Scam Warning During FIFA World Cup 2022


With the FIFA World Cup 2022 in Qatar kicking off on November 20, the event is one of this year’s most important global events that will attract hundreds of millions of football fans from all over the world. As a result of the buzz surrounding the event, online fraudsters are expected to invariably leverage the event to defraud not only sports fans, as ESET has reported before.

 To protect and warn consumers from falling prey to such scams, ESET researchers have examined the methods that scammers are using in the run-up to the upcoming edition of the quadrennial tournament.

 Lottery scams

 Lottery scams are a tried-and-tested variety of scam. Criminals make victims believe they won a cash prize or a ticket or hospitality package to watch a match in person. The real intention, however, is typically the same: get you to hand over your personal data or money or unwittingly download info-stealing malware into your device.

 ESET researchers have detected a number of global phishing campaigns that seek to trick people into thinking that they won a lottery prize. To collect your “winnings”, it appears that you only need to fill in a few fields via a form and provide personal details, such as your full name, date of birth, and phone number.

 As in the example below, the announcement may come complete with the name of a contact person who will, supposedly, help you claim your prize. At some point, the agent will let you know that before you can actually claim your winnings there is some tax or fee to be paid. Once the transfer is completed, the scammers have accomplished their objectives: they’ve stolen your money and personal information for follow-on fraud or in order to sell it to other crooks.

Figure 1. Fake lottery win announcement that uses the World Cup as a lure

 Rogue websites and ticket scams

 There are also a more convincing variety of phishing fraud that involves rogue websites posing as the real ones. Links to them are also distributed through spam emails, via fake social media profiles or in discussion forums.

 Regardless of whether these sites are spitting images of legitimate sites or not, the key thing is that they are designed to steal personal and financial datalogin credentials and other sensitive information, or as a way to install malware on victims’ devices.

 For example, the website below poses as the official World Cup site, including in its mimicking of the real URL – (take note of the .pro top-level domain in the imposter website shown below). The cybercriminals also created a ‘gateway’ for people to buy their tickets, where the victim must first supply their personal data. Once stolen, this data can be misused or sold immediately to other fraudsters.

Figure 2. Fake copy of the official FIFA World Cup website

 A number of people have already reported being contacted via email by “FIFA officials” who offered tickets for sale. Meanwhile, Reddit users are sharing message exchanges with people offering fake printed tickets. 

Figure 3. Scammers trying to resell “tickets” on Reddit. Source: Reddit.

 In particular, consumers who are still looking to buy tickets to watch any of the games need to beware of scammers. It is worth mentioning that Qatar 2022 only has digital tickets, with the only exception being last-minute, over-the-counter purchases that can only be done in person directly at two possible offices in Doha, Qatar. Resale of unauthorised tickets is prohibited in Qatar and penalties can be very severe. The only way to resell tickets and purchase them is through the official FIFA ticket resale platform.

 Other ways to get scammed

 Beyond traditional methods of scam, a crypto token that was recently launched and received accusations of being a cryptocurrency scam because of the sudden drop it suffered after a sustained rise. Even though its founders have assured that the accusations are false, it is always advisable to be careful when investing money.

 Messages sent via WhatsApp and involving bogus giveaways, fake social media profiles or even malicious ads that redirect you to rogue websites are very common ways to catch consumers by surprise. One must always be on the lookout for suspicious ads and messages and don’t fall for unexpected windfalls. As we have seen in other cases, scammers often take advantage of major events, trending topics or emergencies to ramp up their criminal activity.

 Tips to stay safe

  • You can’t win a lottery if you didn’t buy a ticket. If someone tries to convince you otherwise, it is a scam.
  • Don’t pay someone in order to receive a prize. Advance fee schemes are a way of stealing your money. 
  • Look out for phishing attacks. Don’t click on links or attachments in emails or other messages unless you’re sure they’re legitimate, especially if the messages are unsolicited and request your personal data. 
  • Similarly, watch out for rogue websites. Pay attention to the websites you visit, and always search for grammar and spelling mistakes, weird URLs or a lack of security certificates or other signs that something is amiss, especially if that website is asking for your money or personal information.
  • Don’t hand over your personal information to whoever asks for it – it could be misused for fraud right away or further sold on the dark web.
  • Use two-factor authentication on all accounts, especially those containing your sensitive information. This reduces the chances of hackers cracking them open with stolen/phished passwords.
  • Use reputable, multi-layered security software with anti-phishing capabilities.