Key Points
- The FBI warned that attackers are impersonating FIFA websites through lookalike domains to steal victims’ personal and financial data and sell fake tickets to the World Cup.
- This activity highlights how brand impersonation has scaled, with attackers rapidly deploying hundreds of fake sites faster than organizations can detect and take them down.
- IANS Faculty say organizations should proactively hunt for lookalike domains, deliver specific user warnings, and prepare fraud operations for predictable surges tied to major events.
From Kickoff to Clickbait: Phishing Takes the Field At the World Cup
The FBI is blowing the whistle on a surge of threat actors using fake websites to impersonate FIFA in order to steal personal and financial information and sell fake tickets ahead of the World Cup.
The bureau says the fake domains mimic the official FIFA website, using subtle spelling changes that users are likely to miss -- like “fiffa.com” -- to trick unsuspecting fans.
The websites collect visitor data like names, email addresses, phone numbers and credit card numbers.
Cybersecurity companies like Group-IB and Bitedefender found that the World Cup malvertising campaigns are being promoted on Google Search, Facebook ads, Telegram and WhatsApp. Group-IB attributed one operation to Ghost Stadium, a Chinese threat actor that is using more than 300 phishing websites for World Cup ticket fraud.
Threat actors kickstarted their fraudulent activity in February and targeted fans across the globe with ads for fake merchandise, tickets and streaming services, according to Bitedenfender.
"The World Cup will drive a ton of sponsorship and requires a lot of partners to pull off events this large. Whenever this much money is flowing back and forth, criminals see an opportunity to get some of it redirected into their own accounts.” Adrian Sanabria, IANS Faculty.
Big Picture
The bigger story isn’t just about opportunistic attackers taking advantage of the World Cup. This illustrates how brand impersonation -- especially when tied to major events -- has scaled. Attackers can flood the field with fake pages before organization can detect them and take them down, expanding the risk from isolated scams to a broader enterprise exposure.
“For enterprises the exposure is two-sided. Employees buying tickets or merchandise on corporate cards from corporate devices land the brand in the breach surface alongside their personal data. And any company with a brand adjacent to the World Cup (sponsors, hospitality, travel, payments) sees their own domains imitated in the same wave,” said George Gerchow
AI has made it easy for attackers to clone sites, shifting the risk to how quickly companies can identify them before they impact customers. Cloned sites could harm organizations' reputations as it is a vehicle for fraud, tricking clients into scams and phishing attacks that could have blowback for your business.
"The same dynamic exists for every major brand. The question isn’t whether someone can clone your login page, spoof your domain, or imitate your customer portal. AI makes this trivial. The question is whether you discover it before your customers do.” Jeff Brown, IANS Faculty.
This is not a surprise counterattack-- it’s a scheduled kickoff that fraud teams should anticipate. Every organization has its version of the World Cup. Determine your ‘World Cup’ when attackers are likely to target you and plan for it.
"The bigger pattern is that every major event is now a phishing event by construction. World Cup this year, Super Bowl LX next, Winter Olympics in 2030. Build the muscle once and you spend the next decade reusing it rather than reacting to each new fraud cycle from scratch.” George Gerchow, IANS Faculty.
IANS Faculty Recommendations
- Hunt your own lookalikes: Run domain-permutation scans against your brand, products, and upcoming launches. Have takedown processes ready before you need them.
- Name the lure: Generic awareness messaging rarely changes behavior, but specific warnings can. “Don’t click sponsored search results for World Cup tickets. Instead type fifa.com directly.” People remember concrete guidance.
- Pressure-test fraud operations: If your business handles payments, identity verification, or claims processing, this is a scheduled stress test. Staff accordingly and tune detection models before the volume arrives.
- Stand up brand protection: if you have any World Cup-adjacent exposure (sponsorship, hospitality, payments, travel). Doppel, ZeroFox, BlueVoyant, or similar. The value is in the takedown velocity, not the dashboard. Pair it with a DMARC and DNS monitoring sweep so look-alike domains and email spoofs hit your queue before they hit your customers.
- Only buy via known channels: For high-risk events, type website names directly or through saved bookmarks, never through search-engine sponsored results or social-media links. Use a virtual or single-use card so payment data exposure is contained if a site turns out to be fake.
Authors & Contributors
Nuria Diaz Munoz, Author, IANS News
George Gerchow, IANS Faculty
Jeff Brown, IANS Faculty
Adrian Sanabria, IANS Faculty
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our News & blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.