifically targeting mobile users. What's more is that 66% of mobile phones used at work are employee-owned, creating a challenging environment for security teams to protect.

Unfortunately, many employees who look for alternative sources to participate in March Madness may unwittingly turn to malicious websites and apps on their smartphones and tablets. Phishing, malware, and other attacks flourish during popular online events, such as March Madness, and even one small mistake by an employee whose mobile device is connected to corporate data could cause chaos throughout an entire organization.

It's easy for an unsuspecting victim using their mobile device to click on an email link they think is from a trustworthy source asking to set up their bracket, or watch the games, that an attacker could spoof. It's even easier for an attacker to spoof one of these organizations and convince someone to click on a link sent via SMS text message. Regardless of whether a link is sent by email or text, users on mobile devices are hampered by smaller screens and mobile-first interfaces that limit information visibility, reducing the ability to identify common red flags or attacks.

Once someone clicks on a link, their phone - and all the info and data stored, processed or transmitted by that phone - could be compromised. Even on employee-owned devices, this usually includes a large amount of corporate data and/or the ability to co-opt multi-factor authentication (MFA) that can provide access to enterprise apps or networks. Additionally, hackers could even use a device's camera or microphone to "bug" corporate offices or access photos to blackmail an employee into divulging sensitive information.

Today, mobile security and education in the enterprise is more crucial than ever. In most cases, mobile devices represent a significant, unaddressed attack surface for enterprises. No matter if they are corporate-owned or part of a BYOD strategy, the need to implement proper security controls and educate end-users about potential threats is critical.

Without defenses in place to stand up against these growing threats - especially during events like the NCAA Tournament - enterprises and their employees are left at risk. However, education is only part of the solution. Attackers are becoming increasingly sophisticated and are always developing new tactics and techniques to undermine employees that have undergone some level of anti-phishing training. Technology is available today that can help fill in the gaps, minimizing the risk and attack surface presented by threat actors.

As technology evolves to address new business challenges and needs, the modern mobile era has ushered in a new category of security to help combat current threats. Organizations can and should continue to use Mobile Device Management (MDM) - but only if they are tying it to a Mobile Threat Defense (MTD) solution, which can detect and prevent mobile device, network, phishing and malicious app attacks.


Mika Aalto, Co-Founder and CEO at Hoxhunt, a Helsinki-based provider of enterprise security awareness solutions:

March Madness gives cyber criminals excellent phishing campaign material because millions of people will be watching games throughout the work week and checking the results of their personal and company brackets via email notifications from online platforms. This creates an environment of heightened emotions and raised expectations for communications from strangers, colleagues and friends, writing to work and personal email accounts.

One of the most common tactics used by cybercriminals during March Madness is to send phishing attacks with enticing subject lines that promise free tickets or exclusive offers related to the tournament. Such emails are common for those of us who regularly participate in March Madness brackets or fantasy sports, and it's easy for us to lower our guard against a March Madness phish. But these phishing emails contain links or attachments that, when clicked, infect your computer with malware or lead you to a credential harvesting website.

Cybercriminals may also leverage social media and brand familiarity to trick people. For example, criminals may create fake social media profiles that claim to be from reputable sources, such as sports broadcasters or tournament organizers who urge people to click on links or provide personal information.

Be cautious of unsolicited emails or messages. If you get a vague email reminding you to immediately fill in your bracket, take a moment to verify the legitimacy of offers or links before clicking on them, and never sharing sensitive information with unknown sources.

Be smart and stay safe during March Madness. Keep your computer and software up-to-date with the latest security patches, protect your accounts with strong and unique passwords, and enable multi-factor authentication whenever possible.


Guillaume Ross, Deputy CISO at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions:

Events like March Madness are recurring reasons why people venture out of their daily list of websites they are familiar with. Yes, there might be more attacks, social engineering might be easier, however, if you think you don't have systems configured in such a way that they can handle this, then they are likely to be compromised during the rest of the year. It's like unsafe Wi-Fi. If you believe your corporate laptops are not usable securely on hotel Wi-Fi, they're probably not usable securely anywhere.

