Hacking March Madness - The Cybercriminal's Final Four Bracket Picks

The madness is about to begin…

On March 11th, the 68 teams that made it to the NCAA championships will be revealed and the first games begin on March 13th. The Final Four will stretch into early April and because of the workweek scheduling, March Madness will be an enticing distraction for many employees. Whether your company embraces the championships as a morale boosting, competitive team event or puts a halt to personal distractions and unproductive behavior during the work day, it’s inevitable that March Madness is going to impact office productivity.

The cell phones and computers that your workers use every day make it easy for them to secretly stream games online, check the scores in real time, and even place bets on whether Virginia or Villanova will win it all this year.

While your employees fill out their brackets, cybercriminals are choosing their top picks as well. However, they’re not betting on the game. They’re betting they can fool the unwitting fanatic into downloading malware, providing personally identifiable information, and harvesting their login information with a few enticing tricks.


1. Malicious Sites Requiring Registration

Want to watch the games safely or download a bracket? Only use the official source: https://www.ncaa.com/march-madness-live/watch. Remember, blocking access to the official site will only further encourage employees to find work-arounds to watch the game. This drastically increases your risk of being compromised from an employee visiting a malicious site.

Many shady websites claim they’ll give your employees access to free, on-demand streaming of the NCAA championships if they simply create an account. The issue is, many of these sites are harvesting users’ login information to access their other accounts (such as online banking, work accounts, or e-mails). If your employees use the same email, password, or username on multiple sites – they may be putting the entire company’s information systems at risk. Cybercriminals often use harvested credentials to access one account and move laterally across the network until they find financial information or trade secrets.

2. Online Betting

If your employees are looking to make a quick buck from their in-depth sports knowledge, they may try to strike up a friendly wager with their friends and co-workers. If they can’t convince anyone to bet them, they may turn to online gambling to try to cash in on their NCAA picks. According to the American Gaming Association, an estimated $10.4 billion will be spent on March Madness gambling alone. But it turns out, many NCAA bets are actually illegal - depending on the situation. In addition to the risk of breaking the law possibly using your equipment, many of the shadier online gambling sites are run by cybercriminals pushing malicious software, stealing and selling credit card information, or scamming users for personal information. Ensuring your employees are educated on the risks reduces your susceptibility to network compromise.

3. Sketchy Apps & Malicious Downloads

Simply downloading a bracket or rogue March Madness app could quickly turn into a ransomware situation with just a click. Applications that are offered outside of trusted app stores could contain malware designed to lock devices for payment or provide too much access to the contents of your files, exposing personal or financial information. Consider reminding employees about your IT policies. Prohibiting unapproved applications can assist in the protection of the network. Otherwise your business could face the same issues this marketing agency did: Locked Out: Ransomware Shuts Down Marketing Agency

4. Targeted Phishing Attacks

You might see a rise in timely, malicious emails hitting your employee’s inbox in the upcoming weeks. Spoofed e-mails are designed to look like bracket pool invitations, winnings, or updates on how the underdog #10 seed picked off the #2 seed (your employees are going to want to watch that!)

Managing the Madness

Controlling how your employees spend their time is hard. Informing them on the risks and best practices to avoid data compromise and lost productivity is easy. Make sure your employees have the knowledge to spot the red flags of a dangerous situation. Learn more about the Summit Security Awareness Service.

Lee Snead

Lee Snead is Summit's Content Marketing Specialist, and brings cyber-security awareness and training expertise from his days as a security awareness program lead for a Fortune 500 company. Lee focuses on quality content creation, photography, videography, and impactful communications that turn complex IT topics into easily consumable ideas. When he's not writing or filming, he's out on the water. Surfing, kayaking, and SUPing are this St. Louis native's forte.

Related Posts


Sign up for Our Blogs

Latest blogs