Scottish Football Association subscribers receive fake billing emails
6 December 2016
Football fans have received phishing emails claiming to be from the Scottish Football Association (SFA), demanding money for tickets.
The fraudulent messages, received on Monday morning from email@example.com, demanded up to £170 each from SFA subscribers, to be paid by December 7th.
It is unclear exactly what the emails' payment link led to, although in similar campaigns links have led to malware or fake payment pages designed to steal card details.
The SFA said the data was obtained when a third-party database was breached.
"We urge all recipients to delete the email immediately and recommend that anyone who may have opened it run a security check on their computer to ensure no malware has been installed," it said in a statement posted to its website.
"We would like to assure all supporters that no bank or credit card details have been shared. We have moved to delete this account and the issue has been raised with our suppliers."
Cyber security experts said the breach highlights why businesses need to take care when sharing data between their own employees and with third-party suppliers.
“Some of the details are lacking, but what is clear is that a backdoor was left open for criminals to exploit and obtain sensitive customer data,” said Dr Jamie Graves, CEO at ZoneFox. “Fortunately, the SFA have reassured customers that bank and credit card details have not been shared. Despite this, attacks like this often happen stealthily and wreak havoc rapidly – in this case with phishing emails sent to members past and present.
“It’s incredibly serious if this now leads to members sending away the £170 requested to these crooks. Social engineering tactics like phishing are increasingly common – the Federation of Small Businesses reported 86 per cent of cyber attacks on their members were due to social engineering tactics over the last two years.
“This incident is another wake-up call to companies to become more alert to such breaches and realise that it could happen to anyone. This breach highlights the importance of educating all staff to secure their systems, spot an attempt to gain information from them and to ensure that wherever they are storing this data is locked down tight.”
The emails are just the latest phishing scam consumers have been warned about.
Last week, cyber security researchers discovered a phishing campaign that sent fake billing emails purporting to be from WhatsApp in an attempt to trick users.