Reports have indicated that an influx of phishing emails related to the World Cup have centered around sports betting in attempts to lure victims into handing over banking details.

With an estimated 5 billion people tuning in to the World Cup from across the globe, the event has taken center stage this autumn/winter.

As the nations progress through the tournament in a bid to make the final, fans will only become more invested in the success of their national squad, with many placing bets or even travelling to Qatar to show support in person.

But, as the competition hots up, it’s important that fans remain vigilant against the increased cybersecurity risks posed by threat actors, who are taking advantage by launching numerous phishing campaigns.

Phishing is a type of cyberattack where malicious actors send messages pretending to be from a trusted person or company. Phishing emails are designed to manipulate a user into performing an action, such as downloading a malicious file, clicking a suspicious link, or divulging sensitive information.

The basic delivery of a phishing attack is through SMS, email, social media, or other electronic communication means.

Attackers often set up fake websites that resemble a trusted entity like the target’s bank, workplace, or university. Through these sites, attackers attempt to collect private information such as usernames and passwords, or payment information.

During the World Cup, many of the recent phishing campaigns are related to the sale of last-minute tickets or announcing the win of a sporting bet. These messages or websites usually include malicious links that, once clicked, deploy malware and infect the device or ask for login details that hackers can then steal.

With World Cup betting scams on the rise, we have put together some guidance on what to look out for:

• Be aware of imitation: Many scam websites will use a domain name similar to the brand they are trying to replicate, but with additional letters or misspellings. To ensure that you are not handing over your banking information to scammers, pay attention to the URLs to check if there is anything unusual or suspicious. By taking a minute to look for tell-tale signs that a website may be fraudulent, you can quickly determine its legitimacy.
• Never share your credentials: Credential theft is a common goal of phishing emails. Many people re-use the same usernames and passwords across different accounts, so stealing the credentials for a single account is likely to give an attacker access to others. Not all attacks are direct either. Some phishing emails carry malware, such as keyloggers or trojans, that are designed to monitor when you type passwords into your computer. Never tell anyone your password, and, if an email sends you to a login page, visit the site directly and sign in from there to protect against lookalike phishing sites.
• Secure your mobile device: With most of us now accessing our emails from our phones and with hackers now also sending malicious text messages, it’s important that our mobile devices are protected from the latest threats as well. Once granted access, a cybercriminal can steal an incalculable amount of information and a breach can even put the victim’s known contacts at risk. As a result, it is essential to make use of preventative mobile threat defense solutions that protect devices against advanced mobile threats.

Cybercriminals will up the ante when they are presented with an opportunity to make a quick cash grab or steal credentials that they can sell on the Dark Web, and a global event like the World Cup is prime time for them.

This World Cup has already raised cybersecurity concerns, with many security experts warning the public over data privacy concerns with the official app. This, alongside the influx of phishing scams, means it is important that necessary steps are taken to keep yourself protected.

Are you a business owner concerned about phishing?

If you own a business and employ staff with access to an email system, or supply employees with tech such as tablets and phones, you may wish to consider Security Awareness Training.

Delivered by our cadre of students - who have become experts on the subject of cyber security - the EMCRC will help train your staff so they can spot the tell-tale signs of phishing, vishing, smishing et al, and how to protect themselves from threats online.

Your staff can become a barrier to cyber-attacks and malicious activity. For more information, contact us about Security Awareness Training and read about the national Cyber Path programme and how it can deliver the training alongside the EMCRC.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).