The FBI warns that fake FIFA websites are targeting World Cup fans with phishing, ticket scams, fake merchandise, and job-related fraud.
World Cup excitement is becoming useful bait for online scammers.
The FBI warned that fraudsters are creating spoofed FIFA-themed websites to trick fans, job seekers, and merchandise buyers into handing over payment details or personal information ahead of the 2026 FIFA World Cup. The fake sites use typosquatting, lookalike domains, and cloned branding to appear legitimate.
With several spoofed domains already flagged, targeting ticket and merchandise buyers as well as job seekers, the bureau warns the list is likely to grow.
The advice is simple: type the fifa.com URL yourself, skip sponsored links, and when in doubt about a site’s legitimacy, don’t enter any sensitive information on it.
Under the hood, this campaign combines social engineering, phishing, impersonation, and online fraud. In its PSA, the FBI says that threat actors use typosquatting and a close replica of FIFA’s website interface to trick visitors into believing they are interacting with the legitimate website.
When these threat actors aren’t using misspellings or typosquatting, they manipulate top-level domain extensions to get unsuspecting targets to land on their websites. Instead of the official fifa.com, users will see domains like fifa-hiring[.]com or www.fifa[.]cab.
It isn’t uncommon for attackers to use job scams in malicious campaigns like this. The bureau says the threat actors register subdomains with job-related keywords; fifa-hr[.]com, jobs-fifa[.]com, fifa-hiring[.]com, and fifaworldcup-careers[.]com are among the domains highlighted by the FBI.
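As an added illustration (not code from the FBI PSA or from this article), the sketch below sorts hostnames into the lookalike patterns described above: a changed extension, the brand combined with extra keywords, a one-character typo, and the brand used only as a subdomain of another domain. It assumes fifa.com is the sole official domain, as the article states; the function names and the last three sample hostnames are constructed for the example.

```python
import re

OFFICIAL = "fifa.com"  # the only legitimate domain the article names
BRAND = "fifa"

def refang(indicator):
    """Turn a defanged indicator such as 'www.fifa[.]cab' into a hostname."""
    host = indicator.strip().lower().replace("[.]", ".")
    host = re.sub(r"^[a-z]+://", "", host)       # drop a scheme if present
    return host.split("/")[0].rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(indicator):
    """Label a hostname by how it relates to the official domain."""
    host = refang(indicator)
    # Exact match or a true subdomain; 'evilfifa.com' must not pass this test.
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Simplification: the last two labels are treated as the registered domain.
    # Multi-part suffixes (co.uk) need the Public Suffix List instead.
    name = labels[-2]
    if name == BRAND:
        return "tld-swap"            # brand kept, extension changed
    if name.startswith(BRAND) or name.endswith(BRAND) or BRAND in name.split("-"):
        return "brand-keyword"       # brand plus extra words such as 'hiring'
    if edit_distance(name, BRAND) == 1:
        return "typosquat"           # one insertion, deletion or substitution
    if BRAND in labels[:-2]:
        return "brand-subdomain"     # brand only appears left of another domain
    return "unrelated"

if __name__ == "__main__":
    # First five: defanged domains quoted in the article; last three: constructed.
    for d in ["www.fifa[.]cab", "fifa-hiring[.]com", "fifa-hr[.]com",
              "jobs-fifa[.]com", "fifaworldcup-careers[.]com",
              "fiffa[.]com", "fifa.com.tickets.example", "www.fifa.com"]:
        print(f"{d:32} {classify(d)}")
```

Anything other than "official" or "unrelated" is a candidate for review or blocking in a mail gateway or web proxy; the one-character typo rule will also catch unrelated short names, so it is a triage signal rather than a verdict.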
Aside from job offers, unsuspecting users who land on an attacker-controlled website are tricked into buying fake tickets or products that will never arrive. That’s not all. The FBI also says that victims may have submitted personally identifiable information (PII), such as names, email addresses, phone numbers, home addresses, and banking information, on these sites.
This matters because this PII, when combined, is sufficient to launch personalized follow-up phishing attempts or, in the worst case, can be sold on the dark web.
As of the time of writing, the FBI has not disclosed any suspects in this scam. However, the agency did list 36 flagged domains that users should be wary of.
In addition, it warns that the number of spoofed websites will continue to grow, even during the FIFA World Cup.
Citing security researchers at Group-IB, BleepingComputer reported that a Chinese threat actor known as Ghost Stadium has cloned over 300 phishing websites for FIFA to commit ticket fraud ahead of the global sports competition.

According to a Bitdefender report, this campaign has been ongoing since February, targeting individuals in the UK, Portugal, Spain, Algeria, the US, Canada, Mexico, Brazil, Germany, and Australia. In its observed campaign, the cybersecurity firm notes that in addition to fake merchandise, targets are offered “streaming services, and Panini sticker offers.”
The FBI’s advice comes down to one thing: do not trust urgency over verification.
To avoid fake FIFA ticket, merchandise, or job sites:
As interest in the 2026 FIFA World Cup grows, scammers are likely to keep spinning up new lookalike domains. Fans should verify every offer through FIFA’s official website before sharing money or personal information.
Joseph is a Technical Writer with about 3 years of experience in the industry, also advancing a career in cyber threat intelligence. He is passionate about the responsible use of technology, a passion that led him into cybersecurity. As an undergrad, he leads a novel community of technology enthusiasts at his school, NOUN, where he guides and shares resources for beginners in tech. His writing experience includes writing on a diverse range of topics, from consumer tech to startups and tutorials. Additionally, he periodically shares case studies and research reports on cybersecurity on his social media pages.