September 3, 2014 By Douglas Bonderud 3 min read

It’s nearly impossible to avoid the ALS Ice Bucket Challenge (#ALSicebucketchallenge) since television, social media and the Web at large are flooded with videos of people willing to douse themselves in freezing cold water and make a donation to the ALS Association. According to Forbes, the effort has raised over $100 million over the past month. That’s a far cry from the $2.8 million the organization raised in the same month last year — 3,500 percent more, in fact.

Part of the challenge’s appeal is its simplicity: It takes less than five minutes and requires only a bucket of ice water and a video camera to complete. Celebrities are also getting in on the action — and helping pump up donations — by recording popular videos of their own soakings. How popular are these videos? QZ.com reports that Bill Gates’ Ice Bucket Challenge video has garnered more than 5 million views, while Robert Downey Jr.’s video pulled in more than 3 million views.

However, with such popularity comes a problem: scams. Con artists are using the incredible reach of this charitable effort to trick users into giving up personal information or making donations that never reach the ALS Association.

Phishing With Dynamite

According to a recent Detroit Free Press article, scammers are trying to grab personal data from unwary ALS challenge viewers. It starts with an email about the “craziest Ice Bucket Challenge yet” and contains either a website link or an attached file. When users go to the website, they are required to provide a few personal details to access the video — which doesn’t actually exist. When they click on the attached file, a malware package attempts to install itself and grab sensitive data. In most cases, this information is sold to underhanded advertisers, but it may also be funneled to less scrupulous actors who create fake social media profiles and email accounts in an attempt to obtain credit card information.

Is There a Donation Risk?

The other major concern, according to Steven Sundermeier of security firm ThirtySeven4, is the creation of spoof Web pages that claim to be ALS donation sites but instead funnel the money to a third party.

“A hacker can set up a fake foundation Web page and have people donate to this page,” Sundermeier said. “We saw this with the Haitian earthquakes.”

The easiest way to avoid this problem is to never rely on site links; always type in the official URL.

Common Problems

With its clever premise and relatively low-cost expectations, it’s no surprise that the ALS Ice Bucket Challenge has been a success and, thus, spawned more than a few scams. But it isn’t alone: In 2013, a Gmail phishing scam targeted residents of Iraq just before the national election, and in December, students from the United Kingdom were targeted by a loan scam.

According to NBC, organizations are now trying to capitalize on the success of the Ice Bucket Challenge by creating their own versions. “Lather Against Ebola” asks challengers to cover themselves in soapy water and then give out three bottles of hand sanitizer to promote basic hygiene, while the “Rice Bucket Challenge” has participants take rice in a bucket and donate it to an Indian food bank. Could one of these become the next phishing superstar?

Ultimately, the ALS challenge highlights a fundamental truth of social media fundraising: Nothing happens in isolation. For all the good done by ice buckets and celebrities, there will always be scammers ready to spin up a phishing effort or spoof website. Protection for individuals and businesses comes from knowing the market — never download, never link, and the results may be shocking.

More from

ONCD releases 2024 Report on the Cybersecurity Posture of the U.S.

4 min read - On May 7, the Office of the National Cyber Director (ONCD) released the 2024 Report on the Cybersecurity Posture of the United States. This new document is a report card on how well cyber policy followed the guidelines set by the National Cybersecurity Strategy, introduced in March 2023. Here’s what you need to know about the newly released report. Fundamental shifts in cyber roles Over the past year, the U.S. national cybersecurity posture was driven by the 2023 National Cybersecurity…

CISA wants private industry to publicly commit to Secure by Design

4 min read - The tech industry has the power to protect the world from nation-state threat attacks, cyber crime and those wanting to compromise data and manipulate critical infrastructure. But with this power comes great responsibility, which, to be honest, the tech industry has not been that interested in holding. But at the RSA Conference (RSAC) in San Francisco, the cybersecurity and tech communities took steps to exert some power and take responsibility. They took the Secure by Design pledge, a promise to…

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today