FortiGuard Labs research found more than 13,000 FIFA World Cup 2026-themed domains registered from January to May 2026, with about 8.8% identified as malicious or suspicious, showing that cybercriminals are already preparing scams ahead of the global sporting event.
The research from Fortinet’s FortiGuard Labs shows threat actors are using the tournament’s popularity to target fans, businesses, and organizations through fake ticket websites, social media impersonation, malicious apps, fake job offers, and credential theft campaigns.
The FIFA World Cup 2026, which began on June 11, is expected to drive massive online activity as fans search for tickets, travel packages, merchandise, livestreams, betting platforms, and event updates. This demand creates opportunities for attackers to trick users into sharing personal information, login credentials, and payment details.
Fortinet identified several types of FIFA-related cyber threats, including fake ticketing and resale platforms, counterfeit merchandise stores, malicious streaming and betting applications, fake recruitment pages, cryptocurrency scams, and phishing campaigns.
Ticket scams remain one of the biggest risks because attackers take advantage of limited availability and fan urgency. FortiGuard Labs found counterfeit websites copying FIFA branding and using fake checkout pages designed to collect sensitive information such as names, account details, and payment data.
The research also identified more than 1,700 suspected FIFA-related impersonation accounts and channels across social media and messaging platforms, with nearly 90% found on Facebook and Instagram. These accounts can be used to distribute fake promotions, phishing links, malware, and fraudulent ticket offers.
“Social media scams are particularly convincing because they often appear within legitimate conversations,” the report noted. “For instance, a fake ticket seller in a fan group, a livestream link shared just before a match, or an account with FIFA branding can seem credible enough to prompt a click.”
FortiGuard Labs also warned about malicious applications disguised as World Cup-related tools, including fake livestream apps, score trackers, and betting applications. These downloads may expose users to spyware, credential theft, and other malware risks, especially when installed from unofficial sources.
Beyond fans, organizations involved in sports, travel, hospitality, media, retail, finance, government, and transportation are also potential targets. The research found fake FIFA-related job advertisements and sponsor recruitment posts used to steal credentials through phishing pages that copied legitimate login screens.
FortiGuard Labs detected more than 4,600 FIFA-related URLs appearing in stealer logs connected to malware families such as Vidar, LummaC2, and RedLine. In the same stealer log data, the research also uncovered more than 260 FIFA employee credentials and over 270,000 credentials from users and fans visiting FIFA-related websites.
Fortinet advised organizations to monitor for fake domains, brand impersonation, credential leaks, and suspicious online activity ahead of the tournament. Fans should use official ticket channels, avoid unofficial apps, verify job offers, and be cautious of urgent payment requests or links promising exclusive World Cup access.