Like any major event, Super Bowl 53 can generate a slew of cybersecurity risks seeking to capitalize upon the hype and leverage lack of user awareness on how to engage in safe online behavior.
One such risk involves counterfeit tickets. Be suspicious of any offers or ticket prices, which seem too good to be true. Stick to official ticket sources if you plan on attending the game (ensure the URL of the site you’re buying from is legitimate and that it uses encryption, meaning it is prefaced by https). Always use a traceable method of payment such as a credit card—never pay cash.
SEE: Super Bowl 53 is poised to make digital history (TechRepublic)
Another potential threat involves malicious individuals sending emails or text messages with links to bogus websites, which claim to stream the Super Bowl for free (or a ridiculously low charge). You may also come across such links online if you search for them. These websites might harvest confidential information or install malware on your device, so steer clear of suspicious locations; use trusted sources.
Super Bowl security risks
I spoke further about Super Bowl security risks with Tom Kellermann, Chief Cybersecurity Officer at Carbon Black.
Scott Matteson: What are some of the biggest security risks associated with the Super Bowl?
Tom Kellermann: The biggest cybersecurity risks associated with the Super Bowl are targeting the gambling websites and social media of NFL team accounts. Both of these targets could be used as watering holes, whether cybercriminals compromise the gambling sites during halftime, or compromise the NFL’s websites during the big game as millions of viewers stream the Super Bowl in real-time. Watering hole attacks are targeted attacks designed to compromise specific users by infecting websites they typically visit and luring them to a malicious site.
Scott Matteson: What are your top tips for attendees to protect themselves leading up to and during the game?
Tom Kellermann: If you’re attending the Super Bowl in Atlanta, do not use public Wi-Fi, by any means. You should also update all of your devices and minimize your use of credit card purchases in the area. Make sure to disable Bluetooth as well.
For fans who may not be attending the Super Bowl, it’s important to avoid responding to any emails or text messages associated with the big game, team accounts, or online gambling groups, as these correspondences could lure you into a scam.
Scott Matteson: What’s the best way to avoid spearphishing emails?
Tom Kellermann: There are three simple steps that need to be taken in order to avoid falling victim to spearphishing emails:
- Always use Mozilla Firefox as your browser. It’s like a bulletproof Suburban.
- Cut and paste all links from emails and text messages into your browser, especially when the communication is asking for your information.
- Before clicking on that link in your browser, pay attention to the email or text messages text—be sure to check the headers. The “reply to” and the return path need to read the same. If they are not, you’re dealing with a spoof email.
SEE: Information security policy (Tech Pro Research)
Scott Matteson: Who are hackers targeting the most?
Tom Kellermann: Hackers are primarily going to target fans of NFL teams, as well as the online gambling community at large. In addition, since cybercriminals realize that most Americans will be watching the Super Bowl, it means fewer cybersecurity professionals will be doing their job, so vigilance is lowered. It’s a big social event in the nation, so it creates a big opportunity for cybercriminals.
Scott Matteson: How can you spot a scam Super Bowl email?
Tom Kellermann: Three ways:
- Evaluate “the field”: Often with phishing emails, you’ll see poor grammar, misspelled words and unorthodox URLs. Be sure to do a brief check to ensure the sender’s domain and email address are accurate and known to you.
- Know “the play”: Any requests for personal or financial information should be viewed with extreme caution. Be wary of any extraordinary requests in emails. A simple phone call or pop-in to the supposed requestor’s office can go a long way in mitigating risk.
- Watch out for “interceptions”: Don’t download an attachment from anyone other than a verified, trusted source. Attackers will often use links inside of attachments to target victims. If you get an unexpected email from your bank, a shipping provider, or even a friend, some additional insight and verification are required.