The Scottish football association (SFA) website users have been receiving phishing emails, encouraging them to cough up the cash for unpaid tickets. Fans who had signed up to the association were sent phishing emails the morning from an email address, firstname.lastname@example.org, appearing to be registered to the SFA.
Fans received an email early this morning, mentioning that the target has an unpaid bill of up to £170, due by 7 December, and encourages that target to click a link to pay that bill. The list of registered SFA fans was reportedly accessed through the breach of a third party database.
The SFA released a statement on its website earlier today, apologising for the mistake. The statement assured fans that though a third party database was breached, no bank or credit card details were shared. The statement urged “all recipients to delete the email immediately and recommend that anyone who may have opened it run a security check on their computer to ensure no malware has been installed.”
It added, “We have moved to delete this account and the issue has been raised with our suppliers.”
Details are still emerging about what exactly happened and what exactly the link may have contained, although the source code is Chinese according to the SFA.
Dr Jamie Graves, CEO at Zonefox told SC that while “some of the details are lacking, but what is clear is that a backdoor was left open for criminals to exploit and obtain sensitive customer data. Fortunately, the SFA have reassured customers that bank and credit card details have not be shared."
He added, "Despite this, attacks like this often happen stealthily and wreak havoc rapidly - in this case with phishing emails sent to members past and present. It's incredibly serious if this now leads to members sending away the £170 requested to these crooks. Social engineering tactics - like phishing - are increasingly common.”