Millions of football fans around the world are gearing up for the World Cup, and cybercriminals are seizing the moment to exploit the heightened interest.
Experts at Kaspersky have uncovered various types of scams that mimic official tournament resources or leverage the event for unsafe purposes, putting users’ data and finances at significant risk.
On one of the fraudulent websites discovered, users are offered the option to buy tickets for FIFA World Cup matches, with payments accepted in almost any currency. However, after completing the fake registration and payment steps, users risk not only losing money from their bank cards but also exposing sensitive personal data to attackers.
The site uses the official colour scheme of the 2026 tournament to mislead users. In addition, the scammers offer ways to contact them, either directly on the site or via messaging apps.
An example of a phishing website offering to “purchase” tickets for the FIFA World Cup.
Another website offers users the chance to purchase “official merchandise” for the 2026 tournament, featuring images of mascot plush toys and T-shirts, with a wide selection available for “purchase”.
To make the offer more enticing, the site highlights steep discounts.
Additionally, to appear more credible, the scammers have added a “Trusted store” badge at the bottom of the page, along with a registration form that requests personal and banking details.
An example of a fake website prompting users to buy FIFA 2026 merchandise.
Another attack scenario involves fraudulent email campaigns, in which attackers attempt to trick users into sending money or click a phishing link.
To increase the chances of engagement, the emails feature compelling subject lines and persuasive messaging.
In one of the examples identified, fans received emails allegedly sent by official representatives of the event regarding a fake decision from a dispute resolution chamber. The link provided in the email leads to a phishing page.
In some cases, users are targeted with scam emails claiming they have “won” a $500 000 grant to cover tickets, flights and accommodation, followed by instructions to contact the sender to claim the “prize” funds.
Kaspersky also reports email spam and unsolicited ads related to the sale of competition-themed merchandise and souvenirs, some of them might turn out to be a scam.
“Unfortunately, major sporting events that attract large audiences are never overlooked by scammers,” says Anna Lazaricheva, senior spam analyst at Kaspersky. “Seemingly harmless or even appealing emails can often conceal not only dangerous links and malicious attachments.
“In some cases, careless interaction with such messages can lead to serious device infections. We recommend that users ignore any suspicious emails and websites to protect their financial assets and keep their devices and personal data secure.”