Tuesday, 02 January 2024 12:17 GMT

World Cup Phishing Network Widens Sharply Arabian Post


(MENAFN- The Arabian Post) Cybercriminals are expanding phishing infrastructure built around the 2026 FIFA World Cup, with threat researchers mapping 222 malicious or suspicious domains to 203 unique IP addresses as fraud campaigns target fans, sponsors, travel operators and online shoppers before the tournament opens on 11 June.

The findings point to a much broader operation than the first wave of 79 lookalike domains that impersonated FIFA and ticketing-related services. The latest mapping suggests a distributed ecosystem rather than a single phishing cluster, with domains spread across multiple hosting providers and infrastructure groups to improve resilience, evade takedowns and redirect victims through different online paths.

The tournament, to be held across the United States, Canada and Mexico from 11 June to 19 July, is expected to draw exceptional online demand for tickets, accommodation, transport, merchandise, visas, streaming access and hospitality packages. That demand has created a lucrative window for fraud groups using fake FIFA branding, cloned storefronts, bogus ticket portals, counterfeit merchandise pages and deceptive travel offers.

Security analysts tracking the activity say the scale of the domain network shows attackers are preparing well before peak match-day traffic. Many domains use combinations of tournament terms, host city references, “official” branding, ticket language, team names and retail-style phrases designed to appear legitimate in search results or paid advertisements. Some pages are built to steal login credentials and card data, while others appear designed to collect deposits, harvest passport details or push victims into unauthorised betting and crypto schemes.

The 222-domain footprint also reflects a shift in tactics. Rather than relying on a handful of obvious fake pages, operators are spreading campaigns across many domains and IP addresses. That makes blocking harder for defenders because individual domains can be retired, redirected or replaced without dismantling the wider network. Several domains remain dormant before activation, a tactic known as domain ageing, which can allow fraudulent sites to appear less suspicious when they later begin hosting phishing pages.
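For defenders triaging newly observed domains, the naming pattern and the domain-ageing tactic described above can be checked together. The sketch below is an added example, not code from the researchers or the article: the keyword lists, thresholds, `.example` domains and documentation-range IP addresses are all constructed assumptions.

```python
from collections import Counter
from datetime import date

# Keyword categories follow the article's description of lookalike names.
# The word lists are illustrative assumptions, not published indicators.
CATEGORIES = {
    "tournament": ("worldcup", "fifa", "2026"),
    "host_city": ("dallas", "toronto", "miami", "vancouver", "monterrey"),
    "official": ("official",),
    "ticket": ("ticket", "resale"),
    "retail": ("shop", "store", "jersey"),
}

# Constructed sample: (domain, hosting IP, registered, first seen serving content).
RECORDS = [
    ("worldcup-tickets-dallas.example", "192.0.2.10", date(2025, 3, 1), date(2025, 11, 20)),
    ("fifaofficialshop.example", "198.51.100.7", date(2025, 9, 5), date(2025, 9, 8)),
    ("wc2026-resale.example", "203.0.113.44", date(2025, 1, 15), None),
    ("dallas-bakery.example", "192.0.2.10", date(2020, 1, 1), date(2020, 1, 3)),
]

def matched_categories(domain):
    """Return the keyword categories present in the name left of the TLD."""
    label = domain.lower().rsplit(".", 1)[0]
    return {cat for cat, words in CATEGORIES.items() if any(w in label for w in words)}

def triage(records, today, min_categories=2, ageing_days=90):
    """Flag names combining several categories; mark long-dormant ones as aged."""
    flagged = []
    for domain, ip, registered, first_active in records:
        cats = matched_categories(domain)
        if len(cats) < min_categories:
            continue
        # Dormancy: gap between registration and first content (or today if none yet).
        dormant = ((first_active or today) - registered).days
        flagged.append({"domain": domain, "ip": ip, "categories": sorted(cats),
                        "dormant_days": dormant, "aged": dormant >= ageing_days})
    return flagged

def top_ip_coverage(flagged):
    """Fraction of flagged domains removed by blocking the single busiest IP."""
    if not flagged:
        return 0.0
    busiest = Counter(f["ip"] for f in flagged).most_common(1)[0][1]
    return busiest / len(flagged)

if __name__ == "__main__":
    hits = triage(RECORDS, today=date(2026, 1, 10))
    for h in hits:
        print(h)
    print("top-IP block coverage:", round(top_ip_coverage(hits), 2))
```

When flagged domains sit on nearly as many IP addresses as there are domains, as in the 222-to-203 mapping reported here, the coverage figure stays low and blocking has to work at the domain level.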


Ticket demand remains the main pressure point. FIFA has repeatedly warned fans to use official channels, with the global interest in the expanded 48-team tournament likely to keep resale scams active. Fraudulent portals typically imitate the look of real ticketing pages, add countdown timers or “limited availability” messages, then direct users into payment flows that either steal funds outright or capture account and card details for later abuse.

Travel-related scams are also increasing. The three-country format has created complex itineraries for supporters crossing borders between host cities. Fraud pages are exploiting that complexity through fake visa assistance sites, accommodation listings, transport apps and package deals. Some sites falsely imply that a special World Cup visa is available, even though visitors must follow ordinary entry procedures for the relevant host country. These pages can be especially damaging because they may collect passport numbers, dates of birth, travel plans and payment details.

Merchandise fraud has become another major strand. Fake storefronts are using tournament logos, national team imagery and heavily discounted jerseys or souvenirs to lure buyers. Discounts of 80 per cent or more, unclear ownership details, poor refund language and pressure-driven sales prompts are common warning signs. Counterfeit retail pages are often supported by social media advertising, search placement and redirect chains that obscure the final destination until the buyer has already clicked.

The threat is not limited to fans. Official partners, sponsors, airlines, hospitality providers, broadcasters and national football bodies face a heightened risk of impersonation. Weak email authentication across parts of the event ecosystem can allow spoofed messages to reach consumers or commercial partners. Attackers may use fake sponsorship proposals, supplier invoices, accommodation offers or media accreditation messages to target businesses handling tournament-related payments.


Cybersecurity firms have also identified malicious sites using World Cup themes to promote unauthorised betting pools, fake prize draws and crypto tokens falsely implying links to the tournament. These campaigns rely less on technical sophistication than on timing, brand recognition and urgency. The use of AI-generated product images, polished copy and automated translation has made many scam sites harder for ordinary users to spot at a glance.
