An illustration of someone walking a white envelope with a basketball on it.

Before you rush to enter an old friend's March Madness pool this week, you may want to think twice.

There's nothing wrong with a little camaraderie. It's just that the invite message might actually be coming from a cybercriminal looking to steal your personal information or money.

Cybersecurity researchers say the annual NCAA basketball tournament brings with it a slew of phishing emails from scammers looking to capitalize on the public's eagerness to join the fun.

Like other big seasonal events, March Madness has a way of capturing widespread attention, which means emails that mention it have a better chance of drawing clicks from unsuspecting victims.

And the yearly rush to get brackets filled out before the first game tips off adds a sense of urgency, says Sam McLane, head of security operations for Arctic Wolf Networks.

That combination makes March Madness a slam dunk for cybercriminals.

"With emails regarding taxes and banking, you know what to expect; you know who your provider is," explains McLane. So you're less likely to bite.

"With March Madness, you could be getting an email from an old college buddy who uses Bob's House of Brackets and it wouldn't seem strange," he adds.

How the Scams Work

A March Madness-related phishing attack could take several forms, McLane says. One would be an email asking you to click on a link to a tournament-themed website.

But instead of a well-known news or bracket site such as ESPN or CBS, the link might take you to something that looks like a team fan site. You then might be asked to confirm your identity by logging in to Gmail, Facebook, or another social media site. And that's how the thief gets access to your information.

more on scams

Many people, even those who wouldn't normally fall prey to phishing emails, may not stop and think before clicking and entering that information.

"There's a sense of trust," McLane says. "You're dealing with your friends and your co-workers and you're excited about the prospect of winning. There's no perception that there could be a security risk." 

The attack may also come in the form of an email from a fellow pool participant who's been hacked. The message might ask everyone in the group to send their pool payments to a new account. But instead of going to the pool's organizer, your money goes to the hackers.

McLane says people can quickly put the brakes on this kind of scam just by taking the time to contact the person in charge of the pool—maybe by text or through social media—to confirm the change in plans.

While online NCAA pools have been around for many years, March Madness-related phishing has only recently become a problem, mainly thanks to the rise of social media, McLane says. That's made it much easier for criminals to write and send custom scam emails; a practice known as spear phishing. 

It wasn't that long ago that cybercriminals had to craft these emails one by one, doing painstaking research to find the personal details needed to make the emails look real. But now social media platforms provide them with plenty of personal data on potential victims, and software automates the composition process, sending out millions of highly customized emails and boosting their chances of a payoff.

Other March Madness Threats

Phishing isn't the only easy three-pointer for cybercriminals right now.

Kaspersky, a Russian cybersecurity company that makes antivirus products for consumers (and has had its own issues with hacking), says people need to be on the lookout for other NCAA tournament-related threats, too.

Online ticket scams. Fake websites will be looking to steal payment information from fans in search of last-minute seats. Consumers should buy directly from the venue whenever possible and never shop on any site that doesn't start with "https."

Streaming scams. Beware of shady sites offering to stream the games for free. If you install the "player" provided by the site, you could end up with nasty malware on your computer. Stick with streaming sites you know and trust.

Mobile app scams. The same logic applies here. Malicious app creators love to use big events like this to spread their harmful software. Download apps only from trusted sources. And avoid third-party app stores entirely. 

Payment scams. Need to send money to someone in your pool? As McLane says, make sure it's really going to the right person first. Don't do it over public WiFi. Make certain your computer or mobile device has up-to-date security. And, whenever possible, use a VPN or safe browser.

How to Avoid Getting Scammed

Here are some more tips from digital security experts.

Think before you click. If something doesn’t seem right about an email, just delete it—ideally before you open it. You’re better off not taking the risk.

Examine the link. Before you click on a link, try hovering your mouse over it. This will reveal the full address, which can expose signs of fraud. A “.ru” on the end, for example, means the site was created in Russia; “.br” means Brazil.

Misspellings are another good tipoff to a fake website. If the URL says marchmadnness.com, it's best to avoid it. And if you get an email advertising a great deal on game day gear at a major retailer, open a window in your browser, search for the retailer’s web address, and compare it with the one in your email.

Don’t assume that a website is legitimate just because its URL starts with “https.” Criminals like to use encryption, too.

Don’t open attachments. They may contain malware. And you should never type confidential information into a form attached to an email. The sender can potentially track the info you enter.

Guard your financial information. Be wary of emails asking for account numbers, credit card numbers, wire transfers, and failed transactions. There’s no reason to share such info via message or an unsecure site.

Turn on auto updates. This goes for your computer, smartphone, and tablets. Up-to-date security software goes a long way toward stopping malware.

Use security tools. Install an antivirus program on your device and keep it up to date. You can also use a website reputation rating tool, which comes in the form of a browser plugin, to warn you if you try to go to potentially dangerous websites. Cybersecurity companies such as McAfee, Kaspersky, and Norton offer them. But keep in mind that these tools aren’t foolproof.