The World Cup Fraud Economy

Thousands of fake FIFA sites are already live before the June 11 kickoff. Here's how the World Cup scam machine works, and the simple habits that keep you out of it.


The 2026 World Cup kicks off June 11, but the scammers have already taken the field. The FBI put out a public alert this week about fake FIFA websites, and the security firms that track this stuff say the fraud is already running at scale.

Group-IB counted more than 4,300 fake FIFA domains registered since last August. FortiGuard Labs logged over 13,000 World Cup-themed domains in the first five months of this year and flagged close to one in eleven as malicious or suspicious. The FBI's own alert names dozens of spoofed sites and says more are coming.

Most of these run on a trick called typosquatting, which is registering a web address that sits one letter or one ending away from the real one (fifa.com versus a lookalike with an extra letter, or a .net where the real site uses .com). The fake page copies FIFA's logo, colors, and layout closely enough that a quick glance won't catch it. You think you're buying a ticket, and you're handing your name, address, and card number to a stranger. The FBI says those stolen details get reused later to open accounts in your name.

Tickets are only one lane being exploited. Researchers found counterfeit merchandise shops, fake job pages on addresses like jobs-fifa and fifa-hiring, and bogus streaming sites that charge a subscription and then install malware that hands your device to the attacker.
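As an added example (not code from the FBI alert or from any of the firms cited here), this is one way to flag the lookalike patterns described above: a swapped ending, a one-character near miss, and the brand name tucked into a hyphenated label. The hostnames under .example and the category names are constructed for illustration, and the check for the brand appearing as a subdomain of someone else's domain goes one step beyond the cases named in the text.

```python
# Added example: classify hostnames against the official domain named in the article.
# Hostnames under .example are constructed; the category names are this sketch's own.
OFFICIAL = "fifa.com"
BRAND, OFFICIAL_TLD = OFFICIAL.split(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str) -> str:
    """Return 'official', 'tld-swap', 'near-miss', 'brand-in-label' or 'unrelated'."""
    host = hostname.strip().lower().rstrip(".")
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"  # the real site or one of its subdomains
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Simplification: the last two labels are treated as the registered domain.
    # There is no public-suffix list here, so endings like .co.uk are not handled.
    name = labels[-2]
    if name == BRAND:
        return "tld-swap"  # right name, wrong ending (.net instead of .com)
    if edit_distance(name, BRAND) == 1:
        return "near-miss"  # one letter added, dropped or changed
    # Brand as a whole hyphen-separated word in any label, subdomains included.
    if any(BRAND in label.split("-") for label in labels[:-1]):
        return "brand-in-label"
    return "unrelated"


if __name__ == "__main__":
    samples = ["fifa.com", "www.fifa.com", "fifa.net", "fiffa.example",
               "jobs-fifa.example", "fifa-hiring.example",
               "fifa.com.tickets.example", "weather.example"]
    for h in samples:
        print(f"{h:28} {classify(h)}")
```

With a brand this short, the near-miss rule will also catch unrelated legitimate names, so treat any flag as a reason to look closer rather than as a verdict.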

Some fake betting sites ask for a passport scan and a selfie, which is everything an identity thief needs in a single upload. Bitdefender tracked "you won the FIFA lottery" emails promising payouts up to $2 million. FIFA reported more than 150 million ticket requests in the first 15 days for roughly 6 million seats, so there are a lot of anxious fans with money ready to move.

The reach is huge, with matches in 16 cities across the US, Canada, and Mexico. Since Seattle is a host site, anyone in the Pacific Northwest is going to be blanketed by the targeted ads driving these campaigns.

Every big event creates its own little fraud economy. It happened with the Olympics, with concert ticket sites, even at Covid vaccine sites. The World Cup is just the largest version yet. Unfortunately, losing the ticket money is rarely the worst outcome. The damage that lasts is the banking detail, the password, or the photo of your passport you handed over while you were focused on getting a seat. That is the part that follows you around after the final whistle.

What to do:

  • Type the address yourself. Go to fifa.com directly, or use a saved bookmark. Do not Google the tournament and click the top results, and absolutely do not click the sponsored links.
  • Buy through official channels only. FIFA sells tickets through its own site. A "great deal" in a social media ad or a stranger's DM is a scam.
  • Slow down on streaming "deals." A site that wants a subscription to stream matches and then asks you to install an app is a well-worn malware path. If you hadn't heard of it last month, don't install it. Our guide to spotting a phishing attempt covers the same red flags to look out for.
  • Pay with something that has recourse. A credit card charge can be disputed. A wire transfer, gift card, or crypto payment usually cannot. Do not use a debit card.
  • Turn on two-factor. If a fake login does grab your password, MFA is what keeps the thief out of the account.
  • Report it if you get hit. The FBI takes fraud reports at ic3.gov, and flagging a fake World Cup site helps investigators map the network and warn the next person.

The loss figures going around (one estimate puts premium and hospitality ticket fraud alone somewhere between $71 million and $474 million) are projections based on how much fake infrastructure is out there, not confirmed losses, so read them as a measure of effort rather than a tally. Most fans won't get burned, but the cost of being careful is close to zero. The cost of one bad click is your card, your identity, or both.

Seen a fake FIFA site or a streaming "deal" that smelled wrong? Forward it to me at joel@freshfromcache.com. I'm keeping a running list of the worst ones, and a real example beats a warning every time.

Joel
