Scams target soccer fans with fake World Cup tickets, merchandise
Cybersecurity & Awareness

Scams target soccer fans with fake World Cup tickets, merchandise

By Write a Comment on Scams target soccer fans with fake World Cup tickets, merchandise

Watch out for bogus World Cup websites that mimic official ticket and merchandise flows to steal money and personal data

22 May 2026

,
5 min. read

As the FIFA World Cup 2026™ in the United States, Canada, and Mexico draws closer, anticipation is building toward fever pitch. Many soccer fans may still be hunting for tickets, merchandise, travel and hospitality packages – and scammers know exactly how to exploit this demand. In other words, many people are already in the state of mind that scammers count on: interested, impatient and, indeed, maybe a little worried that the tickets or other goods will sell out. Which is ultimately what makes these scams so effective.

ESET researchers in Latin America recently spotted a number of websites that are built for this very moment. Posing as the FIFA association or the official World Cup website, the imposter sites target people looking for tickets and merchandise, then steer them through fake registration and payment flows that steal their money and personal data. The series of steps is often actually the same as on the genuine World Cup website: register, add tickets for a game, jerseys or other merchandise to the cart, and pay.

Some victims may reach these websites through sponsored search results, while others click on ads on social media or links in email messages forwarded by someone who didn’t check the address properly. Whatever the scenario, here’s what you should know about fake FIFA- and World Cup-themed websites – and how to avoid scoring an ‘own goal.’

First sample

One of the fake sites, hosted at https://***fifa26[.]shop, uses a domain that looks close enough to FIFA and the 2026 World Cup to catch a hurried visitor. Indeed, many sites set up in the run-up to major events will rely on a common trick known as typosquatting, which involves on a domain name that closely resembles the legitimate one, but contains small additions or involves other changes in the domain name that the victim often won’t notice.

sitio-falso-fifa-mundial-26-1
Figure 1. Fake site impersonating the official FIFA World Cup 2026™ website

The trickery doesn’t stop there, however. The site also copies the look and feel of FIFA’s official site, including the colors, layout, navigation and ticketing flow, all in order to make the victim feel that the experience is legitimate.

sitio-falso-fifa-mundial-26-2
Figure 2. This website is an imposter

And here, for comparison, is the legitimate website:

sitio-falso-fifa-mundial-26-3
Figure 3. Official FIFA World Cup 2026™ website

But back to the fake website – here’s what happens if you want to “purchase” tickets or merchandise. Much like the official FIFA site, the imposter site also asks you to register. If you expect to create a FIFA ID before buying tickets, a fake registration form may not look strange at first. It also asks for the usual things such as your name, email address, and phone number. Nothing about that feels unusual if you believe you are on FIFA’s official website.

sitio-falso-fifa-mundial-26-4
Figure 4. This site does not sell World Cup tickets

Meanwhile, Figure 5 shows the registration step on the official website.

sitio-falso-fifa-mundial-26-5
Figure 5. User registration on the official FIFA website – noe the URL in the green rectangle

The bogus website also offers what appears to be official merchandise. The point is to keep you inside a familiar shopping routine long enough for the payment page to feel like the next expected step.

sitio-falso-fifa-mundial-26-6
Figure 6. Fake FIFA website

sitio-falso-fifa-mundial-26-7
Figure 7. Bogus store offering team jerseys

It allows you to select any product and add it to the shopping cart:

sitio-falso-fifa-mundial-26-8
Figure 8. Fake shopping site posing as the official FIFA online store

Once you enter your card details, it goes straight to the people behind the fake site – and there’s no jersey coming from FIFA, of course.

sitio-falso-fifa-mundial-26-9
Figure 9. “Purchasing” a soccer jersey on the fake phishing site

The ticket flow works the same way. After registration, the bogus site lets you select supposed World Cup matches, move toward checkout, and reach a payment page.

sitio-falso-fifa-mundial-26-10
Figure 10. Fake user registration form for World Cup tickets

You can choose the desired match, in any stage of the tournament:

sitio-falso-fifa-mundial-26-11
Figure 11. Bogus payment gateway for World Cup tickets

And then, it leads to the shopping cart. Once entered into the form, your payments details would travel into the hands of the cybercriminal behind the bogus site.

sitio-falso-fifa-mundial-26-12
Figure 12. Fraudulent page requesting credit card details for a supposed ticket purchase

The obvious loss is money, but the quieter loss is financial and identity data. A full name, email address, phone number and reused password can be misused by attackers beyond any single fraudulent website. If the same password opens your email or social media account, the fake FIFA registration can become the first step in another, and quite possibly even more damaging, attack.

Four more sites riffing on the same theme

Another fake site, https://****26-fifa[.]com, follows the same pattern. The domain is World Cup-themed, the site uses FIFA’s visuals, and the visitor is pushed toward registration before being offered purported tickets and merchandise.

fake-world-cup-websites
Figure 13. Some other fake sites

The fake World Cup websites in general, including the menu tabs and other visual cues, are designed to look as closely as possible the official one.

Why the Domain Names Matter

Hey there, fellow football fan! Let’s talk about staying safe while looking for World Cup tickets. Did you know that the top-level domain names of websites can give you a clue about their legitimacy? A site with a .shop or .store domain might make you think it’s an official retail outlet, especially if it’s selling FIFA-related items. But be cautious, especially if the rest of the URL has “fifa” in it and everything looks too good to be true.

Tips for Keeping Yourself Secure

It’s essential to remember that FIFA has specified only three official channels for purchasing World Cup tickets: fifa.com/tickets, fifa.com/hospitality, and Qatar Airways travel packages. So, steer clear of third-party sellers or social media listings to avoid getting scammed.

  • Always go directly to FIFA’s official website by typing the address yourself. Don’t click on ads or links sent to you by others.

  • Check the domain name carefully before entering any personal information. Look out for extra characters, odd endings, or near-matches that indicate a fake site.

  • Be wary of offers that create a sense of urgency, like “limited tickets” or “last chance.” Don’t let pressure tactics rush you into making a hasty decision.

  • Avoid using the same password for multiple accounts. If a fake site steals your password, it could lead to security issues beyond that site.

  • Don’t be fooled by a seemingly legitimate checkout process. Just because a site has a working cart and payment form doesn’t mean it’s trustworthy.

  • Protect all your accounts with strong, unique passwords and enable two-factor authentication. Also, make sure to use security software on all your devices.

With the World Cup approaching, scammers are taking advantage of fans looking for tickets and merchandise. Stay vigilant and don’t fall for phishing scams disguised as official FIFA sites. Remember, safety first!

Tagged In

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *