Big Game Phish: Cybersecurity and the Super Bowl

Cybersecurity and the SuperBowl

In America, as January rolls in, interest in American Football rises leading up to the biggest game of the year; The Super Bowl. Since 2006, Super Bowl viewership has consistently drawn more than 90 Million television viewers. While this is easily eclipsed by World Cup viewership,  such a large interest in this single sporting event makes for fertile phishing bait for cybercriminals. From pre-game activities, and all the way through the post-game analysis, each step along the way to the Super Bowl offers some interesting, albeit hypothetical criminal opportunities.

Before the Game

Even before the playoffs conclude, the announcements leading up to the big game are often highly charged. Phishers love this type of excitement. For example, the recent announcement of the retirement of legendary coach Bill Belichick was sensational for many fans of the game. A similarly sensational, yet false story could easily garner some clicks from an ardent follower of the game.

Even a casual fan of the game could be tricked with a carefully crafted phish about a change in the performer line-up for the halftime show.  While this has never actually happened, it would easily present an irresistible opportunity for high engagement in a phisher’s arsenal.

Be Careful Entering the Pool

Games of chance are always attractive, and when the cost to participate is low, they are even more popular. Small stakes football pools are a time-honored tradition in many offices. For those unfamiliar with this game, a grid is created on a large piece of paper, and participants can purchase random boxes on the grid, usually for a nominal sum.  Each of the two competing teams are written along the vertical, and horizontal sides of the grid. Numbers are then randomly assigned to the grid, and the pooled money is assigned to every aspect of the game, from the opening coin toss, to the score at the end of each quarter, and finally, the grand prize for the final score.

Gambling seems to attract phishing. In one report, the State of Nevada had the highest incidence of phishing attacks. Coincidentally, it is also the same State that hosts the largest number of gambling casinos in the US. The thrill of an easy win makes it likely that a person may follow a link to fraudulent site associated with the big game or to participate in a malicious pool. Most wagering is done with actual currency, and while still only the subject of errant internet chatter, the thought of a cryptocurrency pool is not beyond the imagination, raising the possibility for scams.


The cost to purchase advertising during the Super Bowl is breathtaking, and this year’s festivities are reported to be equally astonishing. While most people will not generally follow an advertising link, it may be difficult to resist a great bargain crafted by a phisher based on one of the popular advertisements that are presented during the game.

To illustrate the point, sometimes, even an authentic advertisement can easily fool the viewing audience, as was the case during an infamous commercial that aired during the 2023 game. The emotional intensity during the game can be surprising.

Monday-Morning Quarterbacks

The day after the game ends is equally as exciting as the game itself. Whether it is a discussion of who scored big in the office pool, or a debate about some questionable calls, there is always a good amount of post-game buzz. Sometimes the game itself is not the centerpiece of the commentary. An analysis of the commercials, as well as the halftime show performance, are also fodder for lively banter. In one regular season game, even the Earth’s rotation was not out of bounds for commentary by an astrophysicist.

A cybercriminal is aware of the opportunities presented by these post-game phenomena, and could easily devise some compelling phishing lures.

Gridiron Fantasies

While many seasoned cybersecurity professionals may think that these phishing scenarios are just impossible musings of an unhinged risk manager, in the world of football, seemingly impossible outcomes are not unusual. Whether it is a team with an undefeated record that loses the most important game of the season, or an important Sunday playoff game that gets postponed until Monday afternoon due to snow, anything is possible in the world of the gridiron.

Similarly, a Super Bowl themed phishing campaign may not be as impossible as it seems.

Phishing still ranks as among the most popular techniques of social engineers. Of course, the best way to combat all of this is with good security awareness training. The most important aspect of the training has to emphasize that, no matter how urgent or emotionally charged a headline, and no matter how enticing the offer, consider all the possibilities before clicking on any links. Just as a good team must keep their wits in the high-pressure environment of the Super Bowl, we must all consider the high stakes of a cyberattack.

May your team win, both in the big game, and in business.

Have you enjoyed reading ‘Big Game Phish: Cybersecurity and the Super Bowl’? If you have, you may well enjoy ‘The Use of Automated Facial Recognition in Football Across Europe’.

Big Game Phish: Cybersecurity and the Super Bowl
Scroll to top