World Cup 2026: The "Fan Journey" Becomes Scammers' New Target

Kaspersky has detected 336 unique domains imitating official World Cup resources since the start of the football World Cup. The figure illustrates a now-familiar pattern seen at major sporting events: fraudsters are not targeting a single isolated purchase, but reproducing the entire digital environment surrounding the tournament. Ticketing, merchandise, streaming, betting, travel, accommodation and fake partnerships have all become entry points for stealing money, harvesting credentials or collecting personal data.

Cybercriminals’ interest in the 2026 World Cup stems from a combination of several factors. The event triggers quick purchasing decisions, mobilizes fans across multiple countries and creates strong demand for often-limited services: match tickets, available rooms, plane tickets, online broadcasts or official merchandise. This pressure creates fertile ground for offers that seem too good to be true, fake websites and messages that play on urgency.

“Unfortunately, major sporting events that draw large audiences are never overlooked by scammers. Seemingly harmless, even appealing, emails can often conceal dangerous links and malicious attachments. In some cases, careless interaction with such messages can lead to serious device infections. We recommend that users ignore any suspicious email or website in order to protect their financial assets and keep their devices and personal data secure,” says Anna Lazaricheva, senior spam analyst at Kaspersky.

From Fake Tickets to Fraudulent Shops

The first scams identified rely on the most predictable tactics: selling access to the event or its merchandising universe. Kaspersky reports having identified fraudulent websites offering to sell tickets for FIFA World Cup matches. These pages copy the tournament’s official 2026 colors, accept payments in numerous currencies and lead users through fake registration and payment steps. In the end, victims may lose the funds they committed and expose personal or banking information.

Example of a phishing site offering FIFA World Cup tickets © Kaspersky

The same mechanism applies to merchandise. Another site observed by Kaspersky offers so-called “official merchandise”: t-shirts, mascot plush toys and tournament souvenirs. The fraudsters reinforce the appearance of legitimacy with steep discounts, a “Trusted Shop” badge and a registration form. This kind of staging shows that fraud does not always rely on high technical sophistication. It first exploits visual familiarity, the promise of an attractive price and the perceived scarcity of event-related products.

Example of a fraudulent site encouraging users to buy FIFA 2026 merchandise © Kaspersky

Emails follow the same logic. Some messages claim to come from official representatives of the competition or from bodies linked to dispute resolution. Others announce a fictitious prize, such as a supposed $500,000 grant intended to cover tickets, flights and accommodation. In these scenarios, the fraud aims less at sustained persuasion than at triggering a first interaction: clicking, replying, providing information or making a payment.

Example of a fraudulent email announcing a $500,000 donation © Kaspersky

Streaming and Betting: New Spaces for Data Capture

Once the tournament is underway, scams shift toward real-time activities. Fans look for broadcasts, commentary, match analysis or betting platforms. Kaspersky describes fake streaming sites promising free access to the competition. After clicking “Watch now,” users are asked to create an account, then to pay in cryptocurrency to obtain a supposed “lifetime access to the tournament.” The trap combines the collection of registration data with a financial loss that is difficult to dispute.

Example of a website and its fake video player inviting users to sign up to keep watching the World Cup © Kaspersky

Fraudulent betting platforms extend this same logic. Sites in Spanish and Portuguese have been identified. They ask users to enter their first name, last name, email address, phone number and other personal information under the guise of account creation. The risk goes beyond the amount wagered. Reusing a password across multiple services can open the door to chain compromises, particularly on financial apps or personal messaging services.

Example of a fake betting site in Portuguese asking users to provide personal data to create an account © Kaspersky

“Since the start of the tournament, scammers have increasingly focused on how fans interact with the event online. Because today, watching matches only requires an internet connection and a device. As a result, criminal activity continues to grow, as shown by the fraudulent websites we are observing that offer streaming and betting services in multiple languages. We recommend that users stick to official broadcasts in order to protect their data and finances,” says Olga Altukhova, senior web content analyst at Kaspersky.

Email campaigns related to predictions add another layer. In one example cited by Kaspersky, fans received messages promising football analysis and predictions on winners. The tactic used was urgency, with a request for a $200 AUD payment to access the service. The dynamic resembles other forms of event-related fraud: a legitimate interest serves as a pretext for a paid offer whose real value remains unverifiable.

Travelers, Landlords and Businesses in the Crosshairs

The 2026 World Cup does not only mobilize fans behind their screens. It also attracts travelers, property owners, accommodation platforms, transport providers and potential suppliers. This dimension extends the risk to the tourism sector and to certain organizations likely to take part in the tournament’s commercial ecosystem.

In late April 2026, Kaspersky detected a campaign impersonating a well-known ride-hailing app in Mexico. A fake site in Spanish invited users to enter their phone number and password to “claim prizes.” Behind the promise of a reward, the goal was to steal credentials by leveraging a trusted brand. In March 2026, Kaspersky’s Digital Footprint Intelligence team also spotted offers on a dark web forum promising plane tickets, hotel bookings and match tickets with an advertised 20% discount.

Example of a fraudulent website impersonating a well-known app © Kaspersky

Returning to Official Channels

Landlords are also becoming targets. Strong demand for short-term rentals is pushing some fraudsters to impersonate well-known booking platforms in order to obtain property owners’ credentials. Access to these personal accounts can enable illicit withdrawals or other fraudulent operations. Added to this threat are B2B scenarios: messages impersonate airlines, offer fake business partnerships, send out supplier registration forms and ultimately request a supposed “security deposit.”

“The travel sector, particularly when linked to major events, is a recurring target for a wide range of scams and fraudulent schemes. For users, it is often difficult to tell at first glance a legitimate website from a spoofed one, or genuine marketing communications from a reputable service from fraudulent emails. It is therefore advisable to exercise great caution with offers that seem too good to be true, in order to protect personal data and financial resources,” adds Anna Lazaricheva.

Faced with this multitude of threats, the measures to apply remain well known, but their execution needs to become systematic. Users should check URLs, scrutinize domain spelling, favor official ticketing, streaming and transport platforms, enable multi-factor authentication and monitor their bank accounts. Businesses should add a layer of internal validation: off-channel confirmation of any new supplier, verification of payment requests, awareness training for exposed teams, and rejection of offers that combine urgency, steep discounts and a lack of transparency.

Stay tuned in real time
Subscribe to
the newsletter
By providing your email address you agree to receive the Incyber newsletter and you have read our privacy policy. You can unsubscribe at any time by clicking on the unsubscribe link in all our emails.
Stay tuned in real time
Subscribe to
the newsletter
By providing your email address you agree to receive the Incyber newsletter and you have read our privacy policy. You can unsubscribe at any time by clicking on the unsubscribe link in all our emails.