As the FIFA World Cup 2026™ in the United States, Canada, and Mexico draws closer, anticipation is building toward fever pitch. Many soccer fans may still be hunting for tickets, merchandise, travel and hospitality packages – and scammers know exactly how to exploit this demand. In other words, many people are already in the state of mind that scammers count on: interested, impatient and, indeed, maybe a little worried that the tickets or other goods will sell out. Which is ultimately what makes these scams so effective.

ESET researchers in Latin America recently spotted a number of websites that are built for this very moment. Posing as the FIFA association or the official World Cup website, the imposter sites target people looking for tickets and merchandise, then steer them through fake registration and payment flows that steal their money and personal data. The series of steps is often actually the same as on the genuine World Cup website: register, add tickets for a game, jerseys or other merchandise to the cart, and pay.

Some victims may reach these websites through sponsored search results, while others click on ads on social media or links in email messages forwarded by someone who didn’t check the address properly. Whatever the scenario, here’s what you should know about fake FIFA- and World Cup-themed websites – and how to avoid scoring an ‘own goal.’

First sample

One of the fake sites, hosted at https://***fifa26[.]shop, uses a domain that looks close enough to FIFA and the 2026 World Cup to catch a hurried visitor. Indeed, many sites set up in the run-up to major events rely on a common trick known as typosquatting, which involves a domain name that closely resembles the legitimate one but contains small additions or other changes that the victim often won't notice.

Figure 1. Fake site impersonating the official FIFA World Cup 2026™ website

The trickery doesn’t stop there, however. The site also copies the look and feel of FIFA’s official site, including the colors, layout, navigation and ticketing flow, all in order to make the victim feel that the experience is legitimate.

Figure 2. This website is an imposter

And here, for comparison, is the legitimate website:

Figure 3. Official FIFA World Cup 2026™ website

But back to the fake website – here’s what happens if you want to “purchase” tickets or merchandise. Much like the official FIFA site, the imposter site also asks you to register. If you expect to create a FIFA ID before buying tickets, a fake registration form may not look strange at first. It also asks for the usual things such as your name, email address, and phone number. Nothing about that feels unusual if you believe you are on FIFA’s official website.

Figure 4. This site does not sell World Cup tickets

Meanwhile, Figure 5 shows the registration step on the official website.

Figure 5. User registration on the official FIFA website – note the URL in the green rectangle

The bogus website also offers what appears to be official merchandise. The point is to keep you inside a familiar shopping routine long enough for the payment page to feel like the next expected step.

Figure 6. Fake FIFA website
Figure 7. Bogus store offering team jerseys

It allows you to select any product and add it to the shopping cart:

Figure 8. Fake shopping site posing as the official FIFA online store

Once you enter your card details, they go straight to the people behind the fake site – and there’s no jersey coming from FIFA, of course.

Figure 9. "Purchasing" a soccer jersey on the fake phishing site

The ticket flow works the same way. After registration, the bogus site lets you select supposed World Cup matches, move toward checkout, and reach a payment page. 

Figure 10. Fake user registration form for World Cup tickets

You can choose the desired match, in any stage of the tournament:

Figure 11. Bogus payment gateway for World Cup tickets

And then, it leads to the shopping cart. Once entered into the form, your payment details would travel into the hands of the cybercriminal behind the bogus site.

Figure 12. Fraudulent page requesting credit card details for a supposed ticket purchase

The obvious loss is money, but the quieter loss is financial and identity data. A full name, email address, phone number and reused password can be misused by attackers beyond any single fraudulent website. If the same password opens your email or social media account, the fake FIFA registration can become the first step in another, and quite possibly even more damaging, attack. 

Four more sites riffing on the same theme

Another fake site, https://****26-fifa[.]com, follows the same pattern. The domain is World Cup-themed, the site uses FIFA’s visuals, and the visitor is pushed toward registration before being offered purported tickets and merchandise.

Figure 13. Some other fake sites

The fake World Cup websites in general, including the menu tabs and other visual cues, are designed to resemble the official one as closely as possible. The top-level domain names matter, too – a .shop or .store domain may make a fake website feel like a retail offshoot, especially when the rest of the URL contains “fifa” and everything about the site looks polished.

Tactics for staying safe

Crucially, FIFA has made it clear that World Cup tickets can only be bought via three official channels – fifa.com/tickets, fifa.com/hospitality, and special Qatar Airways travel packages (which may actually be sold out by now). It follows then that you’re best off steering clear of various third-party sellers or social media listings.

  • Go to FIFA’s official website directly. Type the address yourself; i.e., start from FIFA.com or FIFA’s ticketing portal, not from an ad, a social media post or a link someone has sent to you.
  • Look closely at the domain name before entering any information. Extra characters, words, odd endings and near-matches could be the only visible clue that the site is not what it claims to be.
  • Be careful with offers built around pressure: “limited tickets,” “VIP access,” “discounts,” “last chance,” or anything that rushes you into action and makes checking feel like a delay you can’t afford.
  • Avoid reusing passwords. If a fake registration page steals a password that you also use for your email, social media or banking account, the problem could follow you way beyond the fake site.
  • And don’t let a checkout flow reassure you. A working cart and a payment form don’t prove that the seller is legitimate.
  • Protect all your accounts with strong, unique passwords and two-factor authentication, and use security software on all your devices.
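
The domain check from the list above, written out as an added example (not code from ESET or FIFA): it judges only the hostname and treats fifa.com, the domain of the official channels named above, as the sole trusted domain. The keyword list and the sample URLs on reserved .example names are constructed for illustration; the two masked domains are the ones quoted in this article.

```python
from urllib.parse import urlsplit

# Assumption: the only trusted domain is the one the article gives for the
# official channels (fifa.com/tickets, fifa.com/hospitality).
OFFICIAL_DOMAIN = "fifa.com"
BRAND_KEYWORDS = ("fifa", "worldcup")  # constructed list for this example


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike' or 'other', judging the hostname only.

    Path, page design and a working checkout are ignored on purpose:
    an imposter site controls all of them.
    """
    # Accept defanged indicators such as "fifa26[.]shop" as seen in reports.
    cleaned = url.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    if "://" not in cleaned:
        cleaned = "https://" + cleaned
    try:
        host = (urlsplit(cleaned).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority part
        return "other"
    if not host:
        return "other"

    # Official only if the host IS fifa.com or a true subdomain of it.
    # A substring test would wrongly accept hosts that merely contain
    # or end with the string "fifa.com".
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"

    # Brand keyword in a non-official host: extra characters, extra words
    # or an odd ending around the brand name.
    flat = host.replace("-", "")
    if any(keyword in flat for keyword in BRAND_KEYWORDS):
        return "lookalike"
    return "other"


SAMPLES = [
    "https://www.fifa.com/tickets",           # official channel
    "https://***fifa26[.]shop",               # masked domain from this article
    "https://****26-fifa[.]com",              # masked domain from this article
    "https://fifa.com.tickets.example/cart",  # constructed: brand as a prefix
    "https://news.example/fifa-tickets",      # constructed: brand only in path
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_url(sample):10} {sample}")
```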

The countdown to the World Cup gives criminals a ready-made audience: countless people hunting for tickets, merchandise and various last-minute opportunities. The fake FIFA sites show how that demand is being turned into a phishing flow, one familiar click at a time. Stay safe!