Don't let the scammers score, warns Yubico

​​​​​​​​​​​​

As football fans gear up for the 2026 Football World Championship, cybercriminals are preparing too.  Scammers are exploiting the excitement with fake merchandise stores, ticket resale scams and other targeted attacks.  With more than 4,300 fraudulent domains impersonating FIFA’s official website, Nic Sarginson, Principal Product Manager at Yubico, explains how fans can stay safe from cybercrime.
 
“Fans looking for tickets – whether to attend the tournament or for screenings – should remain wary of deals that look too good to be true or create a false sense of urgency, both of which are telltale signs of a potential phishing attempt.  Cyber criminals exploit this pressure to increase quick decision-making, tricking consumers into clicking malicious links or entering credentials on fake ticketing websites without verifying legitimacy.”
 
“This rise in event-driven scams is unsurprising given that passwords unfortunately remain the dominant form of authentication for many event ticketing platforms.  Alarmingly, our survey found this inherently insecure and outdated authentication is still the most common method of personal account security (60 percent.  If a password is reused, guessed or phished, hackers can access accounts containing tickets with little resistance.  Attackers can then transfer tickets, change account details or use stored payment methods to make fraudulent purchases.”
 
“The most effective way to avoid ticket scams is to only use official channels.  Fans should avoid digital assets that can be easily copied, such as PDF tickets or QR codes shared via messaging apps.  Synced passkeys – which are often saved directly to your mobile device – are a great starting point, offering a phishing-resistant baseline of defence.  However, fans heading to crowded stadiums, public screenings, or busy pubs must remember that smartphones are prime targets for both traditional pickpockets and cyber criminals.  If your phone is targeted, your primary means of accessing your tickets and accounts could be compromised.”
 
“Passkeys, including hardware-backed passkey options like security keys, offer the strongest level of protection by binding authentication to a specific device and user.  As a phishing-resistant authentication method, they ensure that even if a user is tricked into visiting a fake site, their credentials cannot be reused.  This is because once a passkey is registered with a site in place of a password, not only do you need login credentials to gain access, you also need the security key and physical touch of the key once prompted.  By using a hardware security key, fans can fully protect themselves and their precious data, allowing them to focus on enjoying the games rather than worrying about account security.”