While football fans around the world wait with bated breath for the FIFA World Cup to start, cyber criminals are already hard at work online.
The tournament, heralded by the organisers as the biggest event of its kind ever, will see 104 teams go head-to-head in 16 North American cities across Canada, the United States and Mexico when the games begin later this week.
Cybercriminals have already created thousands of World Cup-related campaigns and, heading into the tournament, the Canadian and American governments have issued warnings for spectators to keep a close eye out for scams.
Here is what campaigns have already taken place online and what to expect as we wait for the kick-off.
Thousands of fake FIFA websites
One of the most popular schemes for cybercriminals is the fake FIFA website or merchandise store, according to cybersecurity firms Fortinet and Check Point.
In a recent report, Fortinet identified over 13,000 World Cup-themed websites registered between January and May. Approximately 8% of these websites were classified as malicious or suspicious based on scam activity and patterns on the website, the analysis found.
Most of the websites they identified were used to attract users who are looking for tournament information and services by using World Cup-related keywords and abusing the FIFA branding, Fortinet said.
The goal of these sites is to “steal sensitive information such as payment card details, personal identification data, and login credentials” by tricking World Cup hopefuls into buying fake tickets, Fortinet said.
Often called “card not present,” fraud, these sites have been in place at other major events, such as the 2022 World Cup and the 2024 Paris Olympics, and look to exploit “urgency and scarcity to pressure rapid purchasing decisions,” according to Check Point.
Fortinet observed some scammers posting fake World Cup travel packages, including tickets, hotel and transportation on messaging app Telegram “while creating a strong sense of urgency,” the report said.
The Telegram posts redirect potential buyers to a fake ticketing website hosting a sham checkout page, where they are prompted to enter their personal information. After putting in their payment information, the victim receives a fake invoice.
Other websites also replicate sports-related gambling sites that face increased demand during large events such as the World Cup, the report said. Cyber criminals often distribute “fake or trojanized betting applications disguised as legitimate software,” to trick users into placing bets on their platforms.
Fake jobs, profiles and streaming services on social media
Cybercriminals are not just restricted to traditional websites; they also created 1,700 fake social media profiles on Facebook and Instagram, the report said.
“The widespread presence of unofficial accounts using FIFA branding increases the risk of brand abuse, misinformation, fraudulent promotions, phishing attempts, and other social engineering activities targeting football fans ahead of the FIFA World Cup 2026,” the report said.
On the LinkedIn job site, scammers have been circulating fake job advertisements to trick users into thinking they were applying for short-term roles in event staffing, hospitality, logistics and media support.
Hackers often impersonate real recruitment agents for their scams, directing prospective job applicants to fake calendar schedules that have a phishing site embedded to steal their personal information.
Social media platforms such as Facebook, X and Telegram have also distributed fake links to streaming platforms that promise to livestream a specific game with a group of fans.
The links would often appear a few minutes before a match begins, often within closed groups or channels, and users are pressured into quickly registering their information or installing a fake “player” before the stream starts.
However, in many of the social media cases, Fortinet noted that fans have been quick to spot fakes, with many taking to Reddit to ask other fans to confirm whether they have been the victim of a scam.
Euronews Next contacted these platforms to see whether they have increased any content moderation or scam detection ahead of the World Cup, but did not receive an immediate reply.
How to protect yourself
Consider verifying the domain name of a website or email address related to the World Cup before deciding to click on it, Check Point said in a list of recommendations.
Only book through On Location, FIFA’s hospitality partner, for hospitality packages or directly with the hotel that you want to stay at, the cybersecurity firm said.
If booking online, use a credit card instead of a debit card to buy something tournament-related due to stronger protections against scammers, it suggested.
If a fan sees something suspicious, Check Point suggests slowing down before acting, because buying into urgency can make it easier to fall for a scam.
For fans going to the World Cup, Check Point recommends running phone and app updates before arrival at the stadium so hackers cannot access devices that have security flaws.