Experts Insight On Premier League Club Almost Loses £1m to Hackers

It is being reported by the BBC that a premier league club almost lost £1m to hackers during a transfer deal. A new report from the NCSC says the email address of a Premier League club’s managing director had been hacked during a transfer negotiation. It was only the intervention of the unnamed club’s bank that stopped the theft.

Experts Comments

July 24, 2020
Paul Bischoff
Privacy Advocate
Comparitech
Premier League clubs not only need to consider their cybersecurity, but their operational security. Staff need to be trained on how to spot and handle phishing messages and websites, and have checks in place to verify the identities of any staff member that spends or requests money. It won't matter how good their antivirus and firewalls are if staff members fall for social engineering attempts.
July 24, 2020
Jonathan Knudsen
Senior Security Strategist
Synopsys
The narrowly avoided theft of nearly £1m from a Premier League football club is hardly surprising, but serves to highlight some truths of the current era. First, every organisation is a software organisation. Every organisation either creates software or uses it, and many do both. Consequently, all organisations must embed software security into their culture. Security cannot be bolted on to existing processes and systems. Responsibility for security cannot be assigned to a single group.....Read More
The narrowly avoided theft of nearly £1m from a Premier League football club is hardly surprising, but serves to highlight some truths of the current era. First, every organisation is a software organisation. Every organisation either creates software or uses it, and many do both. Consequently, all organisations must embed software security into their culture. Security cannot be bolted on to existing processes and systems. Responsibility for security cannot be assigned to a single group within an organisation, but must be part of how everyone goes about their daily business. Finally, as organisations gradually get smarter about how they approach software security, attackers shift their attention from the software to the humans operating the software. The attempted theft at the football club was enabled by compromising the credentials of the club’s managing director, which was likely accomplished through social engineering.  Read Less
July 24, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
As more and more organised criminals have moved into the digital world, we've seen more of them less interested in the technical side of hacking an organisation, and going straight for the money. This has resulted in a rise in spearphishing attacks as well as CEO fraud or BEC fraud. These attacks rely primarily on social engineering tricks to fool employees into making payments into accounts owned by the criminals. Therefore, it's important that all organisations look to investing in robust.....Read More
As more and more organised criminals have moved into the digital world, we've seen more of them less interested in the technical side of hacking an organisation, and going straight for the money. This has resulted in a rise in spearphishing attacks as well as CEO fraud or BEC fraud. These attacks rely primarily on social engineering tricks to fool employees into making payments into accounts owned by the criminals. Therefore, it's important that all organisations look to investing in robust layered security that can offer technical protections, detection, and response categories, as well as having good procedures, and ensuring all staff have appropriate and timely security awareness and training so they can identify any attacks.  Read Less
July 24, 2020
David Kennefick
Product Architect
edgescan
Sporting organisations like every other organisation are susceptible to cyber-attacks. This is made even easier when so many transfer details, including information around fees that can amount to millions of pounds, are made public during negotiations. Lazio and Manchester City have both been on the receiving ends of very public cyber-attacks in recent years. In 2018, Lazio paid an attacker close to 2million Euro for an installment of a transfer, unknown to them they were actually negotiating.....Read More
Sporting organisations like every other organisation are susceptible to cyber-attacks. This is made even easier when so many transfer details, including information around fees that can amount to millions of pounds, are made public during negotiations. Lazio and Manchester City have both been on the receiving ends of very public cyber-attacks in recent years. In 2018, Lazio paid an attacker close to 2million Euro for an installment of a transfer, unknown to them they were actually negotiating with a hacker instead of the team they were looking to purchase a player for. In 2015, Manchester City had their emails hacked by an attacker who sent details over to the media which ultimately was very costly. This sent the club on a collision course with many European governing bodies and it still unresolved. While it is quite common, training is the most important method of defense here. Organisations that have a large number of public-facing staff should have the staff trained up and ideally have their technology hardened or at least restricted to stop or delay attacks. We are seeing a tangible negative impact on clubs and hopefully, this will serve as a lesson on how important cybersecurity is.  Read Less
July 24, 2020
Matt Aldridge
Principal Solutions Architect
Webroot
This hack highlights how cybercriminals are increasingly targeting high profile industries with email scams. In this case, it seems a legitimate corporate email account has been broken into and the hacker has impersonated the real owner and attempted to defraud a club or agent into sending money to the attacker. These email scams are becoming increasingly more sophisticated. We’ve witnessed new advanced variants even implementing features such as voice fraud, whereby an accurate deepfake.....Read More
