FBI warns of fake FIFA websites running World Cup fraud schemes
The FBI warns that hundreds of fake FIFA websites are circulating ahead of the 2026 World Cup in the US, Canada, and Mexico to steal personal and financial data, sell fake tickets and hospitality, and run related fraud. Impersonators use minor typos (like fiffa.com) and various non-.com domains, plus fake job portals. Cybersecurity researchers from Group-IB and Bitdefender report large-scale World Cup-related malvertising and more than 300 phishing sites tied to a campaign called Ghost Stadium. Fake merchandise, kits, streaming services, and Panini offers are also involved across multiple countries. The FBI advises fans to manually type fifa.com, avoid ads and suspicious links, verify .com domains, bookmark official sites, and report incidents to IC3.

FBI Warns of Fake FIFA Websites Ahead of World Cup 2026
Overview
As the FIFA World Cup approaches, cybercriminals intensify efforts to exploit fans and participants. The FBI has issued warnings about a wave of counterfeit websites that mimic official FIFA portals to harvest personal data, steal funds, sell fake tickets, and peddle fraudulent hospitality packages. With the tournament scheduled from June 11 to July 19 across the United States, Canada, and Mexico, threat actors have prepared hundreds of phishing sites designed to mislead fans and attendees.
Threat Landscape
- Typosquatting and domain impersonation: Fraudulent sites imitate FIFA’s brand by making minor spelling changes, such as fiffa.com, and adopting questionable top-level domains like .org, .xyz, .live, or .sale.
- Fake employment portals: Schemes use jobs-fifa.com or fifa-hiring.com to capture sensitive information under the guise of employment opportunities.
- Data harvest and fraud: Visitors’ names, addresses, phone numbers, and banking details can be collected to create fraudulent accounts, commit identity theft, or run financial scams.
- Multichannel campaigns: Malvertising and phishing campaigns leverage Google Search, social media ads, Telegram, and WhatsApp to reach a broad audience.
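
The lookalike patterns listed above (a near-miss spelling, the brand on another top-level domain, the brand combined with a keyword) can be checked mechanically against hostnames pulled from DNS, proxy or mail logs. The following is an added example, not code from the FBI advisory or the researchers; the function names, verdict labels and sample hostnames are constructed for illustration, and the brand-in-subdomain check goes beyond the examples the page gives.

```python
# Added example (not from the advisory): triage hostnames for FIFA lookalikes.
OFFICIAL = "fifa.com"   # official domain named in the advisory
BRAND = "fifa"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str) -> str:
    """Return a verdict for one hostname taken from DNS, proxy or mail logs."""
    host = host.strip().lower().rstrip(".")
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Assumption: the registrable name is the second-to-last label. Multi-part
    # suffixes such as .co.uk need a public-suffix list instead.
    name = labels[-2]
    if name == BRAND:
        return "tld-swap"            # brand on a TLD other than .com
    if BRAND in name:
        return "brand-keyword"       # jobs-fifa.com, fifa-hiring.com
    if edit_distance(name, BRAND) == 1:
        return "typo"                # fiffa.com
    if any(BRAND in label for label in labels[:-2]):
        return "brand-in-subdomain"  # brand used as a subdomain of another site
    return "unrelated"

def triage(hosts):
    """Keep only hostnames that need analyst review, with the reason."""
    verdicts = {h: classify(h) for h in hosts}
    return {h: v for h, v in verdicts.items() if v not in ("official", "unrelated")}

# Constructed sample built from the patterns the page describes.
SAMPLE = ["fifa.com", "www.fifa.com", "fiffa.com", "fifa.xyz", "jobs-fifa.com",
          "fifa-hiring.com", "fifa.tickets.example", "example.org"]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{verdict:20} {host}")
```

Because the brand is only four letters long, a distance-1 match will also hit unrelated legitimate names, so the output is a review queue rather than a blocklist.
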
Notable Campaigns and Actors
- Ghost Stadium Operation: A large network of more than 300 phishing sites that clone the official FIFA portal to facilitate premium ticket fraud is attributed to a Chinese threat actor group.
- Global reach: Fake merchandise, kits, streaming services, and Panini sticker offers have targeted fans in multiple regions, including the UK, Portugal, Spain, Algeria, the US, Canada, and beyond.
Fake Merchandise and Tickets
- Audio-visual and physical goods: Ad campaigns promote counterfeit jerseys, shirts, and collectibles.
- Ticket and access fraud: Fake portals promise premium or official tickets while steering payments into illegitimate channels.
- Streaming and services: Fraudsters push counterfeit streaming and subscription services as part of the World Cup branding.
Protective Measures for Fans and Visitors
- Type the official site URL directly: Manually enter fifa.com into the browser rather than clicking links in emails or ads.
- Be wary of ads: Avoid sponsored search results and consider using an ad blocker.
- Verify the domain: Ensure the site ends with .com and matches the official FIFA branding.
- Use official bookmarks: Save and rely on bookmarks for FIFA’s legitimate portals.
- Be cautious with DMs and links: Do not click suspicious links sent via direct messages or messaging apps.
- Protect sensitive data: Only enter payment or personal information on verified, authentic sites.
What to Report
Incidents should be reported to the FBI’s Internet Crime Complaint Center (IC3). Include details such as the fake domain, interaction history, and any payment information to aid authorities in taking action against fraudulent portals.
Industry Observations: Automated Validation and Pentesting
In the broader security landscape, automated pentesting tools excel at answering whether an attacker can move laterally within a network, but may fall short of testing whether controls block threats, detection rules trigger, or cloud configurations hold. The discussion around this validation gap highlights the need for comprehensive testing across multiple surfaces to ensure defenses are effective beyond basic access.
Additional Context: Related Security Trends
- Related advisories indicate ongoing risks from typosquatted domains, spoofed brands, and spoofed services surrounding high-profile events.
- Researchers continue to monitor malvertising and social-media-driven campaigns that piggyback on major events to lure users into fraudulent sites or services.
Closing Note
As the World Cup unfolds, staying vigilant and relying on verified, direct sources remains essential. Fans, participants, and viewers should adopt a cautious approach to online interactions surrounding World Cup content, cross-check official channels, and report suspicious activity to the appropriate authorities.


