It is being reported by the BBC that a Premier League club almost lost £1m to hackers during a transfer deal. A new report from the NCSC says the email address of a Premier League club's managing director had been hacked during a transfer negotiation. It was only the intervention of the unnamed club's bank that stopped the theft.
Premier League clubs not only need to consider their cybersecurity, but their operational security. Staff need to be trained on how to spot and handle phishing messages and websites, and clubs need checks in place to verify the identity of any staff member who spends or requests money. It won't matter how good their antivirus and firewalls are if staff members fall for social engineering attempts.
The narrowly avoided theft of nearly £1m from a Premier League football club is hardly surprising, but serves to highlight some truths of the current era.
First, every organisation is a software organisation. Every organisation either creates software or uses it, and many do both.
Consequently, all organisations must embed software security into their culture. Security cannot be bolted on to existing processes and systems. Responsibility for security cannot be assigned to a single group within an organisation, but must be part of how everyone goes about their daily business.
Finally, as organisations gradually get smarter about how they approach software security, attackers shift their attention from the software to the humans operating the software. The attempted theft at the football club was enabled by compromising the credentials of the club’s managing director, which was likely accomplished through social engineering.
As more and more organised criminals have moved into the digital world, we've seen more of them lose interest in the technical side of hacking an organisation and go straight for the money. This has resulted in a rise in spearphishing attacks as well as CEO fraud, also known as business email compromise (BEC).
These attacks rely primarily on social engineering tricks to fool employees into making payments into accounts owned by the criminals. Therefore, it's important that all organisations invest in robust layered security that offers technical protection, detection and response capabilities, backed by good procedures, and ensure all staff receive appropriate and timely security awareness training so they can identify attacks.
Sporting organisations like every other organisation are susceptible to cyber-attacks. This is made even easier when so many transfer details, including information around fees that can amount to millions of pounds, are made public during negotiations.
Lazio and Manchester City have both been on the receiving end of very public cyber-attacks in recent years. In 2018, Lazio paid an attacker close to €2 million as an instalment of a transfer fee; unknown to them, they were actually negotiating with a hacker rather than the team from which they were buying a player.
In 2015, Manchester City had their emails hacked by an attacker who sent details over to the media, which ultimately was very costly. This sent the club on a collision course with many European governing bodies, and it is still unresolved.
While this kind of attack is quite common, training is the most important method of defence here. Organisations that have a large number of public-facing staff should have those staff trained up and ideally have their technology hardened, or at least restricted, to stop or delay attacks. We are seeing a tangible negative impact on clubs and hopefully this will serve as a lesson on how important cybersecurity is.
This hack highlights how cybercriminals are increasingly targeting high profile industries with email scams. In this case, it seems a legitimate corporate email account has been broken into and the hacker has impersonated the real owner and attempted to defraud a club or agent into sending money to the attacker.
These email scams are becoming increasingly sophisticated. We've witnessed new advanced variants even implementing features such as voice fraud, whereby an accurate deepfake voice of a company's CEO, for example, is created to try to convince other companies or employees to comply with an urgent financial request.
Sports companies need to ensure their defenses are watertight both on and off the field of play. This should involve proper and regular cybersecurity training of all personnel within the company, to ensure that individuals are vigilant in scrutinising the types of emails they receive. It’s crucial that the same quality of training is provided to everyone from the intern to the CEO and members of the board, and this should be underpinned by technology such as email filtering, anti-virus protection, and strong password policies.
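The procedural control this commentary keeps returning to is a check on who may release money and to whom, so that a genuine but compromised mailbox cannot trigger a payment on its own. The following is an added example of such a payment-release check, not code from the original article or from any club or vendor mentioned in it; the beneficiary register, the callback threshold and all bank details in it are constructed placeholder values. It treats a new beneficiary, changed bank details or a large amount as triggers that require a callback to a phone number held in the club's own register (never one taken from the incoming email) plus approval by a second person distinct from the requester.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Beneficiary:
    """Payee bank details exactly as they appear on the payment request."""
    name: str
    sort_code: str
    account_number: str


@dataclass(frozen=True)
class RegisteredBeneficiary:
    """Beneficiary held in the organisation's own register. The callback
    number was recorded at onboarding, independently of any email."""
    details: Beneficiary
    callback_phone: str


@dataclass
class PaymentRequest:
    requester: str                        # internal person asking for the payment
    beneficiary: Beneficiary              # details supplied in the request email
    amount: Decimal
    confirmed_by_callback: bool = False   # finance phoned the registered number
    second_approver: Optional[str] = None # must be a different person from requester


# Constructed sample register; hypothetical values, not real bank details.
REGISTER = {
    "Example FC": RegisteredBeneficiary(
        Beneficiary("Example FC", "00-00-00", "00000000"), "+44 0000 000000"
    ),
}

# Assumed policy value: any payment at or above this always needs callback + second approver.
CALLBACK_THRESHOLD = Decimal("10000")


def review_payment(req: PaymentRequest, register=REGISTER):
    """Return (triggers, holds).

    triggers: why this request is risky (informational).
    holds:    controls that are missing; the payment is released only if empty.
    """
    triggers = []
    known = register.get(req.beneficiary.name)
    if known is None:
        triggers.append("new beneficiary")
    elif known.details != req.beneficiary:
        # Classic BEC pattern: same payee name, different account details.
        triggers.append("bank details differ from register")
    if req.amount >= CALLBACK_THRESHOLD:
        triggers.append("amount at or above threshold")

    holds = []
    if triggers:
        if not req.confirmed_by_callback:
            holds.append("NO_CALLBACK_CONFIRMATION")
        if req.second_approver is None:
            holds.append("NO_SECOND_APPROVER")
        elif req.second_approver == req.requester:
            holds.append("SELF_APPROVAL")
    return triggers, holds


if __name__ == "__main__":
    # Constructed request: the "managing director" mailbox asks for a transfer
    # instalment to the known payee, but with changed account details.
    suspicious = PaymentRequest(
        requester="managing.director@example.invalid",
        beneficiary=Beneficiary("Example FC", "11-11-11", "11111111"),
        amount=Decimal("950000"),
    )
    print(review_payment(suspicious))
```

The point of returning the missing controls rather than a single yes/no is that finance staff can see exactly which step (callback or independent approval) still has to happen before the money moves; an attacker who controls the requester's mailbox can write a convincing email but cannot answer the registered phone number or act as the second approver.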