The FBI is warning soccer fans to watch for fake FIFA websites as scammers prep to cash in on ticket demand, travel planning and World Cup fever ahead of the 2026 tournament in the U.S., Canada and Mexico.
The FBI issued a warning on Wednesday saying threat actors have created spoofed FIFA websites designed to steal personal information, payment data and money from fans looking for hard-to-find tickets and hospitality packages.
“The FBI has identified actors engaging in this activity to collect personal information, sell fake World Cup tickets and hospitality products, and to possibly facilitate other malicious activity,” the bureau said in the notice.
The scams rely on typosquatting – slightly altered domains that look close enough to the real thing to fool a hurried fan. The FBI said spoofed sites use misspellings, alternate top-level domains or fake subdomains to impersonate FIFA. The bureau listed dozens of domains already spoofing FIFA, including ones that appeared to mimic ticketing, official merchandise stores, and World Cup-related employment opportunities.
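The three lookalike patterns the FBI describes can be checked mechanically by comparing a link's hostname against fifa.com. The sketch below is an added example, not code from the FBI notice or this article; the sample links are constructed for illustration, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

OFFICIAL = "fifa.com"            # the domain the FBI advice names
BRAND = OFFICIAL.split(".")[0]   # "fifa"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> str:
    """Return 'official' or the reason the link is not FIFA's domain."""
    target = url if "://" in url else "//" + url   # accept bare hostnames too
    host = (urlsplit(target).hostname or "").rstrip(".")
    if not host:
        return "no host"
    # The leading dot matters: "notfifa.com" must not pass as a subdomain.
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    labels = host.split(".")
    # Assumption: registrable domain = last two labels. Production tooling
    # should consult the Public Suffix List (names under co.uk and similar).
    name = labels[-2] if len(labels) > 1 else labels[0]
    if name == BRAND:
        return "alternate top-level domain"
    if edit_distance(name, BRAND) == 1:
        return "misspelling"
    if BRAND in labels[:-2]:
        return "fake subdomain"
    return "not FIFA's domain"

# Constructed sample links (hypothetical, not taken from the FBI's list).
SAMPLES = [
    "https://www.fifa.com/tickets",
    "https://fiifa.com/tickets",
    "tickets.fifa.example",
    "https://fifa.com.tickets.example/login",
    "https://notfifa.com/",
]

def triage(urls):
    """Map each link to its classification."""
    return {u: classify(u) for u in urls}

if __name__ == "__main__":
    for link, verdict in triage(SAMPLES).items():
        print(f"{verdict:28} {link}")
```

Every verdict other than "official" means the link should not be trusted; the reason labels only help sort reports.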
The FBI’s advice is to type fifa.com directly into the browser, avoid sponsored search results and distrust links that differ from FIFA’s official domain. Similar warnings have been issued to businesses and platforms that are seeing an uptick in World Cup-related business.
ACI, a global electronic payments company, has long warned merchants that the World Cup presents opportunities for fraudsters to harvest card details using a range of scams and technologies to take advantage of ‘out-of-the-ordinary’ purchasing behavior. It warns of ATM skimmers at host cities, insecure Wi-Fi hotspots and compromised credit card payment systems.
“As fraudsters make a concerted effort to harvest card details (often then sold on the dark web), merchants need to get better at identifying when stolen card details are being used in their stores – they need to focus on identifying the shopper rather than the transaction,” wrote ACI in a past blog post.
The warning lands less than two weeks before the first match in Mexico City and as World Cup interest is peaking. Ticketing is in high demand and already sky-high ticket prices are coming under intense scrutiny. That mix of interest, pent-up demand and hype is just the type of environment criminal opportunists thrive in, security experts warn.
Ticket pressure gives scams room to breathe
New York and New Jersey attorneys general have subpoenaed FIFA over ticketing practices for matches at MetLife Stadium, including the July 19 final, according to The Associated Press. The investigation focuses on high prices, variable pricing and complaints that some fans paid for one seat category but were moved to less desirable locations. AP reported some final tickets were listed for nearly $33,000.
Scammers love high prices, limited supply, confused buyers and enthusiastic fans willing to look beyond official channels for a better deal on tickets, accommodations or FIFA merchandise.
Services such as Airbnb have responded and posted FIFA informational websites with tips to avoid getting scammed. The fear is fraudsters may make bookings with stolen credit cards or attempt to overstay and establish squatters’ rights.
“Prevent scams by paying and communicating with hosts only through the Airbnb platform,” according to the platform’s FIFA support page.
Meta has vowed to up its Facebook anti-scam efforts around the FIFA World Cup games with “measures to combat scams, reduce abuse, and protect fans and players throughout the tournament.” In a recent post, Meta said it will use AI and user feedback to combat not just scams but also online harassment.
The Federal Trade Commission warned in March that remaining tickets should be purchased through FIFA.com/tickets or the FIFA app. Resale tickets are available through FIFA’s Resale/Exchange Marketplace and third-party resale platforms, but the FTC urged buyers to check refund policies and buyer protections before purchasing. The FTC also warned that most tickets will be delivered electronically through the FIFA app, making offers of paper tickets or screenshots a red flag.
Not just fake tickets
The FBI notice is a consumer warning, and that’s it. There is no public evidence tying the spoofed FIFA domains in the FBI alert to a nation-state campaign.
Still, global sporting events are ripe for exploitation. They are temporary digital cities built on ticketing systems, mobile credentials, hotel reservations, transportation apps, payment platforms, Wi-Fi, fan zones, broadcast operations and local government services.
Dave Russell, SVP and head of strategy at Veeam, said organizations often underestimate how temporary and partner-dependent major event infrastructure becomes.
“Large, multi-venue tournaments are effectively ‘pop-up enterprises,’” Russell said. “New networks and applications are stood up quickly, integrated with existing stadium and host-city systems, and operated by a rotating mix of partners, contractors and short-term administrators under intense time pressure.”
That makes the World Cup attractive to several types of attackers. Scammers want payment data and personal information. Cybercriminals may target hotels, travel providers and vendors. Hacktivists may look for public disruption. State-aligned actors may see a high-visibility event hosted partly in the U.S. as a stage for embarrassment or messaging.
Russell said the goal of attacks against major events is not always extortion or data theft.
“With high-visibility events, the objective is often disruption and loss of trust,” he said. “Threat actors may aim to interrupt broadcasts, degrade streaming quality, disrupt ticketing or access control, tamper with scheduling or scoring data, or knock communications platforms offline — creating public confusion and doubt about what’s real and what’s reliable.”
Unit 42, Palo Alto Networks’ threat intelligence team, warned in a May 28 assessment that defenders should prepare for cybercriminal targeting of fans and hospitality providers, politically motivated DDoS and defacement activity, and possible disruptive attacks against tournament or host-city infrastructure.
The Justice Department said Russian GRU officers were behind Olympic Destroyer, malware that disrupted thousands of computers supporting the 2018 PyeongChang Winter Olympics after Russian athletes were barred from competing under their national flag.
Tokyo 2020 organizers also faced a massive volume of cyber activity. NTT said it helped block 450 million security events during the Tokyo Olympic and Paralympic Games, though the company said no cyber incident affected the operation of the Games.
The modern ticket is a cyber asset
The sports and entertainment business has already learned this lesson the hard way.
In March 2025, the Queens district attorney charged two people in a cybercrime scheme involving more than 900 stolen concert tickets, most of them for Taylor Swift’s Eras Tour. Prosecutors said ticket URLs were allegedly stolen by people working at a third-party contractor for StubHub, then resold for more than $600,000.
That case illustrates the risks around digital ticketing. A ticket is now essentially an account, a link, a mobile credential, a vendor workflow and a resale asset. A weak point anywhere in that chain can become a way to steal access.
For the World Cup, the same problem appears at global scale. Fans may be buying tickets, booking hotels, applying for visas, downloading apps, scanning QR codes, joining fan groups and arranging travel across three countries. Each step gives scammers another way in.
What’s a fan to do?
The FBI urged fans to go directly to fifa.com rather than clicking search ads or links sent by email, text or social media. It also advised users to bookmark official sites and avoid links whose URLs do not match FIFA’s real domain.
Fans who believe they have been scammed should file a complaint with the FBI’s Internet Crime Complaint Center and include the fake domain, details of the interaction and any financial transaction information.
For organizations supporting major events, Russell said the recovery question has also changed. The issue is not just whether backups exist, but whether teams can restore the right service, revoke or rotate compromised credentials, validate clean data and keep critical operations running under public pressure.
“Many organizations are still overly focused on traditional infrastructure recovery — servers, storage and the primary datacenter,” Russell said. “Real-world disruption at major events is more likely to involve SaaS, cloud control planes and third-party services that sit outside any single team’s direct control.”
For defenders, the first wave may be fake ticket sites, but the lasting impact could be played out on the dark web and the carding-as-a-service economy.

Shaun Nichols is an IT news journalist. He has spent nearly 20 years covering the industry with a specialty in cybersecurity.