Scams goal soccer followers with pretend World Cup tickets, merchandise

Be careful for bogus World Cup web sites that mimic official ticket and merchandise flows to steal cash and private information

22 Could 2026
 • 
,
5 min. learn

Because the FIFA World Cup 2026™ in the US, Canada, and Mexico attracts nearer, anticipation is constructing towards fever pitch. Many soccer followers should still be attempting to find tickets, merchandise, journey and hospitality packages – and scammers know precisely how you can exploit this demand. In different phrases, many individuals are already within the way of thinking that scammers depend on: , impatient and, certainly, possibly somewhat frightened that the tickets or different items will promote out. Which is in the end what makes these scams so efficient.

ESET researchers in Latin America lately noticed various web sites which can be constructed for this very second. Posing because the FIFA affiliation or the official World Cup web site, the imposter websites goal individuals searching for tickets and merchandise, then steer them via pretend registration and fee flows that steal their cash and private information. The collection of steps is usually really the identical as on the real World Cup web site: register, add tickets for a sport, jerseys or different merchandise to the cart, and pay.

Some victims could attain these web sites via sponsored search outcomes, whereas others click on on adverts on social media or hyperlinks in e-mail messages forwarded by somebody who didn’t verify the deal with correctly. Regardless of the situation, right here’s what you need to find out about pretend FIFA- and World Cup-themed web sites – and how you can keep away from scoring an ‘personal objective.’

First pattern

One of many pretend websites, hosted at https://***fifa26[.]store, makes use of a site that appears shut sufficient to FIFA and the 2026 World Cup to catch a hurried customer. Certainly, many websites arrange within the run-up to main occasions will depend on a typical trick generally known as typosquatting, which includes on a site identify that carefully resembles the authentic one, however incorporates small additions or includes different adjustments within the area identify that the sufferer typically will not discover.

The trickery doesn’t cease there, nonetheless. The location additionally copies the appear and feel of FIFA’s official web site, together with the colours, structure, navigation and ticketing movement, all to be able to make the sufferer really feel that the expertise is authentic.

And right here, for comparability, is the authentic web site:

However again to the pretend web site – right here’s what occurs if you wish to “buy” tickets or merchandise. Very like the official FIFA web site, the imposter web site additionally asks you to register. In case you anticipate to create a FIFA ID earlier than shopping for tickets, a pretend registration kind could not look unusual at first. It additionally asks for the standard issues reminiscent of your identify, e-mail deal with, and cellphone quantity. Nothing about that feels uncommon when you consider you might be on FIFA’s official web site.

In the meantime, Determine 5 reveals the registration step on the official web site.

The bogus web site additionally affords what seems to be official merchandise. The purpose is to maintain you inside a well-known buying routine lengthy sufficient for the fee web page to really feel like the following anticipated step.

It permits you to choose any product and add it to the buying cart:

When you enter your card particulars, it goes straight to the individuals behind the pretend web site – and there’s no jersey coming from FIFA, after all.

The ticket movement works the identical approach. After registration, the bogus web site lets you choose supposed World Cup matches, transfer towards checkout, and attain a fee web page. 

You’ll be able to select the specified match, in any stage of the event:

After which, it results in the buying cart. As soon as entered into the shape, your funds particulars would journey into the arms of the cybercriminal behind the bogus web site. 

The apparent loss is cash, however the quieter loss is monetary and identification information. A full identify, e-mail deal with, cellphone quantity and reused password could be misused by attackers past any single fraudulent web site. If the identical password opens your e-mail or social media account, the pretend FIFA registration can grow to be step one in one other, and fairly probably much more damaging, assault. 

4 extra websites riffing on the identical theme

One other pretend web site, https://****26-fifa[.]com, follows the identical sample. The area is World Cup-themed, the location makes use of FIFA’s visuals, and the customer is pushed towards registration earlier than being provided purported tickets and merchandise.

The pretend World Cup web sites on the whole, together with the menu tabs and different visible cues, are designed to look as carefully as attainable the official one. The highest-level domains matter, too – a .store or .retailer area could make a pretend web site really feel like a retail offshoot, particularly when the remainder of the URL deal with incorporates “fifa” and all the pieces concerning the web site appears polished.

Ways for staying secure

Crucially, FIFA has made it clear that World Cup tickets can solely be purchased by way of three official channels – fifa.com/tickets, fifa.com/hospitality, and particular Qatar Airways journey packages (which can really be offered out by now). It follows then that you just’re greatest off steering clear of assorted third-party sellers or social media listings.

• Go to FIFA’s official web site immediately. Sort the deal with your self; i.e., begin from FIFA.com or FIFA’s ticketing portal, not from an advert, a social media put up or a hyperlink somebody has despatched to you.
• Look carefully on the area identify earlier than getting into any data. Additional characters, phrases, odd endings and near-matches could possibly be the one seen clue that the location shouldn’t be what it claims to be.
• Watch out with affords constructed round strain: “restricted tickets,” “VIP entry,” “reductions,” “final likelihood,” or something that rushes you into motion and makes checking really feel like a delay you’ll be able to’t afford.
• Keep away from reusing passwords. If a pretend registration web page steals a password that you just additionally use to your e-mail, social media or banking account, the issue might observe you approach past the pretend web site.
• And don’t let a checkout movement reassure you. A working cart and a fee kind don’t show that the vendor is authentic.
• Shield all of your accounts with robust, distinctive passwords and two-factor authentication, in addition to use safety software program on all of your gadgets.

The countdown to the World Cup provides criminals a ready-made viewers: numerous individuals attempting to find tickets, merchandise and varied last-minute alternatives. The pretend FIFA websites present how that demand is being changed into a phishing movement, one acquainted click on at a time. Keep secure!