FBI Warns of Active Spoofing Campaign Targeting 2026 FIFA World Cup Fans
On May 27, 2026, the FBI issued Public Service Announcement Alert I-052726-PSA, warning of an ongoing spoofing campaign exploiting the upcoming 2026 FIFA World Cup. Threat actors are creating fraudulent websites mimicking the official FIFA platform to deceive users seeking tickets, merchandise, or employment opportunities related to the tournament.
The campaign primarily aims to harvest personally identifiable information (PII), including names, addresses, email credentials, and financial data. Attackers also facilitate fraudulent transactions, such as selling fake tickets and counterfeit hospitality packages. The tactics rely on typosquatting and domain spoofing, with malicious domains using slight variations of fifa.com examples include fifa[.]pink, fifa-ticket[.]live, and wvvw-fifa[.]com. Subdomain impersonation, such as jobs-fifa[.]com, is also being used to target job seekers.
The FBI expects the threat to intensify as the tournament nears, with new fraudulent domains likely appearing in search results, sponsored ads, and phishing emails. Threat intelligence firm bfore.ai has already identified 498 suspicious FIFA-themed domains, highlighting the scale of the operation.
The campaign underscores the risks of brand impersonation and event-driven phishing, particularly during high-profile global events where heightened public interest can lower user vigilance. Organizations are advised to monitor newly registered domains, implement DNS filtering, and deploy threat intelligence feeds to detect emerging threats. Victims are urged to report incidents to the FBI’s Internet Crime Complaint Center (IC3).
Source: https://cyberpress.org/threat-actors-spoof-fifa-websites/
FIFA TPRM report: https://www.rankiteo.com/company/fifa
"id": "fif1779956651",
"linkid": "fifa",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'World Cup fans, job seekers, '
'ticket buyers',
'industry': 'Sports/Entertainment',
'location': 'Global',
'name': 'FIFA',
'size': 'Large',
'type': 'Sports Organization'}],
'attack_vector': 'Typosquatting, Domain Spoofing, Subdomain Impersonation, '
'Phishing Emails, Sponsored Ads',
'customer_advisories': 'Victims urged to report incidents to the FBI’s '
'Internet Crime Complaint Center (IC3).',
'data_breach': {'personally_identifiable_information': 'Names, Addresses, '
'Email credentials',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personally identifiable '
'information (PII), Financial '
'data, Email credentials'},
'date_detected': '2026-05-27',
'date_publicly_disclosed': '2026-05-27',
'description': 'The FBI issued a warning about an ongoing spoofing campaign '
'exploiting the upcoming 2026 FIFA World Cup. Threat actors '
'are creating fraudulent websites mimicking the official FIFA '
'platform to deceive users seeking tickets, merchandise, or '
'employment opportunities. The campaign aims to harvest '
'personally identifiable information (PII) and facilitate '
'fraudulent transactions, such as selling fake tickets and '
'counterfeit hospitality packages.',
'impact': {'brand_reputation_impact': 'High (FIFA brand impersonation)',
'data_compromised': 'Personally identifiable information (PII), '
'Financial data, Email credentials',
'identity_theft_risk': 'High',
'payment_information_risk': 'High'},
'investigation_status': 'Ongoing',
'lessons_learned': 'High-profile global events increase the risk of brand '
'impersonation and event-driven phishing. Organizations '
'should monitor newly registered domains and implement DNS '
'filtering.',
'motivation': 'Financial gain, Data harvesting',
'post_incident_analysis': {'corrective_actions': 'DNS filtering, Threat '
'intelligence feeds, User '
'education',
'root_causes': 'Lack of user vigilance, '
'Exploitation of high-profile event '
'interest, Newly registered '
'malicious domains'},
'recommendations': 'Monitor newly registered domains, implement DNS '
'filtering, deploy threat intelligence feeds, educate '
'users on phishing risks, report incidents to IC3.',
'references': [{'date_accessed': '2026-05-27',
'source': 'FBI Public Service Announcement Alert '
'I-052726-PSA'},
{'source': 'bfore.ai'}],
'response': {'communication_strategy': 'Public Service Announcement (PSA)',
'containment_measures': 'DNS filtering, Threat intelligence '
'feeds',
'law_enforcement_notified': 'FBI',
'third_party_assistance': 'bfore.ai (threat intelligence)'},
'stakeholder_advisories': 'Organizations advised to monitor domains and '
'implement threat intelligence feeds.',
'title': 'FBI Warns of Active Spoofing Campaign Targeting 2026 FIFA World Cup '
'Fans',
'type': 'Spoofing, Phishing, Brand Impersonation',
'vulnerability_exploited': 'Lack of user vigilance, Newly registered '
'malicious domains'}