The FBI is warning of fake websites impersonating FIFA ahead of the 2026 World Cup, to steal personal and financial information, sell fake tickets and hospitality packages, and push other fraud related to the event.
With the international soccer tournament set between June 11 and July 19 in the United States, Canada, and Mexico, threat actors prepared hundreds of phishing sites.
According the the public service announcement from the FBI, the fake domains impersonate the official fifa.com, but rely on minor spelling changes that users are likely to miss, such as fiffa[.]com, and use alternative top-level domains (e.g., .org, .xyz, .live, .sale), along with fake employment portals like “jobs-fifa[.]com” or “fifa-hiring[.]com.”
The agency notes that many of the fraudulent websites collect from visitors various types of data, including names, physical and email addresses, phone numbers, banking/payment details, which could be used to create fraudulent accounts, commit identity theft, or run financial scams.
The scale of these campaigns is also reflected in reports from cybersecurity companies Group-IB and Bitdefender, whose researchers observed World Cup-related malvertising campaigns promoted through Google Search, Facebook ads, Telegram, and WhatsApp.
A major operation that Group-IB researchers attributed to a Chinese threat actor tracked as Ghost Stadium, uses more than 300 phishing sites, clones of the real FIFA portal, for premium ticket fraud.
.jpg)
Source: Group-IB
Starting in February, Bitdefender observed fraudulent activity around the World Cup brand targeting users in the UK, Portugal, Spain, Algeria, the US, Canada, Mexico, Brazil, Germany, and Australia, with fake merchandise, kits and collectibles, streaming services, and Panini sticker offers.
Source: Bitdefender
How to protect
As public interest in the World Cup surges, cybercriminals will try to take advantage through various lures, leading to fraudulent online portals designed to sell fake products or steal money and user data.
Fans can steer away from these risks by following a simple set of recommendations from the FBI:
- Manually type fifa.com into the browser
- Avoid sponsored search ads or use an ad blocker
- Verify the URL ends in .com
- Using bookmarks for official FIFA sites
- Avoid suspicious links sent via direct messages
- Never enter sensitive data unless the site is verified authentic
Users are encouraged to report incidents to the FBI’s Internet Crime Complaint Center (IC3) and include details such as the fake domain used, interaction history, and payment information, so the authorities can take action against the fraudulent portal.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
