$20B loss estimated from potential March Madness hacks

With the rise of artificial intelligence (AI), the potential for monetary losses during March Madness is increased. With a combination of cyberattacks and lacking productivity from office betting pools, it is estimated that organizations could lose more than $18.3 billion in revenue this year. This is an increase from 2023, at $17.3 billion.

Large events often attract cybercriminals, leading to greater malicious activity. Unlike most other events, however, March Madness occurs over several weeks, giving cybercriminals a more time to execute plans. 

Below, cybersecurity leaders discuss the risks surrounding March Madness and provide advice for how organizations can prepare. 

Security leaders weigh in 

J Stephen Kowski, Field CTO at SlashNext Email Security+

March Madness brings heightened cybersecurity risks this year, especially with the expansion of sports gambling beyond traditional office pools creating new attack vectors for credential harvesting and financial fraud. Attackers are crafting convincing phishing campaigns that mimic tournament brackets, betting promotions and registration forms — all designed to steal credentials or connect to funding sources.

Modern email security with real-time phishing detection can identify these threats at the point of click, protecting users whether they’re participating in office pools or exploring betting platforms. The intersection of a major sporting event during business hours, with increased personal financial stakes, creates a perfect opportunity for sophisticated social engineering attacks that blend seamlessly with legitimate tournament communications.

Krishna Vishnubhotla, Vice President, Threat Intelligence at Zimperium:

March Madness creates a perfect storm for mobile-targeted cyber threats. From phishing scams to fake bracket apps, cybercriminals exploit the surge in activity to steal credentials and compromise devices. Organizations must ensure their mobile security strategy includes proactive, on-device protection that detects and stops threats before damage is done.

Cybercriminals know employees will be streaming games, checking brackets and engaging on mobile devices during March Madness. Fake betting apps, fraudulent login pages and malicious streaming links can easily bypass traditional security layers. Enterprises must take a mobile-first approach to security, ensuring threats are detected in real-time before they impact users or corporate networks.

With employees engaging in March Madness activities on mobile devices, security blind spots increase. Cybercriminals take advantage of this with phishing attacks, fake apps and malicious links that traditional security solutions often miss. Businesses should implement mobile security that continuously monitors for threats — on and offline — to keep both devices and corporate data safe.

Chris Gray, Field CTO at Deepwatch:

This scenario follows the common phishing tactics — strike at personal interest. End users know not to trust random emails. We know that no Nigerian prince is actually going to give us millions. We understand that unsolicited requests from our bank may be falsely presented. Each of these, however, address something we care about: fear, greed, self-interest, a lack of time, etc. The end result is that phishing remains one of the most effective sources of compromise in play.

The March Madness concerns fall into the same category. Mass interest equal mass opportunity, and familiarity breeds contempt. Organizations (and end users in general) need to invest in awareness training and protection, be it agents, system policies, or preventative gateway controls, in order to minimize damage. Monitoring of credit, dark web activity and other associated remote access means can help identify potential harm if the door was already left open.

In short, all of the normal phishing protections and practices should be in place, updated as needed and well communicated. This is an exciting time, but it doesn’t excuse us from properly cyber hygiene. 

Trey Ford, Chief Information Security Officer at Bugcrowd:

The same advice rings true for March Madness as it does any other time of the year. If it sounds too good to be true, it probably is... except on the internet, where it always is. We all love a good deal, but take care in where you try to make purchases online. Buying from reputed sources (whether tickets, merchandise, or anything else) is the only way to avoid credit card theft and counterfeit products.

I believe that most people have learned not to enter credit cards into shady websites, and we should all think twice before giving away our email address and cell phone numbers. Please never, ever install applications after clicking an advertising link, especially when it came from trying to buy tickets or sports merchandise. Most of this fraud should clearly take place outside of the workplace — ultimately we should all avoid conducting personal business on our work accounts. 

Kaushik Devireddy, Senior Product Manager at Deepwatch:

Betting and sports websites such as DraftKings, FanDuel, etc. rely heavily on engaging users through promotional offers such as Bonus Bets. These provide users a risk-free bet, or discounted odds on popular odds lines. We can expect that as March Madness ramps up, threat actors will craft phishing emails and notifications for bonus bets impersonating betting platforms with the imagery/likeness of March Madness players. Their goal with these attacks will be to gain access to betting accounts which contain deposited funds, as well as bank account linkages. While the method to exfiltrate funds for threat actors is not obvious (many betting platforms have strong verification procedures for withdrawals), they can certainly cause users harm by wasting deposited funds.