The 2026 FIFA World Cup kicked off June 11th and runs through July 19th — 48 teams, 104 matches, 16 host cities across the United States, Canada, and Mexico. It is the largest sporting event in history. And cybercriminals have been preparing for it longer than most of the teams have.
The FBI issued a formal Public Service Announcement in May warning that threat actors are actively spoofing official FIFA websites to steal personal information and conduct financial fraud. Cybersecurity researchers at Fortinet, Palo Alto Networks, and others have confirmed thousands of malicious domains already in place. The scam infrastructure was built before the first whistle blew.
Whether your employees are fans following the matches at work, your business is managing travel during the tournament, or you simply do not want your team clicking on something they should not — here is what is actually happening and what you can do about it right now.
Why Major Sporting Events Are a Cybercriminal's Favorite Time of Year
Think about what a mega-event like the World Cup creates from a digital standpoint. Tens of millions of people are urgently searching for tickets, travel deals, live streams, merchandise, and game updates. Transaction volumes surge. People are making purchasing decisions faster than usual, from unfamiliar sites, often on their phones. That combination — high demand, unfamiliar vendors, emotional urgency, and compressed timelines — is exactly the environment where scams thrive and normal scrutiny breaks down.
For businesses, the risk is not just personal. Employees browsing World Cup content on work devices, clicking on sketchy streaming links, or downloading unofficial apps can introduce malware directly into your network. And if your team is traveling to host cities for client meetings or events, the threat surface expands further.
The Scams That Are Already Running Right Now
Fake ticketing sites. Researchers at FortiGuard Labs identified numerous counterfeit sites mimicking official FIFA pages, complete with fake checkout flows designed to harvest payment card details, login credentials, and passport information. Many of these domains were registered as recently as May 2026 and are still active. Some even bundle fake match tickets with fraudulent hotel and flight packages to appear more legitimate.
Typosquatting and domain spoofing. One of the most convincing examples identified by researchers was a domain that removed a single “w” from FIFA’s official address — easy to miss when you are typing quickly. The FBI has specifically warned users to type www.fifa.com directly into their browser and avoid clicking links from search ads, text messages, or social media.
Malicious streaming sites and fake apps. Fans searching for free or unofficial streams are being redirected to sites that install malware or steal account credentials. Fake World Cup apps have appeared in third-party app stores. Stick to official FIFA apps and licensed broadcasters only.
QR code fraud. Security researchers have identified this as one of the fastest-growing scam variants tied to the tournament. Fake QR codes are showing up in transit hubs, fan zones, and parking areas, posing as shuttle passes, parking permits, and fan transport links. Scan with caution in any public World Cup context.
Fake job listings. Researchers uncovered domains impersonating FIFA recruitment portals advertising World Cup-related positions. These sites are designed to steal Google Workspace credentials and other professional account logins — a direct business risk if an employee applies through one of these sites on a work device.
Phishing emails riding the hype. Expect a spike in World Cup-themed phishing in employee inboxes right now. These emails mimic official FIFA communications, sponsor announcements, or travel confirmation notices. They contain links to credential-harvesting sites or attachments that drop malware.
What Businesses Need to Do Right Now
Brief your team. Send a quick heads-up to employees — especially if they are fans — that World Cup scams are actively circulating. Remind them not to click on ticket or streaming links from search results, social media, or email, and not to download unofficial apps on work devices.
Watch for phishing spikes in your inbox. If you are running email security (you should be), check your filtering rules and make sure quarantine alerts are being reviewed. The volume of World Cup-themed phishing emails is expected to peak through July 19th.
Be careful with public Wi-Fi in host cities. If any of your team is traveling to Atlanta, Miami, Los Angeles, Dallas, or any of the other U.S. host cities during the tournament, use cellular data or a VPN for any account-level work activity. Avoid connecting to open Wi-Fi networks in fan zones or transit hubs. If you want a practical guide on how VPNs work and when to actually use one, check out our recent post on VPNs.
Treat QR codes as untrusted by default. In any public World Cup setting, verify QR codes against the official host city transportation app or the venue’s official site before scanning. This applies to your employees as well as yourself.
For Fans: The Short Version
- Buy tickets only at fifa.com/tickets — type it directly, do not click search results or ads
- Bookmark the official FIFA site rather than searching for it every time
- Avoid “too good to be true” ticket offers on Telegram, WhatsApp, or social media
- Use only official FIFA apps listed at the official FIFA website — not third-party app stores
- Watch streams through licensed broadcasters (Fox Sports, Telemundo in the U.S.) only
- Never share passport details, payment info, or login credentials with unverified sites
- If you think you’ve been scammed, report it to the FBI at ic3.gov
The Bottom Line
The World Cup is a once-in-a-generation event happening right here in our backyard. Enjoy it — but go in with your eyes open. The same energy that makes a mega-event exciting is exactly what scammers count on to get people to let their guard down.
If you want a quick review of your business’s email security setup, phishing defenses, or employee security awareness practices heading into the back half of the tournament, reach out. This is exactly the kind of proactive work that keeps small and mid-size businesses from becoming a statistic.