World Cup 2026 scams targeting football fans online
By Dan Kauna, June 8, 2026The 2026 FIFA World Cup kicks off on June 11, 2026 and while millions of football fans are busy planning watch parties and following their favourite squads, a separate group is watching just as closely: cybercriminals.
Security researchers, the FBI, and multiple cybersecurity firms have published urgent warnings this week describing a fraud infrastructure that was already operational well before the first whistle.
Researchers identified more than 4,300 fraudulent domains impersonating FIFA’s official web presence, six parallel fraud schemes and four independent threat actors, with estimated potential losses running into the billions of dollars.
For Kenyan fans following the action online, buying streaming access, placing bets, or engaging football communities on WhatsApp – the threat is real and immediate.
Researchers at Frontiers in Computer Science note that phishing “is considered one of the most pressing cybersecurity threats for all internet users, regardless of their technical understanding and how cautious they are,” with criminals continuously refining their methods as digital platforms grow.
The scams already running
At the most visible level are fake ticketing sites – pages that copy FIFA’s logo, colours and login system so closely that the fake pages load images directly from FIFA’s own servers, making them appear authentic and harder for standard security tools to flag.
Researchers also found counterfeit merchandise shops, bogus streaming sites that take a subscription fee and then install malware, and fake betting platforms that collect passport scans and selfies for identity theft.
Mario Micucci, a cybersecurity researcher at ESET Latin America, explains how streaming fraud works: “The objective is to steal access credentials, cards, and banking data, among other sensitive and personal information,” he says of platforms that lure users with free or cheap match access before harvesting their data.
On WhatsApp and Telegram, the version Kenyan fans are most likely to encounter involves match prediction groups.
These channels promise inside tips, often backed by fake testimonials and urgent countdown timers, before directing members to fraudulent betting platforms that mirror legitimate bookmakers.
Law enforcement specifically flagged cryptocurrency, wire transfers, peer-to-peer payment apps and gift cards as the payment methods most commonly demanded – all difficult or impossible to reverse once sent.
How to protect yourself
Always access FIFA ticketing and official content through ‘fifa.com’ typed directly into your browser – never through a link in a WhatsApp message, SMS, or sponsored social media post.
Authorities advised fans to purchase tickets only through FIFA’s official channels and to avoid relying on links distributed through social media posts, messaging apps, text messages, or sponsored advertisements.
Check the full URL carefully before entering any personal data. Criminals use typo-squatting (domain names that closely resemble legitimate websites but contain small spelling changes) to deceive users who are searching quickly or clicking in haste.
A site ending in ‘.shop’, ‘.store’ or ‘.site’ claiming to sell World Cup tickets should be treated as a red flag.
For streaming, only use verified platforms you already know. In Kenya, that means DSTV Now, SuperSport, or any broadcaster that holds confirmed rights.
Streaming applications distributed outside official app stores can request invasive permissions that allow the extraction of data from your device. If an app asks for access to your contacts, messages or banking details to watch a football match, delete it.
Finally, if someone in a WhatsApp group is promising match predictions for a fee, or directing you to a betting site you have never heard of, report and exit. No genuine tipster needs your M-Pesa PIN or ID scan.
The World Cup is 104 matches of football spread across three countries. Enjoy every minute of it, just make sure the only thing at stake is bragging rights, not your money or information.