Online scammers are jumping into high gear to target fans during the month-long March Madness basketball tournament, and – whether you play offense or defense – Cybernews is here for the assist.
When it comes to navigating the fast-paced world of cybercrime in sports, the bad guys seem to get smarter and bolder each year, finding new ways to profit by stealing money, information, and even your identity.
Adding AI technology to the mix almost guarantees this season to be filled with a plethora of online scams to watch out for - both old and new.
Cybernews has advice for fans, and sports business owners, about how to make it through the 2023 college basketball tournament season unscathed.
Wider attack surface
The widely followed, action-packed National Collegiate Athletic Association (NCAA) men’s basketball tournament kicks off March 14 in the US.
The NCAA tournament is typically known by most as March Madness – although it runs through to early April – mainly because of the large number of simultaneous games that take place throughout the country, back to back, during the four-week time frame.
“As excitement around March Madness builds, it is critical to be wary of the opportunistic threat actors looming in the shadows," said DataDome co-founder and CEO Benjamin Fabre.
This longer time frame, unlike other one-off US sporting events, such as the Superbowl or World Series, gives the bad guys more time to reel in their unsuspecting victims and perfect their strategies.
“With the increase in online users during these popular times such as big games and events, the attack surface for hackers grows exponentially,” Fabre said.
Scammers know their audience
Social engineering and targeted phishing attacks using fake websites, apps, and ads are some of the most common approaches used by cybercriminals, mainly because they work.
The weakest part of any security set-up is human involvement, according to the Better Business Bureau (BBB) consumer protection agency.
These scammers rely on fans getting caught up in the excitement of the games, wanting to support their favorite teams, and the excess of social gatherings built around them.
“Free online betting, discounted food delivery services, and even cut-rate tickets, are all valid opportunities that can be co-opted by attackers seeking to infiltrate the web traffic and transactions of viewers,” said Jack Danahy, VP of Strategy and Innovation at NuHarbor Security.
“Awareness is the constant key to online safety. During periods of high interest and traffic, like the lead-up to the NCAA Tournament, watching for telltale indicators of fraud while consuming content is the best way to avoid criminals,” Danahy said.
Let’s examine some of the more popular scams happening right now according to the BBB and cybersecurity experts.
A survey by Vegas Odds showed over 52% of wagers will be placed online.
Online betting and brackets
“Last year alone, the American Gaming Association found that 17% of American adults, or 45 million people, planned to wager $3.1 billion on the 2022 March Madness tournament," said Fabre.
Those numbers are expected to quintuples this year with over $15 billion in wagers according to a 2023 March Madness survey by the American Gaming Association.
Another survey, by Vegas Odds, showed over 52% of wagers will be placed online or through a mobile app.
According to the BBB, it is much easier to create a fake sports betting app than a full-service fake sports betting website.
Either way, these fake sites and apps are designed to look legitimate.
They often times imply a sense of urgency to trick users to click on a hyperlink, redirecting the player to a fake webpage in order to harvest personal details including passwords and credit card numbers, said the BBB.
“When cybercriminals succeed in taking control of an online account, they can perform unauthorized transactions, unbeknownst to the victims,” Fabre said.
The BBB warns that registered players may unwittingly enter log-in details and subsequently lose access to their account.
“Once a hacker is inside a user’s account, they have access to linked bank accounts, credit cards, and personal data that they can use for identity theft,” Fabre explained.
“These often go undetected for a long time because logging in isn’t a suspicious action. It’s within the business logic of any website with a login page,” Fabre said.
Sometimes the sites aren’t after personal information, just your cold hard cash.
These sites will entice users with “no risk” introductory bets, but after the user wins money, they never actually receive the payout.
Instead, these sites will allege technical issues or require the user to deposit more funds before any winnings are released.
"I deposited money to put a wager for a sports game. I won the bet, attempted three times to cash out, and three times it has 'decline.'"Online fraud victim
One consumer who filed a complaint with the BBB Scam Tracker said he lost over $600 with the online site MyBookie after trying to cash out winnings.
“I deposited money to put a wager for a sports game. I won the bet, attempted three times to cash out, and three times it has 'decline.' Spoke to their representative: they needed a picture of my driver's license, a photo of myself holding my ID, and a blank check from my bank.” the consumer stated.
Another online betting con known as the "match fixing scam" uses social media to lure its victims.
The bad guys search sites like Facebook or Instagram for profiles and followers who post about online sports betting.
The victim is then sent a direct message offering an 'inside scoop' about a fixed sports event, requesting an upfront fee for the information.
Other times, the victim will receive a direct message on social media or through email that will seem to come from someone they know, with a link connected to March Madness brackets or simply an invitation to place a bet.
Sometimes it's not just the sports fan who can be a victim. “We’ve seen similar situations like DraftKings, which fell prey to credential-stuffing attacks,” said Fabre.
The DraftKings breach cost consumers $300,000 in losses and damaged the reputation of the online betting site, even though the company itself was not breached during the November 2022 attack.
In the DraftKings attack, the threat actors used login credentials obtained from a third-party source to access customer accounts.
The attackers were then able to withdraw funds from a “limited number of accounts” as well as gain other sensitive personal information from the victims.
“Once inside, these criminals look to spread their base of compromised accounts and systems through both technical and social engineering means,” Danahy said.
Beware tempting offers from mystery providers
The biggest lesson from the breach for consumers is not to reuse passwords, and enable multifactor authentication on all accounts.