This hack highlights how cybercriminals are increasingly targeting high profile industries with email scams. In this case, it seems a legitimate corporate email account has been broken into and the hacker has impersonated the real owner and attempted to defraud a club or agent into sending money to the attacker. These email scams are becoming increasingly more sophisticated. We’ve witnessed new advanced variants even implementing features such as voice fraud, whereby an accurate deepfake voice is created of a company’s CEO, for example, to try and convince other companies or employees to comply with an urgent financial request. Sports companies need to ensure their defenses are watertight both on and off the field of play. This should involve proper and regular cybersecurity training of all personnel within the company, to ensure that individuals are vigilant in scrutinising the types of emails they receive. It’s crucial that the same quality of training is provided to everyone from the intern to the CEO and members of the board, and this should be underpinned by technology such as email filtering, anti-virus protection, and strong password policies.  Read Less
July 24, 2020
Chris Boyd
Lead Malware Intelligence Analyst
Malwarebytes
This is most likely an attempt at CFO fraud, where exec-level accounts responsible for funds are compromised to wire huge sums of money overseas. As the transfer was only prevented due to the bank's actions, the affected club may not have security measures in place to combat or even detect such a threat in the first place. Confirming transfer amounts over the phone, having agreed protocols in place such as 2FA to authorise transfers, and securing relevant email addresses are a few ways.....Read More
This is most likely an attempt at CFO fraud, where exec-level accounts responsible for funds are compromised to wire huge sums of money overseas. As the transfer was only prevented due to the bank's actions, the affected club may not have security measures in place to combat or even detect such a threat in the first place. Confirming transfer amounts over the phone, having agreed protocols in place such as 2FA to authorise transfers, and securing relevant email addresses are a few ways organisations can thwart this type of attack.  Read Less
July 24, 2020
Jake Moore
Cybersecurity Specialist
ESET
Threat actors are like water finding the cracks in organisations they attack. They will persistently look until there is a vulnerability and with enough pressure, this crack will break. Whilst the sporting industry is not seen as a data-driven sector, it is arguably weaker than other sectors as information security often places much lower down the list of priorities. Not only do sports organisations often have less sophisticated and stringent security, but they also have more money to pay.....Read More
Threat actors are like water finding the cracks in organisations they attack. They will persistently look until there is a vulnerability and with enough pressure, this crack will break. Whilst the sporting industry is not seen as a data-driven sector, it is arguably weaker than other sectors as information security often places much lower down the list of priorities. Not only do sports organisations often have less sophisticated and stringent security, but they also have more money to pay demands. These sorts of targets can be seen as a win-win situation for cybercriminals. Those in charge of financial transactions need constant reminders of the risks to their clubs, and up-to-date authentication techniques must be in place to help verify legitimate transactions. The results of any ransom demands or fraudulent transactions will no doubt have a knock-on effect on the spectators and other local connections. The sporting industry might need a shake-up to start valuing their information security as highly as the sport itself.  Read Less
July 24, 2020
Carl Wearn
Head of E-Crime
Mimecast
No organisation or sector is safe from cyber threats, and that includes the beautiful game. Transfer deals are obviously a high-pressure time for many football clubs, with lots of fan pressure to get the deal over the line. This pressure can potentially be really detrimental to cyber-hygiene and lead to its own goals. In this instance, the attack appears to be an impersonation attack and this variation is definitely on the rise. Our recent State of Email Security report found that 60%.....Read More
No organisation or sector is safe from cyber threats, and that includes the beautiful game. Transfer deals are obviously a high-pressure time for many football clubs, with lots of fan pressure to get the deal over the line. This pressure can potentially be really detrimental to cyber-hygiene and lead to its own goals. In this instance, the attack appears to be an impersonation attack and this variation is definitely on the rise. Our recent State of Email Security report found that 60% experienced an increase in impersonation since last year. Whilst 51% have been impacted by ransomware in the past 12 months. Football clubs spend millions every summer investing in their team’s defense, but it is time they started investing in their cyber-defense. Not investing in their organisation’s cyber awareness will leave cyber-criminals with an absolute tap in, that even a Sunday-league striker couldn’t miss. We all need to take time to pause and consider verifying the origins of any electronic communications, by means other than online, if there is likely to be any doubt cast over it being genuine. In a related trend, mergers and acquisitions are being utilised as a theme in BEC emails and employees should be wary of any communications related to “sensitive projects” which may well be seeking to deter you from undertaking adequate steps to verify the authenticity of it. Taking just a few seconds longer to fully consider any important requests could well prevent a significant loss, sometimes in the millions.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.