With the FIFA World Cup 2026 set to run from June 11 through July 19 across the United States, Canada, and Mexico, cybercriminals have launched hundreds of fake websites targeting football fans worldwide. The FBI issued a formal warning on May 27, 2026, alerting the public to spoofed FIFA domains, fake ticket portals, fraudulent merchandise stores, and lottery email scams running ahead of the tournament.

Cybersecurity researchers at Bitdefender Labs independently uncovered more than 55 football-related scam campaigns running across Meta platforms, including fake merchandise ads, IPTV piracy services, and fraudulent collectible offers targeting fans in over a dozen countries.
How Cybercriminals Build Fake FIFA Websites
Scammers create spoofed versions of the official FIFA website (www.fifa.com) using a tactic called typosquatting. This involves registering domain names with minor spelling changes or alternative top-level domains that users are likely to overlook when typing quickly or clicking from search results.
A fake domain might use fiffa[.]com instead of the real address, or swap .com for alternatives like .org, .xyz, .live, or .sale. Visitors who land on these sites unknowingly submit personal and financial information directly to attackers.
The FBI’s public service announcement confirms that many fraudulent websites collect:
- Full names
- Home and email addresses
- Phone numbers
- Banking and payment card details
Attackers use this data to commit identity theft, open fraudulent accounts, and run follow-up financial scams against the same victims.
Fake FIFA Domains Already Identified by the FBI
The FBI has published a list of fake domains already targeting fans. None of the following are legitimate FIFA properties:
Fake main domains:
- www.fifa[.]cab
- www.fifa[.]pink
- www.fifa[.]blue
- www.fifa[.]pub
- FIFA[.]city
- Fifa[.]bio
- fifa[.]beer
- fifa[.]click
- fifa[.]cam
- fifa[.]ceo
- fifa[.]help
- filfa[.]org
- fifa-online[.]com
- fifa-2026[.]xyz
- wvvw-fifa[.]com
- ww-fifa[.]com
- fifa-com[.]com
- www.fifa-com[.]services
Fake employment portals:
- jobs-fifa[.]com
- fifa-hr[.]com
- fifa-careerhub[.]com
- fifaworldcup-careers[.]com
- fifa-hiring[.]com
- fifahiring[.]com
Fake ticket and merchandise sites:
- fifa-ticket[.]live
- fifastore.us[.]com
- fifaworldcup26[.]sale
- worldcup2026-tickets.com[.]mx
- worldcup26ticket[.]com
- 2026fifaworldcuptickets[.]online
- fwc2026[.]net
- fwc2026.web[.]app
- www.fifa2026p[.]com
- fifa2026fworldcup[.]com
The FBI expects new fake domains to appear throughout the tournament period. Treat any domain that does not exactly match www.fifa.com with caution.
Fake Ticket and Merchandise Scams
Cybersecurity firm Group-IB attributed a major phishing operation to a Chinese threat actor tracked as Ghost Stadium. This group operates more than 300 cloned FIFA portal sites focused exclusively on premium ticket fraud, making it one of the largest World Cup-themed phishing networks identified so far.
Bitdefender Labs researchers observed separate fraudulent merchandise campaigns starting as early as February 2026, targeting users in the UK, Portugal, Spain, Algeria, the United States, Canada, Mexico, Brazil, Germany, and Australia. These scam ads promoted:
- Fake FIFA World Cup merchandise and kits
- England and Scotland national team football kits
- Hearts FC-themed clothing
- Panini sticker packs and collector albums
- Limited-edition football collectibles
- Fake fan gear and ticket offers
Many of the ads blended naturally into social media feeds using countdown timers and pressure phrases such as “Limited stock,” “Today only,” and “Selling out fast.” The campaigns ran across Facebook, Instagram, Google Search, Telegram, and WhatsApp.
Researchers identified recurring fake storefront domains including faithoutfit[.]uk, defwear[.]uk, savebigwear[.]com, teamcollections[.]com, fanzonewear[.]com, and crestwearus[.]com.
Chinese-Operated Fake Merchandise Stores
Two fake merchandise campaigns targeting UK football supporters were definitively attributed to Chinese operators. Investigators discovered Simplified Chinese UTM campaign parameters embedded directly inside advertising tracking infrastructure, providing unusually strong attribution evidence.
These operators ran several fake shops simultaneously so that the operation could continue even if individual websites got blocked or removed. One campaign stood out for specifically targeting parents shopping for children’s football kits. The site malskitukpatch.com operated under the name “PrimeFinds UK” and advertised football kits for children aged 3 to 13. It claimed products dispatched from the UK within 24 hours, with free shipping and 30-day returns. Researchers found no evidence to support any of these claims. Products were likely shipped from overseas suppliers, meaning buyers could face long delivery times, poor quality, or refund difficulties.
AI-Generated Scam Ads
Researchers also found that several FIFA-themed scam campaigns used AI-generated or heavily AI-enhanced promotional imagery. These ads featured unusually polished visuals, synthetic-looking product renders, and inconsistent branding to advertise fake FIFA World Cup 2026 sticker albums and collectibles.

