With the 2026 FIFA World Cup kicking off June 11 across the U.S., Canada, and Mexico, the FBI and multiple security firms issued urgent warnings this week that a massive fraud operation is already running against fans: more than 4,300 fake FIFA domains, banking malware in pirate streaming apps, and credential-harvesting phishing operations. If you plan to buy tickets, stream a match, or shop for merchandise from your home PC, the risk of landing on a malicious site is unusually high right now.
What the FBI is warning about
The FBI's Internet Crime Complaint Center (IC3) issued a public service announcement warning that cyber threat actors are conducting spoofing attacks against the Fédération Internationale de Football Association (FIFA) website in advance of the 2026 FIFA World Cup. The fake sites are convincing copies of fifa.com built to harvest data. Threat actors often create spoofed websites by slightly altering characteristics of legitimate website domains, with the purpose of gathering personally identifiable information (PII) entered by a user into the site, including name, home address, phone number, email address, and banking information.
With the international soccer tournament set to run from June 11 to July 19 in the United States, Canada, and Mexico, threat actors have prepared hundreds of phishing sites. The fake domains impersonate the official fifa.com, but rely on minor spelling changes that users are likely to miss, such as fiffa[.]com, and use alternative top-level domains (e.g., .org, .xyz, .live, .sale), along with fake employment portals like "jobs-fifa[.]com" or "fifa-hiring[.]com."
The scale is bigger than typical phishing campaigns
This isn't a handful of opportunistic scams. The most detailed findings come from Group-IB, which tracked more than 4,300 fraudulent FIFA domains registered since August 2025. At the center is a group it calls GHOST STADIUM, a Chinese-speaking, money-driven operation running one phishing kit across more than 300 sites. FortiGuard Labs counted more than 13,000 World Cup-themed domains registered between January and May, roughly 8.8% of them classified as malicious or suspicious.
And more is coming. Group-IB counted roughly 3,800 fraudulent FIFA domains sitting parked and unused, ready to switch on. With ready-made scam kits and ticket-buying bots already for sale, the peak window is easy to predict: 11 June to 19 July, when searches for tickets, streams, and travel will be at their highest. If your home PC gets hit by malware after clicking one of these links, our malware and phishing cleanup service can clean it out and check what data may have been exposed.
How the attacks work on a Windows PC
The fake ticket sites are technically sophisticated. The most visible layer is the fake ticketing sites: pages that copy FIFA's logo, colours and login system, and even load images directly from FIFA's own servers, which makes them appear authentic and harder for standard security tools to flag. Beyond fake tickets, Group-IB also found counterfeit merchandise shops, bogus streaming sites that take a subscription fee and then install malware that hands control to the attacker, and fake betting sites that collect passport scans and selfies for identity theft. Bitdefender separately tracked FIFA lottery emails promising payouts of up to $2 million.
The damage chain is well-organized: fake domains catch the ticket searches, ads and search results push the traffic, stolen-password dumps feed account takeovers, and sideloaded apps turn stream-hunting into bank fraud. If a family member already entered card details on a lookalike site or downloaded a sketchy streaming app, the practical next steps are immediate password changes, a card freeze with your bank, and a full malware scan — and if files have been encrypted or deleted, our file recovery team can often pull them back.
How to stay safe
The FBI's guidance is simple and worth following. When navigating to FIFA's official website, type fifa.com directly into the address bar located at the top of your Internet browser, rather than using a search engine. If using a search engine, avoid any "sponsored" results, as these can be paid imitators looking to divert traffic from the legitimate FIFA website. Verify that the URL of the FIFA website ends in [.]com and is correctly entered as www.fifa.com. Avoid clicking on any link whose URL differs from the legitimate FIFA website to mitigate risk of fraud. Use Bookmarks or Favorites for navigating to login websites rather than clicking on Internet search results or advertisements.
A few extra rules from the researchers: Buy tickets only through fifa.com, typed directly, not via an ad or search result. Enable multi-factor authentication, and treat any seller requesting cryptocurrency as a scam. Anything ending in .shop, .store, .live, .xyz, or .site claiming to sell tickets should be treated as fake. And if your browser starts redirecting, pop-ups appear, or the PC slows down after visiting one of these sites, get the machine checked at a local PC repair shop before logging into anything sensitive again.
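The URL check in the FBI guidance, and the lookalike patterns described earlier (a one-letter misspelling, a swapped top-level domain, the brand joined to another word with a hyphen), can be applied automatically to links pulled from mail or proxy logs. The sketch below is an added example, not code from the FBI, Group-IB or any vendor named here; the function names and category labels are hypothetical, and it assumes the registered name is the label immediately left of the last dot.

```python
from urllib.parse import urlsplit

OFFICIAL = "fifa.com"   # the one domain the FBI guidance says to type directly
BRAND = "fifa"

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'official', 'alt-tld', 'combosquat', 'typosquat' or 'unrelated'."""
    url = url.strip().replace("[.]", ".")      # refang defanged indicators
    if "://" not in url:
        url = "//" + url                       # let urlsplit see a bare host
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Assumption: the registered name is the label left of the last dot.
    # Multi-part suffixes (e.g. .co.uk) need a public-suffix list instead.
    name = labels[-2]
    if name == BRAND:
        return "alt-tld"                       # brand on a TLD other than .com
    if BRAND in name.split("-"):
        return "combosquat"                    # jobs-fifa, fifa-hiring
    if edit_distance(name, BRAND) <= 1:
        return "typosquat"                     # fiffa
    return "unrelated"

# Constructed sample input: the page's own examples plus made-up URLs.
SAMPLES = ["https://www.fifa.com/en/tickets", "fiffa[.]com",
           "jobs-fifa[.]com", "fifa-hiring[.]com",
           "http://fifa.live/tickets", "example.org"]

def triage(urls):
    """Map each URL to its category, for review by an analyst."""
    return {u: classify(u) for u in urls}

if __name__ == "__main__":
    for url, verdict in triage(SAMPLES).items():
        print(f"{verdict:11} {url}")
```

Because the brand is only four letters long, the one-edit rule will also match innocent names that happen to sit one character away, so treat a "typosquat" verdict as a prompt for review rather than a block decision.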
What This Means for York, PA
York County residents heading to matches or planning watch parties should assume the first dozen Google results for "FIFA tickets" or "World Cup stream" include traps. If you clicked one and now suspect your PC or accounts have been compromised, walk in to York Computer Repair at 2069 Carlisle Rd or call 717-739-9675 and we'll check the machine and help you lock down your accounts.