Threat Actors Spoofing FIFA Websites in Advance of the 2026 World Cup — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 29, 2026

Severity: HIGH | View Full Scam Details

Beware in 2026: FIFA Scam Alert in India—Threat Actors Spoofing FIFA Websites Ahead of World Cup

Fraudsters are targeting Indian football fans by spoofing FIFA websites, aiming to steal personal and financial information before the 2026 World Cup.

What Is the Threat Actors Spoofing FIFA Websites in Advance of the 2026 World Cup?

As excitement builds for the 2026 FIFA World Cup, cybercriminals have reportedly begun impersonating FIFA’s official websites to carry out phishing attacks. These fraudsters create fake platforms closely resembling official FIFA portals, promising early ticket sales, exclusive merchandise, and World Cup updates. The scam primarily targets Indian football enthusiasts eager to secure tickets or participate in World Cup-related offers.

The challenge is significant given India's growing online sports fan base and increased digital payments usage such as UPI and net banking for event purchases. According to public complaints and advisories from CERT-In, these phishing attempts have been observed rising over the past few months. The scam is considered high severity with a risk score rating of 7 out of 10 because victims may lose money, have bank accounts compromised, or suffer data theft.

While RBI has not issued a specific advisory about the FIFA spoofing scam, its general warnings about phishing and UPI fraud remain highly relevant. CERT-In and the India's I4C (Indian Cyber Crime Coordination Centre) urge citizens to verify all links and avoid sharing OTPs or bank details on unknown websites.

How This Scam Works — Step by Step

1. Initial Contact via Email or Social Media: Victims receive WhatsApp messages, emails, or SMS links claiming to be from FIFA, offering priority access to World Cup tickets or exclusive merchandise.

2. Fake Website Visit: Clicking the link takes the user to a spoofed FIFA-like website designed to look almost identical to the official site but with a slightly different URL.

3. Request for Personal Details: The fake site asks users to register by entering details such as name, phone number, Aadhaar number, and payment information including UPI IDs or debit card details.

4. Phishing for UPI OTP or Bank Credentials: Upon payment, users are prompted to enter an OTP supposedly for transaction verification. Fraudsters steal this OTP to authorize unauthorized transactions or SIM swap to intercept future OTPs.

5. Financial Loss or Identity Theft: Victims find money debited from their bank accounts or UPI wallets without authorization. Sometimes, stolen Aadhaar details are used for fraudulent credit or loan applications.

This scam spreads mainly through social media sharing and forwarded WhatsApp messages common in India, especially in regional language groups, making it widespread among diverse demographics.

Real Warning Signs to Watch For

• URLs that are slightly misspelled or use uncommon domain extensions (e.g., co instead of com).
• Messages pressuring immediate action, often claiming “tickets selling fast” or “exclusive time-limited offers.”
• Requests for sensitive data such as Aadhaar number, bank details, or OTP on a website or over chat.
• Poor grammar or awkward phrasing in official-looking emails or messages.
• Websites not secured by HTTPS (no padlock icon in the browser).
• Payment requests before official ticket sales begin via verified channels.
• Unexpected WhatsApp forwards from unknown or newly added contacts.

What Happens to Victims

Victims can lose hundreds or thousands of INR quickly through unauthorized UPI transactions or fraudulent card payments. Unlike reversing bank transfers where possible, UPI payments authorized with OTP are often difficult to reclaim once completed. Moreover, misuse of stolen Aadhaar information can lead to long-term financial and identity risks including fake loans or credit cards taken in the victim's name.

Emotionally, victims face distress and anxiety, especially when personal financial data is breached. In India, SIM swapping linked to these scams also causes loss of access to mobile banking apps and two-factor authentication, complicating account recovery.

What RBI and CERT-In Say

RBI’s guidelines emphasise always verifying the authenticity of transaction requests, especially those involving OTPs and UPI payments. They remind users not to share OTPs or PINs with anyone and to ensure official websites are accessed directly, not via forwarded links.

CERT-In has issued general warnings about phishing websites mimicking legitimate brands, urging users to check URLs carefully and report suspicious cyber incidents via the cybercrime.gov.in portal.

The 1930 National Cybercrime Reporting Portal helpline is also available to assist victims with filing complaints for prompt investigation.

How to Protect Yourself

1. Access FIFA websites only through verified official links or mobile apps.
2. Never click links received from unknown or unsolicited WhatsApp or email messages.
3. Avoid sharing OTPs, Aadhaar details, or bank credentials on any website except official bank portals.
4. Verify website URLs carefully—check for HTTPS and domain accuracy.
5. Enable UPI transaction limits and alerts through your bank’s official app.
6. Use two-factor authentication with app-based authenticators instead of SMS OTPs where possible.
7. Report suspicious messages or websites immediately to CERT-In and BharatSecure.app for awareness.

What to Do If You’ve Been Targeted

• Immediately contact your bank to block or freeze suspicious accounts or cards.
• File a complaint with the National Cybercrime Reporting Portal at cybercrime.gov.in or call the 1930 helpline.
• Change your bank and UPI app passwords, and check transaction history for unauthorized payments.
• If SIM swap is suspected, visit your mobile service provider urgently to re-secure your phone number.
• Report the phishing website link and message details to BharatSecure.app to help others stay safe.

Frequently Asked Questions

Q: How do I know if a FIFA website is fake?
Check URLs carefully for misspellings or unusual domain names and look for HTTPS with a padlock icon. Official FIFA communications will direct you to authentic domains and avoid asking for sensitive information like OTPs.

Q: Can I get my money back after paying on a fake FIFA site?
Recovering funds from unauthorized UPI or card payments can be difficult. Contact your bank immediately to report the fraud and request transaction reversal. RBI guidelines recommend prompt reporting for the best chance of recovery.

Q: What should I do if I shared Aadhaar or bank details on such a site?
Report to the cybercrime portal and your bank to monitor for misuse. You may also consider Aadhaar locking/unlocking options provided by UIDAI to prevent identity theft.

For any suspicious messages or offers related to FIFA 2026 or other events, always verify on BharatSecure.app and report fraudulent incidents at the 1930 helpline to stay protected.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.