The World Cup Brings Scams Like Phishing Back To The Centerstage
As the World Cup 2026 is underway, social engineering is back on the menu. Despite all the concerns around the exploitation of frontier AI models like Mythos, low hanging fruit techniques like phishing scams continue to pose the most significant risk to fans.
Just earlier this month, FortiGuard Labs revealed that from January to May 2026, more than 13,000 new FIFA World Cup 2026-themed domains were registered with 8.8% of them marked as malicious. The company found that fake ticketing in particular is one of the highest-risk lures targeting football fans.
Fans who can’t get tickets often resort to resale websites, social media groups, Telegram channels search ads or other marketplaces where hackers target them with bogus offers. All a fraudster needs to do is to trick the target into entering their personal information or credit card details on a counterfeit ticketing site.
On paper, staying safe is as simple as spotting scams, but as AI tools like ChatGPT and Claude become more advanced, threat actors have access to a variety of tools to convince highly convincing phishing scams.
Security As An Afterthought
During the hype of international sporting events, threat actors have ample opportunity to target fans and service providers, and disguise their activities. Just last week, a security researcher shared how they were able to enter the live production Streaming Management panel for the World Cup by logging into a public portal where users can register to become a licensed football agent.
Now digital activity among fans, partners, broadcasters and staff is increasing around the event, threat actors have the opportunity to leverage a diverse range of identity-based attacks, which are becoming harder to spot.
“The threat landscape around these World Cup matches is what we expect to see for most major sporting events: social engineering, fraudulent domains, fake ticket offers, etc. When compared across similar events, threat volume and sophistication at these events tend to get worse each year. But AI is what’s really changing the game for this World Cup,” Seva Ioussoufovitch, security and privacy expert at Info-Tech Research Group told International Business Times via email.
“Broadly speaking, AI has made it easier than ever to produce convincing phishing and fake content at scale,” Ioussoufovitch said. “Many consumers spent the last decade getting used to cues like poor spelling/grammar or unpolished websites, which helped them identify potential threats. These cues won’t help them much in 2026, and might actually lure people into a false sense of security if they encounter a polished scam,” he added.
Not Just a Fan Problem
One of the challenges in dealing with social engineering is it’s often presented as a consumer fraud issue. However, these scams present serious downstream exposure to organizations, as an employee clicking on the wrong link can lead to data exposure that puts a company at risk of a data breach.
“The coverage so far frames social engineering as a fan problem: fake ticket sites, scam links, QR-code fraud. The more serious version targets the people who run the event,” Lucie Cardiet, cyberthreat manager at Vectra AI told International Business Times. “Arctic Wolf has already found fake career sites built to steal Google Workspace accounts and a weaponized ’employee handbook’ PDF aimed at staff at one host city. That’s social engineering aimed at credentials, not card numbers.”
Preventing these types of attacks can be tricker than keeping an eye out for phishing sites and enabling multi-factor authentication. “Social engineering now succeeds even when MFA is on. Adversary-in-the-middle phishing kits relay the real login page and capture the real one-time code and helpdesk visiting talks a support agent into resetting MFA outright. That’s how some of the largest recent intrusions began. So the standard advice, train staff and turn on MFA, is still correct and no longer closes the gap,” Cardiet said.
Cardiet says that the detection question revolves around what a compromised account does after login, and whether companies have the ability to spot a real, authenticated user behaving like an intruder. Thus using AI-driven tools to detect malicious activity can be one of the most effective ways to contain such an incident.
Staying Safe
While prevention of cyber incidents isn’t always possible thanks to the sophistication of modern phishing scams– it is preferable to the exposure presented by a breach. Johnathan Selby, Tech and Media Practice Lead at Founder Shield warns that the biggest cybersecurity threat at the World Cup isn’t a direct system hack, but “emotional social engineering.”
In practice, that means “employees letting their guard down on corporate devices to check scores, buy tickets, or watch streams. Threat actors likely use typosquatted FIFA domains, fake corporate hospitality invoices, and local ‘smashing’ (SMS phishing) to steal credentials and trigger unauthorized wire transfers,” Selby told International Business Times.
After a breach, it’s not just physical containment that organizations have to worry about; but the financial fallout. With the global average cost of a data breach costing $4.4 million, the impact of a single incident can be devastating.
Selby also points out the implications on the insurance side, recommending that companies have specific social engineering and funds transfer fraud endorsements on their cyber insurance and crime policies, as standard policies often exclude losses where an employee was tricked into voluntarily parting with funds or data.
In any case, fans and employees alike need to keep an eye out for cyber scams this World Cup, and be cautious of buying tickets and even installing apps related to the event. It only takes one simple mistake to give a hacker access to high value information.
For this reason, Ioussoufovitch recommended triple-checking tickets and buying through official channels, treating “too good to be true” offers with skepticism, and making sure to use unique passwords and MFA so that the blast radius of a single bad incident is relatively contained.
