Cybercriminals Are Targeting the FIFA World Cup 2026

KnowBe4 Threat Lab | Jul 2, 2026

Lead Analysts: Jeewan Singh Jalal and Louis Tiley

KnowBe4 ThreatLabs tracked phishing campaign activity from the first week of April through June 22, 2026 — covering the pre-tournament build-up, tournament kickoff and the first twelve days of live match play. Our latest intelligence adds crucial mid-tournament telemetry (June 15-22), a newly identified reply-back campaign track and additional infrastructure intelligence.

The Scale of the Problem

Every major global event generates a parallel wave of opportunistic fraud. The FIFA World Cup 2026 is no exception. KnowBe4 ThreatLabs began tracking World Cup-themed phishing activity from the first week of April 2026. What we found was a sustained, accelerating campaign that reached peak intensity in the final days before kickoff and has continued to escalate throughout the tournament itself.

Pre-Tournament Headline Figures (April 5 - June 11, 2026)

  • "World Cup"-branded phishing attacks increased 13-fold in the six weeks leading up to the June 11 opening fixture, with the sharpest acceleration in the final seven days.
  • Average daily attack volume jumped 850% in the week immediately before the tournament started.
  • On June 4, one in every 185 phishing emails carried "World Cup" branding — the highest single-day rate recorded in the pre-tournament window.
  • On June 8, one in every 513 phishing emails spoofed the FIFA brand in the sender display name. At baseline in early May, that figure was 1 in every 3,000+.
  • A stark drop-off over the June 6–7 weekend followed by a sharp Monday rebound indicates that campaigns are timed for business inboxes during working hours.

Fig. 1 — Weekly average 'World Cup' subject phish as % of total commodity attacks (Apr 5 - May 10, 2026)

Fig. 2 — Daily "World Cup" subject commodity phish events (Apr 5 - May 14, 2026). April 13 spike at 1.57%

Mid-Tournament Update (June 15-22, 2026)

Twelve days into live tournament play, the data confirms a critical trend: rather than peaking on opening day and tapering off, the campaign's activity has steadily escalated.

  • Mid-tournament World Cup-themed phishing has surged to a 22-fold escalation over baseline, averaging 0.246% of all tracked phishing traffic across June 15-22 versus the 0.011% baseline rate recorded in late April.
  • Volume dropped to near-zero on June 20 (0.009%) before recovering to 0.41% by June 22. This volatility is consistent with match-day synchronization: threat actors appear to be timing campaign bursts to coincide with specific fixtures.
  • On June 22, one in every 161 phishing threats (0.62%) carried a tournament-themed sender display name: FIFA at 0.43% and generic World Cup at 0.19%.
  • The "FIFA" brand name is currently running at roughly twice the rate of generic World Cup lures (0.24% vs 0.11%, June 15-22). Attackers have shifted to the governing body as the stronger trust signal.

Fig. 3 — Daily “World Cup” subject phish events (May 14 - Jun 22, 2026). June 7 peak at 1.13%

Fig. 4 — Daily “FIFA” subject phish events (May 14 - Jun 22, 2026). June 1 peak 0.51%, June 10 at 0.44%

Display Name Spoofing Dominates

Across the full observation window, attackers heavily favor display name impersonation over lookalike domain registration, at two to three times the rate of domain-based spoofing. Domain reputation filtering scores the sending domain, not the display name, so it provides no protection against this vector.

  • FIFA Domain Impersonation, week of June 2-7: 0.09% weighted average (June 3 at 0.12%, June 4 at 0.14%).
  • FIFA Display Name weekly average, week of June 4: climbed to a record 0.109%.
  • FIFA Display Name single-day peak, June 8: 0.195%.
  • FIFA sender name impersonation nearly tripled in 72 hours mid-tournament: 0.14% on June 19 → 0.43% by June 22.
  • Display name manipulation is currently at 6× its original campaign baseline - 0.24% average June 15–22 versus 0.04% at tracking commencement.
  • The week starting June 11 averaged 0.31%, surpassing the 0.29% pre-tournament peak - FIFA sender spoofing intensified after kickoff, not before it.
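A minimal version of the display-name rule this section calls for, as an added example (not KnowBe4's detection logic): flag any message whose From display name carries a "FIFA" or "World Cup" brand string while the registrable sending domain is not on an allowlist, and treat a passing SPF/DKIM result as evidence about the sending domain only, never about the brand. It also catches the random six-character display-name suffix noted under Polymorphic Evasion below. The ALLOWED_DOMAINS set and every sample header are constructed for the example.

```python
"""Display-name impersonation check for tournament-themed mail.

Added example for this article, not KnowBe4 detection logic. Flags mail
whose From display name carries a "FIFA" or "World Cup" brand string while
the sending domain is not on an allowlist, and parses Authentication-Results
only to show that spf=pass / dkim=pass do not clear the message: they vouch
for the sending domain, not for the brand in the display name.
ALLOWED_DOMAINS and all sample headers below are constructed (assumptions).
"""
import re
from email import message_from_string
from email.utils import parseaddr

BRAND_RE = re.compile(r"\b(fifa|world\s*cup)\b", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
# Assumption: in production this is whatever your org verifies as tournament-official.
ALLOWED_DOMAINS = {"fifa.com"}


def registrable_domain(domain):
    """Last two labels of a host name; use a public-suffix library in production."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def has_random_suffix(display):
    """Six alphanumerics mixing letters and digits at the end of the display name,
    the per-send randomisation seen on the ticket-transfer lure."""
    tail = display.split()[-1] if display.split() else ""
    return (len(tail) == 6 and tail.isalnum()
            and any(c.isdigit() for c in tail) and any(c.isalpha() for c in tail))


def auth_results(msg):
    """Collapse Authentication-Results headers into {method: result}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(header):
            results[method.lower()] = result.lower()
    return results


def check_from(raw_message):
    """Return a verdict dict; 'flag' is True when brand and domain disagree."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    brand = BRAND_RE.search(display)
    auth = auth_results(msg)
    verdict = {
        "display_name": display,
        "domain": domain,
        "auth": auth,
        "random_suffix": bool(brand) and has_random_suffix(display),
        "flag": False,
        "reason": "",
    }
    if brand and registrable_domain(domain) not in ALLOWED_DOMAINS:
        verdict["flag"] = True
        verdict["reason"] = (f"display name claims {brand.group(0)!r} "
                             f"but the sender domain is {domain or '(none)'}")
        if auth.get("spf") == "pass" or auth.get("dkim") == "pass":
            verdict["reason"] += "; spf/dkim pass vouches for that domain only"
    return verdict


# Constructed samples, modelled on the lures the article describes.
SAMPLE_RECRUITING = (
    "From: FIFA Talent Acquisition <hr@worldcup2026fifa.awsapps.com>\n"
    "Authentication-Results: mx.example.net; spf=pass "
    "smtp.mailfrom=worldcup2026fifa.awsapps.com; dkim=pass header.d=worldcup2026fifa.awsapps.com\n"
    "Subject: An Opportunity to Connect\n\nView Calendar Availability\n"
)
SAMPLE_TICKET = (
    "From: FIFA World Cup 26 Ticketing a8Xk2Q <noreply@worldcuptickets.worldcupfifa.com>\n"
    "Subject: FIFA World Cup 26 - Transfer of Ticket(s)\n\nTransfer now\n"
)
SAMPLE_ALLOWED = "From: FIFA Media <press@fifa.com>\nSubject: Media accreditation\n\nHello\n"
SAMPLE_UNRELATED = "From: Alice Example <alice@example.org>\nSubject: Lunch?\n\nNoon?\n"

if __name__ == "__main__":
    for sample in (SAMPLE_RECRUITING, SAMPLE_TICKET, SAMPLE_ALLOWED, SAMPLE_UNRELATED):
        v = check_from(sample)
        print(f"{'FLAG' if v['flag'] else 'ok  '} {v['display_name']!r} <{v['domain']}> {v['reason']}")
```

The recruiting sample is flagged even though it carries spf=pass and dkim=pass, because the pass belongs to awsapps.com, not to FIFA; the ticket sample is flagged and additionally tagged with the random suffix. Replace the two-label registrable_domain() with a public-suffix-aware library before using this on real traffic, or co.uk-style domains will be compared incorrectly.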

Fig. 5 — Daily “FIFA” display name phish events (May 14 – Jun 22). Peak: June 10 at 0.74%, June 22 at 0.43%

Dual-Track Brand Strategy: “World Cup” vs. “FIFA”

  • "World Cup" lures peaked pre-tournament - hitting 0.55% on June 4 - then declined as the tournament began.
  • "FIFA" authority branding reached its zenith mid-tournament - peaking at 0.74% on June 10, the highest value in the FIFA display name dataset.
  • Generic "World Cup" display name spoofing surged 3.8-fold over 72 hours mid-tournament: 0.05% on June 19 → 0.19% by June 22.

Fig. 6 — Daily "World Cup" display name phish events (May 14 – Jun 22). Pre-tournament peak June 4 at 0.55%

Key Intelligence: The shift from “World Cup” to “FIFA” as the dominant brand once matches went live is a deliberate tactical switch. FIFA communications are expected by targets during the tournament; the governing body name is the higher-trust signal in a live-match context.

PHISH ALERT: Impostor League — Fraudulent FIFA Recruiting Campaigns

The most technically sophisticated campaign we tracked targets job seekers, not ticket buyers. We are tracking a polished recruiting and survey scam impersonating official FIFA HR and Talent Acquisition teams, weaponizing calendar-booking and fake survey workflows to harvest credentials and steal payment card data.

The attack surface is not incidental. FIFA is actively hiring thousands of staff and volunteers for a 48-team, 16-city tournament. Candidates in application mode expect to share resume data, authenticate and book interviews, which makes them significantly more vulnerable than a generic target.

The Attack Chain

Step 1 - The Outreach

Targets receive highly customized emails spoofing legitimate FIFA recruitment communications. Senders abuse AWS application services and third-party help-desk platforms, so the mail originates from infrastructure that passes SPF and DKIM checks legitimately. Specifically observed infrastructure:

  • worldcup2026fifa[.]awsapps[.]com - AWS WorkMail/SES abuse for initial outreach.
  • fifa-jobs[.]us2[.]desk365[.]com - Desk365 helpdesk platform abuse.

Because these are legitimate sending services with valid SPF and DKIM records, the emails reach the inbox with a clean authentication pass. That pass means only that the message genuinely came from the awsapps[.]com or desk365[.]com tenant it claims to come from; it says nothing about whether that tenant belongs to FIFA, which is why authentication results alone cannot serve as a trust signal here.

Fig. 7 — “An Opportunity to Connect:” recruiting lure from worldcup2026fifa[.]awsapps[.]com. Note 'View Calendar Availability' CTA - no attachment, sending domain passes SPF.

Step 2 - The Booking Bait

The email bypasses standard attachment payloads entirely. Instead, it presents a low-friction call to action — “View Calendar Availability” or “Select a time here” — to book a preliminary interview. There is no attachment for scanners to detonate.

Fig. 8 — “FIFA – Invitation to Explore New Roles:” second recruiting variant with calendar CTA. Sent from an unrelated domain with FIFA display name spoofing.

Step 3 - Redirection and Fingerprinting

Clicking the calendar link redirects the victim through transactional tracking links (cl[.]s13[.]exct[.]net) onto branded landing pages. Two directly observed:

  • fifahiring[.]com
  • fifa-careerhub[.]com

The redirect chain obscures the final destination from URL scanners that inspect links at delivery time.
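The time-of-click counterpart to that delivery-time blind spot, as an added example rather than KnowBe4 tooling: follow the chain one hop at a time without rendering anything, cap the hop count, stop on loops, and judge every host seen (not just the tracker) against the IOC list. The FAKE_NET table is a constructed stand-in for the network whose shape mirrors the chain described above; its paths and query strings are assumptions, and live_fetch() is included only for sandboxed use.

```python
"""Time-of-click unwrapping of a tracking-redirect chain.

Added example, not KnowBe4 tooling. Follows a click-tracking chain one hop
at a time, caps the hop count, stops on loops, and matches every host seen
against an IOC list, so the verdict rests on the final destination rather
than on the tracker domain a delivery-time scanner sees. FAKE_NET is a
constructed stand-in for the network (tracker -> branded landing page ->
SSO page); its paths and query strings are assumptions.
"""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
IOC_DOMAINS = {"fifahiring.com", "fifa-careerhub.com",
               "fifaworldcup-jobs.com", "otakusignalflow.com"}
TRACKER_DOMAINS = {"cl.s13.exct.net"}

# Constructed stand-in for the network: url -> (HTTP status, Location header).
FAKE_NET = {
    "https://cl.s13.exct.net/?qs=abc123": (302, "https://fifa-careerhub.com/schedule?ref=abc123"),
    "https://fifa-careerhub.com/schedule?ref=abc123": (302, "/sso/login"),
    "https://fifa-careerhub.com/sso/login": (200, None),
    # A two-node loop, to exercise the loop guard.
    "https://loop.test/a": (302, "https://loop.test/b"),
    "https://loop.test/b": (302, "https://loop.test/a"),
}


def fake_fetch(url):
    return FAKE_NET.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller instead of following it


def live_fetch(url, timeout=5):
    """HEAD a single hop without following redirects. Sandboxed hosts only."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:
        return err.code, err.headers.get("Location")


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def unwrap(url, fetch=fake_fetch, max_hops=8):
    """Return the hop list plus IOC hits, flagging loops and hop exhaustion."""
    hops, seen, loop, exhausted = [url], {url}, False, True
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if status not in REDIRECT_CODES or not location:
            exhausted = False
            break
        nxt = urljoin(hops[-1], location)  # resolves relative Location headers
        if nxt in seen:
            loop, exhausted = True, False
            break
        seen.add(nxt)
        hops.append(nxt)
    hosts = [_host(h) for h in hops]
    return {
        "hops": hops,
        "final": hops[-1],
        "tracker_entry": _matches(hosts[0], TRACKER_DOMAINS),
        "ioc_hits": sorted({h for h in hosts if _matches(h, IOC_DOMAINS)}),
        "loop": loop,
        "exhausted": exhausted,
    }


if __name__ == "__main__":
    for start in ("https://cl.s13.exct.net/?qs=abc123", "https://loop.test/a"):
        print(unwrap(start))
```

Two caveats for real use: some landing kits answer HEAD differently from GET, so a production fetcher should fall back to GET with the body discarded, and HTML meta-refresh or JavaScript redirects will not show up in a Location header at all, which is where a sandboxed browser is still needed.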

Step 4 - The SSO Phish

To finalize the interview slot, the victim is prompted to authenticate via Google or Microsoft SSO (“Continue with Google”). The moment they attempt to sign in, corporate or personal credentials are harvested in real time.

Step 5 - Survey Track: Card Harvesting

A parallel track presents a fake survey with Facebook-style dynamic testimonials to build trust. On completion, the kit redirects victims to otakusignalflow[.]com to cover a nominal shipping fee of €2.35 — capturing raw card numbers, CVVs, and expiry dates in real time.

Fig. 9 — Full card-harvest chain: (top-left) FIFA Mystery Box lure; (top-right) otakusignalflow[.]com payment capture page; (bottom) survey pages with fake testimonials.

Fake FIFA Jobs Portal: fifaworldcup-jobs[.]com

The recruiting campaign is further supported by a convincing fake FIFA careers portal at fifaworldcup-jobs[.]com, presenting plausible job categories including FIFA World Cup Sponsorship Packages, Free Remote Posting and FIFA World Cup Event Jobs. The site's TLS setup triggers a "Your connection isn't private" browser warning (a certificate the browser does not trust) before the page loads.

Fig. 10 — fifaworldcup-jobs[.]com fake FIFA careers portal. Left: job listing categories. Right: "Your connection isn't private" browser warning, indicating a certificate the browser does not trust.

Commodity Phishing: Ticket Scams, Watch Parties and Travel Fraud

Below the targeted recruiting campaign sits a much higher-volume commodity layer: mass-generated, automated phishing designed to hit as many inboxes as possible, exploiting the genuine scarcity of World Cup tickets and the cultural pull of the tournament.

Characteristics

  • High volume, automated, and opportunistic — designed to target en masse rather than specific individuals or organisations.
  • Typically resemble marketing spam, impersonating trusted brands and organizations.
  • Utilise polymorphic tactics to randomise links, email metadata, display names and sender addresses per send to bypass detection products.
  • Primarily use credential-harvesting links, often hidden within email bodies or attachments.

Primary Lure Themes Observed

Most attacks focus on buying, selling and transferring tickets through presale draws or sponsored ticket offers. This method is effective because tickets to high-demand matches are genuinely scarce and carry significant price premiums.

A regional variation has also been noted: U.S.-region traffic is dominated by ticket-transfer fraud. UK-region traffic shows higher volumes of marketing and engagement lures — sponsored watch parties, events and merchandise discounts.

A niche but growing angle surrounds travel, parking and transport at U.S. stadiums, where car-dependent infrastructure creates demand for ride-hailing and parking services. Currently low volume, but expected to scale as the knockout stages attract larger audiences.

Additional lure categories we anticipate but have not yet seen at a significant volume: betting tips and sweepstakes; malicious links to pirate live streaming sites.

Polymorphic Evasion - Documented Examples

Example 1 - FIFA World Cup 26™ Ticket Transfer Lure

  • FIFA ticketing impersonation.
  • Polymorphic elements: random six-character suffix appended to the display name.
  • Rotating subject lines: "FIFA World Cup 26™ - Transfer of Ticket(s)" and "Win tickets FIFA World Cup 2026 Final."
  • Hyperlink payload leads to a credential harvesting page.
  • Observed sender address: noreply@worldcuptickets.worldcupfifa[.]com

Fig. 11 — FIFA ticket transfer phishing email from worldcuptickets.worldcupfifa[.]com. Real FIFA partner logos (Aramco, Adidas, Visa, Coca-Cola, Hyundai) included to increase perceived legitimacy.

Example 2 - Office Watch Party Lure

  • Social engineering via artificial urgency and generic greetings.
  • Mass-generated phishing focused on bulk volume, not personalization.
  • Link payload leads to a credential harvesting page.
  • Observed sender: watchparty@watchfootballlive[.]com

Fig. 12 — Watch Party phishing email. Email client flags 'External email', 'First time sender', and 'This email shows strong signs of phishing'.

Example 3 - Multi-Language International Lure

A German-language variant of the FIFA Mystery Box survey scam was observed, sent from info@grupotrabajopn[.]info and reported June 15, 2026. This confirms the campaign is operating across multiple language markets beyond English-speaking targets.

Fig. 13 — German-language FIFA Mystery Box phishing email (Jun 15, 2026) from grupotrabajopn[.]info. Subject: “[EXT]:[FIFA] Wichtige Nachricht für Sie von FIFA World Cup 2026™.” Confirms multi-language targeting.



NEW: Reply-Back and Advance-Fee Fraud Campaigns

A third distinct campaign track was identified in the updated telemetry. Unlike the recruiting and commodity campaigns, these emails contain no malicious links or attachments — making them largely invisible to automated email security tools that scan for technical payload indicators.

How the Campaign Operates

1. The Bait

Users are enticed with high-value rewards tied to the tournament — ranging from modest incentives (e.g., $50 cash vouchers or free match access) to extravagant VIP luxury ticket packages valued at $8,000+. These lures are designed to trigger excitement, create urgency and lower psychological defenses.

2. The Call to Action - The “Reply-Back”

These emails contain no malicious links or attachments. The call to action instructs the victim to reply directly to the sender or manually email a secondary attacker-controlled address to “claim” their prize. There is no technical payload for scanners to inspect.

3. Why It Bypasses Security Filters

  • Modern email security scrutinises URLs and file attachments. By forcing a purely text-based reply, the initial delivery is “clean” — passing automated scanning without triggering any technical indicator.
  • The moment a user replies, they confirm to the attacker that the account is active, monitored and that the user is susceptible to this specific social engineering lure.

4. The Hook - How the Trap Closes

Once the victim engages, follow-up emails deploy one of two payloads:

  • Credential Harvesting: Demanding corporate login credentials to "confirm registration status."
  • Advance-Fee Fraud: PII collection for "identity verification" followed by a wire transfer demand for fictitious "taxes, registration, or processing fees."

Fig. 14 — Advance-fee fraud email posing as “United Nations Compensation Commission,” leveraging FIFA World Cup 2026 context. Sent via canadiansoccerleague[.]org infrastructure. Requests full PII and bank account details.

Defender note: Reply-back campaigns have no payload for scanners to inspect. Detection requires body-level behavioral analysis — specifically, unsolicited prize or reward offers with a reply-only CTA. User awareness training is the primary control against this vector.
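What body-level analysis looks like in practice, as an added example (not KnowBe4's detector): score a message on the traits described in steps 1 to 4 above. A payload-free delivery (no URL, no attachment) is the precondition; reward wording, a reply-only call to action, a secondary address to write to, and urgency each add a point. The keyword lists, the threshold and the three sample messages are all constructed assumptions to tune against your own mail.

```python
"""Body-level heuristic for reply-back prize lures.

Added example, not KnowBe4's detector. Scores an RFC 5322 message on the
traits the article describes: no URL, no attachment, prize/reward wording,
a reply-only call to action, an instruction to write to a second address,
and urgency. Keyword lists, threshold and sample messages are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
REWARD_RE = re.compile(
    r"\b(prize|winner|won|voucher|free (?:match )?tickets?|vip|compensation)\b", re.I)
REPLY_CTA_RE = re.compile(
    r"\b(reply (?:to this|directly|back)|respond (?:to this|immediately)|"
    r"contact (?:us|our agent) (?:at|via|on))\b", re.I)
URGENCY_RE = re.compile(
    r"\b(within (?:24|48) hours|expires?|immediately|urgent|last chance)\b", re.I)
FLAG_THRESHOLD = 3  # assumption: tune against your own traffic


def body_text(msg):
    """Concatenate all text/plain parts, decoding transfer encoding and charset."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def has_attachment(msg):
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


def score_reply_back(raw_message):
    """Return score, flag and the individual signals for a raw message."""
    msg = message_from_string(raw_message)
    text = body_text(msg)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    body_addrs = {a.lower() for a in EMAIL_RE.findall(text)} - {from_addr}
    signals = {
        "no_url": not URL_RE.search(text),
        "no_attachment": not has_attachment(msg),
        "reward_wording": bool(REWARD_RE.search(text)),
        "reply_cta": bool(REPLY_CTA_RE.search(text)),
        "secondary_address": bool(body_addrs) or (bool(reply_to) and reply_to != from_addr),
        "urgency": bool(URGENCY_RE.search(text)),
    }
    score = 0
    if signals["no_url"] and signals["no_attachment"]:  # payload-free delivery
        score = 1 + sum(signals[k] for k in
                        ("reward_wording", "reply_cta", "secondary_address", "urgency"))
    return {"score": score, "flag": score >= FLAG_THRESHOLD, "signals": signals}


# Constructed samples: a reply-back lure, a newsletter with a link, a colleague's note.
LURE = (
    "From: FIFA Fan Rewards <rewards@fan-rewards.test>\n"
    "Reply-To: claims@prize-desk.test\n"
    "Subject: You have been selected: VIP World Cup 2026 package\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Congratulations! You are the winner of a VIP ticket package valued at $8,000.\n"
    "To claim your prize, reply directly to this email within 48 hours,\n"
    "or contact our agent at claims@prize-desk.test with your full name and bank details.\n"
)
NEWSLETTER = (
    "From: Club Newsletter <news@club.example>\n"
    "Subject: Fixtures and ticket prices this week\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Full fixtures and ticket prices are on the site: https://club.example/fixtures\n"
    "See you at the ground.\n"
)
COLLEAGUE = (
    "From: Bob <bob@example.org>\nSubject: Expense form\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Can you reply to this with the receipt number when you get a chance?\n"
)

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("newsletter", NEWSLETTER), ("colleague", COLLEAGUE)):
        print(name, score_reply_back(raw))
```

The colleague's note shows why the threshold matters: it is text-only and asks for a reply, so it scores 2, but without reward wording, urgency or a second address it stays below the bar. The lure scores 5 and the linked newsletter scores 0 because a URL takes it out of the reply-back category entirely (it belongs to the link-scanning path instead).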

Indicators of Compromise

All indicators are defanged. Do not resolve or interact with them from production environments. Query using passive DNS, historical WHOIS, Shodan, or sandboxed scanners only. Do not submit raw victim PII to public scanning engines.

Top 5 Fake FIFA Domains Observed

  • worldcuptickets[.]worldcupfifa[.]com
  • fifa[.]click
  • www-fifa[.]net
  • worldcup-tickets[.]live
  • jobs-fifa[.]com

Recruiting Campaign Infrastructure

  • [Domain] worldcup2026fifa[.]awsapps[.]com — Recruiting scam — AWS application services abuse, initial outreach
  • [Domain] fifa-jobs[.]us2[.]desk365[.]com — Recruiting scam — Desk365 helpdesk platform abuse
  • [Domain] fifahiring[.]com — Recruiting scam — branded SSO phishing landing page
  • [Domain] fifa-careerhub[.]com — Recruiting scam — fake scheduling portal / credential harvest
  • [Domain] fifaworldcup-jobs[.]com — Recruiting scam — fake FIFA careers portal
  • [Domain] otakusignalflow[.]com — Live card-harvesting payment gateway (€2.35 shipping fee lure)

Redirect and Tracking Infrastructure

  • [Tracker] cl[.]s13[.]exct[.]net — Transactional tracking redirect — obscures final destination from URL scanners
  • [URL] hxxp://theresultsearch[.]com/ — Redirect / landing page infrastructure
  • [Domain] nowsearchnet[.]com — Redirect infrastructure

Campaign Infrastructure Pivots

  • [Domain] canadiansoccerleague[.]org — Impersonation / lure infrastructure — used in advance-fee campaign delivery
  • [Domain] installtec[.]eng[.]br — Phishing email delivery
  • [Domain] manidharipharma[.]online — Campaign infrastructure pivot
  • [Domain] visionspace[.]cfd — Campaign infrastructure pivot
  • [Domain] grupotrabajopn[.]info — Pivot domain — sender in German-language Mystery Box lure (Jun 15)

Infrastructure reuse note: The pivot domains (manidharipharma[.]online, visionspace[.]cfd, grupotrabajopn[.]info, installtec[.]eng[.]br) are structurally unrelated to FIFA but appear in the same campaign infrastructure. Pivoting through passive DNS may surface additional related infrastructure.

What Defenders Should Do

Block and Filter

  • Add all IOCs to gateway blocklists immediately. Prioritise: fifahiring[.]com, fifa-careerhub[.]com, fifaworldcup-jobs[.]com and otakusignalflow[.]com.
  • Create display-name detection rules for "FIFA" and "World Cup" spoofing. Flag any external email where these strings appear in the display name and the sending domain is not a verified FIFA or tournament-official domain. FIFA display name spoofing is now running at six times baseline.
  • Enable time-of-click link analysis. Pre-delivery URL scanning is defeated by the cl[.]s13[.]exct[.]net redirect chain. Time-of-click inspection of the final destination is required.
  • Flag text-only unsolicited prize or reward emails. The reply-back campaign carries no technical payload. Detection requires body-level behavioral analysis.
  • Run a World Cup-themed phishing simulation. Ticket-offer, fake job opportunity and prize/voucher reply-back lures are all active and supported by observed telemetry.
  • Educate staff about FIFA- and World Cup-themed social engineering. Make sure they understand that scammers routinely piggyback on whatever is currently in the headlines.

What to Watch for as the Tournament Progresses

  • Pirate streaming sites offering free live match coverage — expected to scale in the knockout stages.
  • Betting tips and sweepstakes lures — expected to spike from the round of 16 onward.
  • Ride-share, parking and stadium transport fraud — specific to U.S.-hosted venues given car-dependent infrastructure.
  • Merchandise and replica kit fraud — fan spending on branded goods increases sharply during the knockout stages.

For real-time updates and ongoing threat intelligence, follow KnowBe4 ThreatLabs on X: @Kb4Threatlabs

FAQs

What is the FIFA World Cup 2026 phishing scam?

It's a coordinated wave of phishing campaigns exploiting the tournament, including fake FIFA recruiting emails, ticket-transfer scams, and prize-based "reply-back" fraud. KnowBe4 ThreatLabs has tracked a 22-fold increase in World Cup-themed phishing volume since tracking began in April 2026.

How do fake FIFA job recruiting scams work?

Attackers send emails spoofing FIFA HR teams that direct victims to book a fake interview via a calendar link, which then redirects to a spoofed Google or Microsoft SSO login page to steal credentials. A parallel track uses fake surveys and a nominal "shipping fee" to harvest payment card data.

Why is FIFA display name spoofing more common than lookalike domains in this campaign?

Attackers favor impersonating the FIFA name in the sender display field because it bypasses domain reputation filtering, which only screens the sending domain, not the display name. KnowBe4 ThreatLabs found this tactic running two to three times more often than domain-based spoofing.

What is a reply-back phishing scam?

A reply-back scam is a phishing email with no malicious link or attachment, instead instructing the recipient to reply directly to claim a prize or reward. Because there's no technical payload, these emails often pass automated security scans undetected, making user awareness training the primary defense.

How can organizations protect employees from World Cup phishing scams?

Defenders should block known malicious domains, enable time-of-click link analysis to catch redirect chains, and flag unsolicited prize or reward emails for behavioral review. Running a World Cup-themed phishing simulation also helps identify which employees are most susceptible to these active lures.
