Before the First Whistle: How Cyber Criminals Are Targeting World Cup 2026 — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 18, 2026

Severity: MEDIUM | View Full Scam Details

Before the First Whistle 2026: How Phishing Scams Target Indian Cricket Fans Ahead of the World Cup

As excitement builds for the 2026 Cricket World Cup, phishing scams are already tricking Indian fans by exploiting their passion for the game.

What Is the Before the First Whistle Scam Targeting World Cup 2026?

This emerging cybercrime, dubbed the "Before the First Whistle" phishing scam, targets cricket enthusiasts eagerly awaiting the 2026 World Cup. Fraudsters send fake messages and emails promising early ticket sales, exclusive merchandise, or behind-the-scenes content to lure victims into revealing sensitive information or making payments.

In India, where cricket is almost a religion, scammers exploit this emotion using WhatsApp forwards, SMS, and even fake websites mimicking official tournament portals. The scam has begun spreading across multiple states, with early reports logged through CERT-In and complaints reaching the Indian Cyber Crime Coordination Centre (I4C).

While the scam's overall risk remains medium (risk score 5/10), authorities including the RBI and CERT-In warn the public to remain vigilant ahead of the hype. The stakes are high because many victims lose money through fake UPI payments or fall prey to identity theft, putting their Aadhaar-linked financial accounts at risk.

How This Scam Works — Step by Step

1. Initial Contact via WhatsApp or SMS: Victims receive a message claiming to offer pre-sale World Cup tickets, offers on official merchandise, or special access passes. The message often includes a suspicious link.

2. Call to Action: The link directs users to a fake website designed to look like the official World Cup or cricket board’s portal, asking for personal details such as phone number, Aadhaar number, or bank UPI PIN.

3. Request for Payment: After submitting details, visitors are asked to make a payment via UPI or credit/debit card to "confirm" their booking or claim their prize. The payment page appears genuine but is controlled by scammers.

4. Data Harvest and Financial Theft: Once payments go through, money is siphoned off directly from victims’ accounts or through manipulated UPI transactions. In some cases, personal data is sold on the dark web, increasing risks of SIM swapping or Aadhaar misuse.

5. Follow-up Scam Calls: Victims often get follow-up calls from fraudsters posing as customer support, demanding more personal information or "verification" to complete the transaction, deepening the fraud.

Real Warning Signs to Watch For

• Messages or links promising early World Cup tickets before official sales begin.
• Requests for sensitive information like Aadhaar number, UPI PIN, or OTP to "confirm" participation.
• URLs that look suspicious or have misspelled official cricket or tournament website names.
• Payment requests via UPI or QR codes not linked to official vendors.
• Urgency language: phrases like “limited seats,” “act now,” or “offer expires soon.”
• Unsolicited WhatsApp forwards or SMS from unknown numbers.
• Follow-up calls pressuring you to share more personal data or bank details.

What Happens to Victims

Victims often suffer immediate financial loss as their UPI-linked accounts get drained. Since UPI payments are instant and irreversible, recovering money is difficult without quick action. Some face identity theft where their Aadhaar details are misused to open bank accounts or take loans fraudulently.

Victims also experience emotional stress — anxiety over stolen money, loss of trust in online transactions, and the daunting process of filing police complaints in India. SIM swap attacks following data theft can leave victims cut off from their bank OTPs, further increasing their vulnerability.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) has issued advisories cautioning users about fake websites and phishing messages related to major events. They emphasize never sharing UPI PINs or OTPs with anyone and verifying website URLs before making payments.

CERT-In advises users to be skeptical of unsolicited messages promising offers and to report suspicious links. The Ministry of Electronics and IT has set up the 1930 cybercrime helpline for reporting such scams, and the Indian Cyber Crime Coordination Centre (I4C) continues monitoring scam trends.

The RBI helpline (1800-11-22-99) and CERT-In’s official channels are recommended contacts for victims needing prompt assistance.

How to Protect Yourself

1. Wait for official announcements: Only trust ticket sales on authentic ICC or BCCI websites and verified partners.
2. Never share Aadhaar, UPI PIN, OTP, or bank details over calls or messages.
3. Verify URLs: Look for secure HTTPS and check domain names carefully.
4. Use RBI-approved UPI apps: Avoid scanning QR codes or making payments from unknown sources.
5. Ignore pressure tactics: Legitimate vendors do not force you to act immediately.
6. Install security apps and keep your phone updated: CERT-In recommends this to block malicious links.
7. Report suspicious messages immediately to BharatSecure.app or the 1930 cybercrime helpline.

What to Do If You've Been Targeted

• Immediately block the sender and stop all payments.
• Contact your bank to freeze your account or UPI transactions.
• Change all banking app passwords and PINs promptly.
• File a complaint on the National Cyber Crime Reporting Portal at cybercrime.gov.in.
• Call the 1930 cybercrime helpline for guidance and assistance.
• Inform your telecom provider if you suspect SIM swap attempts.
• Report the scam details to BharatSecure.app for awareness and support.

Frequently Asked Questions

Q: Can I get my money back if I fall victim to this World Cup phishing scam?
A: UPI payments are typically irreversible, so recovering lost money is challenging. Immediate reporting to your bank and the cybercrime helpline can sometimes help contain further losses, but prevention is critical.

Q: How can I verify if a World Cup-related message is genuine?
A: Check for official verification like tick marks on social media, visit only trusted websites such as ICC or BCCI’s official portals, and avoid clicking suspicious links in messages.

Q: What should I do if I mistakenly shared my UPI PIN or OTP?
A: Immediately change your PIN within the app and inform your bank. Report the incident to the cybercrime helpline 1930 and file a complaint online at cybercrime.gov.in to initiate investigation.

As the 2026 Cricket World Cup excitement grows, so will online scams. Always double-check suspicious messages and protect your data. When in doubt, verify suspicious links and offers at BharatSecure.app — your trusted partner against digital fraud. Stay safe, stay informed!