Jun 30
/
Latest News
Fraud Networks Built Months Ahead of FIFA World Cup 2026, Check Point Warns
Cybercriminals had already constructed and deployed large portions of their fraud infrastructure before the FIFA World Cup 2026 kicked off on June 11, according to new findings from Check Point Research.
Threat actors prepared months in advance, coordinating activity across financial services, transportation, hospitality, and gambling sectors and operating in at least ten languages. One of the most concerning findings is that more than one‑third of official FIFA partners lack sufficient DMARC enforcement, leaving them unable to block email impersonation. With airlines, hotels, broadcasters, merchandise vendors, and catering companies all part of the sprawling World Cup supply chain, every procurement email becomes a potential interception point—especially under the high‑pressure, high‑volume conditions of a global tournament.
Fraudulent sportsbook apps surged dramatically as the event approached. A controlled comparison across eight major brands found zero impersonator apps in the 2025 baseline period but 64 in the pre‑tournament window—roughly 60 times higher. Most activity was concentrated on Google Play, with at least five developer accounts publishing multi‑brand spoofed apps within hours or days of each other. Beyond app stores, Russian‑language Telegram channels posed as tipster services, funneling users through referral links to generate commissions on fraudulent deposits.
Travel and hospitality scams were also staged well ahead of kickoff. Check Point tracked FIFA‑themed lookalike domains registered between November 2025 and May 2026, with April alone accounting for 21.9% of all registrations. Hotels and lodging brands made up 56% of targets, while travel and tour companies accounted for another 27%. Many domains used the .top TLD—favored by phishing actors for its low cost and lax abuse response—and some were configured with MX records, enabling email interception and password‑reset hijacking.
Check Point reports a 99% takedown success rate and an average remediation time of 12 hours for this type of pre‑positioned infrastructure. The company warns that organizations in financial services, travel, hospitality, and gambling should treat the current period as elevated—not because threats began with the opening match, but because attackers were already in place long before it started.
Threat actors prepared months in advance, coordinating activity across financial services, transportation, hospitality, and gambling sectors and operating in at least ten languages. One of the most concerning findings is that more than one‑third of official FIFA partners lack sufficient DMARC enforcement, leaving them unable to block email impersonation. With airlines, hotels, broadcasters, merchandise vendors, and catering companies all part of the sprawling World Cup supply chain, every procurement email becomes a potential interception point—especially under the high‑pressure, high‑volume conditions of a global tournament.
Fraudulent sportsbook apps surged dramatically as the event approached. A controlled comparison across eight major brands found zero impersonator apps in the 2025 baseline period but 64 in the pre‑tournament window—roughly 60 times higher. Most activity was concentrated on Google Play, with at least five developer accounts publishing multi‑brand spoofed apps within hours or days of each other. Beyond app stores, Russian‑language Telegram channels posed as tipster services, funneling users through referral links to generate commissions on fraudulent deposits.
Travel and hospitality scams were also staged well ahead of kickoff. Check Point tracked FIFA‑themed lookalike domains registered between November 2025 and May 2026, with April alone accounting for 21.9% of all registrations. Hotels and lodging brands made up 56% of targets, while travel and tour companies accounted for another 27%. Many domains used the .top TLD—favored by phishing actors for its low cost and lax abuse response—and some were configured with MX records, enabling email interception and password‑reset hijacking.
Check Point reports a 99% takedown success rate and an average remediation time of 12 hours for this type of pre‑positioned infrastructure. The company warns that organizations in financial services, travel, hospitality, and gambling should treat the current period as elevated—not because threats began with the opening match, but because attackers were already in place long before it started.
Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).
Our Newsletter
Get regular updates on CPE programs, news, and more.
Thank you!
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.
Get started
Let us introduce our school
Write your awesome label here.