FBI Warns of Fake FIFA and World Cup Websites Stealing Personal Data and Selling Counterfeit Tickets

What the FBI Said

On June 16, the FBI released a public service announcement warning soccer fans and anyone following the North America-hosted World Cup to scrutinize any website claiming to be affiliated with FIFA or the tournament before entering personal data.

According to the FBI's statement, scammers have built spoofed websites engineered to look like FIFA's official site. The goal: capture names, home addresses, phone numbers, email addresses, and banking credentials from people who think they're on a legitimate page.

The FBI described the threat plainly: once that information is collected, it can be used to open fraudulent accounts in a victim's name, drain accounts, or resell the data.

How the Scams Work

The spoofing tactics are straightforward but effective. Fraudulent domains alter the official URL slightly — a transposed letter, an added word, or a swapped top-level domain. The FBI specifically flagged unusual extensions including ".blue," ".beer," and ".city" showing up in World Cup-related fake domains.

Dozens of fraudulent domains have been identified by the bureau. They cluster around high-demand categories: FIFA merchandise, job listings, and most prominently, ticket sales.

Counterfeit ticket sales are a particular risk. Fans searching for last-minute access to sold-out matches are exactly the kind of motivated, distracted buyer these operations target. A fake ticket site that looks credible enough can extract full payment before anyone realizes the tickets don't exist.

The Scope Is Not Theoretical

The FBI noted it has already identified individuals engaged in these activities — collecting personal information, selling counterfeit tickets or "hospitality products," and running related malicious operations. The announcement did not name suspects or specify whether charges have been filed. No indictments were publicly announced alongside the June 16 notice.

This article was authored by Jack Phillips via The Epoch Times and republished by ZeroHedge, both outlets that lean right editorially. Neither outlet's framing materially diverges from the FBI's own public statement, which is the primary document. The facts as reported track directly to what the bureau said.

The Strongest Counter-Concern

Some digital-rights advocates raise a legitimate concern whenever the FBI issues broad cybersecurity warnings tied to major events: the guidance can be vague enough that it creates general internet anxiety without giving users actionable, specific threat intelligence. Critics in this space argue that law enforcement agencies sometimes publicize threat warnings that are long on alarm and short on the specific domains or indicators of compromise that would let ordinary users actually protect themselves.

That concern has some merit in general, but in this case the FBI's announcement does provide concrete protective steps and notes that dozens of specific domains have been identified. Whether the bureau publicly releases that full domain list matters. If it doesn't, the warning is harder to act on than it could be.

What You Can Actually Do

The FBI's guidance is specific:

• Type FIFA's official URL directly into your browser. Do NOT click links from search results, social media, or unsolicited emails.
• Verify the full URL before entering any personal or financial information.
• Treat any domain extension that isn't .com or .org with skepticism when it comes to ticketing or merchandise.
• If you've already entered information on a site you now doubt, contact your bank immediately and consider a credit freeze.

FIFA's official website is fifa.com. Anything that isn't that exact domain should be verified independently before you type a single character of personal data.

The Broader Pattern

This isn't unique to the World Cup. The FBI and its international partners have documented the same playbook around the Super Bowl, the Olympics, and major concert tours. Large, emotionally charged ticketed events create predictable surges in consumer urgency. Urgency is the primary tool scammers rely on.

With the World Cup group stage already underway as of mid-June 2026, the window for this fraud is open right now. Fans looking to buy tickets for knockout-round matches are the next wave of potential targets.

The unresolved question is whether the FBI will publish the full list of identified fraudulent domains publicly, or whether that information stays internal to law enforcement. Transparency on that list would give cybersecurity researchers and browser safety tools something concrete to block and give fans something more useful than general caution.