Welcome to Prevent This, our weekly community newsletter covering cybersecurity for everyone. If you found us through Intruvent Edge, our bi-weekly technical deep dive, welcome. Both live on the same Substack. Feel free to share either one. We’re glad you’re here.

The 2026 FIFA World Cup kicks off June 11 across the United States, Canada, and Mexico. It is the biggest sporting event on earth, the first World Cup in North America in over 30 years, and scammers have been preparing for it longer than most fans have.

The FBI issued a Public Service Announcement last week warning that threat actors have built thousands of fake FIFA websites to steal personal information and sell tickets that do not exist. Researchers at Group-IB found over 4,300 fraudulent domains mimicking fifa.com. One criminal group alone, a Chinese-speaking operation called Ghost Stadium, built pixel-perfect FIFA replicas across 300+ domains in 11 languages.

The World Cup is just the latest target. The same playbook runs year-round against anyone buying tickets to concerts, NFL games, festivals, Broadway shows, and anything else that sells out. One in three Americans has fallen victim to a ticket scam. If you have ever bought a ticket online, this applies to you.

Ticket fraud is surging across the board. Reports of concert ticket scams rose 127% in 2024. One in eight Americans who bought tickets online in the last two years was defrauded. The average loss: $303 per person, according to the Better Business Bureau. For premium events (VIP packages, multi-day festivals, international matches), victims routinely lose over $1,000.

Every major event creates a spike. The World Cup is producing the largest one researchers have ever seen: over 7,000 World Cup-themed domains registered in the last five months, more than 1,000 already live and running scams, and over 1,000 fake social media accounts impersonating FIFA across every major platform. But the tactics are identical whether the target is a World Cup final or a Taylor Swift concert. If you know how to spot the scam once, you can spot it everywhere.

How It Works

Ticket scams fall into three categories, and they all rely on the same thing: you are in a hurry because the event is selling out, and you skip the step where you verify whether the seller is real.

Fake websites account for 38% of ticket fraud reported to the BBB. Scammers build sites that look nearly identical to Ticketmaster, AXS, or an event’s official page. The URLs are close but not quite right: ticktmaster.com instead of ticketmaster.com, or fiffa.com instead of fifa.com. The FBI calls this typosquatting. The sites show real event dates, real venue photos, and real-looking seat maps. When you pay, the money goes to the attacker. The BBB currently lists over 250 reported scams from fake Ticketmaster sites alone.

Social media sellers account for another 52%. Facebook, Instagram, X, TikTok, and resale groups on messaging platforms are flooded with people claiming to have tickets at face value or below. Some post fake screenshots of mobile tickets. Others build trust through comments and DMs over several conversations before sending a payment link. Once you send money through Venmo, Zelle, Cash App, or crypto, it is gone. There is no chargeback. There is no recourse. The seller disappears.

Account takeovers target people who already have tickets. Fake login pages for Ticketmaster, AXS, or FIFA steal your credentials. The attacker changes the password, locks you out, transfers the tickets to their own account, and resells them. At Coachella 2026, fans were stranded at the gates after discovering their StubHub accounts had been hacked and their wristbands sold to someone else.

Who Gets Hit Hardest

Younger buyers. 28% of victims are 25 to 34, and another 26% are 18 to 24. These are the age groups most likely to buy tickets through social media and peer-to-peer payment apps, which are the two highest-risk channels.

The Dutch National Police proved how easy it is to fall for this. They built a fake ticket site, ran ads for “exclusive tickets” to sold-out concerts, and tracked the results. Out of 7,402 people who visited the site, 3,432 tried to buy tickets. Nearly half. The site redirected them to a police warning page instead of taking their money. Most real scam sites do not extend that courtesy.

What Can You Do?

Before You Buy

1. Go directly to the source. Type the venue or ticketing platform’s URL into your browser. Do not click search ads, email links, or social media posts. Scammers buy sponsored search results that appear above the real site. If you are buying World Cup tickets, type fifa.com. If you are buying concert tickets, go to the venue’s website or the official ticketing partner listed there.

2. Verify the URL before entering payment information. Look for misspellings, extra characters, or unusual domain endings. ticketmaster.com is real. ticktmaster.com, ticketmaster-sales.net, and ticketmasterofficial.org are not.

3. Use authorized resale platforms only. If the event is sold out, stick to the official resale marketplace (Ticketmaster’s resale platform, AXS’s official resale, FIFA’s resale portal). These verify ticket authenticity before completing the transfer.

When You Pay

1. Pay with a credit card. Credit cards offer fraud protection and chargeback rights. Debit cards pull directly from your bank account and are harder to dispute. Wire transfers, Zelle, Venmo, Cash App, crypto, and gift cards are irreversible. If a seller will only accept one of those, walk away.

2. Be suspicious of “deals.” Sold-out events do not have discount tickets floating around the internet. If the price is significantly below face value, the tickets do not exist. If the price is significantly above face value and the seller is not on an authorized resale platform, you have no guarantee of authenticity.

After You Buy

1. Lock down your ticketing accounts. Enable multi-factor authentication on Ticketmaster, AXS, StubHub, and any event-specific account (FIFA, etc.). Use a unique password for each. Account takeovers are how people lose tickets they already paid for.

2. Do not click login links from emails or texts. Go directly to the platform and log in from there. Phishing emails impersonating ticketing companies are common around major events.

3. Be wary of “ticket transfer” messages. If you receive an unexpected notification that your tickets have been transferred, log into your account immediately (directly, not through the notification link) and check.

The Bottom Line

One in three Americans has been scammed buying tickets. The average loss is $303. The World Cup is producing the largest ticket fraud operation ever documented online, with thousands of fake websites and organized criminal groups targeting fans worldwide. But the techniques are the same ones used against concert-goers, football fans, and festival attendees every week of the year. Learn to spot it now and you are protected for everything that comes after.

The defense is the same whether you are buying World Cup tickets or floor seats to see your favorite artist:

1. Go to the source. Type the URL yourself. Never click an ad or a link.

2. Pay with a credit card. Never Zelle, Venmo, crypto, or gift cards.

3. If it is sold out everywhere except one random website offering a deal, that website is the scam.

Share this with anyone who buys tickets online. That is most of us.

If you or someone you know has been victimized:

• FBI IC3: ic3.gov

• FTC: ReportFraud.ftc.gov or 877-382-4357

• Your credit card company: Dispute the charge immediately

• BBB Scam Tracker: bbb.org/scamtracker

Sources

• FBI IC3: Threat Actors Spoofing FIFA Websites (May 27, 2026)

• AARP: How to Avoid Sports and Concert Ticket Scams

• Surfshark: Concert Ticket Fraud Research (127% increase, BBB data)

• Malwarebytes: Dutch Police Fake Ticket Experiment

• The Record: Ghost Stadium / Group-IB

• FTC: StubHub $10M Settlement (April 2026)

• CyberandFraudHub: Avoiding Ticket Scams

• BleepingComputer: FBI Warns of Fake FIFA Websites

Prevent This is a weekly cybersecurity newsletter from Intruvent Technologies. Each week, we break down one cyber threat in plain language and give you the tools to protect yourself and the people you care about. For our bi-weekly technical deep dive, check out Intruvent Edge.