With the international soccer tournament scheduled for June and July 2026 in the United States, Canada, and Mexico, threat actors are actively deploying hundreds of phishing sites. These sites mimic the official fifa.com domain but use subtle spelling variations (e.g., fiffa[.]com) and alternative top-level domains (.org, .xyz, .live, .sale). Fake employment portals, such as “jobs-fifa[.]com” or “fifa-hiring[.]com,” are also being used. ### Data Collection and Potential Abuse The **FBI** notes that these fraudulent websites collect sensitive user data, including names, addresses, phone numbers, and banking details. This information can be used for identity theft, fraudulent accounts, and financial scams. Users should exercise extreme caution when interacting with any site claiming affiliation with **FIFA**. ### Malvertising Campaigns The scale of these campaigns is significant. **Group-IB** and **Bitdefender** have reported World Cup-related malvertising campaigns promoted through **Google Search**, **Facebook** ads, **Telegram**, and **WhatsApp**. **Group-IB** researchers have attributed a major operation to a Chinese threat actor tracked as Ghost Stadium. This operation utilizes over 300 phishing sites, clones of the real **FIFA** portal, to commit premium ticket fraud. .jpg) *Source: Group-IB* **Bitdefender** has observed fraudulent activity since February, targeting users in the UK, Portugal, Spain, Algeria, the US, Canada, Mexico, Brazil, Germany, and Australia. These scams involve fake merchandise, kits and collectibles, streaming services, and **Panini** sticker offers.  *Source: Bitdefender* ### Protection Measures To avoid falling victim to these scams, the **FBI** recommends the following: * Manually type fifa.com into your browser. * Avoid sponsored search ads or use an ad blocker. * Verify the URL ends in .com. * Use bookmarks for official **FIFA** sites. * Avoid suspicious links sent via direct messages. * Never enter sensitive data unless the site is verified as authentic. Users who encounter suspicious activity are encouraged to report it to the **FBI’s** **Internet Crime Complaint Center (IC3)**, providing details such as the fake domain used, interaction history, and payment information.