Cybercriminals Ramp Up FIFA World Cup 2026 Phishing Campaigns

Hoxhunt researchers say World Cup-themed phishing lures have become the company’s most-spoofed sporting event on record, reflecting a broader rise in AI-driven social engineering.

Key Highlights

  • Hoxhunt observed a nearly 500% increase in FIFA World Cup 2026-themed phishing attacks between April and June.
  • Researchers found AI-driven, event-based phishing lures were 42% more likely to attract clicks than non-temporal campaigns.
  • Security experts say organizations should strengthen identity security and employee awareness as attackers increasingly exploit major global events.

Cybercriminals dramatically increased their use of FIFA World Cup 2026-themed phishing campaigns in the months leading up to the tournament, according to new research from Hoxhunt, highlighting how major global events continue to provide fertile ground for social engineering attacks.

The Helsinki-based human risk management platform said it observed a nearly 500% increase in FIFA World Cup-themed phishing attacks targeting employees between April and June 2026, with the sharpest spike occurring around the tournament kickoff period. According to the company, the World Cup has become the most-spoofed entertainment or sporting event it has recorded in phishing campaigns.

Hoxhunt said low but consistent campaign activity began as early as February before accelerating sharply in May and continuing into June. The company identified two dominant campaign types: fake marketing recruitment offers aimed at marketing professionals and prize or bundle scams impersonating Coca-Cola World Cup promotions.

Attackers weaponize the calendar

The findings reflect what Hoxhunt describes as a broader shift toward temporal phishing attacks that exploit current events and seasonal moments when people are more likely to expect related communications.

“AI has ushered in the era of calendar-based social engineering,” said Mika Aalto, co-founder and CEO of Hoxhunt. “Just as legitimate marketing teams use automation platforms to launch personalized campaigns around major cultural events and seasonal buying patterns, cybercriminals are using AI to orchestrate phishing campaigns around the moments that matter most to their targets. The World Cup, tax season, annual bonus announcements, open enrollment, Black Friday — every event that drives legitimate communication now creates an opportunity for attackers to blend in.”

According to Hoxhunt’s phishing simulation data, temporal phishing attacks are 42% more likely to draw clicks than non-temporal phishing simulations.

The company said those campaigns capitalize on periods when employees already expect unusual or time-sensitive communications. During tax season, for example, workers anticipate messages related to payroll, compliance or refunds. During the World Cup, they may expect emails about promotions, travel, sponsorships, recruiting, events, tickets or giveaways, making malicious messages appear more believable.

Aalto said organizations need to adjust their defenses to reflect this changing threat landscape.

“The World Cup is a preview of where social engineering is headed as attackers are learning to weaponize the calendar,” he said. “Tax season, sporting events, product launches, mergers, payroll cycles — every meaningful moment has become part of the attack surface. The organizations that adapt their training as quickly as attackers adapt their lures will stay ahead.”

Hoxhunt also reported that FIFA-themed phishing threats were distributed relatively evenly across global regions, suggesting attackers are casting a wide net rather than concentrating on specific geographies. By comparison, phishing campaigns tied to the Paris 2024 Olympics and Eurovision 2026 occurred at significantly lower volumes.

The findings align with other recent cybersecurity research focused on sports-related threats.

Zimperium zLabs recently reported a sharp increase in mobile-targeted phishing campaigns exploiting interest in the FIFA World Cup 2026. Separately, Darktrace found that 57% of professional sports organizations experienced multiple cyber incidents during the past 12 months. The cybersecurity company’s research also found that 72% of sports organizations believe AI will increase cyber risk over the next year as AI adoption expands across stadium operations, ticketing, fan engagement and business operations. Darktrace added that its sports-sector customers receive nearly 20% more phishing emails than organizations in other industries.

Identity risks extend beyond the initial click

Rex Booth, chief information security officer at SailPoint, said AI is making phishing campaigns increasingly difficult for users to distinguish from legitimate communications.

“The danger of many phishing schemes, like those during the 2026 FIFA World Cup, lies in their ability to grant attackers access to credentials, enabling them to pretend to be trusted insiders,” Booth said. “With AI now in play, these campaigns are becoming ever more sophisticated and difficult to spot. This makes it imperative for users to adopt robust identity security best practices, including changing passwords frequently and enabling multi-factor authentication, and for organizations to prioritize identity as the new control plane.”

Booth added that while many AI-assisted attacks still require human involvement, organizations should prepare for increasingly autonomous threats as artificial intelligence capabilities continue to evolve.

For defenders, Hoxhunt’s findings suggest that security awareness efforts should increasingly mirror the timing of current events. Rather than relying solely on generic phishing education, organizations may need to tailor employee training around major cultural, sporting and business events that attackers are likely to exploit. As the World Cup data illustrates, cybercriminals are increasingly aligning phishing campaigns with moments when legitimate communications are already expected, making those attacks more difficult for employees to recognize.

About the Author

Rodney Bosch

Rodney Bosch

Contributor

Rodney Bosch is a seasoned journalist and Editor-in-Chief of SecurityInfoWatch.com, covering the full spectrum of the security industry. Drawing on years of experience in both B2B and newspaper journalism, he provides clear, credible reporting and analysis on the technologies, companies, and trends shaping today’s security marketplace.

Quiz

mktg-icon Your Competitive Edge, Delivered

Stay ahead of the curve with weekly insights into emerging technologies, cybersecurity, and digital transformation. TechEDGE brings you expert perspectives, real-world applications, and the innovations driving tomorrow’s breakthroughs, so you’re always equipped to lead the next wave of change.

marketing-image