The global sporting industry has become a major attraction for cybercriminals, who are actively looking for ways to trick spectators into the trap of social engineering, by posing as an official partner, infrastructure, ticketing platform, or online travel booking site.
Hackers have been using more complex tactics to impersonate legitimate organizations to reach their targets rather than infiltrating their victims' networks and technical infrastructure.
During the 2022 FIFA World Cup in Qatar, cybersecurity experts warned that hackers could fake ticketing, hotel bookings, and restaurant reservations to capture personal data from people traveling to Qatar. As a result, Qatar invested $1.1 billion in cybersecurity to prevent incidents during the World Cup and beyond.
Two years later, the cyber threat to major international sporting events remains as real as ever. As the Paris 2024 Olympic Games, findings indicate that two-thirds of the games' official partners did not have the necessary security measures in place to protect themselves from domain impersonation, exposing the public to the risk of email fraud.
Still gaps in cyber defense
In addition, most local authorities hosting the Games (70 per cent), the top online ticketing platforms (90 per cent), and travel websites (40 per cent) were not proactively blocking fraudulent emails that could reach the public.
The growing risk of cyber threats to sporting events also mirrors those perceived by CISOs in the Middle East for their organizations. A survey revealed that 70 per cent of UAE CISOs felt at risk of experiencing a material cyber attack in the next 12 months. In Saudi Arabia, the top perceived cybersecurity threats for 2024 include business email compromise (50 per cent), cloud account compromise (42 per cent), and insider threats (37 per cent).
Additionally, the study highlighted that 85 per cent of organizations in the UAE were targeted by business email compromise attacks in 2023, up from 66 per cent in 2022. This increase in BEC attack volumes could potentially be attributed to attackers leveraging generative AI to craft more convincing and personalized emails in multiple languages.
As the Middle East strengthens its profile as a host for high-profile sporting events, including the Abu Dhabi Grand Prix, Dubai Desert Classic, and the Aramco Team Series, it will need to take strong measures to protect the public from fraud.
How can large scale event organizers safeguard themselves from such risks? As the majority of cyberattacks start via email, robust email security is a critical place to start.
Make it part of cyber security protocol
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an easy-to-implement email authentication protocol and a highly effective measure against domain name spoofing, which underpins email fraud. The fact that many organizations still do not have it in place raises fear of the advent of a cyber threat of unprecedented proportions.
An analysis of 143 domain names associated with the Paris Games ecosystem revealed that while 66 of the 77 official partners adopted DMARC at a basic level, only 26 use the highest DMARC ‘reject’ registration. Similarly, of the 20 cities that hosted the Games' events, only 6 actively protected the domain name of their official website with the strongest DMARC ‘reject’ registration, while 5 did not have the DMARC protocol in place at all.
This shows that a majority of players in the Olympic Games ecosystem still lagging behind when it comes to protecting their emails. This is a wake-up call for the international and regional sporting industry to be fully DMARC compliant and proactively implement measures to block fraudulent emails from reaching the public.
To keep spectators safe, organizers must stress the importance of being wary of unsolicited emails, texts, or calls, especially if they suggest taking ‘urgent’ action or asking for payment. It is also vital to never give out financial information or passwords via email or text message and always call the bank directly if a request seems suspicious.
Lastly, it is important to create a unique password for each online account used. This is essential to minimize the risk to the public, as often, the easiest way to breach security is to exploit the human factor.