CJMY
Football fans streaming the World Cup 2026 online are being actively targeted by cybercriminals. Kaspersky has detected at least 336 unique fake domains mimicking official tournament resources since the competition kicked off on 11 June.
The firm warns that fraudulent activity is growing in step with fan engagement — and three distinct scam types are already in circulation.
The threats are not limited to one language or platform. Kaspersky’s researchers have identified fraudulent schemes operating in English, Spanish, and Portuguese, targeting fans across multiple regions who are watching matches or placing bets online.
How fake streaming sites steal your money and data
Fraudulent websites are promising fans free access to live World Cup matches. The setup appears legitimate — users land on a page that looks like a broadcast platform and click “Watch now.” From there, the site prompts them to register with personal details before requesting a cryptocurrency payment for what it calls “lifetime tournament access.”
The danger is twofold. Victims lose both their registration credentials and their cryptocurrency funds in a single interaction. Unlike credit card disputes, cryptocurrency transactions are largely irreversible, making recovery extremely unlikely.
What makes these sites convincing is their design. Attackers invest in building pages that mimic the visual style of official broadcasters, making it harder for casual users to spot the fraud before they have already handed over their details.
Kaspersky’s Senior Web Content Analyst Olga Altukhova notes that this is a deliberate targeting strategy. “Since the start of the tournament, scammers have increasingly focused on the ways fans engage with the event online, as watching matches today requires only an internet connection and a device,” she said.
Fake betting platforms are harvesting personal data at scale
Fraudulent betting and match prediction sites represent a second major threat. Kaspersky identified a Spanish-language platform that asked users for their full name, email address, and phone number simply to create an account. A separate Portuguese-language site displayed a match schedule to appear credible before requesting the same personal information.
This type of data collection carries risks well beyond the fake platform itself. Users who reuse the same password across services are particularly exposed. A compromised email and password combination can unlock access to banking apps, e-commerce accounts, and social media profiles simultaneously.
The multi-language approach shows that these operations are organised and scaled. Attackers are not running one-off scams — they are running parallel campaigns across different regions and languages, targeting the broadest possible audience during peak tournament interest.
Credential theft from fake betting sites is also difficult to detect immediately. Users may not realise their data has been harvested until they notice unauthorised activity on unrelated accounts weeks later.
Phishing emails are adding a third layer of pressure
Beyond fake websites, attackers are also reaching fans directly through their inboxes. Kaspersky observed a campaign targeting users in Australia, with emails advertising football analytics and match winner prediction services. Recipients were asked to pay A$200 for access.
The emails used urgent language to push quick decisions — a classic pressure tactic designed to bypass critical thinking. Urgency cues such as limited-time offers and countdown language are among the most reliable indicators of a phishing attempt, and their presence in these campaigns is deliberate.
Unlike fake websites, phishing emails can bypass users who are careful about which links they click. They arrive in inboxes from addresses that appear credible, often spoofing legitimate-sounding service names. A convincing subject line is enough to get an open, and from there the financial harm can follow quickly.
Kaspersky flagged this email type as particularly risky because the financial loss — paying A$200 for a service that does not exist — is immediate and hard to dispute once the payment clears.
Steps fans can take right now
Kaspersky recommends four practical measures for fans watching or betting online for the remainder of the tournament. First, verify every website before entering personal data — check the URL carefully for misspellings or unusual domain extensions.
Second, use only official and reputable streaming platforms. If a site offers free access to a match that costs money on legitimate services, treat it as a red flag and close the tab.
Third, enable multi-factor authentication on all financial accounts, email, and social media. Regularly review bank statements and app transaction histories for activity you do not recognise.
Fourth, use a security solution that actively blocks phishing links and flags malicious attachments. Kaspersky’s Premium product received an ‘Approved’ certification from AV-Comparatives in 2025 for its anti-phishing capabilities.
The firm is offering up to 23% off Kaspersky Premium until 30 June for users who want to bolster their protection during the tournament.
If you have been targeted — Report it immediately
If you believe you have fallen victim to an online scam — whether through a fake streaming site, fraudulent betting platform or phishing email — contact the National Scam Response Centre (NSRC) immediately. The NSRC hotline at 997 operates 24 hours a day and any call is recognised as an official police report — you do not need to visit a police station separately.
When you call, have your personal details, the scammer’s contact information, a timeline of events and any transaction details ready. Also contact your bank’s 24-hour hotline at the same time — the faster you report, the better the chance of intercepting any funds transferred.
In Malaysia, online financial fraud can also be reported through the Royal Malaysia Police’s Commercial Crime Investigation Department (CCID) portal at ccid.rmp.gov.my.
C. Khor
Maran Perianen
Yalinie Mathan
Add comment