Fake FIFA Websites Used by Hackers to Steal User Information
Threat actors are intensifying spoofing campaigns that imitate FIFA-branded websites ahead of the 2026 World Cup, the FBI warned in a Public Service Announcement (Alert I-052726-PSA) published May 27, 2026.
The campaign exploits the tournament’s global attention by directing users to fraudulent domains that closely resemble the official FIFA site and other event-related web resources.
FIFA Website Spoofing Campaign
Attackers register lookalike domains and set up pages that copy FIFA’s visual branding and functionality. Common fraud lures include fake ticket sales, bogus hospitality or merchandise portals, and counterfeit job listings that appeal to people seeking event-related work.
These pages often host phishing forms or deliver malware to capture credentials and other sensitive data. The primary objective is harvesting personally identifiable information (PII): names, addresses, phone numbers, email credentials, and payment details.
In many cases scammers seek to process fake transactions selling non-existent World Cup tickets or hospitality packages to collect money and card data. Successful compromises can also provide footholds for more damaging attacks on users or organizations.
- Typo-squatting and domain spoofing: attackers create domains that are minor misspellings or visual imitators of “fifa.com,” or use different top-level domains (TLDs).
- Subdomain impersonation: malicious registrations such as jobs-fifa[.]com or fifa-careerhub[.]com pose as official portals to target job seekers.
- Visual deception: domains like wvvw-fifa[.]com and fifa-com[.]com exploit character similarity and punctuation to mislead users.
- Examples identified by the FBI: FIFA[.]pink, fifa[.]ceo, filfa[.]org, fifa-ticket[.]live, worldcup26ticket[.]com.
Fraudulent domains may appear in search results, sponsored ads, social media posts, and phishing emails. Attackers may also promote these pages through targeted campaigns that mimic legitimate communications from event organizers or vendors.
Mitigation
Always navigate to the event site by typing the official URL: www.fifa.com. Avoid clicking sponsored search results for ticket purchases or job applications. Verify domains carefully: look for misspellings, extra characters, or unfamiliar TLDs.
Use bookmarks for frequently visited official pages. Be suspicious of requests for sensitive information, poor page design, or unexpected redirects.
Monitor newly registered domains containing FIFA or World Cup keywords and add suspicious entries to blocklists. Implement DNS filtering and threat intelligence feeds to detect emerging indicators of compromise (IOCs).
Deploy endpoint protection and browser isolation to limit exposure to phishing pages and drive‑by downloads. Share IOC details and domain lists across security teams and partners to speed detection and takedown.
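The monitoring step recommended above (watching newly registered domains for FIFA or World Cup keywords) can be sketched as a small triage filter. This is an added example, not code from the FBI alert or this article; the keyword list, the edit-distance threshold of 1, and the benign feed entries are assumptions, and the feed is constructed from the defanged examples quoted earlier.

```python
import re

OFFICIAL = "fifa.com"                      # official site named in the article
BRAND = "fifa"
KEYWORDS = ("fifa", "worldcup", "world-cup")  # assumed watch-list keywords

def refang(domain):
    """Normalise a defanged indicator such as fifa[.]ceo."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return why a domain looks like a FIFA lookalike, or None."""
    d = refang(domain)
    if d == OFFICIAL or d.endswith("." + OFFICIAL):
        return None                        # the official domain and its subdomains
    labels = d.split(".")[:-1] or [d]      # every label except the TLD
    if labels == [BRAND]:
        return "brand on unofficial TLD"
    if any(k in label for label in labels for k in KEYWORDS):
        return "brand keyword in name"
    tokens = [t for label in labels for t in re.split(r"[-_]", label)]
    if any(len(t) >= 4 and edit_distance(t, BRAND) == 1 for t in tokens):
        return "typosquat of brand"
    return None

def triage(feed):
    """Map each suspicious domain in a feed to the reason it was flagged."""
    return {d: r for d in feed if (r := classify(d))}

# Constructed feed: defanged examples quoted in the article plus benign entries.
FEED = ["fifa[.]ceo", "filfa[.]org", "fifa-ticket[.]live", "worldcup26ticket[.]com",
        "jobs-fifa[.]com", "wvvw-fifa[.]com", "www.fifa.com", "weather-news.example"]

if __name__ == "__main__":
    for domain, reason in triage(FEED).items():
        print(f"{domain:28} {reason}")
```

Flagged entries are candidates for analyst review before blocklisting; a one-edit typosquat rule on a four-letter brand will also match unrelated short words.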
Victims should report incidents to the FBI’s Internet Crime Complaint Center (IC3) and provide the malicious domain, interaction history, and transaction details. Early reporting helps authorities track campaigns and remove fraudulent infrastructure.