Be careful for bogus World Cup web sites that mimic official ticket and merchandise flows to steal cash and private information
22 Might 2026
•
,
5 min. learn
Because the FIFA World Cup 2026™ in the US, Canada, and Mexico attracts nearer, anticipation is constructing towards fever pitch. Many soccer followers should be looking for tickets, merchandise, journey and hospitality packages – and scammers know precisely how you can exploit this demand. In different phrases, many individuals are already within the way of thinking that scammers depend on: , impatient and, certainly, perhaps just a little nervous that the tickets or different items will promote out. Which is finally what makes these scams so efficient.
ESET researchers in Latin America not too long ago noticed numerous web sites which are constructed for this very second. Posing because the FIFA affiliation or the official World Cup web site, the imposter websites goal individuals searching for tickets and merchandise, then steer them by means of faux registration and cost flows that steal their cash and private information. The sequence of steps is usually truly the identical as on the real World Cup web site: register, add tickets for a recreation, jerseys or different merchandise to the cart, and pay.
Some victims could attain these web sites by means of sponsored search outcomes, whereas others click on on advertisements on social media or hyperlinks in electronic mail messages forwarded by somebody who didn’t verify the tackle correctly. Regardless of the state of affairs, right here’s what it’s best to learn about faux FIFA- and World Cup-themed web sites – and how you can keep away from scoring an ‘personal objective.’
First pattern
One of many faux websites, hosted at https://***fifa26[.]store, makes use of a website that appears shut sufficient to FIFA and the 2026 World Cup to catch a hurried customer. Certainly, many websites arrange within the run-up to main occasions will depend on a standard trick often called typosquatting, which includes on a website title that intently resembles the legit one, however accommodates small additions or includes different modifications within the area title that the sufferer usually will not discover.
The trickery doesn’t cease there, nevertheless. The positioning additionally copies the feel and appear of FIFA’s official web site, together with the colours, structure, navigation and ticketing stream, all with the intention to make the sufferer really feel that the expertise is legit.
And right here, for comparability, is the legit web site:
However again to the faux web site – right here’s what occurs if you wish to “buy” tickets or merchandise. Very like the official FIFA web site, the imposter web site additionally asks you to register. In the event you count on to create a FIFA ID earlier than shopping for tickets, a faux registration kind could not look unusual at first. It additionally asks for the same old issues comparable to your title, electronic mail tackle, and cellphone quantity. Nothing about that feels uncommon in case you imagine you’re on FIFA’s official web site.
In the meantime, Determine 5 reveals the registration step on the official web site.
The bogus web site additionally presents what seems to be official merchandise. The purpose is to maintain you inside a well-known procuring routine lengthy sufficient for the cost web page to really feel like the following anticipated step.
It means that you can choose any product and add it to the procuring cart:
When you enter your card particulars, it goes straight to the individuals behind the faux web site – and there’s no jersey coming from FIFA, after all.
The ticket stream works the identical method. After registration, the bogus web site lets you choose supposed World Cup matches, transfer towards checkout, and attain a cost web page.
You’ll be able to select the specified match, in any stage of the match:
After which, it results in the procuring cart. As soon as entered into the shape, your funds particulars would journey into the arms of the cybercriminal behind the bogus web site.
The apparent loss is cash, however the quieter loss is monetary and identification information. A full title, electronic mail tackle, cellphone quantity and reused password could be misused by attackers past any single fraudulent web site. If the identical password opens your electronic mail or social media account, the faux FIFA registration can develop into step one in one other, and fairly presumably much more damaging, assault.
4 extra websites riffing on the identical theme
One other faux web site, https://****26-fifa[.]com, follows the identical sample. The area is World Cup-themed, the location makes use of FIFA’s visuals, and the customer is pushed towards registration earlier than being provided purported tickets and merchandise.
The faux World Cup web sites normally, together with the menu tabs and different visible cues, are designed to look as intently as potential the official one. The highest-level domains matter, too – a .store or .retailer area could make a faux web site really feel like a retail offshoot, particularly when the remainder of the URL tackle accommodates “fifa” and every little thing in regards to the web site seems to be polished.
Techniques for staying protected
Crucially, FIFA has made it clear that World Cup tickets can solely be purchased by way of three official channels – fifa.com/tickets, fifa.com/hospitality, and particular Qatar Airways journey packages (which can truly be bought out by now). It follows then that you just’re greatest off steering clear of assorted third-party sellers or social media listings.
- Go to FIFA’s official web site immediately. Kind the tackle your self; i.e., begin from FIFA.com or FIFA’s ticketing portal, not from an advert, a social media put up or a hyperlink somebody has despatched to you.
- Look intently on the area title earlier than coming into any info. Additional characters, phrases, odd endings and near-matches could possibly be the one seen clue that the location shouldn’t be what it claims to be.
- Watch out with presents constructed round strain: “restricted tickets,” “VIP entry,” “reductions,” “final likelihood,” or something that rushes you into motion and makes checking really feel like a delay you may’t afford.
- Keep away from reusing passwords. If a faux registration web page steals a password that you just additionally use to your electronic mail, social media or banking account, the issue might observe you method past the faux web site.
- And don’t let a checkout stream reassure you. A working cart and a cost kind don’t show that the vendor is legit.
- Shield all of your accounts with robust, distinctive passwords and two-factor authentication, in addition to use safety software program on all of your units.
The countdown to the World Cup provides criminals a ready-made viewers: numerous individuals looking for tickets, merchandise and varied last-minute alternatives. The faux FIFA websites present how that demand is being became a phishing stream, one acquainted click on at a time. Keep protected!
![How easy semantics elevated our AI citations by 642% [New results]](https://blog.aimactgrow.com/wp-content/uploads/2026/01/Amanda20Sellers20MiM-120x86.png)
