The official NFL season may have just started, but for the tens of millions of people in the United States and Canada who play fantasy football, work began weeks earlier--from researching players to running player drafts. Almost all of that work is done on computers as users skip around free websites, and, given that billions of dollars are spent on fantasy sports every year, it would be unsurprising if the industry and those participating were targets of cybercriminals.
Furthermore, many participants in fantasy football today (and similar fantasy sports) spend part of their time online at work hitting up websites to look up statistics and scores, conduct research and perform other fantasy football tasks, potentially making their company’s networks more vulnerable to attack.
With this in mind, researchers with cybersecurity software provider Kaspersky Lab are sending out warnings to fantasy football players about the vulnerabilities to watch out for--including phishing websites and fraudulent apps--and the steps both players and businesses can take to protect themselves.
“The draw for cybercriminals during sports-related attacks is financial gain--they are looking to earn a large sum of money as quickly as possible, and a large number of potential victims means they have a greater chance of their schemes operating as planned,” Brian Anderson, vice president of consumer sales at Kaspersky Lab North America, told ITPro Today in an email. “In addition, during fantasy sports tournaments, fans often act on emotion, meaning they are more willing to click on a fraudulent link if it relates to fantasy tips, their No. 1 pick or their favorite team, further increasing the profits for cybercriminals.”
Daily fantasy sports giant DraftKings reportedly was attacked twice by hackers in August ahead of the NFL season in a distributed denial-of-service (DDoS) campaign that took its servers down, though it was unclear whether the bad actors’ goal was to get money or disrupt the service.
Fantasy Sports Generates Fantastic Amounts of Money
The money in fantasy sports is big and getting bigger. The number of fantasy sports players has grown from 500,000 in 1988 to 59.3 million last year, and the industry is now at $7.22 billion, according to the Fantasy Sports Trade Association (FSTA).
That many people and that much money is an irresistible mix for bad actors, and, according to Anderson, the “most common potential cyberthreats relating to fantasy football are often based on human behavior. Whether it’s a lack of awareness or simply not being careful, the excitement of fantasy sports leagues can sometimes lead to risky online behaviors.”
He outlined three key risks fantasy sports players need to be aware of:
- Fake apps: Fantasy football players not only go online to do research, they also may download apps when doing things like joining leagues, scouting players or participating in various games. The danger could come if they download a fraudulent app that carries malware, puts adware on their devices or steals data.
- Phishing websites: In the same vein, they may unintentionally find phishing links while looking for information or access live streams that direct users to pages that seem legitimate but end up stealing personal information or putting malware on devices.
- Fraudulent payment requests: Fantasy players can spend hundreds of dollars to pay for league-related costs and may use peer-to-peer payment apps to send the money to other participants. If they don’t have the necessary privacy controls on their devices, scammers may be able to impersonate a contact and send a fake request for payment with the goal of stealing money.
The threat isn’t only to the players. Companies can be put at risk if employees aren’t careful while playing fantasy sports at work.
“If an employee clicks on a phishing link or downloads malicious content while at work, they risk infecting the entire corporate network or leaking sensitive data,” Anderson said. “Furthermore, if employees face a cyberthreat due to their fantasy football activities, they may be more reluctant to report it due to fear of embarrassment or repercussions. This can give the attack more time to spread, and therefore make it more difficult to combat and remediate.”
Phishing continues to be a popular workplace attack, he said. In 2017, Kaspersky technologies detected more than 246.2 million attempts to visit various phishing pages, more than half of which tried to mimic banks, payment systems, online stores and even Fortnite links.
There are steps players and enterprises can take to protect themselves. For users, that includes not clicking on spam or hyperlinks not sent by trusted sources, putting strong privacy controls in place for e-payment systems, creating strong passwords, using security software on all devices and ensuring they’re kept up-to-date, and using two-factor authentication when possible.
Business officials should make sure the company has a multi-layered cybersecurity solution that can predict, prevent, detect and respond to attacks, and that includes capabilities like endpoint protection, file antivirus, threat management and hybrid cloud security. In addition, there should be a dedicated solution to automate system monitoring and reporting, as well as policies about what fantasy sites and apps are allowed in the workplace and what behavior is acceptable. Cybersecurity training should also be conducted year-round. Companies also need a bring-your-own-device (BYOD) policy in place, Anderson said.