College athletics face sophisticated email phishing campaigns

Targeted cyberattacks are increasingly hitting athletic departments at US universities, exploiting trusted communication channels and threatening institutional security.

What happened

College athletic programs have emerged as a new focus for email-based cyberattacks. These departments are attractive targets due to their public visibility, decentralized communication practices, and growing involvement in Name, Image, and Likeness (NIL) deals. Recent incidents have involved credential phishing campaigns that use compromised staff accounts to impersonate conference officials, fellow coaches, and even high school recruiters.

Phishing messages often arrive through trusted platforms like Jotform or links that mimic voicemails and secure login pages. Athletic staff who frequently receive emails from unknown senders, such as recruits and parents, are particularly vulnerable.

Going deeper

In recent attacks, a compromised basketball coach’s account was used to send credential phishing links to staff members at over 50 other universities. Another campaign compromised a conference leader’s email and targeted a head football coach and athletic director with a voicemail phishing lure. In both cases, attackers employed CAPTCHA systems to bypass link analysis tools and redirected recipients to convincing Microsoft login pages.

A third example involved an attacker posing as a high school coach, inviting staff to a fake recruiting event via a shortened link. This campaign used shortened links, CAPTCHA gates, and fake Microsoft login pages to gain account access.

These compromised accounts can be used to conduct lateral phishing across institutions, mislead students with fake NIL offers, and exfiltrate sensitive data, including scouting reports and contract details.

The big picture

Traditional defenses falter against threats that originate from legitimate, compromised accounts and use platforms that pass threat intel checks. Rule- and signature-based systems simply cannot catch such subtle or novel attacks.
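The lateral phishing pattern described under "Going deeper" (one compromised coach's account suddenly mailing staff at dozens of other universities, with a shortened link) is exactly the kind of behaviour a rule or signature never sees but a per-sender baseline does. The following is an added illustration, not code from the article or from Paubox: it builds each internal sender's baseline of distinct external recipient domains per day from constructed mail-log records, then flags a sender whose fan-out on the observed day jumps far above that baseline, noting whether the message carried a link-shortener URL. The domain names, log records, shortener list and thresholds are all assumptions made for the example.

```python
"""Behavioural fan-out check over constructed outbound mail-log records.

Added example: the records, domains and thresholds below are constructed
for illustration and are not data from the article.
"""
from collections import defaultdict
from urllib.parse import urlparse

INTERNAL_DOMAIN = "athletics.example.edu"  # assumption: the institution's own domain

# Assumption: a small list of URL-shortener hosts; a deployment keeps its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

# Constructed log records: (day, sender, recipient, link found in body or None)
SAMPLE_LOG = [
    (1, "coach@athletics.example.edu", "recruit1@school-a.example", None),
    (1, "coach@athletics.example.edu", "ad@athletics.example.edu", None),
    (2, "coach@athletics.example.edu", "parent@mail.example",
     "https://athletics.example.edu/schedule"),
    (3, "coach@athletics.example.edu", "recruit2@school-b.example", None),
    (4, "coach@athletics.example.edu", "rival@univ-c.example.edu", None),
    (5, "coach@athletics.example.edu", "recruit1@school-a.example", None),
    # Day 6: the same account fans out to many other universities with one short link
    (6, "coach@athletics.example.edu", "coach@univ-d.example.edu", "https://bit.ly/abc123"),
    (6, "coach@athletics.example.edu", "coach@univ-e.example.edu", "https://bit.ly/abc123"),
    (6, "coach@athletics.example.edu", "ad@univ-f.example.edu", "https://bit.ly/abc123"),
    (6, "coach@athletics.example.edu", "coach@univ-g.example.edu", "https://bit.ly/abc123"),
    (6, "coach@athletics.example.edu", "staff@univ-h.example.edu", "https://bit.ly/abc123"),
    (6, "coach@athletics.example.edu", "coach@univ-i.example.edu", "https://bit.ly/abc123"),
    (6, "coach@athletics.example.edu", "ad@univ-j.example.edu", "https://bit.ly/abc123"),
    (6, "coach@athletics.example.edu", "ad@univ-k.example.edu", "https://bit.ly/abc123"),
    # A second internal sender behaving normally on day 6
    (6, "ad@athletics.example.edu", "vendor@catering.example", None),
]


def domain_of(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def is_shortened(url):
    """True when the link's host is a known URL shortener."""
    if not url:
        return False
    return urlparse(url).hostname in SHORTENER_HOSTS


def daily_fanout(records):
    """Map (day, sender) to the set of distinct external recipient domains."""
    fanout = defaultdict(set)
    for day, sender, rcpt, _ in records:
        dom = domain_of(rcpt)
        if dom != INTERNAL_DOMAIN:
            fanout[(day, sender)].add(dom)
    return fanout


def detect_lateral_phishing(records, observe_day, baseline_days, factor=3, floor=5):
    """Flag senders whose external fan-out on observe_day exceeds their baseline.

    The threshold is the larger of `factor` times the sender's busiest baseline
    day and an absolute `floor`, so a quiet account cannot be flagged by a single
    extra recipient. Both constants are assumptions chosen for this example.
    """
    fanout = daily_fanout(records)
    findings = []
    for sender in sorted({rec[1] for rec in records}):
        baseline_max = max((len(fanout.get((d, sender), set())) for d in baseline_days),
                           default=0)
        today = fanout.get((observe_day, sender), set())
        threshold = max(baseline_max * factor, floor)
        if len(today) >= threshold:
            shortened = any(is_shortened(u) for d, s, _, u in records
                            if d == observe_day and s == sender)
            findings.append({
                "sender": sender,
                "distinct_domains": len(today),
                "baseline_max": baseline_max,
                "shortened_link": shortened,
            })
    return findings


if __name__ == "__main__":
    for f in detect_lateral_phishing(SAMPLE_LOG, observe_day=6, baseline_days=range(1, 6)):
        print(f)
```

Run as a script it reports only the coach account: eight distinct external domains on day 6 against a baseline of one per day, with a shortened link in every message. The point is not the specific thresholds but that the signal comes from the account's own history, which is why a message from a genuinely compromised, otherwise trusted sender still stands out.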

Paubox recommends using Inbound Email Security, which uses generative AI to go deeper than links or keywords. It understands your organization’s typical email patterns and flags deviations in tone, sender behavior, and message intent. With features like ExecProtect+ (to block display-name spoofing) and continuous learning, it stops sophisticated phishing, BEC, and spoofed communications before they reach staff. 

FAQs

Why are CAPTCHA-based phishing attacks harder to detect?

CAPTCHAs act as a barrier that prevents security tools from scanning the final phishing page, allowing the malicious link to bypass most automated link analysis systems.

How do attackers access athletic staff directories?

Many athletic department staff lists are publicly available on university websites, giving attackers easy access to names and email addresses for large-scale targeting.

What is NIL, and why does it matter in these attacks?

NIL refers to Name, Image, and Likeness deals that allow student-athletes to earn income. Phishing emails referencing NIL opportunities can appear legitimate and emotionally persuasive, increasing the likelihood of engagement.

Are these attacks isolated to athletics, or are other university departments at risk?

While athletics is a current focus, other high-profile or decentralized departments, such as healthcare clinics or finance offices, face similar risks due to complex communication environments.

What can universities do to secure their athletic departments?

In addition to staff training, universities can implement generative AI-powered inbound email security tools like Paubox’s, which monitor and flag unusual sender behavior to detect attacks that evade traditional filters.
