(Freer via Shutterstock)
The FBI is urging World Cup fans to make sure they're visiting the official FIFA domain when scammers have been flooding the web with thousands of fake, look-alike sites.
The real site is at fifa.com, which has been selling tickets to World Cups games. But to scam unsuspecting users, fraudsters have been creating fake World Cup and FIFA sites using variations of the domain, for example, fifa-com[.]com.
“The FBI has identified actors engaging in this activity to collect personal information, sell fake World Cup tickets and hospitality products, and to possibly facilitate other malicious activity,” the agency's alert says.
The FBI’s advisory specifically flags three dozen “spoofed” sites. “This form of cyberattack — called typo squatting — relies on Internet users making mistakes, such as common typos, when visiting a URL,” the FBI added. “Threat actors may also register illegitimate websites such as jobs-fifa[.]com to impersonate legitimate subdomains.”
(FBI)The scale of threat also appears to be vast. The cybersecurity provider Group-IB has uncovered “over 4,300 fraudulent domains impersonating FIFA's official web presence,” registered since August 2025.
(Group-IB)A Chinese-speaking scam group has been behind over 300 of the fake domains, which involves using a “pixel-perfect clone of the official FIFA website, complete with a replicated single sign-on (SSO) authentication flow, and multi-language support in 11 languages,” Group-IB adds. To lure potential victims, the group has also been advertising the fake FIFA sites using ads on Facebook. In other cases, the fraudsters have been promoting the spoofed sites using fake ticket promotions.
To avoid falling for the fake sites, double check the domain in your browser’s search bar, and be careful of ads or messages promoting FIFA. The FBI adds: “If using a search engine, avoid any ‘sponsored’ results as these can be paid imitators looking to deter traffic from the legitimate FIFA website.”