Threat Actors Spoof FIFA Sites to Steal Personal Data

Ahead of the 2026 FIFA World Cup, threat actors are actively spoofing official FIFA websites. They are targeting unsuspecting users to steal sensitive personal data, including names, home addresses, and phone numbers.

According to the FBI, attackers are creating highly convincing replica websites that mimic the legitimate FIFA domain, www.fifa.com, using techniques such as typo-squatting and domain impersonation.

Fake FIFA Sites Steals

The warning, issued by the Federal Bureau of Investigation (FBI) under Alert I-052726-PSA on May 27, 2026, highlights a growing wave of phishing infrastructure targeting the global excitement surrounding the tournament.

These malicious domains often include subtle misspellings or alternative top-level domains, allowing them to evade casual detection.

Examples identified include FIFA. [cab], FIFA. []pink, FIFA [.]pub, fifa[.]ceo, and more deceptive variants such as wvvw-fifa[.]com and fifa-com[.]com.

These spoofed platforms are engineered to appear legitimate, often replicating official branding, ticket portals, and career pages.

In many cases, users are lured into interacting with fake ticket sales, hospitality packages, or job opportunities linked to the World Cup.

Once users engage, they are prompted to submit personally identifiable information (PII), including full names, residential addresses, email accounts, and phone numbers. In more advanced scenarios, financial data may also be collected.

The FBI notes that threat actors leverage this stolen information for identity theft, financial fraud, and account takeover attacks.

Victims may unknowingly enable attackers to create fraudulent accounts in their name or conduct unauthorized transactions.

Additionally, some campaigns may involve layered scams in which victims are redirected via malicious advertisements or search engine “sponsored” results that prioritize attacker-controlled domains.

A notable tactic observed in this campaign is the abuse of subdomain impersonation and employment-related lures.

Domains such as jobs-fifa[.]com, fifa-careerhub[.]com, and fifaworldcup-careers[.]com are specifically crafted to target job seekers hoping to work with FIFA during the World Cup.

Similarly, fake ticketing platforms like fifa-ticket[.]live and worldcup26ticket[.]com attempted to exploit high-demand ticket sales. The infrastructure supporting these attacks is expected to expand significantly as the tournament approaches.

The FBI warns that new malicious domains will continue to emerge, increasing the attack surface and making detection more challenging for average users.

From a technical perspective, this campaign underscores the continued effectiveness of social engineering combined with domain-based deception.

Attackers rely heavily on user trust, visual similarity, and urgency-driven interactions. The use of alternative top-level domains such as .xyz, .online, and .shop further complicates traditional filtering mechanisms, especially when paired with HTTPS certificates that give a false sense of legitimacy.

Security experts emphasize that direct navigation to official domains remains one of the most effective defenses.

Users are advised to enter URLs manually rather than relying on search engines, as malicious actors frequently manipulate paid search results.

Bookmarking verified websites and avoiding unsolicited links are also critical preventive measures. The FBI encourages victims or individuals who encounter suspicious domains to report incidents to the Internet Crime Complaint Center (IC3).

Reports should include details such as the fraudulent domain, interaction history, and any financial transactions associated with the incident.

As global events like the FIFA World Cup attract massive online engagement, they also present lucrative opportunities for cybercriminals.

This campaign highlights the importance of vigilance, domain awareness, and proactive cybersecurity practices in mitigating phishing and identity theft risks.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.