All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
- All About Cookies makes money when you click the links on our site to some of the products and offers that we mention. These partnerships do not influence our opinions or recommendations. Read more about how we make money.
- Partners are not able to review or request changes to our content except for compliance reasons.
- We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we cannot guarantee we haven't missed something. It's your responsibility to double-check all information before making any decision. If you spot something that looks wrong, please let us know.
Millions of fans are following the FIFA World Cup this month, but cybercriminals are watching too.
A phishing campaign tied to the 2026 FIFA World Cup is targeting fans with fake prize and giveaway emails designed to steal personal details and payment card information, according to threat intelligence and security consulting team Unit 42.[1]
The scam uses the FIFA craze as bait. Fans receive emails with personalized subject lines (look out for "<Your name>, Your Champion Award Awaits!") that appear legitimate and promise a World Cup-related reward, prize, or promotion. But instead of leading to a real giveaway, the links send victims through a chain of redirects before landing on a fake checkout page.
That page asks for information such as a name, home address, and full payment card details. Once entered, that information goes to the attackers.
The biggest red flag: Being asked to pay for a free prize
How to avoid World Cup phishing scams
Why this World Cup scam is hard to spot
The campaign is more sophisticated than a basic fake email.
The X account for Unit 42 posted that the phishing emails were built to pass standard authentication checks, which can help them slip past spam filters and appear more trustworthy to recipients. You can see the scam in all its moving parts here:
It all starts with an email that passes authentication. From there, you're redirected to a geo-cloaked redirector, which then takes you to a fake reward checkout.
Users are bounced through several redirects during the scam, a trick that makes it harder for automated security tools to inspect the original link and immediately flag the final destination as malicious.
The campaign also uses geo-cloaking, meaning visitors may see different content depending on their location. Someone in a region targeted by the attackers may be shown the fake World Cup reward page, while someone else may see harmless or unrelated content.
That helps scammers hide the phishing page from researchers, security crawlers, and users outside their target areas.
The biggest red flag: Being asked to pay for a free prize
The fake World Cup page is designed to look like a reward or prize checkout. But the goal is to collect sensitive information, not send fans a giveaway.
A legitimate prize offer should not require you to enter your full payment card details just to claim something that is supposedly free.
That is the key warning sign in this scam. If an email says you won tickets, merchandise, cash, or another World Cup prize, but then asks for card information, treat it as suspicious.
How to avoid World Cup phishing scams
Here are some tips to keep you ahead of World Cup scams this year:
- Do not click links in unsolicited emails promising World Cup tickets, merchandise, giveaways, or cash prizes. Instead, visit official websites directly by typing the address into your browser.
- Check the sender’s email address carefully, especially for misspellings, unusual domains, or addresses that do not match the organization they claim to represent.
- On desktop, hover over links before clicking to see where they really lead. Be careful with shortened links or URLs that redirect through multiple unfamiliar websites.
- Never enter payment card details to claim a free prize. If a promotion is real, it should clearly explain who is running it, what the terms are, and why any payment information is required.
If you already entered payment information on a suspicious World Cup prize page, contact your card issuer right away. You may need to cancel the card, dispute charges, or monitor the account for fraud.
You can also report the phishing email to your employer’s security team, your email provider, or a fraud reporting service so others are less likely to fall for the same trap.
The World Cup gives fans plenty to get excited about. But that excitement is exactly what scammers are trying to exploit. The safest move is simple: when a prize sounds too easy, too urgent, or asks for too much information, do not take the bait.