FIFA scams shift focus from fans to employees, CUJO AI finds



Press Release

Major global sporting events have always attracted opportunistic fraud. The 2026 FIFA World Cup, played across the United States, Canada, and Mexico, is no exception. Every major cybersecurity vendor, and the FBI itself, has published warnings about the surge in FIFA-branded scam domains ahead of the tournament. That coverage has focused almost entirely on fan-facing fraud such as fake ticket sites, counterfeit merchandise stores, and phishing emails targeting supporters. But what CUJO AI’s Security Research Laboratory has unearthed is a separate, targeted campaign employing fake FIFA job portals designed to harvest corporate credentials from would-be job applicants. 

The targeting mechanism no one is talking about 

The researchers identified 21 domains posing as FIFA recruitment pages. These sites presented as professional-looking careers portals, carrying official FIFA branding, stolen recruiter profiles with photographs and job titles, and an invitation to schedule a 30-minute phone call via Google Calendar (Figure 1). Examples included fifa-careerhub[.]com, fifa-careerportal[.]com, and fifajobs[.]com. 

Figure 1: A fake FIFA recruitment portal presenting official branding, a stolen recruiter identity, and a Google Calendar booking prompt. 

When attempting to sign in with a personal email address, the form returned the message “Please use your work or business email” (Figure 2). Personal email providers that triggered this response included: gmail.com, googlemail.com, yahoo.com, msn.com, icloud.com, live.com, hotmail.com, outlook.com, protonmail.com, and aol.com. This mechanism was clearly designed to coerce victims into exposing their corporate login credentials and is in line with the campaign’s objective to access corporate Google Workspace accounts.

Figure 2: The email validation error returned when a personal email address is submitted. The JavaScript filter accepts only work or business email domains. 

What happens after the email check passes 

Applicants who passed the email check were then sent to a page impersonating a Google Calendar booking interface, where they were prompted to sign in with their Google Workspace account. This page hosted a malicious sign-in service that then sent the victim’s login credentials to a backend server hosted on “fifa2026back”. The backend domain was accessed via an obfuscated string that replaced each letter “a” with the characters “eq”, a technique commonly used to avoid detection by automated keyword-matching systems. 
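For defenders who scan page source for known indicators, the substitution described above can be handled by searching for the encoded form of each watchlist term as well as the plain one. The following Python sketch is an added example, not CUJO AI's tooling; the function names and the sample script fragment are constructed for illustration, and the encoded string is derived only from the rule stated in the text.

```python
import re

# Plain-text indicator named in the write-up; extend with your own watchlist.
WATCHLIST = ["fifa2026back"]

def eq_encode(term: str) -> str:
    """Apply the substitution the article describes: each 'a' becomes 'eq'."""
    return term.replace("a", "eq")

def scan(source: str, watchlist=WATCHLIST):
    """Return (term, form, offset) for every plain or eq-encoded occurrence.

    The needle is encoded rather than the haystack decoded: rewriting every
    'eq' in the page to 'a' would mangle ordinary words such as 'request'.
    """
    lowered = source.lower()
    findings = []
    for term in watchlist:
        needles = {"plain": term.lower()}
        encoded = eq_encode(term.lower())
        if encoded != needles["plain"]:      # terms without 'a' have one form only
            needles["eq-encoded"] = encoded
        for form, needle in needles.items():
            for match in re.finditer(re.escape(needle), lowered):
                findings.append((term, form, match.start()))
    return sorted(findings, key=lambda f: f[2])

# Constructed sample, not taken from the real kit: a script fragment that
# carries the backend name in encoded form next to an innocent 'request'.
SAMPLE = 'var host = "fifeq2026beqck"; sendRequest(host);'

if __name__ == "__main__":
    # A plain substring check misses the encoded name; scan() reports it.
    print("naive match:", "fifa2026back" in SAMPLE)
    for finding in scan(SAMPLE):
        print(finding)
```
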

Victims were likely directed to these pages via social media posts and phishing messages framed as outreach from FIFA recruiting contacts. Research published by Group-IB covering the broader 2026 FIFA fraud landscape documents similar referral mechanisms across multiple campaigns targeting the tournament. 

WHOIS records for the 21 identified domains revealed that most were registered via name.com between April and May 2026. All registrant countries in the dataset were the United States. 

By the time of CUJO AI’s analysis, most of the domains had been replaced by parking pages serving generic search links through a commercial domain monetisation service (Figure 3). This pattern is common to short-lived phishing campaigns where infrastructure is stood down after the active window closes, with registered domains held for future use or left to generate residual ad revenue. 

Figure 3: A parked page returned by one of the identified domains, indicating the active campaign phase had concluded. 

A broader pattern: the same kit, different brands 

The phishing kit deployed in this operation was not specific to FIFA. The same infrastructure and approach have been used in campaigns impersonating Heineken, Hilton, Coca-Cola, Netflix, PepsiCo, Delta, and Spotify, each using a different stolen recruiter identity sourced from LinkedIn. Arctic Wolf identified at least ten FIFA-specific phishing domains active as of late May 2026. 

The timing of domain registrations is shown in Figure 4, based on WHOIS creation dates across the identified domain set. The concentration in April and May 2026 aligns with a measurable increase in FIFA-related threat traffic observed across CUJO AI-protected networks during the same period. 

Figure 4: FIFA-related scam domain registrations per month, based on WHOIS creation dates. 

The operator’s position: visibility before the credential is submitted 

DNS lookups to these fake job portals, and the subsequent traffic to credential-harvesting backends, passed through network operator infrastructure regardless of whether the operator was aware of the campaign. Every subscriber who searched for a FIFA job and clicked on one of these domains generated a DNS query on the operator’s network before any interaction with the malicious site had taken place. 

This is precisely where the benefits of network-layer intelligence shine. Operators who can see DNS resolution patterns in real time, and who have access to aggregated threat signals across large network footprints, are afforded the opportunity to identify and block these domains before a single credential is entered. Operators without that visibility are dependent on endpoint security, which in a BYOD or remote-work context may not be deployed on the device the employee is using when they fall for the scam. 
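As an illustration of that network-layer check, the Python sketch below flags DNS queries for names that pair the FIFA brand with recruitment wording and counts the distinct subscribers behind each one. It is an added example, not CUJO AI's detection logic; the log format, the keyword list, the `fifa.com` allowlist and the `.example` domains are assumptions constructed for the demonstration.

```python
from collections import defaultdict

BRAND = "fifa"
JOB_WORDS = ("career", "job", "recruit", "hiring", "talent")  # assumed keyword list
OFFICIAL_SUFFIXES = ("fifa.com",)  # assumption: allowlist of genuine FIFA domains

def refang(name: str) -> str:
    """Normalise a query name: lower-case, no trailing dot, '[.]' back to '.'."""
    return name.strip().lower().rstrip(".").replace("[.]", ".")

def is_suspect(qname: str) -> bool:
    """True when a non-allowlisted name combines the brand with a job keyword."""
    name = refang(qname)
    if any(name == s or name.endswith("." + s) for s in OFFICIAL_SUFFIXES):
        return False
    squashed = name.replace("-", "")   # 'fifa-career-hub' reads as 'fifacareerhub'
    return BRAND in squashed and any(word in squashed for word in JOB_WORDS)

def suspect_client_counts(log_lines):
    """Map each suspect domain to the number of distinct clients that queried it."""
    clients = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:            # skip malformed or truncated records
            continue
        _timestamp, client, qname, _qtype = parts
        if is_suspect(qname):
            clients[refang(qname)].add(client)
    return {domain: len(ips) for domain, ips in clients.items()}

# Constructed resolver log: "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_LOG = [
    "2026-05-02T09:14:03Z 192.0.2.10 fifa-jobs-portal.example A",
    "2026-05-02T09:14:09Z 192.0.2.11 FIFA-Jobs-Portal.example. A",
    "2026-05-02T09:15:40Z 192.0.2.10 www.fifa.com A",
    "2026-05-02T09:16:02Z 192.0.2.12 careers.fifa.com.login.example AAAA",
    "truncated record",
]

if __name__ == "__main__":
    for domain, count in sorted(suspect_client_counts(SAMPLE_LOG).items()):
        print(f"{domain}: {count} distinct client(s)")
```

The second suspect in the sample shows why the allowlist matches on the registered suffix rather than on a substring: a name that merely contains `fifa.com` as a leading label is still flagged.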

Regulatory pressure is moving in the same direction, with NIS2 and the UK’s Online Safety Act both pushing operators toward more active roles in the detection and blocking of harmful traffic on their networks.

What this campaign reveals 

For operators, the takeaway of our research is that phishing campaigns are becoming more selective, more targeted, and more focused on corporate access than ever before. 

Every interaction with these domains began on the operator’s network. Long before credentials were entered, DNS requests, domain lookups, and traffic patterns provided signals that a campaign was active. Operators with visibility into those signals have an opportunity to disrupt attacks before they reach enterprise accounts.

The 2026 FIFA World Cup will be remembered for the matches played on the field. But for network operators and security teams, it may also be remembered as a case study in how modern phishing campaigns identify, qualify, and target victims long before credential thefts occur.