Keen for the World Cup? Scammers are too

As World Cup fever sweeps Australia and the globe, consumers are being warned to watch out for sophisticated scams targeting fans of the world game. 

People wanting to buy tickets, merchandise or even simply see when their favourite team is playing are being tricked unwittingly into visiting fraudulent websites that may steal their details and data.

The warning has come from the US Federal Bureau of Investigation, which has sounded the alarm about highly believable domain names that include the words ‘fifa’ ‘ticket’ ‘help’ and ‘services’. 

Closer to home, the NSW Government has also issued similar warnings to fans. 

Here are some common scams to watch out for.

Impersonating real websites

Some websites use a technique called ‘typo squatting’, where scammers mimic a legitimate website, such as the official fifa.com, and misspell the address (like fiffa.com) or add a variation (.help instead of .com).

The NSW Government is warning consumers that fake sites can appear professional, using official logos and realistic login or payment pages, but entering details can lead to identity theft or financial loss.

Cybersecurity company Group-IB has identified more than 4300 domains impersonating FIFA, and says some are sophisticated operations with “pixel-perfect” clones of the official website.

Scammers are tricking unsuspecting fans with images stolen from FIFA’s real-time match page, providing translation in 11 languages, and even emulating the same authentication system for logging in.

Group-IB says most of the fake FIFA web addresses it identified were dormant but ready to be activated once the World Cup drew closer.

This tactic doesn’t just target FIFA sites. Merchandise, hospitality and even job-listing sites have been cloned by scammers to take people’s money and information.

Scammers may also pay to get the top spot in internet searches, so carefully read the site address in sponsored results.

How to avoid these scams:

• Carefully check the spelling of the web address: Is it the original site or a copy?
• Be vigilant: A professional-looking site might still be a scam.
• Never enter your login or personal details into a website you don’t trust. Even a Google login within another site may be counterfeit.
• Use website checking tools like urlscan.io to assess legitimacy, but be aware that some scam sites may still slip through undetected.

Scammers on social media

Fraudsters are also exploiting Meta-owned platforms like Facebook and Instagram to market their scams.

Research from cybersecurity company Bitdefender this year found 55 soccer-related ad campaigns on Meta platforms, spruiking fake merchandise and luring users to sites designed to trick them into handing over information.

Many social media ads for fake products also use AI-generated imagery to lure unsuspecting users.

Cybersecurity company Fortinet also found fake ticket resale sites being spruiked on Telegram channels.

One scam directed users to a fraudulent website, which then sent payment details to their email address, extra layers that Fortinet says help the scam avoid detection.

Fortinet identified emails supposedly from FIFA notifying ticketholders of a change in seating. Recipients were directed to click a link and enter their login details on a fake FIFA site.

What to watch out for:

• The NSW Government warns consumers not to click links from unknown ads, emails or texts.

• Don’t trust social media sites to scrutinise ads on their platforms. Just because it is on Facebook or Instagram doesn’t mean it is safe.

• Scam ads may pressure consumers with “limited time” or “last-minute deals”. These are psychological tactics meant to create a sense of urgency. Don’t rush into anything; slow down and check suspicious-looking ads and sites.

---

Rachel Hynes