March Madness is heading into its final weekend and if you followed any of the tournament so far there were, as always, some surprises and upsets. In fact, many brackets were busted early on in the tournament much to the chagrin of fans everywhere, but having a bracket disappoint is nothing compared to falling prey to a phishing scam, which is what happens to many fans.
Emotions run pretty high during the tournament and scammers are quick to take advantage of this. Our CEO, Atif Mushtaq, was quoted in Forbes on just this:
With popular sporting events like March Madness, it’s easy for attackers to prey on human emotions with excitement running high and money on the line. With so many employees participating in office pools and brackets, it’s critical to avoid getting phished through fake sporting-themed websites, contests and offers around the games, or malicious browser extensions that claim to keep track of scores and stats.
The sophistication of these phishing threats is becoming more and more difficult to detect, especially for non-security professionals. Atif explains in Threatpost just how prevalent these attacks are:
Within a week of the tournament starting, we started catching the March Madness-themed phishing sites and shady ads. New sites are cropping up daily, and our system alone has caught over 50 websites from just one of the prolific cyber-gangs. With the end game of committing credit-card fraud, the realistic-looking pages hope to attract victims getting caught up in the excitement and gambling that goes along with March Madness. March Madness, like other major sporting events, are prime opportunities for phishing scams, especially credential stealing and credit-card fraud. Browsers have become quite secure and are getting more so all the time. With improved software design and regularly automated patching, zero-day browser exploits are getting rarer, but that doesn’t mean legitimate-looking phishing sites aren’t getting through to their intended targets.
He also emphasized the need for organizations to educate their employees and most importantly be proactive in securing their network.
You should safely encourage ‘bracketology’ and fun office contests, but it’s more important than ever to have the right security tools in place, such as real-time anti-phishing defenses, and train users to exercise extreme caution when participating in these activities.
With the increased use of BYOD and dual-purpose devices, it’s important to avoid giving away login credentials or accidentally adding malicious browser extensions which can be used to breach corporate assets.
Even though the tournament is almost over, we are still seeing new URLs for March Madness phishing websites pop up. Here’s an example of one of the phishing attack sites that our system caught.
So what can you do to help stop employees from getting caught up in a phishing scam and wreaking havoc on your network? Here are four things to address:
- Since most people who fill out an online bracket have done so in the past, continue to remind, educate and encourage your employees to ignore emails soliciting brackets from unknown sites or people. This is basic IT security rule number one but with the excitement that is March Madness, many people click links and attachments they might otherwise ignore.
- When completing a bracket, make sure employees know that they should only provide the basics of personal data. There is absolutely no need to provide anything more than name and email address. If any personally sensitive information or financial data is requested, it should send up an immediate red flag.
- Be sure your IT team is using real-time threat intelligence feeds. Many of the phishing sites today stay live for hours (not days) – just enough time to wreak havoc on your network, but not enough time for traditional network security tools to do their jobs.
- When possible use real-time phishing detection and protection. Our SEER Technology catches phishing threats that evade URL inspection and domain reputation analysis methods. It helps organizations get ahead of zero-hour phishing threats.
With today’s phishing threats, IT security teams need to be thinking about real-time phishing threat intelligence. While March Madness is fun for most, it can be “madness” for some!