When educating employees on security, it's important to explain why certain controls are useful, as well as how they can leverage them in their own personal lives. We might enforce multi-factor authentication (MFA) at work, but we should also suggest that people use it on their own important accounts, when it's available at least. The same goes with password managers, keeping browsers up-to-date, as well as on the dangers of submitting information to unknown sources on the Internet.

If your browsers are not updated rapidly when new vulnerabilities are discovered, it's likely that one of them could be compromised during March Madness, the Olympics, the World Cup or during any regular week. 

For this reason, a company with a good understanding of their social engineering attack surface, a well-configured spam filter, employees that are used to reporting suspicious emails, and where a well-known, trustworthy site to track brackets is chosen early on is probably not exposed to significantly higher risk during March Madness.

For companies where all traffic goes through a corporate VPN, I recommend making official streaming sites available out of the VPN rather than blocking them, which will lead to people searching for illegal streams that aren't blocked, which might bring more security risk.


Patrick Harr, CEO at SlashNext, a Pleasanton, Calif.-based anti phishing company:

Emotions run high during the March Madness tournament each year, and hackers quickly take advantage of the predictability of fans falling prey to malicious content that leads to data breaches.

With this popular sporting tournament, it's easy for hackers to prey on the excitement. With money on the line for many employees participating in office pools and brackets, hackers serve fake sporting-themed websites, free streaming of games, private VPNs, contests, and browser extensions that claim to keep track of scores and stats of the games.

The sophistication of these phishing threats is becoming more difficult to detect, especially for users. With the tournament starting next week,  March Madness-themed phishing sites will pop up to steal credentials for future corporate-based attacks or commit credit card fraud.

Organizations must educate their employees and, most importantly, be proactive in securing BYOD. With the increased use of BYOD and dual-purpose devices, it's important to avoid giving away login credentials or accidentally adding malicious browser extensions which can be used to breach corporate assets.

Protect your organization by encouraging users to exercise extreme caution when participating in brackets and office contests. Most importantly, have the right security tools, including real-time mobile and browser security solutions.


Darren Guccione, CEO and Co-Founder at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software:

March is an exciting time for diehard and casual college basketball fans alike, but it's also an opportune time for cybercriminals. To avoid falling victim to March Madness related scams, always be cautious of unsolicited messages or offers, double-check the authenticity of any websites or apps you may be using to watch, follow or bet on the games, and never provide personal information or payment without verifying the legitimacy of the transaction.

Phishing and online scams are two of the biggest cyber threats for fans. Throughout the tournament, cybercriminals may send phishing emails or text messages with malicious links or attachments disguised as updates on games and brackets. Do not open attachments or click on links from unknown sources. Scammers may also use social media to learn more about you or request money. They may impersonate a friend or family member claiming to be in urgent need of money to buy tickets or place bets on March Madness games, or even impersonate the athletes themselves. Along with being wary of fake tickets, fans should also be careful about fake bracket contests promising large prizes to the winners. Once they collect your entry fee or personal information, scammers will disappear and the winners never receive their prizes.

When creating accounts to follow the games, create a bracket or take part in the fun of the tournament any other way, it may be tempting to reuse passwords. Make sure you have different, high-strength passwords for all of your accounts. This way, if one account is breached, a cybercriminal does not gain access to all your accounts. Passwords should be at least 12 characters with a mix of uppercase and lowercase letters, a variety of special characters and a random assortment of numbers. Also, consider creating a passphrase rather than using a single word. A password manager can make this easier by generating and securely storing strong passwords for you, so that all you have to do is remember one master password.


Published Monday, March 13, 2023 7:31 AM by David Marshall
Filed under: ,
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<March 2023>