/

July 10, 2026

The World Cup Is Here — And So Are 4,300 Fake FIFA Websites

The 2026 World Cup is in full swing across the United States, Canada, and Mexico — the biggest sporting event in a generation, with millions of fans buying tickets, booking travel, placing bets, and hunting for streams. And criminals prepared for kickoff more thoroughly than some of the teams did. Security researchers and the FBI have documented one of the largest coordinated fraud waves ever tied to a single event, and most of it was built and waiting before the first whistle.

Whether you are a fan, a business owner, or an employer whose team is sneaking match updates at work, this one is worth five minutes. Here is what is out there, how it works, and the instincts that keep you and your business out of the net.

The scam wave, by the numbers

4,300+Fraudulent FIFA-themed websites tracked by researchers since last August — fake tickets, fake hospitality, fake merchandise
~3,800Additional fake domains sitting parked and dormant, ready to switch on during the tournament’s busiest weeks
60xThe spike in fake sports-betting apps compared to normal, published in coordinated batches on official app stores
1,700+Spoofed FIFA social media accounts — nearly 90 percent on Facebook and Instagram
Hundreds of thousandsFan logins already stolen and circulating from World Cup-related phishing
1Official FBI public warning about spoofed FIFA websites, with more fakes expected all tournament long

Why a World Cup is a fraud magnet

Think about what a mega-event does to human behavior. Tickets are scarce — the tournament was roughly thirty times oversubscribed — so fans are anxious and moving fast. Money is flowing to unfamiliar merchants: resale sites, travel packages, betting platforms, merchandise shops. Deadlines are compressed. Everyone is buying things they genuinely expect to buy, right now, before they sell out. That urgency is precisely the condition every scam depends on, because a person in a hurry does not double-check the web address, the sender, or the deal that looks a little too good.

The pattern under every one of these scams: the criminal hijacks a transaction you were already planning to make — a ticket, a room, a bet, a stream — and swaps in a convincing fake at the exact moment your urgency is highest and your guard is lowest. The scam does not have to talk you into anything. You were already reaching for your wallet.

The plays in the scammers’ playbook

  • Fake ticket and hospitality sites. Thousands of lookalike domains — some copying FIFA’s real site almost pixel-for-pixel in eleven languages — collect payment details from fans who think they are buying seats.
  • Fake betting apps and “tipster” channels. Impostor sportsbook apps published in coordinated batches, plus betting groups that fake winning streaks to keep victims depositing money that can never be withdrawn.
  • Fake streams. “Free live coverage” sites that harvest your logins or quietly install software that hands control of your device to a stranger.
  • Travel and hotel lookalikes. Hotel and lodging brands made up more than half of the fake domains researchers tracked — built to intercept fans at the moment of booking.
  • Job scams and prize emails. Cloned FIFA careers portals harvesting applicants’ personal data, and “you’ve won tickets” emails that researchers describe as nearly always phishing.

Why this is a business problem too

Here is the part most coverage skips. For the next week and a half, your employees are fans. They are checking scores at work, hunting for a stream of the afternoon match, grabbing a “deal” on a jersey, maybe placing a bet at lunch — often on the same devices and accounts that touch your business. Every scam above lands just as hard on a work laptop as a personal phone, except the stakes now include your passwords, your files, and your customers. And businesses face a second, quieter exposure: researchers found that a large share of official tournament partners lack basic protections against sender impersonation, which fuels fake invoices and payment-redirect fraud across every company anywhere near the event’s supply chain.

Keep it simple during the tournament: type fifa.com directly rather than clicking search ads or email links * buy tickets, streams, and merch only from official sources * treat “you’ve won” emails and guaranteed-profit betting offers as automatic fakes * download betting apps only from official stores and only from brands you verified yourself * and slow down anytime an offer creates urgency — urgency is the trap.

The instinct that outlasts the tournament

The World Cup ends July 19. The technique does not. Every one of these scams is the same move wearing a different jersey: borrowed trust plus manufactured urgency, aimed at a person mid-transaction. Teaching yourself — and your team — to feel that combination as a warning sign is worth more than any single list of fake websites, because the next event, the next holiday, and the next headline will bring a fresh batch. That instinct is exactly what we build in our focused, plain-language security training, using the real lures your people actually see. The scammers spent months preparing for this tournament. A single training session is all it takes to make sure your team is prepared too.

Sources: FBI IC3 public service announcement; Check Point Research; Group-IB; Fortinet; CybelAngel; The Hacker News, May-July 2026.

From the same category