FBI warns World Cup fans over fake FIFA ticket scams

A new FBI scam alert warns that cybercriminals are actively blanketing the web with fake FIFA websites – all designed to steal your sensitive personal and financial information in the lead-up to the 2026 FIFA World Cup.
- The FBI says threat actors are spoofing FIFA websites ahead of the 2026 World Cup.
- Fake sites are being used to steal personal data and sell bogus tickets and hospitality packages.
- Fans are being urged to type FIFA’s official website directly into their browser and avoid suspicious links.

To date, the FBI has identified at least 36 fraudulent domains spoofing legitimate FIFA websites (fifa.com) and warns fans to expect more as the games kick off on June 11th in Mexico City.
Many of the spoofed websites are advertising fake World Cup tickets, official merchandise, and travel packages, all while harvesting personally identifiable information (PII) and financial data.
A spoofed website is designed to mimic a legitimate website, the FBI said, tricking users with slight alterations, including misspelled URLs or other words, alternative top-level domains, suspicious artifacts, and unprofessional or low-quality graphics.
How typosquatting tricks fans
The threat actors have been observed using a spoofing process known as “typo squatting,” the FBI’s Cyber Division posted on X.
This is when criminals rely on users to make common “typos” while typing a web address into the browser’s URL bar.
“Using a minor misspelling, such as fiffa[.]com, or alternative top-level domains, such as .org rather than .com, threat actors mimic the legitimate URL,” the Public Service Announcement states.
The FBI is also warning that cyber actors could register illegitimate websites (such as jobs-fifa[.]com) to impersonate legitimate subdomains.
These bogus websites then collect information entered by users, including names, home addresses, phone numbers, email addresses, and banking information.
If a threat actor gains access to a victim's PII, they can create new accounts in the victim's name and ultimately defraud them through identity theft and phishing attacks, the agency states.
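
The spoofing patterns described above (one-character misspellings, alternative top-level domains, and brand names hyphenated into other domains) can be checked mechanically when triaging a link. This is an added example, not code from the FBI or Group-IB; the category names, the `classify` helper and the shortcut of treating the last two labels as the registrable domain are assumptions made for illustration.

```python
# Added example: classify a hostname against the official domain using the
# spoofing patterns the FBI alert describes. Heuristic triage, not a blocklist.
OFFICIAL_LABEL, OFFICIAL_TLD = "fifa", "com"  # official site per the article: fifa.com

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str) -> str:
    """Return 'official', 'alt-tld', 'typo', 'brand-in-label' or 'unrelated'."""
    # Accept defanged input such as fiffa[.]com and ignore a trailing dot.
    host = host.lower().strip().replace("[.]", ".").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Assumption: registrable domain = last two labels (no Public Suffix List).
    name, tld = labels[-2], labels[-1]
    if name == OFFICIAL_LABEL and tld == OFFICIAL_TLD:
        return "official"        # fifa.com and genuine subdomains like www.fifa.com
    if name == OFFICIAL_LABEL:
        return "alt-tld"         # same name under a different top-level domain
    if edit_distance(name, OFFICIAL_LABEL) == 1:
        return "typo"            # one-character misspelling of the brand
    # Brand appears as a hyphen-separated token, or in a label left of the
    # registrable domain (e.g. fifa.com.<other-domain>).
    left = labels[:-2]
    if OFFICIAL_LABEL in name.split("-") or any(OFFICIAL_LABEL in l.split("-") for l in left):
        return "brand-in-label"
    return "unrelated"

# Constructed sample input: the article's defanged examples plus two made-up hosts.
SAMPLES = ["www.fifa.com", "fiffa[.]com", "fifa[.]city", "jobs-fifa[.]com",
           "fifa.com.example.net", "example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:24} {classify(s)}")
```

A production check would resolve the registrable domain with the Public Suffix List and also cover transposed letters and punycode-encoded lookalikes, which a one-edit threshold misses.
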
The FBI is providing a list of 36 known domains spoofing the legitimate FIFA website, although new research by Group-IB, also released on Wednesday, found more than 4,300 fraudulent domains impersonating FIFA's official website.
One of the more sophisticated actors profiled in the research is GHOST STADIUM – a Chinese-speaking, financially motivated operator said to be running a sophisticated phishing campaign across more than 300 domains.
Group-IB said the Beijing-linked hackers built an exact replica of the official FIFA website down to the pixel, including a fake single sign-on (SSO) authentication flow and multi-language support in 11 languages.
How to protect yourself
When navigating to FIFA’s official website, the agency says users should always try to type “www.fifa.com” directly into the address bar located at the top of their internet browser, rather than using a search engine.
If you are using a search engine, the FBI says to avoid any "sponsored" results, as scammers often use these paid-for results to reroute traffic from legitimate websites.
To make an online fraud complaint or report other suspicious activity, you can contact the FBI’s Internet Crime Complaint Center at www.ic3.gov.
Additionally, when reporting online fraud, the FBI advises gathering as much information as possible, including the fake website domain (e.g., fifa[.]city) and a detailed description of the interaction, such as the information you provided on the website.
For financial transactions, include information such as “the date, type of payment, amount, account numbers involved, the name and address of the receiving financial institution, and/or receiving cryptocurrency addresses,” the FBI said.
The 2026 FIFA World Cup runs from June 11th to July 19th across Canada, Mexico, and the US.