
Editors' pick: Originally published March 6.

Cyber attacks will surge as the hype around March Madness rises: the number of people participating in NCAA brackets and betting pools increases, and it is matched by an even larger number of new financial scams and phishing attacks.

Fraudsters have already prepared for the extreme excitement building around the NCAA basketball games by creating fake betting websites and infecting emails with malware as millions of Americans fill out tournament brackets as part of their office pool or as part of another social group.

"Everyone knows that sporting events are watched by millions of Americans each year and that many bet on the outcomes," said Dan Lohrmann, chief security officer at Security Mentor, a Pacific Grove, Calif.-based security awareness training provider.

While many fans hope to cash in on the annual tournament, others will donate the proceeds to charity. Although the yearly ritual is merely entertainment for some people, some individuals are drawn into the online betting options and opportunities to generate additional funds.

"One key difference to this annual March event from others is that people are willing to put money into their brackets, usually in small amounts, in ways that they do not during the rest of the year," he said. "This means that people who are not alert are especially susceptible to falling for phishing email scams or downloading one-off apps to smartphones that may be infected with malware."

March Madness is an opportunity for cyber criminals to trick and manipulate consumers, said Joram Borenstein, vice president of marketing of NICE Actimize, a New York-based financial crimes software solutions provider.

"New phishing and malware schemes will come and go, but the social engineering aspect of these types of events is what remains the consistent element," he said. "Consumers should be vigilant about email, social media posts and calls that are seemingly too good to be true when it comes to March Madness."

How Fans Can Prepare Themselves

Even seemingly legitimate websites can have downloads which are spoofed and infected, so consumers should not assume their favorite sports or fan website is immune from hackers, said Lohrmann.

Before you purchase tickets, buy sports memorabilia or place a bet, determine who you are "truly dealing with online," he said.

"Make sure you are trained on how to spot phishing attacks and other online tricks and be alert," said Lohrmann. "Everyone should be taught critical security skills that show them where they are in danger from their own behavior. Security awareness training in an easy-to-understand, interactive format, is a must to enable real, immediate behavior change."

These scams are not merely a trend; they are a constant revenue stream for hackers who rely on unsuspecting consumers falling prey to their shenanigans. Even if you are not a fan of March Madness, the criminals will be "back for other major sporting events, such as the next Olympics, the World Cup or the World Series," he said.

"Cyber criminals are just waiting for you to let down your guard," said Lohrmann. "Everyone needs to be on continuous alert for online scams and attempts to trick you or your team into making a costly mistake."

Fraudsters are very active and move rapidly on to the next event, even run-of-the-mill ones such as filing taxes.

"March Madness is a unique annual event over several weeks that opens up the door for cyber criminals in a variety of different ways," he said. "Nevertheless, natural disasters, IRS tax season and other major sporting events can also be exploited by cyber thieves, so be prepared."

Avoid emailed requests to participate in polls, surveys and contests related to March Madness, said Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company.

"Unsolicited requests to sign up and provide information may be attempts to steal your personal information," he said.

One of the first signs of fraud is unusual spelling mistakes, typos or strange email domains which do not match the name.

"I recently received spam from FedEx with a domain of '' instead of '' and other errors," Wenzler said. "These are hallmarks of malicious emails trying to portray themselves as coming from legitimate sources."

Links or attachments in an email are still a popular way for fraudsters to reel victims in. Rather than clicking on them, fans who are participating in a bracket or a fantasy league should type the site's address into their browser directly.

"Phishing emails may eventually forward you on to the right site, but they can easily hijack the session to point you to other sites that download malware or ransomware to your system before they forward you along," he said.

When consumers are participating in bracket pools, fantasy leagues or surveys, they should never share, online or with a co-worker or family member, any personal information such as passwords, account numbers, answers to personal verification questions or any other information that can be used to identify them.

"If you're not sure whether an email is legitimate or not, be sure to ask," Wenzler said. "All legitimate companies have ways to verify emails from their site through their web sites and/or support teams."

Companies should be proactive since the NCAA tournament is one of the highest web traffic periods of the year. Hackers will use "every trick in the book to try to break into business networks," said James Lee, executive vice president at Waratek, a Dublin, Ireland-based provider of application security solutions.

"March Madness is a perfect time for businesses and fans to check their cybersecurity protections to make sure they are up to date," he said.

Since employees will be using their work computers to reach external websites more than at any other time of the year, companies need to ensure all of their system security updates have been applied.

"They also need to remind employees to pay close attention to emails that may look legit, but are actually part of a phishing scheme to gain access to a company's systems or software," Lee said.