FIFA World Cup 2026 Ticket Scams: How to Spot Fake Sites and Buy Tickets Safely
Days before the June 11 kickoff, the FBI and security researchers say a wave of FIFA-themed fraud is already live — thousands of lookalike domains, fake ticket and streaming sites, and malware. Here is how the scams work, the red flags, and how to buy and watch safely.
The 2026 FIFA World Cup kicks off on June 11 across the United States, Canada and Mexico — and the scams are already here. In the days before the first whistle, the FBI and multiple security firms warned that criminals have flooded the internet with fake FIFA websites, counterfeit ticket and merchandise shops, malware-laced "free stream" pages, and bogus betting sites built to harvest your identity. The excitement around the biggest sporting event on earth is exactly what makes fans easy to rush, and rushing is how people get caught. Here is how the fraud actually works, the warning signs, and the simple rules that keep your money and your data safe.
The scams are already live
On 27 May 2026, the FBI's Internet Crime Complaint Center (IC3) issued a public service announcement warning that "threat actors" were spoofing FIFA websites ahead of the tournament. The bureau said it had identified at least 36 fraudulent domains impersonating FIFA's legitimate sites, built to collect personal information, sell fake tickets and hospitality packages, and set up further fraud. The technique it described is typosquatting: registering a domain that looks almost identical to the real one — an alternate spelling, an extra character, or a different ending — and waiting for fans who mistype a web address or click the wrong link.
Thirty-six is only the verified ticketing slice. Researchers watching the broader picture put the scale far higher, which is where the next section comes in.
Three numbers, three different things
You will see wildly different figures quoted for "fake FIFA domains," and they are not contradictory — they measure different things. Keeping them straight tells you how organised this is.
| The number | What it actually counts |
|---|---|
| 36 | Domains the FBI had confirmed as fraudulent and spoofing FIFA's ticketing, as of its late-May advisory. |
| 4,300+ | Fraudulent FIFA-themed domains the security firm Group-IB had tracked since August 2025 — counterfeit shops, ticket scams and credential-theft pages. |
| ~19,000 | Every domain containing the word "fifa" registered since January 2026. Not all are malicious, but the volume itself is the warning sign. |
Researchers also found this is not a scatter of lone scammers. Group-IB attributed a large cluster to a single Chinese-speaking, money-driven operation it nicknamed GHOST STADIUM, running one phishing kit across more than 300 domains — an assembly line, not a hobby.
The fake ticket sites
The headline scam is the counterfeit ticket shop. A lookalike site copies FIFA's branding, logos and even its login page closely enough to pass a glance. Some appear at the top of search results as paid "sponsored" ads, so fans who Google "World Cup tickets" land on the fake before the real one. Once you are there, the site either takes your card details and personal information and delivers nothing, or it sells a "ticket" that does not exist — sometimes the same seat resold to dozens of people.
The FBI noted the data these sites scrape: name, home address, phone number, email and banking information — everything needed for payment fraud and identity theft, not just the price of a ticket. And because the checkout often pushes you toward crypto, gift cards or a transfer to a personal account, there is no card network standing behind the payment to reverse it.
The fake domains the FBI has named
The FBI published a sample of the spoofed FIFA domains it had already identified, and warned that more will keep appearing right through the tournament. The tricks are worth studying: lookalike misspellings (wvvw-fifa, filfa, ww-fifa), fake "jobs," "hiring" and "careers" addresses to bait people hunting World Cup work, and unusual endings like .sale, .live, .xyz and .pages.dev. None of them is the real site, which is simply fifa.com.
⚠ Examples of fake FIFA domains flagged by the FBI — do not visit any of these
Source: FBI IC3 advisory, 27 May 2026. The list is partial — the FBI expects new fake domains throughout the tournament, so always check the address yourself rather than trusting a familiar-looking name.
Beyond tickets: five ways fans are being hit
Ticket fraud is the lure most people expect. The more dangerous variants are the ones built to take more than a single payment.
