LONDON: Saudi fans travelling to the 2026 FIFA World Cup have been urged to stay vigilant against impersonation scams, as cybersecurity firms warned of a surge in fraud targeting supporters ahead of the tournament.
Group-IB said on Thursday it uncovered a “massive, sophisticated” fraud campaign targeting fans, while Proofpoint warned Saudi supporters heading to the event to be on guard against impersonation attempts.
Researchers said they identified more than 4,300 fraudulent domains impersonating FIFA’s official web presence, six parallel fraud schemes and four independent threat actors, and estimated potential losses could run into the billions of dollars.
The tournament will be staged across 16 cities in the US, Canada and Mexico from June 11 to July 19, 2026.
FIFA expects more than 6 million fans to attend matches, with ticket demand already far outstripping supply.
The football organization said more than 150 million tickets were requested in the first 15 days of sales alone, making this edition roughly 30 times oversubscribed compared with previous tournaments, and sharply increasing the risk of fraud.
“This enormous demand and the urgency it creates among fans to secure tickets has made the football tournament a magnet for fraud,” said Group-IB, who called the campaign a “sprawling ecosystem of fraud activity targeting its global audience.”
A fan of US receives a Panini World Cup 2026 Album prior to the international friendly match between US and Senegal at Bank of America Stadium on May 31, 2026 in Charlotte, North Carolina. (AFP/File)
Researchers said thousands of fraudulent domains have been registered since August 2025, with more than 300 actively deploying phishing infrastructure and about 3,800 parked and ready for activation.
At the center of the campaign is a group it calls GHOST STADIUM, a Chinese-speaking, profit-driven operation using the same phishing kit across hundreds of sites, according to the firm.
The fake pages closely mimic fifa.com and replicate FIFA’s single sign-on login, including a genuine client ID copied from the live site.
They also load images directly from FIFA’s own servers, making the pages appear authentic and harder for standard security tools to flag.
Researchers said fraudsters are heavily using Facebook ads, fake urgency and sharply discounted ticket offers to lure victims into cloned login portals, where their details can be stolen and their FIFA accounts accessed.
Mascots of the World Cup Maple the Moose, Zayu the Jaguar and Clutch the Bald Eagle entertain the fans prior to the FIFA World Cup 2026 Play-Off tournament final match between Iraq and Bolivia at Estadio Monterrey on March 31, 2026 in Guadalupe, Mexico. (AFP/File)
Group-IB said more than 2,500 valid FIFA account credential pairs are already circulating on dark-web markets, in part because of infostealer malware campaigns.
The company estimated losses from premium and hospitality ticket fraud alone at between $71 million and $474 million, warning the wider campaign could generate losses in the billions.
Beyond ticketing, cybercriminals are also targeting fan merchandise and streaming platforms, particularly in Latin American markets, where counterfeit storefronts and malicious sites are being used to spread malware.
It is not just Group-IB. Proofpoint said on Friday that more than 36 percent of official sponsors, suppliers, partners and supporters linked to the tournament do not have adequate email security protections in place to guard against domain impersonation.
The California-based firm, which has expanded across the Middle East in recent years and opened a local data center in Saudi Arabia in 2025, warned that Saudi fans should step up their vigilance as it expects a surge in attacks.
Abdulah Aljandal, Country Manager, Saudi Arabia at Proofpoint. (Supplied)
“As more Saudi fans travel to support our Green Falcons in the US, awareness becomes just as important as technology. Taking a moment to verify links, offers, and payment requests through official channels can make a major difference in avoiding fraud,” Abdullah Aljandal, country manager for Saudi Arabia at Proofpoint, told Arab News.
He said major events tend to attract cybercriminals, who impersonate brands and official partners to send fake offers designed to steal personal or financial information.
“AI is also making these scams more convincing and easier to scale, with highly personalized phishing emails and fake communications becoming harder for people to identify.”
“With Saudi Arabia preparing to welcome the world for the FIFA World Cup 2034, digital trust and cybersecurity awareness will play an increasingly important role in delivering a safe, seamless, and world-class fan experience across the Kingdom for organizations, partners, and fans alike.”