“While ransomware dominates headlines, the theft of legitimate login credentials and authority is the new favorite target of attackers," said Danahy.
Other advice from experts is to make sure you only use established, approved betting services.
The BBB states fans can look for "white-listed" sports books "approved by your area's gaming commission or through [US cable channel] ESPN.”
Consumers should be careful of tempting ads and ignore gambling pop-ups, emails and text messages.
The BBB also advises fans to carefully read the fine print on gambling sites and apps.
“Many offer incentives or bonuses to new users, and around major games, but like any sales pitch these can be deceptive,” it said.
Folks can also be susceptible to scammers from the comfort of their own homes, while trying to stream games live on TV.
Ticket sales, merchandise and streaming services
Other scams consumers should be wary of concern any type of purchases made online.
During March Madness, cybercriminals polish their social engineering skills in the hope of catching fans looking for a good deal, on anything from buying tickets to the big game itself or sports paraphernalia from their favorite team.
Folks can also be susceptible to scammers from the comfort of their own homes, while trying to stream games live on TV.
“Cybercriminals look out for the best opportunities such as flash sales, hot ticket items, and popular online activities to target organizations and consumers at the most lucrative times, causing significant economic and reputational damage,” Fabre said.
For example, Ticketmaster found itself in hot water several times in the past year, as ticket scalpers flooded its website using automated bots – similar to a distributed denial of service (DDoS) 'zombie' computer attack. This included the well-publicized debacle that occurred in November during online sales of tickets to a popular Taylor Swift concert.
“When it comes to sales, any coveted tickets to events are at risk – scalper bots are a threat, as they aim to snag large quantities of tickets to resell them at a significant markup,” Fabre explained.
Such shady moves force fans to buy tickets from alternate online resale sites, some run by legitimate ticket scalpers, but oftentimes run by scammers who have no problem selling fans counterfeit tickets.
Many stadiums and venues have begun accepting only digital tickets, making scams like this even more likely, the BBB warned.
Fans don’t realize these bogus tickets are phony, until they try to scan them at the venue. Not only do they suffer, but artists, teams and venues also take a hit financially and in terms of their reputation.
Fake companies can create websites not just to sell tickets, but also official sports merchandise such as jerseys, blankets, mugs, flags, and other decorative items.
The BBB Scam Tracker shows one consumer lost hundreds of dollars trying to purchase game tickets through the online site megaseats dot com. The victim claimed the site let them “hover over the section you want and it tells you what is available.”
“It highlighted the floor sections and row letter. I purchased. Then they send you a summary. After they take your money, they send you to a different website,” the victim said.
Scammers are also taking advantage of canceled events, knowing consumers will be looking for refunds.
One BBB complainant said they called a phone number listed as Ticketmaster, and a person even answered the phone claiming to represent the vendor.
The scammer instructed the victim to download a seemingly legitimate app from the Google Play store and enter credit-card details to claim a refund. That consumer lost over $300.
Fake companies can easily create websites not just to sell tickets, but also official sports merchandise such as jerseys, blankets, mugs, flags, and other decorative items.
In fact, the BBB Scam Tracker shows a majority of the consumer complaints are against scammer websites where people pay for merchandise they never receive.
Oftentimes, when the items never arrive, the consumer will go back to the site only to discover there are no contact details, or that the companies are located overseas with an email address to a non-existent customer service department.
If items do arrive, they can be of poor quality or irregular sizes, with no option to exchange or get a refund.
The last area targeted by scammers we will cover is online streaming services. Often these scam sites try and lure consumers in by advertising discounted services or free trials.
The latter ask consumers to put in credit card details to activate, or simply continue to charge the card a monthly fee even after the victim has tried to cancel the service.
“I tried to cancel this on their website, but I can’t get through. I don’t know what to do or how to cancel this," said one consumer, about a trial-streaming service called digitalizze dot com.
"I even contacted my credit card, but they can't cancel or block them. I tried to email them, but no response. I tried to get on their site, but it didn't work," the complaint stated.
Another BBB Scam Tracker complaint stated, "I went to the NCAA dot com website to find out how to watch the tournament finals and clicked on an ad called "Watch Here"...since it was on NCAA website, I figured it was legit and entered my credit card info. After that, I was unable to log in, and I saw a charge on my credit card."
How to avoid giving criminals a slam dunk
“AI and new research techniques are simplifying the creation of realistic messages and offers capable of convincing all but the most attentive targets,” said Danahy.
To stay safe buying merchandise or online streaming services, Danahy recommends you “block questionable sources of email and texts, and ignore ads placed on popular sites and services like Facebook, Instagram, and even LinkedIn, unless their legitimacy can be absolutely confirmed."
Watch for typos in web addresses, and double-check the company's location and contact information to make sure they are legitimate.
When it comes to tickets, the BBB said fans should research the ticket site or seller to see if it provides buyer protections, such as money-back guarantees if tickets are fake.
Consumers should also be wary of ticket offers at extreme discount prices.
And finally, the NCAA itself advises fans to purchase only from its website or schools hosting the games.
For resale tickets, the NCAA Ticket Exchange is the only guaranteed secondary ticket marketplace that has been approved by the sporting body.
The 2023 NCAA schedule will culminate with the Final Four and championship game April 1-3.
More from Cybernews:
Subscribe to our newsletter