| The scam | How it works |
|---|---|
| Fake ticket sites | Typosquatted FIFA lookalikes harvest your card and personal data; the ticket never arrives, or the seat is sold many times over. |
| Counterfeit merch & social ads | Bitdefender found 55+ football-themed ad campaigns on Facebook and Instagram pushing fake kits, counterfeit Panini stickers and phishing pages dressed as official stores. |
| Malware "streaming" sites | A "cheap" or "free" live-stream takes a subscription fee, then installs banking malware. One strain, Perseus (built on the leaked Cerberus trojan), even reads note-taking apps for saved passwords and crypto recovery phrases. |
| Fake betting sites | Bogus sportsbooks demand a passport scan and a selfie "to verify your account" — handing criminals a ready-made identity-theft kit. |
| Account takeover | A cloned FIFA login captures the credentials to your real account, so attackers can steal or resell tickets you actually bought. |
Red flags: how to spot a fake FIFA site
You do not need to recognise every scam domain — you need to recognise the pattern. Walk away if you see any of these:
- A lookalike web address. Real is
fifa.com. Fakes seen in the wild include shapes like ww-fifa.com, fifa.fund, 26-fifa.com and jobs-fifa.com — an extra character, an odd ending, or a hyphen. - You arrived from an ad or a social post, not by typing the address yourself. Scammers buy "sponsored" search and social placements to outrank the real site.
- Pressure and "private transfer." A seller who says the official process is "too slow" and offers to sell you tickets directly is steering you off the only safe rail.
- Strange payment. Requests for cryptocurrency, gift cards, a bank transfer or a payment-app transfer to a personal account. Legitimate sales take cards.
- "Paper" tickets or screenshots. 2026 World Cup tickets are digital and live in the official FIFA app. Anyone offering a PDF, a photo or a printout is almost certainly a fraud.
- Small glitches. Spelling errors and broken text — a real one spotted by researchers read "FIFA World Cup 2026TOfficial Hospitality" — betray a hastily cloned page.
How to buy and watch safely
The defence is boring and it works: stay on the official rails and never let urgency push you off them.
- Type the address yourself. Go to
fifa.com/ticketsdirectly, or use the official FIFA app — never a search ad or a link in a message. - Resell and buy resale only through FIFA's official marketplace. It is the only channel that guarantees the ticket is real and not duplicated.
- Pay by credit card. Cards come with chargeback rights; crypto, gift cards and bank transfers do not.
- Expect a digital ticket delivered in the FIFA app. If the format is anything else, stop.
- Watch on the official broadcaster for your country. "Free HD stream" sites are the most common malware trap of any major tournament.
- Never upload your passport or a selfie to a betting or ticket site you reached through an ad. Real identity checks do not start with a stranger's link.
If you have already paid
Move fast — the first hours decide whether the money can be stopped.
- Call your card issuer or bank now and ask to dispute the charge or recall the transfer. Speed matters more than the amount.
- If you entered a password, change it everywhere you reused it and turn on two-factor authentication.
- If you installed a "streaming" or "tickets" app, treat the device as compromised: run a security scan, and change your banking and email passwords from a different, clean device. If you keep crypto, move it.
- Report it. In the US, file with the FBI at ic3.gov; in India, call the 1930 helpline fast to trigger a payment freeze. Wherever you are, our how to report cybercrime and recover your money, by country hub has the right channel for your country and the quickest way to stop the money.
- Keep the evidence: the URL, screenshots, payment receipts and any messages, for your bank and investigators.
Frequently asked questions
What is the official World Cup ticket website? FIFA's own site, fifa.com/tickets, and the official FIFA app. Tickets are digital and delivered through the app.
Are resale tickets safe? Only through FIFA's official resale and exchange marketplace. A "spare ticket" sold privately or via an unknown site is the single riskiest way to buy.
How do I spot a fake FIFA site? Check the exact web address, be suspicious if you arrived via an ad, and refuse any sale that wants crypto, gift cards, or offers paper tickets or screenshots.
Is it safe to stream the matches from a free site? Usually not. Many "free stream" pages charge a fee and then install malware. Use the licensed broadcaster in your country.
I already paid a fake site — can I get my money back? If you paid by card, contact your issuer immediately to dispute it; chargebacks are your best chance. Crypto and bank-transfer payments are far harder to recover, which is why scammers prefer them.
Sources
- FBI IC3, Threat Actors Spoofing FIFA Websites in Advance of the 2026 World Cup (27 May 2026)
- Help Net Security, Cybercriminals create ~19,000 FIFA-themed domains ahead of the 2026 World Cup
- The Hacker News, FIFA World Cup 2026 Scams Are Already Live (Group-IB, GHOST STADIUM, Perseus)
- Fortinet FortiGuard Labs, Cybercriminals Are Targeting the FIFA World Cup 2026
- ESET WeLiveSecurity, Foul play: fake FIFA World Cup websites, tickets and merchandise
- FIFA official tickets (fifa.com/tickets)
- FTC Consumer Advice, Scams