FBI, cybersecurity firms warn of spoofing sites, malicious apps, DDoS, weak Wi‑Fi; travelers face pickpocketing, card fraud, kidnappings in host cities.

Travelers and fans attending the 2026 FIFA World Cup across the United States, Mexico, and Canada face a surge in cyber threats centered on phishing, fraudulent ticketing, distributed denial-of-service (DDoS) attacks, and targeting of tournament infrastructure.

Multiple cybersecurity firms and government agencies have issued urgent warnings about the evolving threat landscape.

The FBI has warned that cyber threat actors are conducting spoofing attacks, with more than 174 fake World Cup websites detected impersonating official FIFA portals. Millions of phishing emails have targeted tournament staff, broadcasters, and officials, attempting to steal credentials and financial information.

Preparing for the cyber chaos

Commercial firms such as Palo Alto Networks’ Unit 42 have released comprehensive advisories highlighting the tournament’s massive attack surface. The firm warns fans about fake FIFA websites, fraudulent ticketing portals, credential-stuffing attacks on travel and accommodation accounts, and malicious apps distributed through fake schedules. Scammers are also distributing malware through sideloaded applications that fans install thinking they are legitimate. The firm recommends disabling Wi‑Fi auto-join, removing networks after use, and keeping mobile devices fully patched.

Radware’s strategic cybersecurity advisory for the 2026 World Cup emphasizes that attackers are leveraging cloned ticketing sites, fake visa offers, and coordinated DDoS attacks to disrupt services during high-profile matches. The advisory notes that vendors and venues supporting tournament operations are also being targeted, with potential impacts extending beyond individual fans to critical infrastructure.

Kaspersky has released a report claiming that 17% of public hotspots across Mexico City, Guadalajara, and Monterrey had weak or no encryption upon being tested. Only 2.9% were using the latest WPA3 protocol. Even 45% of networks labeled “secure” still exposed WPS, an outdated feature vulnerable to exploitation.

Key protection measures from security experts

  • Buy tickets only from official FIFA channels and verify every website URL
  • Avoid clicking links in unsolicited emails or messages
  • Enable multi-factor authentication on all accounts, especially travel and payment services
  • Do not sideload apps; verify every FIFA app against official stores
  • Keep devices and applications fully updated with security patches
  • Disable file sharing and AirDrop on devices
  • Use strong, unique passwords with two-factor authentication
  • Avoid public Wi-Fi hotspots if possible: use your own prepaid internet connectivity plans, and turn on your VPN to encrypt data

Finally, do not forget the non-cyber threats that always lurk in every crowded event venue: Government travel advisories and local security reports confirm that pickpocketing, bag snatching, credit/debit card fraud/cloning, ATM fraud, express kidnappings, car-jackings, and (face-to-face) scams are the most common non-cyber threats for visitors to Mexico City, Guadalajara, and Monterrey.