Beware of March Madness phishing scams

Think twice before you rush to enter an old friend’s March Madness pool this week. There’s nothing wrong with a little camaraderie, but the email invite might be coming from a cybercriminal looking to steal your personal information or money.

Cybersecurity researchers say the annual NCAA basketball tournament brings a slew of phishing emails from scammers looking to capitalize on the public’s eagerness to join the fun. March Madness captures widespread attention, and the yearly rush to get brackets filled out before the first game tips off adds a sense of urgency. That combination makes March Madness a slam dunk for cybercriminals. Emails mentioning the tournament have a better chance of drawing clicks from unsuspecting victims.

Online NCAA pools have been around for years, but March Madness-related phishing has become a growing problem due to the proliferation of social media and artificial intelligence. These technologies have made it much easier for criminals to write and send custom scam emails known as spear phishing. In the past, cybercriminals had to craft spear-phishing emails one by one, doing painstaking research to find the personal details needed to make emails look real. Now social media platforms provide all the personal data needed to target potential victims. Artificial intelligence then automates the composition process, allowing scammers to send out millions of highly customized emails that boost their chances of a payoff.

Here are some reminders to avoid getting scammed:

Think before you click. If something doesn’t seem right about an email, just delete it—ideally before you open it. You’re better off not taking the risk.

Examine the link. Before you click on a link, try hovering your mouse over it. This will reveal the full address, which can expose signs of fraud. A “.ru” on the end of the domain name, for example, means the site is registered under Russia’s country-code domain. Misspellings are another good tipoff to a fake website. If the URL says marchmadnness.com, avoid it.

Don’t open attachments. They may contain malware. Never type confidential information into a form attached to an email.

Guard your financial information. Be wary of emails that ask for account numbers, credit card numbers, or wire transfers, or that mention failed transactions. There’s no reason to share such info via message or an unsecured site.
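For readers who want to see the “Examine the link” check spelled out, here is an added example (not part of the original article and not an ITS tool) that flags a misspelled domain and an unexpected ending in the address a hover reveals. The trusted list, the sample links, and the two-label domain shortcut are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for illustration; the article names no legitimate sites.
TRUSTED = {"marchmadness.com", "ncaa.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(url: str) -> str:
    """Last two labels of the host. Simplification: ignores suffixes like co.uk."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def check_link(href: str) -> list[str]:
    """Return warnings for the real target of a link (what hovering shows)."""
    domain = base_domain(href)
    if not domain:
        return ["no host in link"]
    if domain in TRUSTED:
        return []
    warnings = []
    for good in sorted(TRUSTED):
        # One or two typos away from a trusted name is a classic lookalike.
        if edit_distance(domain, good) <= 2:
            warnings.append(f"lookalike of {good}")
    tld = domain.rsplit(".", 1)[-1]
    if tld not in {g.rsplit(".", 1)[-1] for g in TRUSTED}:
        warnings.append(f"unexpected top-level domain .{tld}")
    return warnings or ["unknown domain"]

# Constructed sample links, not taken from real messages.
SAMPLES = [
    "https://www.marchmadness.com/bracket",
    "http://marchmadnness.com/join-pool",
    "http://marchmadness.com.pool-invite.ru/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link) or "ok")
```

The third sample shows why the end of the domain matters: a trusted name at the front of the address does not make the site trustworthy.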

ITS will continue to simulate phishing and assign training to those most susceptible. If you believe you’ve been targeted by phishing, see Reporting a Phishing Message (How-to).

— Chris Mielke, ITS