College Athletics Under Email Attack: How Bad Actors Are Targeting the Sidelines
College athletic programs are prime targets for email attacks. Learn how threat actors exploit them—and how Abnormal AI stops attacks before they spread.
Mitch Spaulding

Higher education institutions have long been prime targets for cyberattacks, with the average data breach costing $3.5 million. What’s often overlooked, however, is just how complex these institutions are. Beyond educating students, universities operate sprawling ecosystems—hospitality services, retail and dining outlets, healthcare clinics, and of course, multi-million dollar athletic programs. That complexity makes it nearly impossible for security teams to apply one-size-fits-all protection across all business units.
Athletics, in particular, presents a unique challenge. These programs generate immense amounts of revenue and are widely visible, making them ripe targets for attackers. It doesn’t help that athletic staff typically aren’t focused on security posture; they’re dialed in on winning championships and recruiting top talent. That’s their job, after all. Additionally, athletic personnel are used to interacting with unknown Gmail or Yahoo accounts belonging to student-athlete recruits, high school coaches, and parents. Taken together, the nature of typical athletic communication creates a perfect storm for phishing attacks.
Moreover, the recent rise in NIL (Name, Image, Likeness) opportunities only adds more fuel to the fire. Now, email attacks don’t just put sensitive information at risk—they can directly impact the livelihoods of student athletes and their families alike. Below, I’ll walk through a few examples of real-world attacks we’ve seen at Abnormal AI that are targeting athletic programs across higher education.
The Rise of Credential Phishing in the Athletic Arena
One of the more pervasive attack patterns we’ve seen in recent months is a snowball effect of credential phishing campaigns spreading across athletic departments. It usually starts with a successful compromise—say, a basketball coach’s account from one university. The attacker then uses that compromised account to target dozens of other athletic staff members at different institutions, pulling contact details from publicly available athletic directories.
Here’s how the attack typically unfolds: an email lands in the inbox of 50+ athletic staffers, appearing to come from HR. The subject line references an “Athletic Staff Directory Update” and urges recipients to view the updated document within two to three days. In reality, the link redirects to a newly generated Jotform survey site, masked to look like a secure sign-in page, which lets the threat actor capture the credentials recipients enter.

This attack is effective because it’s incredibly difficult to defend against compromised, legitimate accounts—especially when each iteration comes with a new subject line and a fresh (and technically legitimate) Jotform link. Threat intel providers give these URLs a pass, and traditional policy-based solutions fall flat. This results in another batch of compromised accounts and another round of phishing attacks pre-staged for the following weeks.
When Conference Leadership Gets Compromised
In one of the more targeted campaigns we observed, a bad actor managed to compromise the email account of a leadership member from an intercollegiate athletic conference. Using that account, they crafted a phishing email directed at the head football coach and athletic director of a major Power 5 program in the same athletic conference.
The message posed as an automated voicemail notification—complete with a convincing link that bypassed traditional security tools. Instead of a standard phishing page, users were first directed to a CAPTCHA that mimicked a voicemail play button, effectively defeating link crawlers and sandboxing solutions.

Once the coach and the athletic director clicked on the CAPTCHA button, they were then presented with a Microsoft credential phishing page where they could supply their credentials to the bad actor.
To add to the complexity, a recent incident involving the school and the conference likely meant that the coach and athletic director were already in communication with the actual conference official. This context made the phishing attempt even more convincing as it wasn’t just well-crafted—it was precisely timed and context-aware.
Phishers Take the Field as Coaches and Recruits
As a former high school athlete, I remember thinking hard about how to make my HUDL highlight videos stand out when emailing college coaches. As it turns out, threat actors are thinking the same way.
In another targeted attack, a bad actor posing as a high school football coach sent a personalized invitation to a Big-10 head football coach and his assistants.
The message, sent from a Yahoo account, invited them to RSVP to what appeared to be a local recruiting event. The link used a “t.ly” shortener to obscure the destination and rendered a Cloudflare CAPTCHA—again, defeating any sandboxing link analysis.

After completing the CAPTCHA, the coach and his assistants would be taken to a Microsoft credential phishing page. It looked legitimate. It felt legitimate. And that’s why we see these kinds of attacks result in success for the bad actors and hours of incident response for security teams.
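The three campaigns above share a few observable traits: an internal-role display name on an outside sender, a form-builder or shortened link, and deadline or voicemail lure wording. The Python sketch below is an added example, not Abnormal's detection logic, that surfaces those traits for analyst triage; the org domain, host lists, keyword patterns and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this sketch: our own mail domain, host lists and keyword patterns.
ORG_DOMAIN = "athletics.example.edu"
FORM_BUILDER_HOSTS = {"jotform.com"}   # form builder named in the article
SHORTENER_HOSTS = {"t.ly"}             # shortener named in the article
ROLE_NAME = re.compile(r"\b(hr|human resources|payroll|help ?desk)\b", re.I)
LURE = re.compile(r"\b(voicemail|directory update|rsvp|within \d+ days)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+")

def host_in(host, suffixes):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def triage(raw_message):
    """Return the reasons a message deserves a closer look (empty list = none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    hosts = [urlparse(u).hostname or "" for u in URL.findall(body)]
    reasons = []
    # Freemail senders are normal in recruiting, so the sender domain alone is
    # never a reason; a display name claiming an internal role on one is.
    if addr.rpartition("@")[2].lower() != ORG_DOMAIN and ROLE_NAME.search(name):
        reasons.append("internal-role display name on external sender")
    if any(host_in(h, FORM_BUILDER_HOSTS) for h in hosts):
        reasons.append("link to hosted form builder")
    if any(host_in(h, SHORTENER_HOSTS) for h in hosts):
        reasons.append("shortened link hides destination")
    if LURE.search(f"{msg.get('Subject', '')} {body}"):
        reasons.append("lure wording")
    return reasons

# Constructed sample messages (not real mail); all addresses are placeholders.
DIRECTORY_LURE = ('From: "HR Department" <coach@othercollege.example>\n'
                  "Subject: Athletic Staff Directory Update\n\n"
                  "View the update within 3 days: https://form.jotform.com/0000000000\n")
RSVP_LURE = ('From: "Coach Smith" <coach@freemail.example>\n'
             "Subject: Local recruiting event\n\n"
             "Please RSVP here: https://t.ly/EXAMPLE\n")
RECRUIT_MAIL = ('From: "Jordan Recruit" <jordan@freemail.example>\n'
                "Subject: Highlight video\n\n"
                "Coach, my highlights: https://www.hudl.com/video/EXAMPLE\n")
if __name__ == "__main__":
    for sample in (DIRECTORY_LURE, RSVP_LURE, RECRUIT_MAIL):
        print(triage(sample))
```

Because the sending accounts in these campaigns are legitimate and the links are freshly generated, the reasons returned are prompts for review rather than verdicts.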
Why These Attacks Matter
When athletic accounts get compromised, it’s not just an isolated inconvenience—it’s a gateway to broader institutional risk, including:
- Lateral Phishing: Once an account is compromised, attackers can launch internal phishing campaigns targeting student-athletes, faculty, and staff—gaining more ground within the university and staying active inside the environment longer.
- Widespread Impersonation: Imagine a student-athlete getting an email from a neighboring program’s coach’s account offering NIL opportunities—if the attacker is using a trusted account, that student is far more likely to engage, resulting in credential or financial theft from users at other institutions.
- Data Loss: Athletic inboxes are goldmines of sensitive data—contract negotiations, scouting reports, internal communications. Once stolen, that data can be sold or leaked, putting competitive and financial integrity at risk.
- Reputational Damage: When a high-profile coach’s email is used to send out malicious or offensive content, it’s not just a security incident—it’s a headline. ESPN won’t miss that story, and neither will your alumni or donors.
Targeted Threats Require A Smarter Game Plan
If there’s one thing these attacks make clear, it’s that traditional email security isn’t keeping up. Policy tuning, threat intel, and sandboxing aren’t enough—especially when the threats are this targeted and evasive.
What’s needed is a platform that understands behavior. A system that knows what normal communication looks like for every individual—including athletic staff—and flags messages that don’t align. That’s what Abnormal AI was built to do.
By analyzing tens of thousands of signals per message—sender history, tone, relationships, and more—Abnormal can autonomously detect and remediate threats before users ever see them. No policies to maintain. No playbooks to run. Just real-time, behavioral-driven protection that works.
If you’re in higher ed—and especially if you support athletics—now’s the time to rethink your approach. Want to see how Abnormal can help protect your athletic programs and broader university ecosystem? Schedule a demo today!