Criminals have registered dozens of lookalike FIFA domains to harvest fans’ personal and banking data. The same tactic threatens any brand with customers online.
The 2026 FIFA World Cup kicked off last week, with billions of fans worldwide turning to the tournament, and millions scrambling for tickets, hospitality packages and last-minute travel.
That demand is exactly what criminals are counting on. With official tickets scarce and prices high, fraudsters have built convincing fake versions of FIFA and tournament ticketing websites designed to take fans’ money and personal data.
The threat is serious enough that the FBI issued a public warning on 27 May. Its Internet Crime Complaint Center (IC3) named dozens of spoofed FIFA-related domains set up to harvest victims’ names, home addresses, phone numbers, email addresses and banking details, and warned that criminals can use that information to open fraudulent accounts in victims’ names, as well as selling counterfeit tickets and hospitality packages. (FBI PSA, 27 May 2026: ic3.gov/PSA/2026/PSA260527)
The FBI’s own examples show how varied the fakes are. Blatant ticket lures such as worldcup26ticket[.]com and fifa-ticket[.]live sit alongside near-perfect typosquats like wvvw-fifa[.]com, which replaces the “w” with two v’s, and filfa[.]org, just one letter from the real address. (The domains are shown here in a deliberately broken form so they cannot be clicked.)
These are not crude scams. They are lookalike domains: web addresses built to impersonate a trusted brand so closely that fans hand over their details without a second thought. The harm happens on the fake site, not in an email inbox, and by the time the real brand finds out, the damage is done.
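The patterns in the FBI's examples can be screened for mechanically as new domains show up in registration or certificate feeds. The sketch below is an added example, not code from DefendDomain or the FBI: the confusable-character table, lure keywords and allowlist are assumptions, the four lookalike domains are the ones quoted above (kept defanged), and the benign domain is constructed.

```python
import re
BRAND = "fifa"                       # brand label taken from the page
OFFICIAL = {"fifa.com"}              # assumed allowlist of the brand's own domains
LURE_TERMS = ("ticket", "worldcup")  # assumed event keywords to watch for
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]  # assumed, partial

def refang(domain):
    """Turn a defanged indicator (fifa-ticket[.]live) back into a hostname."""
    return domain.replace("[.]", ".").strip().lower()

def skeleton(token):
    """Collapse look-alike sequences so 'wvvw' compares equal to 'www'."""
    for seq, real in CONFUSABLES:
        token = token.replace(seq, real)
    return token

def edit_distance(a, b):  # Levenshtein distance, computed row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reasons(domain, brand=BRAND):
    """Reasons a domain resembles the brand; name = all labels before the last dot."""
    host = refang(domain)
    if host in OFFICIAL: return []
    tokens = [t for t in re.split(r"[^a-z0-9]+", host.rsplit(".", 1)[0]) if t]
    reasons = set()
    for tok in tokens:
        if tok == brand:
            reasons.add("brand-name")
        elif skeleton(tok) in (brand, "www") and skeleton(tok) != tok:
            reasons.add("confusable-chars")
        elif edit_distance(skeleton(tok), brand) == 1:
            reasons.add("one-edit-typo")
        if any(term in tok for term in LURE_TERMS):
            reasons.add("lure-keyword")
    return sorted(reasons)

# Domains named on the page (kept defanged) plus one constructed benign name.
SAMPLES = ["worldcup26ticket[.]com", "fifa-ticket[.]live", "wvvw-fifa[.]com",
           "filfa[.]org", "gardening-blog[.]example"]

if __name__ == "__main__":
    for d in SAMPLES:
        print(d, lookalike_reasons(d))
```

A production monitor would split names with the Public Suffix List and use a fuller confusables table; an empty result means no resemblance was found by these four checks only.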
The problem extends far beyond football. Any organisation with customers online, including retailers, banks, SaaS platforms and professional services, can have its brand impersonated the same way, with the same consequences for customers and reputation.
“A major event like the World Cup is a gift to criminals: huge demand, time pressure, and a trusted brand to hide behind,” said James Bending, co-founder of DefendDomain. “But it’s the same tactic we see used against ordinary businesses every week. A lookalike domain gets registered, a fake site goes live, and customers get caught. The good news is that this infrastructure is visible while it’s being built, so if you can spot the impersonating domain at the point it’s registered, before it’s weaponised, you can shut it down before anyone gets hurt.”
DefendDomain works with companies to protect against domain-based impersonation, detecting and disrupting lookalike domains, cloned websites and fraudulent certificates before they are used to attack customers. The UK company was named Cyber Security Start-up Company of the Year at the 2026 TEISS Awards.
For fans, the FBI’s advice is simple: use only official FIFA channels for tickets and travel, check web addresses carefully, and be wary of deals that look too good to be true.
About DefendDomain
DefendDomain is a four-layer, AI-powered brand protection platform that detects and disrupts domain impersonation, phishing and content theft before they damage a business. It combines proactive domain monitoring, invisible website markers, content fingerprinting and real-time certificate scanning to catch threats before they are weaponised.
