The World Cup is a joyous time. It brings everyone around the globe together to rally behind their national teams and focus on enjoying the beautiful game. However, such a huge distraction provides an opportunity for fraudsters, and cybersecurity organisations are warning about a rise in cyber attacks.
You would be forgiven for thinking that the stereotypical hacker in a dimly lit room would be the main threat. However, eosedge Legal, the cybersecurity firm, has suggested that government-backed hackers will also be active during the Qatar World Cup.
The Sport Information Sharing and Analysis Organisation (Sports-ISAO), which promotes cybersecurity for teams, leagues, athletes and fans, has warned that some cyber attacks on the World Cup are already underway. Furthermore, cybersecurity lawyers point out that businesses around the world, as well as fans, are at risk of a cyber breach.
eosedge Legal’s cyberlaw and sports data lawyer, Douglas DePeppe said: “The World Cup in Qatar is likely to be heavily targeted by cyber gangs and nation-state affiliated hackers.
“Fans should be wary about social media links offering free streaming of matches. Sports-ISAO uncovered massive click-fraud schemes during past events which began with lures offering free streaming. After clicking on the link, the user’s device would become compromised and exploited to become part of a large botnet which engaged in advertising fraud. Once compromised, the device could be exploited further. Credentials can be harvested leading to identity theft and other thefts against the device owner.”
Stephen Campbell, eosedge Legal and Sports-ISAO cyber consultant, added: “Certain Russian groups, like Fancy Bear and Sandworm, may be less active this time because of the war in Ukraine. However, many groups will exploit the World Cup global audience for malicious aims using social media and hacking tactics.”
Illegal streaming services
Jane Ginn of Sports-ISAO and Identity Asset Advisors added: “The valuable assets and money flows around an event as large as the World Cup make it an attractive cybercrime target. Broadcasters, sponsors, advertisers and commercial partners of FIFA all face different varieties of money flow threats. At Sports-ISAO, for example, our sport NFTs associated with the World Cup linked from our site will likely attract both buyers and scammers.”
Douglas DePeppe of eosedge Legal, who are members of the IR Global network, added: “For the global business community, the risks include workers wanting to watch from work using streaming services which may not be trustworthy, clicking on email and web page banner links, and inattentive smartphone clicking, especially on social media.”
Speaking exclusively to The Fintech Times, Douglas DePeppe said: “As a revenue generator, the economic value of the Qatar World Cup is in excess of $10 billion.
“That figure aggregates revenues from broadcasts, advertising, tourism, event sales and other industries. And, with a projected global audience of five billion people, it should surprise nobody that cybercrime and influence operations will target it. During past global sporting events, web-based malware and social media schemes have skimmed or stolen money, or infringed the rights of advertisers, broadcasters, and fans.”
The delete key is your friend
The old adage, “if it’s too good to be true, then it probably is”, has stood the test of time and continues to ring true. PJ Rohall, head of fraud strategy and education at SEON, a cybersecurity firm, spoke to The Fintech Times and explained how many fraudsters see this as an opportunity to cash in on people’s emotions.
Fans invest a lot of emotion into sport events. As a result, it is easy to respond to something in the heat of the moment. For example, a scammer may send a text/call/email saying a fan has won a chance to see a game live, and then ask for personal details or money as a part of the winning.
“Fraudsters use events like this because it is big and important and exciting and folks’ guard is down,” said Rohall. “They are high on the moment and will take action and do things they normally wouldn’t do. And that’s not just the World Cup, that’s why scammers leverage many different emotionally impactful events – to prey on excitement (or fear) to separate folks from their traditional way of acting.”
For many, seeing a World Cup game live may be a once-in-a-lifetime opportunity, making it impossible to pass up… but if it’s too good to be true, then it probably is. This is especially true if you did not enter any competition.
Mark Brown, founder of Psybersafe, a cybersecurity awareness training platform which uses behavioural psychology techniques to teach businesses the art of spotting potential hacking attempts, put it best: “If you weren’t expecting the email or text, be cautious. The delete key is your friend.”
Neither companies nor citizens can switch off during the next few months. Despite distractions, they must stay attentive. Fintech Netguru’s cybersecurity lead, Maciej Markiewicz, pointed out the best ways that citizens can prepare themselves: “The most effective methods are standard ones, such as password hygiene and two-factor authentication. Of course, passwords must be long (at least 12+ characters), complex, and unique. You should use those best-practice passwords generated and stored in password managers.
“When it comes to two-factor authentication, it is less obvious, but also a must-have. The most effective 2FA method that protects against phishing is the U2F hardware key (Universal 2nd Factor). However, if you do not have such a key, other methods will also positively impact your security. These methods include SMS, authenticator applications, and push notifications.
“However, the key aspect and the line of defense is user awareness. Unfortunately, this element is the most difficult to achieve. Raising awareness is difficult and the high emotions associated with the championship make it even more so.”
Being on high alert
Impersonating official pages works in tandem with malicious and misleading emails and texts. But it is not only sites which pose a risk. Research from Digital Shadows, the cybersecurity firm, shows that mobile apps and social media pages are also spreading scams.
A spokesperson said: “We advise people to be very careful with what information is shared online or on social media. Disclosing things such as pet names, schools attended, family members’ names, and your birthday – particularly with a new social media group – can give a scammer all the information they need to guess your password or answer your security questions.
“Also, make sure you only use legitimate app stores such as the Apple and Google stores when downloading applications and ensure you review security and access permissions granted to these programs.”
There are similarities between an organisation’s preparedness plan and a citizen’s. Rachael Greaves, CEO and founder of regtech Castlepoint Systems, points out: “To avoid falling victim, the first thing to do is to set up multifactor authentication for everything you can. Usually to successfully impersonate you with a major institution, even with your ID documents, scammers will need to access your email or phone to get validation codes. You can make this much harder by requiring MFA for all your logins.
“Some organisations still use ‘security questions’ to allow a password change without a second factor of authentication. This is why it’s also important to keep your social media private. If someone wants to know your mother’s maiden name, and your Facebook is public, this will only take them a few moments to get.
“The best way to avoid being scammed used to be to safeguard your personal information closely, but it has become clear in the last five years that this is no longer a viable strategy. Even the most sophisticated organisations can be, and have been, breached. This is why we developed artificial intelligence to understand all the risky information they hold about you, spread all over their network, so that they can protect it properly (and destroy it if they don’t need to still be holding it).”