Cybercriminals began building infrastructure to target the 2026 FIFA World Cup well before the first match was played, according to a new report from Fortinet’s FortiGuard Labs.
The company said it tracked FIFA-themed cyber activity from January through May 2026 and found a growing network of suspicious domains, impersonation accounts, and scam campaigns tied to the tournament.
Researchers identified more than 13,000 newly registered FIFA-themed domains during that period. About 8.8% were classified as malicious or suspicious. The report also found more than 1,700 suspected FIFA impersonation accounts across social media and messaging platforms, with most of the activity concentrated on Facebook and Instagram.
The findings suggest cybercriminals didn’t wait for fans to begin a last-minute rush for tickets or match streams. They prepared web pages and social accounts in advance so those assets are ready as demand peaks.
Criminal Infrastructure Is Being Staged Before the Tournament
FortiGuard Labs found a sharp increase in FIFA-themed domain registrations from March through May. The report also identified reused hosting infrastructure and repeated naming patterns, including some tied to phishing, typosquatting, and malware delivery.
The credential market is already part of the risk. Fortinet said FIFA-related logins are showing up in criminal data streams, including stealer logs and breach repositories. Once exposed, those credentials can be reused in account-takeover attempts or held for later phishing campaigns against people and organizations connected to the tournament.
Anne Cutler, Cybersecurity Evangelist at Keeper Security, said the World Cup gives criminal groups an unusual combination of scale and urgency.
“The World Cup creates one of the most dangerous cyber-attack windows on the planet,” Cutler said. “Billions of people across dozens of time zones, all emotionally invested — and all searching, clicking, and transacting online, at the same time.”
Ticket Scams Remain the Most Visible Threat
Ticket scams remain the clearest risk for fans. Fortinet said attackers are creating fake FIFA ticketing portals that copy official branding and checkout flows. Others pose as resale platforms or last-minute offers aimed at fans worried about missing out.
The lures are appearing in places fans already look for information, including Telegram, social media, and resale sites. FortiGuard Labs also found threat actors advertising discounted World Cup tickets on underground forums, sometimes bundled with fraudulent hotel or flight packages.
Selling fake tickets isn’t the only goal. These scams are designed to collect payment card data, personal information, and account credentials. In some cases, victims are pushed into direct payments through cryptocurrency or wire transfers, leaving little chance of recovery.
Fraud Follows the Fan Journey
The scams extend beyond ticketing. Fortinet found fake merchandise stores impersonating FIFA and partner brands, using copied logos and product listings to sell counterfeit goods or products that may never arrive.
Streaming is another pressure point. When a match is about to start, people are more likely to click quickly and overlook warning signs. Fortinet warned that attackers are promoting fake streaming sites that imitate legitimate broadcast portals. Some ask users to create accounts. Others push a fake “player” that is actually malware.
That risk also extends to apps. FortiGuard Labs identified malicious files and suspicious FIFA-themed APKs on unofficial download sites, including one betting-related executable that showed signs of persistence, encrypted communication, and possible ransomware-related behavior.
Fortinet also observed cryptocurrency scams using World Cup branding, including a fake “World Cup Coin” airdrop. The promotion used official-looking imagery and time pressure to push users toward malicious crypto activity, where they could be prompted to connect a wallet or share sensitive information.
Kern Smith, vice president of global solutions at Zimperium, said the tournament will also test mobile defenses because fans will rely heavily on phones for tickets, payments, and travel.
“Events like the 2026 FIFA World Cup are no longer just physical or network security challenges; they are mobile security stress tests,” Smith said.
Job Seekers Are an Overlooked Target
World Cup scams are also targeting people looking for work connected to the event.
Fortinet said job-related phishing campaigns were expected to increase as people search for short-term roles in staffing, hospitality, and event support—and that window is now open. FortiGuard Labs identified fake FIFA job domains, calendar-invite lures, and fraudulent Google login pages built to steal credentials.
In one campaign, a fake jobs-fifa.com domain presented victims with a Gmail login page. The form accepted an email address and password, then returned a generic error after submission. Fortinet said the same Google Analytics tracking ID appeared across multiple domains impersonating FIFA, sponsors, and affiliated organizations. Submitted credentials were also forwarded to Render-hosted endpoints, giving attackers a collection point for the stolen logins.
AI Makes Familiar Scams Harder to Spot
AI is making familiar scams harder to detect. The fake domains and ticket scams would exist without it, but generative tools can help attackers produce polished phishing messages without the spelling mistakes users were once trained to spot.
Pyry Åvist, co-founder and CTO at Hoxhunt, said attackers can now “generate realistic messages in multiple languages, tailor them, blend into specific corporate workflows, and produce many variations of the same lure.”
Security experts also warn that AI is expanding impersonation beyond email. Deepfake video and fabricated audio can make fraudulent appeals harder to distinguish from legitimate messages, especially when they appear to come from a colleague, recruiter, friend or family member.
Sponsors and Vendors Face Downstream Risk
The same activity targeting fans can also create problems for companies around the tournament. Fortinet found FIFA-related credentials in stealer logs and underground forums, including some tied to FIFA-associated employee accounts. That gives attackers material for account takeover and targeted phishing.
For sponsors, broadcasters, and suppliers, the risk is partly about impersonation. A spoofed domain or fake social account can be used to send bogus ticket offers, travel notices, or hiring messages that appear to come from a trusted brand.
Collin Hogue-Spears, senior director of solution management at Black Duck, said the challenge is applying basic controls across a sprawling event ecosystem.
“The defense playbook is fairly simple, five controls long,” he said. “However, the attack surface is three countries, sixteen host cities, and every vendor that shares a domain with the tournament brand.”
How Fans and Organizations Can Reduce the Risk
For fans, the safest path is to start from official sources rather than links shared through messages, search ads or social media posts. They should avoid unofficial tournament apps, treat unusual payment requests as a red flag, and protect tournament-related accounts with multifactor authentication.
Organizations face a broader task. Fortinet recommends monitoring new domains, fake social accounts, and underground forums for campaigns tied to FIFA branding. Sponsors and vendors should also enforce DMARC, use phishing-resistant MFA, and prepare takedown processes before tournament activity peaks.
The World Cup provides criminals a global audience, a trusted brand, and millions of people making fast decisions online. Defenders do not need to stop every scam before it appears. They need to detect them quickly, remove what they can, and make the next click harder to exploit.
