FBI Flags 13,000 Fake FIFA Domains Before World Cup Hits Dallas

The FBI issued a public service announcement on May 27 warning that threat actors have registered more than 13,000 FIFA World Cup-themed domains since January 2026, with nearly 9 percent confirmed malicious. AT&T Stadium in Arlington is hosting nine World Cup matches starting June 14, and your employees are going to be buying tickets, streaming games, and clicking on World Cup content at work for the next month. That makes this warning directly relevant to every business in DFW.

What the FBI Found

The FBI’s Internet Crime Complaint Center (IC3) identified several distinct threat campaigns tied to the 2026 World Cup.

13,000+ fraudulent domains registered since January 2026 use typosquatting and lookalike tactics to impersonate FIFA’s official site. Examples include fifa.cab, fifa.pink, and filfa.org. Fortinet’s threat research confirmed that Group-IB tracked over 4,300 fraudulent FIFA domains total, with another 3,800 parked and ready to activate as the tournament approaches.

Ghost Stadium, a Chinese-speaking phishing operation, is running more than 300 fraudulent sites that replicate FIFA’s real login page down to the PingIdentity single sign-on client ID. These sites capture FIFA account credentials, which attackers then use to purchase legitimate tickets with stolen payment methods or resell access to compromised accounts.

Fake sponsor job offers are arriving through calendar meeting invitations, not email. Domains like jobs-fifa.com and fifa-hr.com impersonate recruiting pages for FIFA sponsors including Coca-Cola, Marriott, PepsiCo, and Delta. Calendar invitations bypass most email security filters because calendar protocols handle them differently than standard messages, so these reach employee inboxes at a higher rate than traditional phishing emails.

Fake streaming sites are distributing Android banking trojans called Massiv and Perseus. These apps overlay fake bank login screens on top of legitimate banking apps, intercept MFA codes via SMS, and read data from password managers. An employee who installs one of these apps on a personal phone used for work email exposes corporate credentials too.

1,700+ spoofed social media accounts, with 90 percent on Facebook and Instagram, are driving traffic to phishing pages through fake ticket giveaways, fraudulent merchandise deals, and counterfeit streaming links.

Why DFW Businesses Have Specific Exposure

This isn’t a general cybersecurity bulletin. Dallas-Fort Worth has direct, measurable risk.

AT&T Stadium in Arlington is one of 16 host venues, with nine matches scheduled between June 14 and the semifinals. England vs. Croatia, Argentina vs. Austria, and multiple knockout-round games will draw heavy local attention. Employee engagement with World Cup content, from ticket searches to restaurant reservations near the stadium, will spike across every company in the metroplex.

The business risk comes from company devices and corporate email accounts intersecting with this wave of fraudulent content. An employee searching for last-minute tickets on a work laptop can land on a credential-harvesting site. A calendar invitation offering “exclusive FIFA hospitality packages” can deliver malware. A fake streaming link shared in a team chat can compromise a browser session.

The FBI estimates ticket fraud losses alone could range from $71 million to $474 million across the tournament. That number reflects consumer losses, but the credential theft and malware distribution behind those scams affect businesses directly. A compromised employee account is a compromised employee account, regardless of whether the initial lure was a phishing email or a fake FIFA ticket site.

How These Scams Reach Your Employees

Understanding the specific techniques helps you communicate the risk clearly to your team.

Typosquatted domains are the foundation of this campaign. Attackers register domains that look nearly identical to fifa.com, using slight misspellings, different TLDs, or added words. Your employees won’t notice the difference between fifa.com and filfa.org when they’re looking for tickets during lunch. Standard email security tools catch many phishing emails, but they can’t stop someone from typing a bad URL directly into their browser.

Calendar invite phishing is the technique most likely to catch companies off guard. Unlike email phishing, calendar invitations often bypass spam filters entirely. The invitation shows up as a meeting request, not a suspicious email. When the employee clicks to view details, they land on a credential-harvesting page. If your team has seen our coverage of device code phishing, the principle is similar: attackers exploit trust in legitimate platform features that employees don’t think to question.

Mobile malware from fake streaming apps targets the personal devices your employees use to check work email, access Teams, or approve MFA prompts. Banking trojans like Massiv and Perseus don’t just steal banking credentials. They intercept SMS-based MFA codes, overlay fake login screens on top of any app, and exfiltrate saved passwords. A compromised personal phone with access to corporate M365 becomes a corporate security incident.

Social media lures act as the traffic driver for everything else. The 1,700+ fake accounts post about free tickets, exclusive merchandise drops, and “early access” streaming links. Employees who follow these accounts or click these links on company networks bring threat actor infrastructure directly into your environment.

What to Tell Your Employees Before June 14

Send this to your team before the tournament starts. A short, direct message works better than a policy document.

• Only use fifa.com for tickets and account management. Type the URL directly into the browser. Do not click links from emails, social media posts, or text messages claiming to be FIFA. Bookmark the official site now.

• Treat any FIFA-related calendar invitation from an unknown sender as suspicious. Legitimate FIFA communications don’t arrive as calendar meeting invites offering jobs, hospitality, or ticket deals. If you receive one, don’t click any links in it. Forward it to IT.

• Do not install streaming apps from outside official app stores. If a website asks you to download an APK file or sideload an app to watch World Cup matches, it’s distributing malware. Use official broadcasters (Fox, Telemundo, and Peacock have the U.S. broadcast rights).

• Do not enter your work email or password on any FIFA-themed website. There is no legitimate reason a FIFA ticket site would need your corporate credentials. If a site asks for a work login, close the tab and report it.

• Be skeptical of World Cup deals on social media. Fake accounts outnumber real FIFA accounts on Facebook and Instagram right now. Merchandise deals, ticket giveaways, and “VIP experiences” from unverified accounts are almost certainly bait.

What Your IT Team Should Do This Week

Beyond employee communication, there are technical steps that reduce your company’s exposure before the first match.

Block known malicious FIFA domains at the DNS level. If you use DNS filtering through your managed IT provider or endpoint protection platform, add the indicator-of-compromise lists from the FBI PSA and Fortinet’s threat research. This prevents employee devices from resolving known bad domains even if someone clicks a link.

Review endpoint protection on mobile devices used for work. If employees access M365, Teams, or company email on personal phones, confirm those devices are enrolled in your MDM solution with endpoint detection active. An unmanaged phone with access to corporate data is a blind spot you can close this week.

Flag calendar invitations from FIFA-themed external domains. Configure mail flow rules in Exchange Online or Google Workspace to flag or quarantine calendar invitations containing “FIFA,” “World Cup,” or “fifa” in the organizer domain when the sender is external and not from fifa.com.

Check for compromised credentials. Infostealer malware campaigns (Vidar, LummaC2, RedLine) have been actively harvesting credentials from users who visited fraudulent FIFA sites. Check whether any of your employee email addresses appear in recent infostealer logs through your threat intelligence provider or dark web monitoring service.

Run a quick security awareness reminder. A five-minute briefing or a single email costs nothing and meaningfully reduces the chance an employee becomes the entry point. The QR code phishing surge earlier this year showed how quickly new phishing vectors exploit gaps in awareness.

Act Before the Opening Whistle

The World Cup kicks off June 11 in Mexico City. Dallas matches start June 14. The fake domains, phishing infrastructure, and malware distribution are already live. Every day between now and then is a day your employees are exposed to this campaign without knowing about it.

Send the employee checklist this week. Brief your IT team. Block the domains. The cost of doing all of this is an hour of work. The cost of skipping it is a compromised account or malware infection that started with a fake ticket link.