
Threat Intelligence Bulletin: FIFA 2026 World Cup

Written by: Dominic Kearne 

The 2026 FIFA World Cup, hosted across Canada, Mexico and the United States, begins on 11th June in Mexico City and ends with the final in New Jersey on 19th July. The tournament features 48 national teams and is one of the world’s largest sporting events.

Due to its global profile, the World Cup presents an elevated cyber threat landscape driven largely by opportunistic attacks. Peripheral channels such as unofficial streaming platforms, mobile apps, promotional campaigns and ticket resale sites are expected to be heavily exploited for phishing, fraud and malware distribution, using event branding to increase credibility.

Importantly, organisations and individuals with no direct connection to the World Cup may still be targeted. Cyber criminals are likely to exploit increased public interest through phishing emails, fake ticketing websites and impersonation of official services, as well as spikes in online traffic linked to the event.

Organisational Exposure Considerations

Brand impersonation and event-themed phishing: Increased use of World Cup branding in phishing campaigns targeting employees and clients, including fake sponsorship offers, prize draws, travel packages, and merchandise scams designed to harvest credentials or financial information.

Indicators: urgent/time-limited messaging, impersonation of trusted sports bodies or known brands, newly registered lookalike domains, and login or payment prompts on unfamiliar sites.

Credential stuffing and account takeover attempts: Opportunistic use of previously breached credentials against corporate and customer-facing systems, often amplified during major global events when user vigilance is lower.

Indicators: spikes in failed logins, unusual geographic access patterns, password reset bursts, and automated login attempts.

Third-party and supplier targeting: Increased risk to marketing agencies, media platforms, logistics providers, and other partners involved in campaign delivery, which may be leveraged as an indirect access path into primary organisations.

Indicators: anomalous access from trusted vendors, unexpected API activity, or compromised third-party accounts.

Increased scanning and opportunistic exploitation activity: Global events typically correlate with elevated automated scanning, bot traffic, and opportunistic exploitation attempts across exposed services.

Indicators: increased port scanning, unusual request patterns, spikes in blocked traffic, and probing of externally facing applications.

Fan-Facing and Peripheral Threats

Malicious apps and fake streaming sites: Rogue mobile apps and websites claiming to provide live streams, scores, or “exclusive content”, often used to deliver malware or steal credentials.

Indicators: unofficial app stores, phishing links via messaging apps, shortened URLs advertising “free live access”, and sideloaded Android Package Kit (APK) files (apps installed manually rather than downloaded from an official store).

Social engineering campaigns tied to tournament hype: Broad fraud campaigns leveraging excitement around fixtures, including fake competitions, giveaways, and promotional offers.

Indicators: unsolicited prize notifications, requests for login/payment details, and low-quality or rapidly spun-up landing pages.

Payment and cryptocurrency fraud spikes: Increased scam activity tied to betting, fake merchandise, and “VIP access” schemes, often requiring irreversible payment methods.

Indicators: crypto-only payments, aggressive urgency tactics, and newly created payment portals with limited reputation.

Ticketing fraud and fake resale ecosystems: Fraudulent ticket platforms, cloned resale listings, and marketplace scams exploiting demand for World Cup access, even where organisations are not directly selling tickets.

Indicators: lookalike domains, sudden spikes in resale listings, unusual payment flows, and inconsistent ticket transfer behaviour.
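
The lookalike-domain indicator, listed here and under brand impersonation above, can be triaged mechanically against a feed of newly observed domains. The Python below is an added example, not part of the original bulletin and not Ekco's tooling; the brand `examplecorp`, its official domain, the event-term list and every sample domain are constructed assumptions.

```python
import re

# Assumptions for this example: one protected brand, its official domain,
# and a short list of tournament terms. All domains here are constructed.
BRANDS = ("examplecorp",)
OFFICIAL = ("examplecorp.example",)
EVENT_TERMS = ("worldcup", "fifa", "ticket", "2026")
DIGIT_SWAPS = str.maketrans("0135", "oles")  # common digit-for-letter swaps


def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(domain):
    """Return the reasons a domain looks like a brand lookalike (empty = ignore)."""
    domain = domain.lower().rstrip(".")
    # The official domain and its subdomains are never lookalikes.
    if any(domain == o or domain.endswith("." + o) for o in OFFICIAL):
        return []
    # Split every label except the TLD on hyphens and underscores.
    raw = [t for label in domain.split(".")[:-1] for t in re.split(r"[-_]", label) if t]
    norm = [t.translate(DIGIT_SWAPS) for t in raw]
    reasons = []
    for brand in BRANDS:
        limit = 1 if len(brand) < 8 else 2  # tighter threshold for short brands
        if any(n == brand and r != brand for r, n in zip(raw, norm)):
            reasons.append("digit-swap:" + brand)
        elif any(0 < edit_distance(n, brand) <= limit for n in norm):
            reasons.append("typo:" + brand)
        elif brand in "".join(norm):
            reasons.append("brand-embedded:" + brand)
    # Event wording only raises priority when a brand signal is already present.
    text = "".join(raw) + " " + "".join(norm)
    if reasons and any(term in text for term in EVENT_TERMS):
        reasons.append("event-themed")
    return reasons


if __name__ == "__main__":
    for d in ("examp1ecorp-worldcup.example", "login.examplecorp.example"):
        print(d, triage(d))
```

Domains that come back with both a brand reason and `event-themed` are the ones to review first; registration age, which the bulletin also lists as an indicator, would need WHOIS or RDAP data that this sketch does not query.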

Ekco Precautionary Actions During the World Cup

Throughout the World Cup, Ekco will be protecting clients through the following:

Brand and domain monitoring: Tracking typo-squatting, impersonation domains, and phishing infrastructure leveraging World Cup themes and client branding.

Open-source and threat intelligence monitoring: Monitoring social media, forums, and underground channels for emerging scams, fake apps, and fraud campaigns linked to the tournament.

Threat actor focus: Prioritising financially motivated cybercriminal groups, phishing-as-a-service operators, credential stuffing botnets, and opportunistic extortion actors.

Infrastructure monitoring: Monitoring client-facing assets for abnormal traffic patterns, scanning activity, credential abuse, and potential denial-of-service precursors.
