Premier League team narrowly avoids losing £1 million to scammers

Sports organizations from around the United Kingdom have been urged to tighten their cybersecurity after a report revealed a string of attacks against various sports clubs, including an attempt to disrupt a lucrative Premier League transfer deal.

In its first Cyber Threat to Sports Organizations report, the UK’s National Cyber Security Centre (NCSC) singled out Business Email Compromise (BEC) fraud as the biggest threat to sports organizations, with financial gain being the key motivation for BEC attackers. No wonder the sports industry is a lucrative target, contributing £37 billion (US$47 billion) to the UK’s economy each year.

As an example, the NCSC highlighted an incident in which the email account belonging to the managing director of a Premier League club was compromised during a transfer negotiation worth £1 million (US$1.3 million). The attackers used a spear phishing attack involving a malicious email that took the director to a spoofed Office 365 login page where he unwittingly turned over his credentials.

“The attackers assumed the identity of the MD and communicated with the European club. Simultaneously they created a false email account and pretended to be the European club in communications with the real MD,” said the report.  Fortunately, a bank involved in the transfer stepped in at the eleventh hour and thwarted the scheme. In a way, the incident brings echoes of a similar scam where Italian Serie A team Lazio was reportedly duped out of £1.75 million (US$2.2 million).

The NCSC also singled out a ransomware attack that encrypted all end-user devices and several servers belonging to an English Football League club. The attack also cut off its security cameras and turnstiles, which almost led to a match cancellation. The team refused to pay a hefty 400 bitcoin ransom (some US$4 million today) and eventually recovered, but not before incurring losses totaling several hundred thousand pounds.

RELATED READING: Ransomware: Expert advice on how to keep safe and secure

Once it audited its systems, the team found that it lacked sufficient security controls, didn’t invest enough in cybersecurity infrastructure, and didn’t have an emergency response plan in place. Regularly patching and updating systems as well as having backups are just some of the recommendations organizations should implement; for more advice on defending against ransomware, be sure to check out this white paper.

In another incident, a member of staff at a UK racecourse wanted to purchase a piece of grounds keeping equipment on eBay, ultimately agreeing with a seller to pay £15,000 (some US$19,000) for one such listed item. “At this point the seller sent the member of staff bank transfer details via an eBay message, this diverted the member of staff to a spoofed version of eBay ,” reads the report. The buyer made the payment and while they later realized their mistake the money couldn’t be recovered.

RELATED READING: Common eBay scams and how to avoid them

The NCSC report also revealed that at least 70% of the surveyed sports organizations experienced some form of cyber-incident or breach every year, with 3 in 10 incidents ending up causing direct financial damage to the targeted clubs. The average cost of such an incident was more than £10,000 (some US$12,700) while the biggest single loss incurred was worth an astounding £4 million (approx. US$5.1 million).

“While cybersecurity might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real,” said Paul Chichester, Director of Operations at the NCSC. He also went on to urge sports organizations to improve their cybersecurity in order to protect themselves – as well as millions of fans. For example, to mitigate the risk of successful BEC attempts, organizations would be well advised to implement some form of multi-factor authentication.

Meanwhile, Sir Hugh Robertson, the Chair of the British Olympic association, acknowledged the importance of the report, saying, “The British Olympic Association sees this report as a crucial first step, helping sports organizations to better understand the threat and highlighting practical steps that organizations should take to improve cybersecurity practices.”