Security Experts Discuss Threats to FIFA World Cup 2026

Threat actors are oftentimes opportunistic, and this year’s World Cup presents an attractive opportunity for them indeed. Fortinet’s FortiGuard Labs released its FIFA World Cup 2026 Threat Report, tracking the growth of cybercriminal infrastructure being developed to exploit fans across the globe.
Key Threats
- Ticketing scams are one of the highest-risk lures. Fans who cannot secure tickets through official channels may turn to resale groups, social media, or other unofficial opportunities. Malicious actors capitalize on ticket scarcity by promoting illegitimate, limited-time deals to trick victims into making impulsive decisions. The research identified several counterfeit ticketing sites impersonating official FIFA sites.
- FIFA-related impersonation on social media is expanding the attack surface. Misinformation, ticket scams, fraudulent promotions and more can be spread across social media channels. The report discovered more than 1,700 fraudulent, FIFA-themed accounts, with 90% of them hosted on Facebook or Instagram.
- Malware is a concern, especially via malicious apps. Fake or trojanized software is being delivered via FIFA-related third-party sites or through malicious apps. In an era of betting apps and livestreaming tools, fans could be at greater risk. This threat could expose victims to credential theft, spyware, remote access tools, or other malware.
- Temporary workers, contractors, etc. are targeted in fraudulent job postings. Like many large events, the World Cup requires temporary workers, contractors and other event-specific roles. Those looking for job opportunities may also be targets of opportunistic threat actors directing users to fraudulent job applications designed to steal credentials.
- Credential exposure is a potential point of leverage for cybercriminals. 260 FIFA employee credentials and more than 270,000 from users of FIFA-related websites were discovered in stealer log data. While this doesn’t indicate all credentials are being abused, it could provide access to cybercriminals aiming for account takeovers, impersonation, fraud, credential stuffing, and targeted phishing.
Security Leaders Weigh In
Anne Cutler, Cybersecurity Evangelist at Keeper Security:
The World Cup creates one of the most dangerous cyberattack windows on the planet. Billions of people across dozens of time zones, all emotionally invested — and all searching, clicking and transacting online, at the same time. That creates an incredible operational window for criminal networks. Fraudulent websites mimicking official FIFA ticketing and merchandise platforms are already live, built to harvest credit card details and personal information before victims realize something is wrong.
AI is what makes this cycle more dangerous than any before it. Phishing emails that are grammatically perfect, contextually accurate, and personalized with your name and your team — can be written by an AI tool in seconds. A text message from a friend or family member urgently asking for money for tickets may not be who you think.
Deepfake videos, fabricated audio and AI-generated messages have made impersonation attacks almost indistinguishable from the real thing. The old advice about looking for bad spelling and awkward phrasing is obsolete. These attacks are engineered to exploit the excitement of a tournament of this scale, and they work precisely because people are less guarded when their attention is elsewhere.
Attackers know exactly who to target. They don’t need to phish blindly when LinkedIn reveals your name, your employer and your title. They know you’re probably watching the match. They know the accounts you’re creating right now for streaming and ticketing almost certainly share a password with another more valuable account. Those credentials get harvested, verified and deployed weeks or months later — long after the final whistle and long after anyone connects the breach to a World Cup ticketing site. A fan who cuts corners in June becomes the entry point in September.
Whether you’re an individual fan or an IT leader, the playbook is the same: go directly to official sites, use strong and unique passwords on every account, and enable multi-factor authentication everywhere possible. Don’t conduct any transactions involving personal or financial information over public Wi-Fi. Cybercriminals are counting on the chaos of a tournament like this to catch people off guard. Don’t give them the opening.
Collin Hogue-Spears, Senior Director of Solution Management at Black Duck:
The defense playbook is fairly simple, five controls long. However, the attack surface is three countries, sixteen host cities, and every vendor that shares a domain with the tournament brand. Over a third of FIFA’s own sponsors and suppliers have no Domain-based Message Authentication, Reporting, and Conformance (DMARC) record on their mail domains, which means a criminal crew does not need to forge anything to spoof them. Paris 2024 saw 140 successful cyber incidents at roughly a quarter of this footprint. The hard part is not knowing what to do. It is counting how many places have to do it.
Security leaders at sponsors, broadcasters, and their suppliers have a month to run purple-team exercises against identity and email paths, implement phishing-resistant MFA on every vendor and volunteer account, and enforce DMARC in full on every owned domain. If a company's brand shows up in a counterfeit ticket email in June, they did not lose to a sophisticated adversary. They lost to a checklist you did not finish.
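The DMARC gap described in the commentary above can be audited per domain. The following is an added example, not part of the article or of any quoted commentator's material; it classifies the TXT records published at `_dmarc.<domain>`. The domains and records are constructed samples, and reading "enforced in full" as `quarantine` or `reject` applied to 100% of mail and to subdomains is an assumption.

```python
# Constructed sample data: TXT records as a resolver might return them for
# _dmarc.<domain>. All domains are placeholders, not real sponsor domains.
SAMPLE_TXT = {
    "tickets.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "sponsor.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "vendor.example.com": ["v=DMARC1; p=quarantine; pct=25"],
    "brand.example.com": ["v=DMARC1; p=reject; sp=none"],
    "supplier.example.com": ["v=spf1 -all"],  # SPF only, no DMARC record
    "volunteer.example.com": [],
}

def parse_dmarc(txt_records):
    """Return the tag dict of the single DMARC record, or None."""
    found = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(found) != 1:  # RFC 7489: zero or several records means no policy
        return None
    tags = {}
    for part in found[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Map a domain's TXT records to an enforcement status string."""
    tags = parse_dmarc(txt_records)
    if tags is None:
        return "missing"                 # spoofed mail is not evaluated at all
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"            # reports are sent, nothing is blocked
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"                 # policy applies to a sample of mail only
    if tags.get("sp", policy).lower() == "none":
        return "subdomains-unprotected"  # sp= overrides p= for subdomains
    return "enforced"

def audit(records_by_domain):
    """Return {domain: status} for every domain that is not fully enforced."""
    statuses = {d: classify(r) for d, r in records_by_domain.items()}
    return {d: s for d, s in statuses.items() if s != "enforced"}

if __name__ == "__main__":
    for domain, status in sorted(audit(SAMPLE_TXT).items()):
        print(f"{domain}: {status}")
```
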
Rex Booth, Chief Information Security Officer at SailPoint:
The true danger of many phishing schemes, like those leading up to and during the 2026 FIFA World Cup, lies in their ability to grant attackers access to credentials, enabling them to masquerade as trusted insiders. With AI in play, these campaigns are becoming ever more sophisticated and tougher to detect. This makes it imperative for users to adopt robust identity security best practices, including changing passwords frequently and enabling multi-factor authentication, and for organizations to prioritize identity as the new control plane.
We’ve been waiting for this offensive disruption from AI for a while now. Attacks at scale and superhuman speed are the most obvious first step. Fortunately, many campaigns still require human intervention to execute. The more frightening scenario is when adversary AI starts running rampant through your enterprise without the need for action by the victim.
Mika Aalto, Co-Founder and CEO at Hoxhunt:
Like the Olympics in Paris, the 2026 World Cup is a magnet for social engineering campaigns. More than 150 million ticket requests were filed within the first two weeks of World Cup sales, generating a global state of heightened urgency, emotion, and activity. Attackers exploit these global events to boost their chances of duping victims at scale, and our data shows that temporal phishing attacks do indeed have much higher conversion for cyber criminals. For example, in April, we saw a 400% jump in tax-themed phishing around the filing deadline in the U.S., and our simulations of these attacks had about a 4x greater click rate than non-temporal tax-themed attacks.
Researchers have already uncovered over 4,300 fraudulent domains impersonating FIFA’s official web presence, with one coordinated campaign alone estimated to generate losses ranging from $71 million to nearly half a billion dollars. They are sophisticated, pixel-perfect clones of FIFA’s login portal, distributed through paid Facebook ads using countdown timers and fake pricing to manufacture the same panic you feel when you’re afraid of missing out on tickets you’ve wanted for years.
Kern Smith, Vice President of Global Solutions at Zimperium:
Events like the 2026 FIFA World Cup are no longer just physical or network security challenges; they are mobile security stress tests.
The tournament is expected to attract approximately 6.5 million fans across the U.S., Canada and Mexico, creating enormous spikes in roaming traffic and dependence on mobile devices for tickets, payments, authentication and communications. Researchers noted that this volume of legitimate mobile activity can make malicious behavior significantly harder to detect as attacks blend into normal traffic patterns.
The warning signs are already emerging. Recent reporting citing research from Kaspersky highlighted active scam activity targeting World Cup fans through fake ticketing offers, fraudulent accommodation listings and spoofed transportation applications designed to harvest credentials and financial information before travelers even arrive.
The bigger shift is that attacks increasingly start on the mobile device itself. Mobile-targeted phishing, malicious applications, session hijacking and AI-assisted social engineering allow attackers to bypass traditional controls and operate inside legitimate user activity.
As cybercriminals adopt a mobile-first attack strategy and use AI to scale attacks faster than security teams can manually investigate, organizations supporting global events should think beyond infrastructure resilience and adopt an edge-to-core approach to defense. Network monitoring remains critical, but it should be paired with real-time visibility into mobile devices and applications to determine whether activity represents a real incident, understand business impact, and accelerate response before disruption spreads.
For organizations and travelers, the fundamentals still matter: use official ticketing and transportation apps, avoid installing applications from QR codes or links received through messaging channels, update devices before travel, and treat unexpected authentication prompts as indicators to verify before acting. At events like this, security becomes a speed problem as much as a visibility problem.






