The 2026 FIFA World Cup kicks off this weekend, and numerous related scams are already circulating even before the tournament begins. 

Attackers are exploiting the ticket shortage, the hype, and the high volume of searches to deceive fans.

According to recent investigations, more than 4,300 fraudulent FIFA-related domains have been registered since August 2025. 

Another source counted more than 13,000 World Cup-themed domains, of which 8.8% were malicious. Another lure used was unofficial streaming apps, especially for Android users. 

According to the report, these apps impersonate popular services like RojaDirecta and can install banking trojans capable of overlaying fake screens, stealing one-time codes, and controlling the device.

CSIRT-CAN recommends that you only buy tickets from fifa.com, as you should not trust advertisements or social media links. If possible, enable multi-factor authentication, be wary of cryptocurrency payments, and avoid logging into your banking or email accounts using open Wi-Fi networks in host cities.