Gretel Egan | March 22, 2018

March Madness: Expect a full-court press from social engineers and cyber criminals

As seen on Security Info Watch...

In the United States, there may be no surer sign of spring than March Madness — at least for fans of NCAA Men’s Basketball. Like other large events, the tournament draws ticket buyers, TV audiences, media interest, and massive revenues. Unlike other events, March Madness brings with it “bracket mania,” with tens of millions of wannabe bracketologists of all ages picking their winners and losers in the hopes of achieving perfect prognostication and major bragging rights (and, perhaps, a cash prize). Unfortunately, the frenzy also draws in those looking to take advantage and score their own payday: social engineers and other cyber criminals.

It’s likely that these threats crept into your workplace last week, with employees researching and completing brackets, and then searching online for ways to watch opening-round games during business hours. (Brace yourself: A study by WalletHub estimated businesses lost $6.3B due to unproductive workers during March Madness in 2017.) But just because the much-hyped opening weekend has passed, that doesn’t mean the threat is over. Social engineers and cybercriminals will be on offense throughout the tournament (and beyond), so the clock has not run out on your opportunity to improve the defenses of your end users.

Here are a few tips to share with your employees to help them protect their personal and corporate devices and data this March (and year-round):

Deny Requests for Unsolicited Emails

Social engineers love to use email because it allows them to easily impersonate trusted people, brands and organizations. Any message that triggers an elevated emotional response — fear, excitement, curiosity, etc. — should immediately put the recipient on the defensive. During March Madness, phishing attacks might indicate that a bracket has been deleted, warn that a bracket account has been compromised or altered, or promise a special prize.

But these tactics are seen in many forms, all year round. The safest rule of thumb when dealing with an unsolicited message is to verify through a trusted channel — a known website or phone number, for example — rather than clicking links, downloading files, or calling numbers within the email itself.

Anticipate the Presence of Fake Websites

Just because a website looks legitimate does not mean that it is. Some cyber criminals make a living out of creating fraudulent websites that use known brands and logos to fool unsuspecting consumers into divulging passwords, banking and credit card data, and other personal information. During March Madness, web users are likely to encounter websites masquerading as legitimate sources for NCAA news and products, bracket contests, and tournament tickets — but malicious sites aren’t exclusive to this tournament by any stretch.

To avoid running afoul online, users should be discriminating about the website they visit and restrict purchases to reputable, verifiable retailers. If a website is unfamiliar, visitors should avoid sharing any personal or financial information. As well, extreme caution should be exercised with regard to questionable sites that prompt visitors to download files or software.

Screen Out Unverified Links, Ads, and Apps

Unfortunately, as was reflected in Wombat Security’s 2017 User Risk Report, technology users in the U.S. tend to have a misplaced sense of trust in social media platforms, anti-virus software, and other often-used digital resources. This can lead to an assumption that ads, posts, and applications are vetted and safe to interact with on legitimate sites and within mainstream app stores. On the contrary, it’s important for users to do their own due diligence and develop a defensive posture when navigating otherwise trusted platforms.

As with phishing emails, social engineers and cyber criminals try to prey on curiosity and excitement to solicit clicks and downloads. “Click bait” schemes related to March Madness might include social media posts that link to a “story” about an injury to a prominent player or an amazing upset; online ads and mobile apps might promise free access to inside information or premium content. Again, these are tactics that are repeated (with different themes) all year round.

The best way for technology users to maintain a strong posture is to pick trusted sources for their content and their apps and to roll with these rules of thumb:

  • If something seems too good to be true — and it can’t be verified through a trusted channel — it’s likely to be a scam and should be avoided.
  • Apps should be researched before downloading. Reading reviews is a good start, but mobile users should also check the permissions required by an app, the version history, and the number of downloads. As well, an online search for the app and its developer can quickly reveal any red flags.
  • Links or ads that lead to a log-in screen or that ask for personal information in exchange for access should be treated with the utmost caution. They could be a trap designed to steal private data.
  • Apps that promise free access to content that otherwise would cost money should be avoided. Pirated movies, games, and software are illegal, but cyber criminals know that technology users are often lured by the idea of getting premium content for free — and that content often has malware along for the ride. Well-known, legitimate apps and video players are the safest choices.

Read this article on Security Info Watch