A single typo could derail your World Cup plans

Cybercriminals are spoofing Fédération Internationale de Football Association (FIFA) websites ahead of the 2026 FIFA World Cup, the FBI warns.


The attackers are registering lookalike domains with small spelling changes or different domain endings to impersonate FIFA websites and services. The tactic, known as typosquatting, relies on users making small typing mistakes when entering website addresses.

People who land on the fake sites may hand over names, addresses, phone numbers, email addresses, banking details, or payment card information.

According to the FBI, the fake sites are being used to steal personal information, sell counterfeit World Cup tickets and hospitality packages, and support additional fraud schemes.

“Spoofed websites may mimic the legitimate URL by using a minor misspelling, such as fiffa[.]com, or alternative top-level domains, such as .org rather than .com,” the FBI said.

The agency also said attackers may register domains such as jobs-fifa[.]com to impersonate FIFA-related services and subdomains.
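The three patterns the FBI describes (a minor misspelling, an alternative top-level domain, and the brand name joined to an extra word) can be checked mechanically when triaging newly observed hostnames. The sketch below is an added example, not code from the FBI or any vendor named in this article; it assumes fifa.com is the official domain, and `tickets.fifa.com`, `fifa.org` and `example.com` are constructed sample inputs.

```python
LEGIT = "fifa.com"  # assumption: the official registrable domain being protected

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed two rows at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def refang(host: str) -> str:
    """Normalise case and undo the [.] defanging used in advisories."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")

def classify(host: str, legit: str = LEGIT) -> str:
    """Return the lookalike pattern a hostname matches, for analyst review."""
    host = refang(host)
    brand, _, tld = legit.partition(".")
    if host == legit or host.endswith("." + legit):
        return "legitimate"
    name, _, host_tld = host.rpartition(".")
    label = name.rsplit(".", 1)[-1]  # label left of the TLD (single-label TLDs only)
    tokens = label.split("-")
    if label == brand and host_tld != tld:
        return "tld-swap"          # same name, different ending
    if brand in tokens and len(tokens) > 1:
        return "brand-combo"       # brand joined to another word with a hyphen
    if any(edit_distance(t, brand) == 1 for t in tokens):
        return "misspelling"       # one insert, delete or substitute away
    return "unrelated"

# Constructed sample input, apart from the two names quoted by the FBI.
SAMPLES = ["fifa.com", "tickets.fifa.com", "fiffa[.]com", "fifa.org",
           "jobs-fifa[.]com", "example.com"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:20} {classify(s)}")
```

A match is a candidate for review rather than a verdict: with a four-letter brand, a one-edit threshold will also catch unrelated real words and names.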

Criminals are hoping to capitalize on massive demand for World Cup tickets. FIFA expects more than 6.5 million fans to attend matches during the 2026 FIFA World Cup.

FIFA President Gianni Infantino noted that fans submitted more than 150 million ticket requests within the first 15 days of sales, making the tournament roughly 30 times oversubscribed compared to previous World Cups.

A Group-IB investigation uncovered a large fraud ecosystem targeting football fans ahead of the 2026 FIFA World Cup, including more than 4,300 fake domains impersonating FIFA websites, six separate fraud schemes, and four independent threat actor groups.

At the center of the activity was a Chinese-speaking threat actor Group-IB calls “GHOST STADIUM,” which allegedly operated more than 300 phishing domains designed to mimic FIFA’s official website.

“GHOST STADIUM has built a pixel-perfect clone of the official FIFA website, complete with a replicated single sign-on (SSO) authentication flow, and multi-language support in 11 languages,” Group-IB stated.

Netcraft also found that scammers are using Facebook, X, Telegram, and WhatsApp channels to promote fake World Cup tickets, hotel deals, betting offers, and FIFA-themed phishing sites.

“The risk environment surrounding the 2026 World Cup is characterized by extreme operational density. There are three simultaneous pressures: millions navigating shared public infrastructure, systems pushed to the brink across three countries, and a global spotlight that attracts opportunistic and malicious actors,” said Ian Gray, VP of Intelligence, Flashpoint.

“Against this backdrop, disruption often starts in overlooked places, like fraudulent ticketing domains, transit delays, unauthorized gatherings, or signals in online communities, and then compounds quickly into operational impact. Effective teams should monitor both the cyber and physical domains for risk indicators to preempt their materialization into real-world disruptions,” added Gray.

To help users avoid scams, the FBI published a list of spoofed domains it identified, shared safety tips, and said additional fake websites are likely to appear ahead of the 2026 FIFA World Cup.
