Back to Blog

The World Cup Starts Thursday. Scammers Have Been Ready Since January.

The 2026 FIFA World Cup kicks off in three days. Matches are running across 16 host cities in the US, Canada, and Mexico, with Philadelphia’s Lincoln Financial Field carrying the action closest to Pittsburgh. And for months, cybercriminals have been treating the tournament like a business opportunity.

Researchers published analysis today showing that 19,000 FIFA-themed domains have been registered since January 2026.[1] Over 4,300 of them are already operational — spinning up fake merchandise stores, credential-harvesting pages, and counterfeit ticket platforms built to look just convincing enough. The FBI issued an official warning last month flagging threat actors spoofing FIFA's websites and collecting payment information from people who thought they were buying from the real thing.[2]

This has been building for a while. It's not a last-minute rush job.

Why This Is a Business Problem, Not Just a Personal One

Most people assume phishing aimed at sports fans is a consumer issue. Their employees get scammed on their own time, on their own devices, with their own money.

That's not how it actually works. People click on these links at their desks, on company laptops, through work email. A FIFA phishing page clicked on a work machine can expose corporate credentials alongside whatever personal payment information gets entered. The two aren't neatly separated the way we'd like to think.

There's a more direct threat too. Researchers found banking malware embedded inside pirate streaming apps people are downloading to watch World Cup matches for free.[3] Someone installs one of these apps on a work computer and they've got a credential stealer running in the background alongside your accounting software and email client. That's not a theoretical scenario. These apps are circulating right now.

AI Made This Year's Campaign Different

Scammers have been running tournament-themed fraud for years. What's changed is the quality. AI tools are now generating phishing emails in multiple languages with accurate FIFA branding, realistic ticket confirmation pages, and fake dispute resolution notices designed to trigger urgency. "Your recent purchase has been flagged — verify your account within 24 hours to avoid cancellation."

A few years ago you could catch most of these on grammar alone. That's not reliable anymore. The fakes pass a casual read.

Group-IB estimates losses from premium ticket fraud and hospitality package scams alone could reach $474 million globally by the time the tournament ends.[4] That figure is for one segment of the campaign. The broader operation — fake stores, credential harvesting, malware delivery — is larger.

What Specific Tactics Are in Play

Fake FIFA merchandise stores are collecting credit card numbers for gear that never ships. Counterfeit ticket platforms are selling at scalper prices with fake QR codes that won't scan at the gate. Phishing emails are spoofing FIFA's sender domain to direct people toward credential-stealing pages. And lookalike sites are popping up for travel packages, hospitality suites, and "official fan experiences" that exist only to take money.[5]

What ties all of it together is that the people running these campaigns are professionals. They're not throwing together a sloppy site over a weekend. They started in January, built out infrastructure over months, and are ready to process a massive volume of victims over the next six weeks.

A Few Things Worth Doing Before Thursday

You don't have to ban your team from talking about soccer. But a quick heads-up before the tournament starts costs nothing and prevents a lot of potential headaches.

Tell your employees: don't click FIFA or World Cup links in email, even ones that look official. If they want tickets or merchandise, they should go directly to the official FIFA website by typing the address themselves, not by clicking a link from anywhere.

On the IT side, DNS filtering that blocks newly registered domains will catch a lot of this automatically. The vast majority of those 19,000 domains are recent registrations, and most threat intelligence feeds flag new low-reputation domains by default. If your DNS filter doesn't block newly registered domains, worth checking that setting today.

Also make sure your team knows what to do if something goes wrong. The answer should be "call IT right away" rather than hoping it was nothing. The faster an incident gets flagged, the faster it can be contained — and the difference between a quick cleanup and a real mess often comes down to whether someone waited a week to mention it.