FIFA World Cup 2026 Ticket Scams Surge as Cybercriminals Exploit Fan Frenzy

Bengaluru: Cybercriminals are intensifying efforts to exploit football fans ahead of the FIFA World Cup 2026, with fraudulent ticketing platforms, fake merchandise stores, phishing campaigns and social media impersonation schemes emerging as major threats, according to a new cyberthreat landscape report released by FortiGuard Labs, the threat intelligence division of Fortinet.

The report reveals that threat actors are capitalizing on the excitement surrounding the world’s biggest sporting event by creating sophisticated scams designed to steal money, personal information, banking credentials and online account details from unsuspecting fans.

Researchers identified more than 13,000 FIFA World Cup 2026-themed domains registered between January and May 2026. Approximately 8.8 percent of these domains were classified as malicious or suspicious, indicating a large-scale infrastructure being prepared for phishing attacks, fake ticket sales and financial fraud. The report notes that domain registrations surged sharply between March and May, suggesting coordinated preparations by cybercriminal groups ahead of the tournament.

Fake ticket websites among biggest threats

According to the report, ticket scams represent one of the most significant threats facing football fans. Cybercriminals are creating websites that closely resemble official FIFA ticketing portals, complete with authentic-looking branding, logos and layouts. These fraudulent platforms lure users into entering personal information and payment card details while attempting to purchase tickets.

FortiGuard researchers identified several impersonation websites, including one domain registered shortly before the tournament period that replicated official FIFA content and used fake checkout pages to harvest billing information, personal details and financial data from victims.

The report also found that discounted FIFA tickets were being advertised on underground cybercrime forums and Telegram channels, often bundled with fraudulent travel and hotel packages. These schemes create urgency through limited-time offers and heavily discounted prices to pressure fans into making quick purchasing decisions.

Resale market increasingly targeted

Researchers warned that fans who fail to secure tickets through official channels face heightened risks in secondary markets. Fraudsters are posing as legitimate sellers and offering discounted, VIP or last-minute tickets through social media groups and unofficial marketplaces. Victims are frequently shown fabricated ticket confirmations and payment receipts to establish credibility before being asked to transfer money.

In one case highlighted in the report, investigators uncovered a ticket resale platform promoted through Telegram channels that claimed years of operating history despite having been registered only recently. Users were directed to enter billing and payment information before receiving payment instructions through personal email accounts rather than legitimate corporate domains.

Social media impersonation on the rise

The report identified more than 1,700 suspected FIFA-related impersonation accounts and channels across social media and messaging platforms. Nearly 90 percent of these accounts were concentrated on Facebook and Instagram, where attackers used FIFA branding to spread fraudulent promotions, phishing links and misleading information.

Researchers warned that the widespread presence of unofficial accounts significantly increases the risk of social engineering attacks targeting football fans worldwide.

Fake job offers and recruitment scams

Cybercriminals are also exploiting interest in temporary employment opportunities associated with the tournament. The report describes campaigns using fake job advertisements for event staffing, hospitality, logistics and media support roles.

Victims receive fraudulent meeting invitations or recruitment messages directing them to counterfeit websites impersonating FIFA and its sponsors. These sites often display fake Google login pages designed solely to steal usernames and passwords. After credentials are entered, victims typically receive error messages while their information is secretly transmitted to attacker-controlled infrastructure.

Researchers linked multiple FIFA-themed recruitment domains to a coordinated phishing campaign that used shared tracking infrastructure and cloud-hosted data collection systems.

Malware, fake apps and streaming fraud

The report highlights a growing threat from malicious software disguised as betting applications, streaming tools and FIFA-related mobile apps. Cybercriminals are distributing fake applications through unofficial download sites and third-party app repositories, often embedding credential stealers, spyware and ransomware.

Football fans searching for free live streams are also being targeted. Fraudulent streaming websites promoted through social media and messaging platforms encourage users to register accounts, install fake media players or submit personal information, exposing them to malware infections and credential theft.

Credential theft and data exposure

FortiGuard Labs found evidence of FIFA-related credentials appearing in stealer logs, historical breach datasets and underground forums. The report identified exposed accounts associated with both FIFA employees and users interacting with FIFA-related websites. Popular credential-stealing malware families including Vidar, LummaC2 and RedLine were observed harvesting FIFA-related login information.

Researchers also discovered discussions on underground forums where threat actors shared FIFA-related username and password combinations, increasing the risk of account takeover attacks and targeted phishing campaigns.

Organized campaigns likely to intensify

The report concludes that cyberthreats targeting FIFA World Cup 2026 are already active and are expected to escalate as the tournament approaches. Evidence of coordinated domain registrations, infrastructure reuse, social media impersonation and recurring scam techniques suggests that many of these operations are organized campaigns rather than isolated incidents.

Fortinet recommends that football fans purchase tickets only through official channels, verify website authenticity before entering personal information, avoid downloading applications from unofficial sources, enable multi-factor authentication and remain cautious of unsolicited messages promoting ticket sales, employment opportunities or exclusive tournament offers.

About the Report

The “FIFA World Cup 2026: Cyberthreat Landscape Report” was prepared by FortiGuard Labs, which analyzed FIFA-themed cyber activity between January and May 2026. The study examined malicious domains, phishing campaigns, social media impersonation, malware distribution, credential theft activity and underground cybercrime forums targeting the global football community.