Delete This FIFA World Cup Email Immediately If It Lands in Your Inbox

One click on the wrong World Cup giveaway could hand cybercriminals your name, address, and credit card details.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

Millions of fans are following the FIFA World Cup this month, but cybercriminals are watching too.

A phishing campaign tied to the 2026 FIFA World Cup is targeting fans with fake prize and giveaway emails designed to steal personal details and payment card information, according to threat intelligence and security consulting team Unit 42.[1]

The scam uses the FIFA craze as bait. Fans receive emails with personalized subject lines (look out for "<Your name>, Your Champion Award Awaits!") that appear legitimate and promise a World Cup-related reward, prize, or promotion. But instead of leading to a real giveaway, the links send victims through a chain of redirects before landing on a fake checkout page.

That page asks for information such as a name, home address, and full payment card details. Once entered, that information goes to the attackers.

In this article
Why this World Cup scam is hard to spot
The biggest red flag: Being asked to pay for a free prize
How to avoid World Cup phishing scams

Why this World Cup scam is hard to spot

The campaign is more sophisticated than a basic fake email.

The X account for Unit 42 posted that the phishing emails were built to pass standard authentication checks, which can help them slip past spam filters and appear more trustworthy to recipients. You can see the scam in all its moving parts here:

Unit 42 Unit 42 post on the FIFA phishing scam.

It all starts with an email that passes authentication. From there, you're redirected to a geo-cloaked redirector, which then takes you to a fake reward checkout.

Users are bounced through several redirects during the scam, a trick that makes it harder for automated security tools to inspect the original link and immediately flag the final destination as malicious.

The campaign also uses geo-cloaking, meaning visitors may see different content depending on their location. Someone in a region targeted by the attackers may be shown the fake World Cup reward page, while someone else may see harmless or unrelated content.

That helps scammers hide the phishing page from researchers, security crawlers, and users outside their target areas.

The biggest red flag: Being asked to pay for a free prize

The fake World Cup page is designed to look like a reward or prize checkout. But the goal is to collect sensitive information, not send fans a giveaway.

A legitimate prize offer should not require you to enter your full payment card details just to claim something that is supposedly free.

That is the key warning sign in this scam. If an email says you won tickets, merchandise, cash, or another World Cup prize, but then asks for card information, treat it as suspicious.

Scam emails are only getting harder to spot. Learn more about catching phishing emails here.

How to avoid World Cup phishing scams

Here are some tips to keep you ahead of World Cup scams this year:

  • Do not click links in unsolicited emails promising World Cup tickets, merchandise, giveaways, or cash prizes. Instead, visit official websites directly by typing the address into your browser.
  • Check the sender’s email address carefully, especially for misspellings, unusual domains, or addresses that do not match the organization they claim to represent.
  • On desktop, hover over links before clicking to see where they really lead. Be careful with shortened links or URLs that redirect through multiple unfamiliar websites.
  • Never enter payment card details to claim a free prize. If a promotion is real, it should clearly explain who is running it, what the terms are, and why any payment information is required.

If you already entered payment information on a suspicious World Cup prize page, contact your card issuer right away. You may need to cancel the card, dispute charges, or monitor the account for fraud.

You can also report the phishing email to your employer’s security team, your email provider, or a fraud reporting service so others are less likely to fall for the same trap.

The World Cup gives fans plenty to get excited about. But that excitement is exactly what scammers are trying to exploit. The safest move is simple: when a prize sounds too easy, too urgent, or asks for too much information, do not take the bait.

4.8
Editorial Rating
Get Deal
On Aura Identity Theft's website
2026 Editors’ Choice
Best Overall Identity Theft Protection Service
Identity Protection
Aura Identity Theft
PROMOTION: Save Up to 68%
  • ID theft protection that monitors your SSN, bank accounts, credit cards, and brokerage and retirement accounts for suspicious activity
  • Every plan includes the full feature set, so no additional cost to unlock monitoring, insurance, or restoration
  • Bundles data removal with identity theft protection, antivirus, VPN, and a password manager in one subscription

Author Details
Thomas Kent is a multi-disciplined reporter with over a decade of experience covering online platforms, digital trends, and consumer-facing tech. Tom focuses on digital privacy, data tracking, and user behavior, with a particular interest in how cookies, online surveillance, and platform design shape the modern internet experience. His reporting takes a research-driven, news-focused approach, translating complex technical topics into clear, accessible insights.

Citations

[1] Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns