Seven Red Flags to Watch Out for to Avoid a 2026 World Cup Ticket Scam

May 13, 2026

By Assaf Morag, Cybersecurity Researcher

The “country” of Velmoraon has no flag, no FIFA ranking, and no population. However, a scammer online has tickets available for the upcoming Germany and Velmoraon match. This instance wasn’t an outlier. In fact, before that, he had also confirmed availability for an Italy vs. Russia match that doesn’t exist (Italy did not qualify, and Russia is suspended from international competition). He went on to provide a photoshopped ticket with the Milano Cortina 2026 Winter Olympics logo instead of the FIFA World Cup logo. 

In dozens of engagements with suspected threat actors across social media, we encountered the same pattern: every ticket is available, every price is negotiable, every identity is fabricated, and every payment method is fast and irreversible. What makes this wave of scams particularly dangerous is not just the volume, but the level of coordination and realism. From polished fake websites and AI-generated identities to convincing social engineering tactics and fast, irreversible payment methods, today’s ticket scams are designed to mimic legitimate transactions with alarming accuracy. For the average fan, the line between real and fake is becoming increasingly difficult to distinguish.

About this World Cup Series

The United States, Canada, and Mexico have been selected to host the 2026 FIFA World Cup. As of early April 2026, the lineup of all 48 teams set to compete in the final stage is now complete. 

How are threat actors responding? What’s already emerging across deep and dark web communities?

This blog is part of Flare’s World Cup 2026 Cybercrime Series, a collection of focused research pieces examining the evolving threat landscape surrounding the tournament. The series explores key areas including phishing infrastructure, fraud and scams, infostealer attacks, illegal streaming services, illicit betting platforms, insider threats, and other cybercriminal activities targeting the 2026 World Cup. 

Key Findings About World Cup Ticket Scammers

  • 100% of suspected scammers had newly created social media profiles (days to months old), while legitimate scalpers consistently operated from accounts dating back to 2007-2018. The scammer profiles followed a repeatable pattern: attractive photos, North American names and affiliations, and dozens of identical replies across ticket trading groups saying, “I got 4 tickets.”
  • Scammers confirmed availability for entirely fictitious matches without hesitation, including games involving teams that did not qualify (Italy), teams suspended from competition (Russia), and a country that does not exist (Velmoraon). This confirms that these actors have no tickets to sell and are operating from scripts rather than actual inventory.
  • Multiple scammers shared identical bank account details, indicating either coordinated fraud groups or shared mule account services. We traced the names and payment identifiers from these conversations to fresh stealer logs and leaked credential lists, revealing an underground supply chain where compromised identities and pre-aged social media accounts fuel the scam ecosystem.
  • Every scammer pushed fast, irreversible payment methods (Zelle, Apple Pay, PayPal Friends and Family, Chime, cryptocurrency, gift cards) and specifically instructed victims to avoid buyer-protected payment options. When pressed for bank transfers, scammers offered cryptocurrency or gift cards as alternatives.
  • Price flexibility is the clearest behavioral red flag. Scammers accepted 40-50% discounts without negotiation, agreed to incorrect math that further reduced totals, and claimed to sell tickets below their own stated purchase price. Legitimate scalpers negotiate to protect their margins; scammers agree to anything because they are selling nothing.

Fraud & Scam Intelligence

Trace the Infrastructure Behind Organized Fraud Campaigns

Flare monitors stealer logs, leaked credential lists, and underground markets to uncover the supply chain fueling fraud ecosystems.

Stealer log and leaked credential correlation
Lookalike domain detection

When Millions of Dollars are Involved…Scammers Exploit Buyers

The supply and demand imbalance for the 2026 World Cup tickets is massive. 

The 1994 United States World Cup drew the largest crowd, with a total attendance of 3,587,538 fans, and this record is expected to be broken this year. According to Reuters, FIFA said there are just over seven million tickets for the entire tournament, while more than 500 million ticket requests have been submitted so far (with some fans submitting multiple ticket requests).

Where demand outpaces supply at this scale, crime flourishes. In this case, cybercrime exploits online transactions, fast and difficult-to-reverse payments, and strong layers of anonymity.

Who is Exploiting Fans?

Not all threats are created equal. From advanced cybercriminal infrastructures to low-tech fraudsters and profit-driven scalpers, each group exploits fan demand in different ways:

Cybercriminals

Highly organized and technically advanced actors operating at scale. They build phishing ecosystems, deploy malware (mobile and desktop), and leverage mule bank accounts. Their operations resemble full-stack enterprises, complete with infrastructure, automation, and monetization pipelines targeting World Cup demand. They typically aim for high-value payouts, seeking to extract thousands of dollars from each fraud incident.

Scammers and Fraudsters

Low-tech but highly effective actors who rely on psychology rather than technology. They exploit urgency, trust, and fan excitement, posing as sellers, agencies, or “insiders” to manipulate victims into sending money. Their strength lies in social engineering, not infrastructure. They typically pursue smaller, more frequent gains and often offer tickets below market value to quickly build trust and secure fast payments.

Ticket Scalpers

Operating in the gray zone between legitimate resale and illegality, scalpers are driven primarily by profit: they buy tickets in bulk and resell them at inflated prices, sometimes bending rules or violating platform policies or national laws. While not always malicious, their activity can overlap with fraud when authenticity or delivery cannot be guaranteed. They aim for moderate profits, typically reselling tickets at a 10%–30% markup to capitalize on demand while staying attractive to buyers.

How Scams are Currently Operating 

Scammers exploit every available digital channel, combining simple social engineering with accessible online platforms to reach large audiences and convert interest into fast payments. The following sections outline the main channels and tactics currently being used to deceive fans and monetize the hype:

Malicious Websites

Cybercriminals create convincing fake websites that impersonate official World Cup ticketing, merchandise, or travel platforms. These sites are designed to steal payments and sensitive data, often promoted through ads, social media, or search results to appear legitimate. Once a fan makes a purchase, they either receive nothing or are redirected into further fraud or phishing flows.

Facebook

A major hub for semi-organized fraud. Scammers operate through groups, Marketplace listings, and personal profiles, offering tickets at attractive prices. While some listings are legitimate, many use fake proofs, recycled images, and social validation (comments/likes) to build trust and pressure victims into quick payments.

Dozens of 2026 World Cup ticket trading groups

Instagram

Fraudsters create accounts impersonating official FIFA pages or trusted sellers, using polished, highly visual graphics, fake testimonials, and sponsored posts. They rely heavily on direct messages (DMs) to move conversations off-platform and close deals quickly.

WhatsApp

After initial contact on social media, victims are pushed to WhatsApp where scammers apply pressure, share fake tickets or confirmations, and request instant payments (often via bank transfer or digital wallets). The private nature of the platform reduces visibility and increases success rates as a conversion channel. 

Telegram

A mix of cybercrime and fraud at scale. Telegram channels and groups are used to distribute phishing links, sell “verified” tickets, share leaked databases, or coordinate operations. The platform’s anonymity and large audience capabilities make it ideal for both high-tech actors and low-tech scammers.

Ticket Scalping

We observed tools and scripts shared on platforms like GitHub that automate monitoring and purchasing, giving scalpers an unfair advantage over regular fans. While some activity is legitimate, it frequently overlaps with fraud, especially when tickets are resold multiple times, are non-transferable, or simply do not exist. 

Does the Ticket Pass the Test? 

Before examining specific examples, understand that most FIFA 2026 ticket scams follow a repeatable pattern. The seller is too available, the deal rather than the ticket is the main focus, the price is too flexible, the proof arrives too quickly, and the payment method is usually fast and difficult to reverse. These red flags may look small on their own, but together they often reveal a fraudulent transaction before any money is sent.

Seven Red Flags

It is strongly discouraged to trade tickets outside the official FIFA resale platform. However, if you decide to do so, it’s safer to use platforms you are already familiar with and have successfully used in the past. 

In our experience, engaging with sellers across various social media platforms quickly revealed just how many scammers operate in this space, and how certain patterns can help distinguish legitimate offers from fraudulent ones. Below are examples to avoid, both within and outside these platforms. Based on dozens of conversations with suspected scammers, we identified a consistent and repeatable scam pattern:

1. “I’ve Got Everything You’re Looking for”

In conversations with multiple threat actors, a consistent pattern emerged: even before discussing the specific match or seating category, they confirmed that the tickets were available for sale.

The scammer claims to have tickets, even though we never discussed any specific ones

It’s possible that these are genuine ticket resellers, so we tested them. 

Test 1: Wrong Date and Stadium

We asked for tickets for the Uruguay vs. Spain game (which exists), but we mentioned the wrong date and stadium. The scammer confirmed having those tickets.

Test 2: Unlikely Group Stage Pairing

We asked about the Uruguay vs. Jordan game (while they both qualified for the World Cup, they typically do not play against each other in the group stage). The scammer once again claimed to have those tickets.

Test 3: Teams that Didn’t Qualify

We asked for Italy vs. Belgium tickets (Italy didn’t qualify for the 2026 World Cup), and the scammer allegedly had these tickets. Next, we asked for the Italy vs. Russia game tickets (Russia is suspended from international competition). This didn’t stop the scammer from offering 12 tickets. 

A fake ticket offered for two teams ineligible to play in the World Cup, for the wrong date

The ticket shown above features a Winter Olympics logo, lists two teams that cannot compete, and is scheduled for a date when neither event is taking place.

Test 4: A Fictional Country

We simply invented the country of Velmoraon, a central European nation with 2.5 million citizens. We asked to see Velmoraon play against Germany.

Scammer claims to have tickets for the match between Germany and the made-up country of Velmoraon

2. Extreme Price Flexibility

The price will always match your budget, or come in just below it. Even if the official FIFA price is $700 per ticket, tell a scammer your budget is $100 and suddenly it’s “your lucky day.”

Below you can see an example of a ticket that should retail at $130, and the scammer offered it for $80, even though they paid $90 for it. 

The scammer declared that each ticket costs $80

The scammer mentions originally paying $90 and preparing to sell at a loss

In this space, there are really only two types of sellers. “Legitimate” ticket scalpers will negotiate hard and sell only if they profit, often well above market value. 

There are no friendly sellers, no helpful strangers, no “long-lost cousins” offering you a deal. Scammers are willing to offer steep discounts because, in reality, they’re selling nothing.

In the example below, the scammer initially offers tickets at $250 each, and they immediately agree to our message that our budget is only $150. That’s a 40% discount without any real negotiation.

Our deliberate math error, turning 5 × $150 into $675 instead of $750, isn’t questioned at all, and the total drops to nearly 50% off.

This isn’t how legitimate scalpers behave. Real sellers negotiate and protect their margins. This is classic scammer behavior: someone willing to “earn” anything they can from the interaction, even if it makes no economic sense.

Message exchange with no negotiation or pushback on a math error

In the end, you’ll transfer money (often to mule accounts) and receive either nothing at all, or worse, convincing fake tickets. Those fakes may carry you all the way to the stadium gate, full of excitement, only to leave you angry and disappointed when you’re turned away.

3. The Multiple Seller Syndrome

Across all engagements, we requested multiple payment options from each scammer. When they provided details (such as bank accounts, PayPal, Zelle, Apple Pay, and associated Facebook profiles), there was a consistent mismatch in identities.

In one case, we were speaking with “Jozy,” who was using an email under the name “Mark,” and a bank account belonging to “Jorge Gonzales.” The claimed locations were equally inconsistent, ranging from North Dakota to Mexico to Eastern Europe.

This pattern of fragmented identities was typically explained with excuses such as “it’s my fiancé,” “my friend,” or “my partner.” These inconsistencies are a strong indicator of fraudulent activity.

4. Psychological Manipulation

Scammers employ psychological manipulation throughout the entire conversation to reduce suspicion, control the interaction, distract the victim, and ultimately pressure them into making mistakes. For example, many scammers quickly suggest using the official FIFA platform to appear legitimate, while simultaneously steering the process in their favor.

Early in the conversation, they often ask, “Do you have an email?” which is a seemingly unnecessary question given that the interaction is already taking place on social media, where email is a basic registration condition. This is not a coincidence. It allows them to shift the conversation to a more controlled channel and lower the victim’s guard. They then propose completing the transfer via the FIFA platform, requesting the victim’s email and full name, while creating urgency to push for a quick decision and finalize the payment.

Threat actor shows a ticket transfer screenshot supposedly from the FIFA website, prior to even confirming the match details

When asked to complete the transaction through the official FIFA resale platform, many scammers avoid the request altogether, change the subject, or push alternative payment methods. If pressed, they may eventually refuse outright.

Presumably a ticket transfer screenshot from the FIFA website, prior to confirming price

In cases where victims claim payment has already been sent, scammers respond by immediately emailing “tickets” and arguing that there is no need to use the official FIFA transfer mechanism. This conveniently bypasses the only process that would verify the tickets’ authenticity.

Some scammers used reverse psychology, claiming they had heard that many buyers are scammers who steal tickets from innocent vendors. They assured us they did not suspect we were scammers, but that we could trust them in return.

5. Fake “Proof”

In all conversations, we eventually asked for proof that the tickets were real and actually existed. In most cases, scammers responded confidently and took approximately 5–10 minutes to produce a photoshopped ticket.

Fake tickets presented as proof

In one instance, a scammer even pointed out that the date and time of a fictitious match between Italy and Russia were incorrect, highlighting the fabricated nature of the ticket.

The scammer pointed out that the date was incorrect, while conveniently ignoring that the match is fake since Italy did not qualify and Russia is suspended

Many scammers got creative with the fake tickets they showed us. In one example, the word “Cup” was missing from the name on the ticket (for a fictitious game).

A fake ticket presented to us when asking for proof

One scammer claimed to be an “official FIFA retailer” after we asked for proof.

A fake ticket seller ID card 

This entire concept is fake:

  • There is no official verified FIFA ticket seller
  • The QR code is fake
  • The ID number isn’t aligned with anything related to FIFA
  • The picture is computer generated
  • The World Cup logo is fake

6. Irreversible Payment Methods

It seems that scammers often push “instant” payment methods because they are fast, hard to reverse, and offer limited buyer protection. Here’s what each method typically requires, and how recoverable the funds are:

Apple Pay

  • What you need: Phone number or email (linked to Apple ID) 
  • Traceability: Moderate (tied to device/account) 
  • Chargeback: Very limited (depends on bank/card used behind it) 

Zelle

  • What you need: Email or phone number 
  • Traceability: Moderate (linked to bank account) 
  • Chargeback: No buyer protection (banks rarely reverse if authorized) 

Chime

  • What you need: $Cashtag, phone, or email 
  • Traceability: Moderate 
  • Chargeback: Very limited (similar to bank transfers) 

PayPal (Friends & Family)

  • What you need: Email address 
  • Traceability: Moderate 
  • Chargeback: No protection under “Friends & Family.” (We were specifically instructed to choose the Friends & Family option)

We were often asked for our geo-location. We were then offered local payment platforms/methods:

Interac e-Transfer (Canada)

  • What you need: Email or phone number 
  • Traceability: Moderate 
  • Chargeback: Very difficult once deposited

Pix (Brazil)

  • What you need: CPF/CNPJ, phone number, email, or Pix key 
  • Traceability: High (linked to a verified bank account) 
  • Chargeback: Extremely difficult once completed 

In some cases we demanded to make a bank transfer. Some of the scammers offered creative alternatives:

Crypto (Bitcoin, USDT, etc.)

  • What you need: Wallet address 
  • Traceability: Low–Moderate (public ledger, but pseudonymous) 
  • Chargeback: Irreversible 

Gift Cards (Amazon, Apple, etc.)

  • What you need: Gift card codes 
  • Traceability: Low 
  • Chargeback: Irreversible once redeemed 

Instant Bank Transfer / Wire

  • What you need: IBAN / account details 
  • Traceability: High 
  • Chargeback: Very difficult once sent

7. New Profiles

We spoke with dozens of FIFA ticket resellers, and in every case the scammers had fairly new profiles (from a few days to a couple of months old), while the ticket scalpers had fairly old profiles dating back to 2007-2018.

The scammer profiles followed a consistent pattern: new account, attractive profile photo, listed family members, and bios claiming to be bloggers, influencers, musicians, or artists. All featured North American names and affiliations. All had published dozens of identical replies across trading groups (“I got 4 tickets”). The profiles themselves had few photos but often hundreds of followers.

Similar Facebook comments in response to asks for tickets

Evidence of Organized Operations

Several scammers shared identical bank account details. This indicates either the same threat actor (which is less likely, as they would have recognized our pattern across interactions), a coordinated scammer group, or a shared mule account service providing banking infrastructure to multiple individual scammers.

We traced the names and details of the social media accounts (Facebook, Instagram and Telegram) to fresh stealer logs that were collected in the past week. We also found PayPal, Chime, Zelle and Apple Pay identifiers in old and new leaked credential lists.

This indicates a broader underground ecosystem fueling the FIFA 2026 scam operation: freshly opened social media accounts created with “aged” email addresses traded in underground markets, money transfers processed through the payment details of other cybercrime victims, and compromised identities recycled to build convincing seller personas. It is a self-reinforcing cycle where each layer of cybercrime feeds the next.
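The shared-account finding above can be reproduced from engagement notes by linking seller personas through the payment identifiers they hand out. The following is an added example, not Flare's tooling: the record fields (seller, persona, payee, payments), the function names and every sample value are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed records: every handle, name and identifier below is invented.
ENGAGEMENTS = [
    {"seller": "fb:anna.k", "persona": "Anna K", "payee": "Luis Ortega",
     "payments": [("zelle", "Pay.Me@Mail.example"), ("bank", "0001 2345-678")]},
    {"seller": "ig:tix_mike", "persona": "Mike T", "payee": "Luis Ortega",
     "payments": [("bank", "00012345678"), ("paypal", "mike.t@mail.example")]},
    {"seller": "tg:worldcup_deals", "persona": "Sara B", "payee": "Sara B",
     "payments": [("paypal", "MIKE.T@mail.example ")]},
    {"seller": "fb:old_scalper", "persona": "Dan R", "payee": "Dan R",
     "payments": [("zelle", "+1 (555) 010-0199")]},
]


def normalize(kind, value):
    """Canonical form so cosmetic differences do not hide a shared account."""
    value = value.strip().lower()
    if kind == "bank":
        return kind, re.sub(r"[^0-9a-z]", "", value)   # drop spaces and dashes
    if re.fullmatch(r"[+\d\s().-]+", value):
        return kind, re.sub(r"\D", "", value)           # phone number: digits only
    return kind, value                                  # e-mail, cashtag, wallet


def cluster_sellers(engagements):
    """Group sellers connected through any shared payment identifier."""
    parent = {e["seller"]: e["seller"] for e in engagements}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]               # path halving
            x = parent[x]
        return x

    owners = defaultdict(list)                          # identifier -> sellers
    for e in engagements:
        for kind, value in e["payments"]:
            owners[normalize(kind, value)].append(e["seller"])
    for sellers in owners.values():
        for other in sellers[1:]:
            parent[find(other)] = find(sellers[0])      # union the two groups

    groups = defaultdict(set)
    for seller in parent:
        groups[find(seller)].add(seller)
    shared = {i: sorted(set(s)) for i, s in owners.items() if len(set(s)) > 1}
    clusters = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    return clusters, shared


def identity_mismatches(engagements):
    """Sellers whose payee name differs from the persona they chat under."""
    return sorted(e["seller"] for e in engagements
                  if e["payee"].casefold() != e["persona"].casefold())


if __name__ == "__main__":
    clusters, shared = cluster_sellers(ENGAGEMENTS)
    print("linked sellers:", clusters)
    print("shared identifiers:", shared)
    print("persona/payee mismatch:", identity_mismatches(ENGAGEMENTS))
```

Linking is transitive: two personas that never share an identifier directly still land in one cluster when a third persona shares one with each of them.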

Another Well Known Attack: Fake Domains

We have already covered this topic in a dedicated article, but it is important to revisit it briefly here. The official FIFA website (fifa.com) is the only recommended source for purchasing tickets. Buying from any other website carries inherent risk.

The official resale system for the 2026 World Cup is designed as a controlled marketplace within the FIFA platform, where fans can securely return or transfer tickets they can no longer use. 

Instead of informal peer-to-peer deals, all legitimate resales happen through FIFA’s official portal, ensuring tickets remain valid, reissued under the new holder’s name, and protected against duplication or fraud. Prices are typically regulated (often capped or aligned with face value, depending on phase and policy), and both buyers and sellers must use their FIFA accounts, which creates traceability and reduces scam risk. Any transaction outside this system falls outside FIFA’s protections and significantly increases the likelihood of fraud.

During our research, we identified multiple websites impersonating the official FIFA site. If you believe you’re on the official site, watch for the following red flags:

The address is not fifa.com:

In the browser’s address bar, the site’s address isn’t fifa.com

If you try logging into the account, the website accepts false login information:

Sign in option on website

Fake details entered into the sign-in page

If the website logs you in with fake details, it’s a major red flag; if it does not, the website may still not be safe:

Website allows entry with fake login credentials 
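The address check described above can be automated for links received in chats or e-mail. This is an added example, not code from the article: the function name, the verdict labels and the sample links are assumptions, and the only fact taken from the page is that fifa.com is the official domain.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "fifa.com"  # the only ticket source the article recommends


def classify_url(url):
    """Return (verdict, reason); verdict is official, lookalike, reject or other."""
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
        host = (parts.hostname or "").rstrip(".").lower()
        userinfo = parts.username is not None or parts.password is not None
    except ValueError as exc:                  # malformed authority section
        return "reject", f"unparseable URL: {exc}"
    if not host:
        return "reject", "no host in URL"
    if userinfo:
        # In https://fifa.com@host/ the text before '@' is a user name, not the site.
        return "reject", f"userinfo in URL, real host is {host}"
    if parts.scheme != "https":
        return "reject", "not served over HTTPS"  # assumption: policy for payment pages
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "reject", "internationalized host, possible look-alike characters"
    # Exact match or a true subdomain. The leading dot matters: a bare
    # endswith("fifa.com") would also accept a host such as "notfifa.com".
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official", host
    if "fifa" in host:
        return "lookalike", f"mentions the brand but is registered elsewhere: {host}"
    return "other", host


# Constructed sample links; the .example hosts are reserved for documentation.
SAMPLES = [
    "https://www.fifa.com/en/tickets",
    "https://fifa.com.tickets.example/login",
    "https://fifa.com@tickets.example/",
    "https://fifa-tickets.example/",
    "https://f\u0456fa.com/",                   # Cyrillic letter in place of 'i'
    "http://fifa.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{link!r:50} -> {classify_url(link)}")
```

An "official" verdict only confirms the host name; it says nothing about whether a seller who sent the link actually holds a ticket.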

Structured, Repeatable Fraud Ecosystem

At its core, this investigation reveals that FIFA 2026 ticket scams are not random or isolated incidents. They are part of a structured and repeatable fraud ecosystem. Across dozens of interactions, the same patterns emerged again and again: identical scripts, recycled identities, shared payment channels, and consistent psychological tactics. This level of uniformity strongly suggests organized activity, often supported by shared infrastructure such as mule bank accounts, compromised credentials, and pre-aged social media profiles sourced from underground markets.

More importantly, these scams succeed not because they are technically sophisticated, but because they exploit human behavior under pressure. Urgency, excitement, fear of missing out, and perceived trust are far more powerful than malware or exploits. 

Scammers don’t need to hack systems, and instead they simply guide victims into making decisions quickly, bypassing the very safeguards that would otherwise protect them. The moment a transaction moves outside controlled platforms like FIFA’s official resale system, the risk increases dramatically.

Finally, the broader lesson extends beyond soccer tickets. This is a clear example of how modern cybercrime operates: blending low-tech social engineering with scalable digital infrastructure. Whether it’s ticket fraud, phishing, or financial scams, the same principles apply. If something feels too easy, too available, or too good to be true, it almost always is. 

In a landscape where trust is increasingly manufactured, the most effective defense is not just awareness, but skepticism, verification, and discipline in how and where transactions are made.
