World Cup scams: How to avoid an own goal
By ESET June 15, 2018
- In Singapore, scammers have presented very believable phishing emails for banking fraud
- Fraudsters impersonate FIFA, its sponsors, or event sponsors and partners to send missives
With the 2018 FIFA World Cup in Russia underway, fraudsters are increasingly using all things soccer as bait to reel in unsuspecting fans, who end up getting more than they bargained for.
Have you been looking forward to the 2018 FIFA World Cup? So have scammers, kicking it up a notch and looking to cash in on the hype surrounding the quadrennial soccer extravaganza. Fraudsters will attempt to gain access to your personal data, typically credit card details or login credentials, using various methods. What are some of the scams that you may encounter?
Sting in the tail
One common method is to tout a variety of “wares” in large-scale campaigns: cheap match tickets, ticket-inclusive hospitality packages, accommodation-booking services, flights to match-hosting cities, to name just a few. These “bargains” are typically hawked via fraudulent emails or social media posts and messages that, as is their wont, play on people’s emotions. Who doesn’t like a good deal, after all?
Naturally, there’s a kicker. Once the targets are bamboozled into believing that the spam offers something they want or need and click on the provided link, they end up on a phishing website that can convincingly imitate World Cup branding or might even be an outright duplicate of the genuine site.
In Singapore, we have already seen scammers present very believable phishing emails for banking fraud, complete with a legitimate-looking email address, professionally typed email, and even official-looking websites.
It’s not hard to imagine the same tactics being replicated against a possibly less suspicious audience of World Cup fans. Once a recipient has dutifully input their personal information so they can pay for and receive their “tickets”, the attackers, armed with the credit card details thus provided, will raid the victim’s bank account.
Imposters
Fraudsters also impersonate FIFA, its sponsors, or event sponsors and partners such as Visa, Adidas or Coca-Cola, to send missives congratulating you on your “win” in a lottery. In order for your “prize” to be released, they will ask for your personal details and/or request a payment upfront, a kind of “advance-fee scam”.
Other scams may focus on travel visas or the Fan ID, the latter being an identification document required by Russian authorities to gain admittance to a match along with a valid ticket. Furthermore, using bogus offers or counterfeit websites, fraudsters may attempt to sell you bogus World Cup merchandise.
Even if you have no intention of visiting a World Cup venue, you may receive an email or social media message that contains a malicious attachment or link, supposedly to games, apps, footage of highlights, videos with hot news about players, or other tempting content. With the “help” of malware such as a banking Trojan implanted on your machine after you open the attachment or click the link, the attackers may extract your financial information.
Bogus broadcasts
In another common scenario, you may be offered free streams of the games on a malicious, or legitimate but compromised, live-streaming website. All that you’re then asked to do is download additional software or update an existing program (such as Flash Player), but you inadvertently end up compromising your computer with malware or unwanted software such as adware or a browser hijacker.
Attackers may also gain access to your personal data when you connect to a public Wi-Fi hotspot. They can set up a rogue hotspot that can sport a generic name like “Free Wi-Fi” and act like a decoy. Even the use of a legitimate public Wi-Fi network isn’t safe unless the connection is secured. Attacks at insecure hotspots are typically “man-in-the-middle” attacks, where an attacker is able to intercept your data on its travels.
Showing the red card to scammers
FIFA has warned that match tickets are only available on its site, while official ticket-inclusive hospitality packages are only available through an appointed company and its sales agents. A number of ticket listings and sites claiming to sell tickets have been removed, but we’re unlikely to have seen the last of them. The same goes for fake offers on legitimate (e.g. auction or social media) sites. By purchasing tickets from anywhere other than the official source, you’re very unlikely to gain admission to the stadium.
Basic online defenses apply here, too. This includes being astute in recognising phishing messages, which rely on techniques that have been around for several decades and yet remain some of the most effective methods for fraud used by cybercriminals.
Be wary of too-good-to-be-true and out-of-the-blue offerings and communications that ask for your sensitive information – a request at the heart of any phishing attempt. Legitimate organizations such as banks should never ask for your details by email. Similarly straightforward guidance extends to lottery scams: lottery companies do not ask for payments upfront in order for you to collect a prize.
Don’t assume that a website is legit just because it has that comforting green padlock (i.e. the HTTPS indicator) to the left of the URL. A secure connection and a secure site are two different things: the padlock only means your traffic to the site is encrypted, not that the site belongs to who it claims to. Scammers, too, are increasingly embracing HTTPS.
Similarly, the mere fact that a site appears in a Google search doesn’t mean that the site is genuine. Malefactors can boost their sites’ search rankings via search engine optimization (SEO) strategies or paid ads. Use only tried-and-true channels to receive the latest updates on your favourite teams and players.
Likewise, don’t assume that a public Wi-Fi network is legit. Even if they’re not set up by cybercriminals, many public wireless access points (WAPs) can leave you vulnerable to dangers simply because they’re unsecured.
Attackers can easily use an unencrypted Wi-Fi connection to eavesdrop on the traffic and pick up sensitive information that you type, as well as inject malware into the traffic. Avoid using online banking or personal shopping on insecure connections and/or use a reputable virtual private network (VPN) to encrypt traffic between your device and the internet.
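The defensive checks described above (a request for sensitive data, a too-good-to-be-true lottery lure, an upfront fee, and a padlock that says nothing about who owns the site) can be turned into a simple triage script. The following is an added example, not code from the article or from ESET; the sample emails, the hostnames and the OFFICIAL_DOMAINS allowlist (example.org stands in for the organiser’s real ticketing domain) are constructed placeholders, and the keyword lists are assumptions chosen to illustrate the heuristics.

```python
"""Phishing-email triage heuristics (added example, not ESET's code).

Scores a raw email against the checks the article recommends.  Every
domain below is a constructed placeholder; OFFICIAL_DOMAINS is assumed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the only registrable domain the organiser mails and sells tickets from.
OFFICIAL_DOMAINS = {"example.org"}

LURE_WORDS = ("congratulations", "you have won", "lottery", "prize", "selected")
SENSITIVE_WORDS = ("credit card", "card number", "cvv", "password", "login credentials")
FEE_WORDS = ("processing fee", "release fee", "pay a fee", "upfront")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: the lottery/advance-fee lure described in the article.
SAMPLE_EMAIL = """\
From: "World Cup Ticketing" <noreply@tickets-example.org-claim.net>
To: fan@example.net
Subject: Congratulations! You have won 2 final tickets
Content-Type: text/plain

Dear fan,
Your email was selected in our official lottery. To release your prize,
confirm your full name, credit card number and CVV and pay a small
processing fee of 25 USD at https://secure-tickets.example.org-claim.net/login
"""

# Constructed sample: a benign order confirmation from the assumed official domain.
CLEAN_EMAIL = """\
From: "Ticketing" <tickets@example.org>
To: fan@example.net
Subject: Your order confirmation
Content-Type: text/plain

Your order is confirmed. View it at https://tickets.example.org/orders
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'tickets.example.org' -> 'example.org'.
    Sufficient here; real code should use the Public Suffix List so that
    'shop.example.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like(host: str) -> bool:
    """True when an official domain name appears inside a hostname whose
    registrable domain is NOT official, e.g. 'login.example.org-claim.net'."""
    reg = registrable_domain(host)
    return reg not in OFFICIAL_DOMAINS and any(d in host.lower() for d in OFFICIAL_DOMAINS)


def extract_urls(text: str) -> list:
    return URL_RE.findall(text)


def analyse(raw_email: str) -> dict:
    """Return a score (number of red flags) and the list of findings."""
    msg = message_from_string(raw_email)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []

    # 1. Sender: the display name is free text; only the address domain counts.
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if sender_host and registrable_domain(sender_host) not in OFFICIAL_DOMAINS:
        findings.append(f"sender domain {sender_host!r} is not official (display name {name!r})")

    # 2. Links: HTTPS proves the connection is encrypted, not who you are talking to.
    for url in extract_urls(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if registrable_domain(host) not in OFFICIAL_DOMAINS:
            padlock = " (shows a padlock, still not the official site)" if parsed.scheme == "https" else ""
            findings.append(f"link to {host!r}{padlock}")
        if looks_like(host):
            findings.append(f"{host!r} embeds an official domain name as bait")

    # 3. Lure, request for sensitive data, and advance-fee demand.
    if any(w in text for w in LURE_WORDS):
        findings.append("lottery/prize lure")
    if any(w in text for w in SENSITIVE_WORDS):
        findings.append("asks for sensitive data (card details, credentials)")
    if any(w in text for w in FEE_WORDS):
        findings.append("demands an upfront payment (advance-fee pattern)")

    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    for label, mail in (("scam", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        result = analyse(mail)
        print(f"{label}: score {result['score']}")
        for f in result["findings"]:
            print("  -", f)
```

Run stand-alone, the script reports six red flags for the constructed scam message and none for the benign one. The point of the `looks_like` check is the one the article makes about the padlock: the string “example.org” inside `secure-tickets.example.org-claim.net` is bait, because the registrable domain that actually holds the certificate is `org-claim.net`.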
The bottom line
The importance of staying on top of social engineering tactics used by scammers cannot be overstated, says head of ESET Awareness & Research for Latin America Camilo Gutiérrez. “The more educated we are as users, the harder it will be for the attackers to spread their deceptions and make them effective,” he said.
To be sure, the above is just a sample of the ways in which fraudsters are trying to get soccer fans to part with their personal information, money, or both. The high season for World Cup-themed fraud is just getting going as we get closer to the actual event. You need to stay on top of your game, so that you can enjoy the coming soccer spectacle without getting caught in an “offside-trap”.
This article is a contribution by ESET, the IT security software and services provider.