Every so often a very public moment shows exactly why basic security matters everywhere, not just in IT departments. The 2025 NFL Draft was one of those moments. Several prospects got prank calls during the draft, and one in particular is a clean lesson for any business. Let us walk through it.
Quarterback Shedeur Sanders received a prank call live on stream from someone impersonating an NFL general manager. How did the caller get his private draft number? It was found on an unlocked iPad at a coach's home, jotted down by a family member, and used for the prank. The NFL took it seriously, fining the team 250,000 dollars and the coach 100,000. One device left unlocked, one number left visible, and it became a national story with real consequences.
Swap the iPad for a laptop and the phone number for a client list, a password, or a wire instruction, and this is a Tuesday at a lot of companies. The exact same chain of small failures plays out in offices constantly. Three lessons stand out.
The first lesson is the principle of least privilege: people, and devices, should only have access to the information they actually need. That sensitive number should never have been sitting in the open on a device a visitor could pick up. In your business, the fewer people and screens that can reach your sensitive data, the smaller the chance it walks out the door by accident.
The second lesson: an unlocked device is an open filing cabinet. Screens should lock automatically, accounts should require real authentication, and sensitive systems should sit behind multifactor authentication so a glance over someone's shoulder is not enough to get in. Simple habits, enforced consistently, close the door this whole incident walked through.
The third lesson: the call worked because someone pretended to be a person of authority. That is social engineering, the same trick behind most phishing, and it does not only come by email. It is the fake call from the bank, the urgent text from the boss, the message from a vendor that is not really the vendor. Train your people to verify before they act, especially when a request is urgent or involves money or data.
A prank during a football draft is harmless compared to what the same lapses cost a business: a drained account, a data breach, a lost client. The fixes are not complicated. Limit access, lock devices, verify identities. The hard part is doing them consistently, which is where most organizations slip.
That consistency is what we provide. We build least privilege, strong authentication, and phishing awareness into how our clients operate as part of managed cybersecurity, so a small lapse does not turn into a headline. If you want to make sure your unlocked-iPad moment never happens, book a call.