Phishing emails ostensibly from the Scottish Football Association (SFA) were sent to subscribers on Monday as the result of a breach.
The SFA blamed a breach at a third-party supplier for a leak of sensitive info that was used in an attempt to trick recipients into opening a dodgy email that appeared under the guise of an invoice for £170. In a statement, the SFA reassured football fans and other registered parties that their financial details (at least) were not exposed by the slip.
We would like to apologise to those who have received a spam email this morning purporting to be from the Scottish FA. The email asks recipients to click a link where they can pay an outstanding bill. This has occurred due to a third-party email database being compromised.
We urge all recipients to delete the email immediately and recommend that anyone who may have opened it run a security check on their computer to ensure no malware has been installed. We would like to assure all supporters that no bank or credit card details have been shared.
We have moved to delete this account and the issue has been raised with our suppliers.
Dr Jamie Graves, chief exec of threat detection biz ZoneFox, said: "The SFA data breach is yet another example of the unintentional insider threat striking many businesses. The breach happened after a third-party email database was compromised – some of the details are lacking, but what is clear is that a backdoor was left open for criminals to exploit and obtain sensitive customer data. Fortunately, the SFA have reassured customers that bank and credit card details have not be shared.
"Social engineering tactics – like phishing – are increasingly common, the Federation of Small Businesses reported 86 per cent of cyber attacks on their members was due to social engineering tactics over the last two years." ®