Some pages contained obvious typos, such as “WordCup” instead of “World Cup,” while still imitating official Panini branding. Multiple versions of the same ads ran simultaneously across Facebook and Instagram, a common tactic to maximize reach and test audience engagement.
FIFA Lottery and Giveaway Email Scams
Bitdefender Antispam Lab identified multiple email scam campaigns impersonating FIFA World Cup 2026 organizations. These emails falsely claimed recipients had won cash prizes through FIFA lotteries, online giveaways, or promotional draws connected to the tournament.
Some messages promised winnings of up to $2 million and instructed victims to contact supposed “claims agents” or verification offices to process their reward.
The scam emails impersonated:
- FIFA Legal and Compliance Division
- FIFA World Cup 2026 Local Organizing Committee
- FIFA Awards promotional programs
To appear credible, the emails included reference numbers, ticket IDs, office addresses, legal terminology, and “confidential” PIN codes. One version asked recipients to contact a purported claims agent in South Africa through a free Gmail address. Another version requested passport or national identification details early in the process, introducing the risk of identity theft in addition to financial fraud.
These campaigns follow the classic advance-fee and lottery scam structure. FIFA branding and World Cup references make them more convincing to fans who expect promotions, ticket draw offers, and giveaways during tournament season. FIFA does not conduct unsolicited cash prize giveaways via email.
IPTV Piracy and Fake Football App Scams
Researchers uncovered coordinated IPTV piracy operations targeting fans seeking live match streams. In Portugal, two services named UniTV and Xtream IPTV shared overlapping infrastructure and entities, suggesting a single operator managing multiple IPTV brands at once. This structure lets operators continue functioning even if one service gets disrupted or removed.
Researchers also identified coordinated fake football app campaigns connected to “Goal Rush” and “BEST APP,” which deployed dozens of fake entities across multiple simultaneous operations. Some used Cyrillic character spoofing to evade automated moderation and detection tools, indicating an advanced and organized approach rather than isolated scam activity.
How to Stay Safe From FIFA World Cup 2026 Scams
Both the FBI and Bitdefender recommend these steps to avoid falling victim:
- Type fifa.com directly into your browser’s address bar instead of relying on search results or ads.
- Avoid sponsored search results. Paid ads in search engines can lead directly to fake pages designed to impersonate the official FIFA site.
- Verify the URL ends in .com and reads exactly as www.fifa.com before entering any information.
- Use bookmarks to navigate to official FIFA and tournament-related websites.
- Navigate subdomains from the official FIFA homepage rather than typing them directly into the address bar.
- Avoid clicking on links sent via direct messages on any platform, including WhatsApp and Telegram.
- Never enter payment or personal data unless you have independently verified the site is authentic.
- Treat countdown timers and urgency messages as warning signs rather than reasons to hurry.
- Be cautious with football-related ads on social media, especially those offering steep discounts, free prizes, or limited-time deals.
- Use a security solution on desktop and mobile to block phishing pages, fake storefronts, and malicious redirects distributed through social media ads.
How to Report a FIFA World Cup Scam
If you or someone you know interacted with a fake FIFA website, file a complaint with the FBI’s Internet Crime Complaint Center at IC3.gov. Include the following in your report:
- The fake domain name you visited
- A full description of your interaction, including what information you provided
- Financial transaction details such as payment method, amount, account numbers, and any receiving cryptocurrency addresses
If you submitted payment details to a suspicious site, contact your bank or card provider immediately. Keep screenshots, receipts, and any email correspondence as evidence. Monitor your accounts closely for follow-up phishing attempts. Treat any passport or personal identification shared with suspicious sites as potentially compromised and contact the relevant authorities.
Frequently Asked Questions
What are FIFA World Cup 2026 phishing sites?
These are fake websites that impersonate the official FIFA website (www.fifa.com) to steal personal and financial information from visitors. Attackers build them using slightly misspelled domain names or alternative top-level domain extensions like .org, .xyz, or .live instead of the legitimate .com address.
How do I know if a FIFA website is fake?
Check that the URL reads exactly www.fifa.com. Any variation in spelling, subdomain structure, or domain extension is a sign of a fraudulent site. The FBI has already identified dozens of fake domains in use and expects more to appear throughout the 2026 tournament.
Did the FBI warn about fake FIFA sites for the 2026 World Cup?
Yes. The FBI issued a formal public service announcement on May 27, 2026, warning the public about typosquatting attacks against the FIFA website. The announcement lists known fake domains and instructions for reporting incidents to IC3.
What should I do if I entered payment details on a fake FIFA site?
Contact your bank or card provider immediately to report the transaction and request a chargeback if possible. File a complaint with the FBI’s Internet Crime Complaint Center at IC3.gov and include all relevant details about the transaction and the fake domain.
Are FIFA lottery emails real?
No. FIFA does not send unsolicited lottery or cash prize emails. Any email claiming you won a FIFA prize, giveaway, or promotional draw is a scam. Do not respond, share personal information, or contact any claims agents listed in the message.
How are cybercriminals advertising fake FIFA merchandise?
Through paid ads on Facebook, Instagram, Google Search, Telegram, and WhatsApp. The ads use realistic product imagery, countdown timers, and pressure phrases to push users toward fake storefronts that collect payment data without delivering any real products.
