Scams goal soccer followers with pretend World Cup tickets, merchandise

Be careful for bogus World Cup web sites that mimic official ticket and merchandise flows to steal cash and private knowledge

22 Might 2026
 • 
,
5 min. learn

Because the FIFA World Cup 2026™ in the USA, Canada, and Mexico attracts nearer, anticipation is constructing towards fever pitch. Many soccer followers should be trying to find tickets, merchandise, journey and hospitality packages – and scammers know precisely learn how to exploit this demand. In different phrases, many individuals are already within the mind-set that scammers depend on: , impatient and, certainly, possibly a bit fearful that the tickets or different items will promote out. Which is finally what makes these scams so efficient.

ESET researchers in Latin America not too long ago noticed quite a few web sites which are constructed for this very second. Posing because the FIFA affiliation or the official World Cup web site, the imposter websites goal folks in search of tickets and merchandise, then steer them by means of pretend registration and cost flows that steal their cash and private knowledge. The collection of steps is commonly truly the identical as on the real World Cup web site: register, add tickets for a sport, jerseys or different merchandise to the cart, and pay.

Some victims might attain these web sites by means of sponsored search outcomes, whereas others click on on advertisements on social media or hyperlinks in e mail messages forwarded by somebody who didn’t test the deal with correctly. Regardless of the situation, right here’s what it’s best to find out about pretend FIFA- and World Cup-themed web sites – and learn how to keep away from scoring an ‘personal objective.’

First pattern

One of many pretend websites, hosted at https://***fifa26[.]store, makes use of a website that appears shut sufficient to FIFA and the 2026 World Cup to catch a hurried customer. Certainly, many websites arrange within the run-up to main occasions will depend on a typical trick often called typosquatting, which includes on a website title that intently resembles the respectable one, however incorporates small additions or includes different modifications within the area title that the sufferer usually will not discover.

The trickery doesn’t cease there, nonetheless. The positioning additionally copies the appear and feel of FIFA’s official website, together with the colours, structure, navigation and ticketing movement, all with a view to make the sufferer really feel that the expertise is respectable.

And right here, for comparability, is the respectable web site:

However again to the pretend web site – right here’s what occurs if you wish to “buy” tickets or merchandise. Very like the official FIFA website, the imposter website additionally asks you to register. For those who anticipate to create a FIFA ID earlier than shopping for tickets, a pretend registration kind might not look unusual at first. It additionally asks for the same old issues comparable to your title, e mail deal with, and telephone quantity. Nothing about that feels uncommon should you consider you might be on FIFA’s official web site.

In the meantime, Determine 5 reveals the registration step on the official web site.

The bogus web site additionally presents what seems to be official merchandise. The purpose is to maintain you inside a well-known buying routine lengthy sufficient for the cost web page to really feel like the subsequent anticipated step.

It lets you choose any product and add it to the buying cart:

When you enter your card particulars, it goes straight to the folks behind the pretend website – and there’s no jersey coming from FIFA, in fact.

The ticket movement works the identical manner. After registration, the bogus website lets you choose supposed World Cup matches, transfer towards checkout, and attain a cost web page. 

You may select the specified match, in any stage of the event:

After which, it results in the buying cart. As soon as entered into the shape, your funds particulars would journey into the fingers of the cybercriminal behind the bogus website. 

The plain loss is cash, however the quieter loss is monetary and identification knowledge. A full title, e mail deal with, telephone quantity and reused password could be misused by attackers past any single fraudulent web site. If the identical password opens your e mail or social media account, the pretend FIFA registration can turn out to be step one in one other, and fairly probably much more damaging, assault. 

4 extra websites riffing on the identical theme

One other pretend website, https://****26-fifa[.]com, follows the identical sample. The area is World Cup-themed, the positioning makes use of FIFA’s visuals, and the customer is pushed towards registration earlier than being supplied purported tickets and merchandise.

The pretend World Cup web sites basically, together with the menu tabs and different visible cues, are designed to look as intently as attainable the official one. The highest-level domains matter, too – a .store or .retailer area might make a pretend web site really feel like a retail offshoot, particularly when the remainder of the URL deal with incorporates “fifa” and all the things concerning the website appears to be like polished.

Ways for staying secure

Crucially, FIFA has made it clear that World Cup tickets can solely be purchased by way of three official channels – fifa.com/tickets, fifa.com/hospitality, and particular Qatar Airways journey packages (which can truly be offered out by now). It follows then that you just’re finest off steering clear of varied third-party sellers or social media listings.

• Go to FIFA’s official web site straight. Sort the deal with your self; i.e., begin from FIFA.com or FIFA’s ticketing portal, not from an advert, a social media put up or a hyperlink somebody has despatched to you.
• Look intently on the area title earlier than getting into any data. Further characters, phrases, odd endings and near-matches may very well be the one seen clue that the positioning shouldn’t be what it claims to be.
• Watch out with presents constructed round stress: “restricted tickets,” “VIP entry,” “reductions,” “final likelihood,” or something that rushes you into motion and makes checking really feel like a delay you possibly can’t afford.
• Keep away from reusing passwords. If a pretend registration web page steals a password that you just additionally use in your e mail, social media or banking account, the issue might observe you manner past the pretend website.
• And don’t let a checkout movement reassure you. A working cart and a cost kind don’t show that the vendor is respectable.
• Shield all of your accounts with robust, distinctive passwords and two-factor authentication, in addition to use safety software program on all of your gadgets.

The countdown to the World Cup provides criminals a ready-made viewers: numerous folks trying to find tickets, merchandise and numerous last-minute alternatives. The pretend FIFA websites present how that demand is being was a phishing movement, one acquainted click on at a time. Keep secure!