
Fake FIFA Job Phishing Spotlights Telco DNS Security


The 2026 FIFA World Cup is already drawing fraudsters. Yet the latest threat goes beyond fake tickets and merchandise. Researchers at CUJO AI found a campaign targeting employees through fake recruitment portals.

The scheme used 21 domains posing as official FIFA careers pages. Sites included fifa-careerhub[.]com, fifa-careerportal[.]com, and fifajobs[.]com. They carried FIFA branding and fake recruiter profiles. Some also invited visitors to book a call through Google Calendar.

However, the real trap appeared during sign-in. Personal email addresses triggered the message “Please use your work or business email”. The fake form rejected Gmail, Yahoo, Hotmail, Outlook, Proton Mail, and other consumer domains.

This simple filter changed the target profile. Instead of stealing fan data, the attackers sought corporate accounts. The campaign pushed applicants toward work credentials. That could open access to business email, cloud files, and internal systems.

After the email check, victims saw a fake Google Calendar booking page. It asked them to sign in using Google Workspace. The page then sent credentials to a backend server. Researchers said the server used obfuscation to avoid basic detection tools.

The domains appear designed for short campaign windows. WHOIS records showed many registrations through name.com. Most appeared between April and May 2026. Registrant countries in the dataset listed the United States.

By the time researchers reviewed the domains, many had changed. They showed parked pages with generic search links. This pattern often follows phishing activity. Criminals close the active phase, then save domains for later use.

The wider pattern matters for operators. CUJO AI said the same phishing kit impersonated other major brands. These included Heineken, Hilton, Coca-Cola, Netflix, PepsiCo, Delta, and Spotify. Each campaign used stolen recruiter identities from LinkedIn.

For telecom providers, the case highlights a valuable security layer. Every visit starts with a network lookup. A DNS request shows where the device wants to go. DNS acts like the internet’s address book.

Operators that monitor these signals can spot suspicious domains early. They can block access before users enter credentials. This helps when employees use personal devices or remote connections. Endpoint protection may not cover every device.
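As an added illustration (not code from CUJO AI or from this article), the sketch below shows how a resolver-side check could flag lookups for brand-plus-recruitment lookalike domains such as the ones named above. The log format, subscriber IDs, allowlist, and keyword lists are assumptions constructed for the example.

```python
# Brands the article says the kit impersonated (lowercased, punctuation removed).
BRANDS = ("fifa", "heineken", "hilton", "cocacola", "netflix",
          "pepsico", "delta", "spotify")
# Assumed recruitment-themed tokens; "career" also matches careerhub/careerportal.
JOB_TOKENS = ("career", "jobs", "recruit", "hiring", "talent")
# Assumption: registered domains the operator treats as genuine brand properties.
ALLOWLIST = {"fifa.com"}

# Constructed resolver log: timestamp, pseudonymous subscriber ID, QNAME, QTYPE.
SAMPLE_LOG = """\
2026-05-02T09:14:03Z sub-1041 fifa-careerhub.com. A
2026-05-02T09:14:09Z sub-1041 www.fifa-careerhub.com. A
2026-05-02T09:15:40Z sub-2210 careers.fifa.com. A
2026-05-02T09:16:12Z sub-0877 fifajobs.com. AAAA
2026-05-02T09:17:55Z sub-2210 jobs.example.org. A
malformed line
"""

def refang(domain):
    """Normalise a defanged or fully qualified name, e.g. fifajobs[.]com."""
    return domain.replace("[.]", ".").strip().rstrip(".").lower()

def registered_domain(qname):
    """Naive last-two-labels heuristic; production code would use the Public Suffix List."""
    return ".".join(refang(qname).split(".")[-2:])

def is_suspicious(qname):
    """True when the registered domain pairs a brand name with a recruitment token."""
    reg = registered_domain(qname)
    if reg in ALLOWLIST:  # subdomains of a genuine brand domain are never flagged
        return False
    name = reg.rsplit(".", 1)[0].replace("-", "")
    return any(b in name for b in BRANDS) and any(t in name for t in JOB_TOKENS)

def flag_queries(log_text):
    """Map each flagged registered domain to the set of subscribers that queried it."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skip malformed lines rather than failing the batch
            continue
        _, client, qname, _ = parts
        if is_suspicious(qname):
            hits.setdefault(registered_domain(qname), set()).add(client)
    return hits

if __name__ == "__main__":
    for domain, clients in sorted(flag_queries(SAMPLE_LOG).items()):
        print(domain, sorted(clients))
```

Matching on the registered domain rather than the full query name is what keeps a lookup for a subdomain of an allowlisted brand domain from being flagged, which is one way to limit the false blocking discussed in this article.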

There are challenges too. Network-level blocking requires accuracy, privacy care, and strong governance. False blocking can disrupt legitimate browsing. Operators must balance security duties with user trust and regulatory expectations.

Even so, regulatory pressure continues to grow. NIS2 and the UK’s Online Safety Act both encourage stronger action. They push operators toward earlier detection of harmful traffic.

The lesson is clear for telcos and enterprises. Phishing campaigns now qualify victims before stealing data. Network visibility can interrupt that process. As World Cup excitement builds, security teams must watch the traffic behind the headlines.
