The World Cup starts June 11, and the scam infrastructure is already deployed: fake stadium Wi-Fi, fake streaming sites, fake ticket resales. An ExpressVPN survey of 6,000 fans across six countries suggests most of the targets will cooperate enthusiastically.
The headline number: 73% of fans said they would trust and connect to a public Wi-Fi network just because it carries the name of the venue they’re attending.
The survey numbers, and why they’re worse than they look
The survey, reported by TechRadar, polled 6,000 football fans across six markets ahead of the tournament. Beyond the 73% who would auto-trust venue-named Wi-Fi, fewer than four in ten fans said they could reliably tell a genuine public network from a fake one.
The Australian numbers, covered by iTWire, add an even better detail: roughly 76% of fans acknowledged that public Wi-Fi at stadiums, airports and bars is risky. Then 57% said they’d share personal details over it anyway. People know. They connect anyway. Convenience beats caution every time the match is about to start.
About a third of Australian fans reported already experiencing some form of scam at a major sporting event, phishing messages being the most common, followed by fake streaming websites and apps.
The three scams that will dominate this tournament
The evil twin hotspot. Anyone can name a Wi-Fi network “Stadium_Free_WiFi” or “MetLife_Guest”. You connect, the attacker sits in the middle, and everything you type on an unencrypted connection passes through their hands: logins, card numbers, session cookies. Stadiums, fan zones, airports and sports bars during the World Cup are the perfect hunting ground because tens of thousands of phones arrive looking for a connection at the same time. We covered the mechanics in our public Wi-Fi safety guide.
The fake stream. Search “watch World Cup free” during any match and you’ll find dozens of sites promising exactly that. Some want a credit card for “free registration.” Some serve malware through fake video players. Some just harvest the email and password combo you’ll inevitably reuse. GB News reports that ExpressVPN ranks fraudulent streaming sites among the top threats for this tournament, and with 104 matches across three time zones, the demand for “just one quick stream” will be enormous.
The ticket and travel phish. Emails and texts about ticket confirmations, resale bargains, hotel deals and last-minute schedule changes. The 2026 tournament spans 16 host cities in three countries, which means millions of fans navigating unfamiliar booking systems in foreign languages. Scammers love confusion, and this World Cup has more moving parts than any event in sports history.
Why this tournament is the biggest target ever
Scale, mostly. This is the first 48-team World Cup, with over 100 matches and an expected audience above 2 billion. It’s hosted across the US, Canada and Mexico, three countries where in-person attendance means heavy roaming, hotel Wi-Fi and airport layovers for international fans.
And because broadcast rights are scattered across different services in every country, plenty of fans genuinely won’t know what the legitimate way to watch even is. That gap between demand and clarity is exactly the space scams live in. ExpressVPN’s own scam guide lists fake giveaways, betting scams and counterfeit merch stores on top of everything above.
How to actually protect yourself
None of this requires paranoia, just a few defaults.
Treat every public network as hostile. If you must use stadium or hotel Wi-Fi, run a VPN on the connection so a hostile network operator only sees encrypted noise. A VPN on your phone is the single highest-value protection for travelling fans. NordVPN runs on every platform you’ll carry, and its 5/5 speed score in our tests means it won’t choke a live stream.
Stream from legitimate sources only. In the UK, every match is free on BBC and ITV. In Mexico, ViX and TV Azteca carry the tournament free. In the US it’s FOX and Telemundo. If a site you’ve never heard of offers what billion-dollar broadcasters charge for, the product is you. Our guide to the best VPN for the World Cup lists the legitimate broadcaster in each major country and how to reach the free ones while traveling.
Book and buy through official channels. FIFA’s ticket portal and recognized resellers only. Any ticket offer arriving by DM is fake. All of them. Every tournament, without exception.
Use cards with disposable numbers for tournament-related purchases if your bank offers them, and never log into anything important from a shared or public device.
If you’re going in person
A few extra rules for fans attending matches in the US, Canada or Mexico.
Prefer mobile data over any public Wi-Fi. An eSIM data package for the host countries costs less than a stadium beer per gigabyte and removes the fake hotspot problem entirely. If you do connect to public networks, turn off auto-join so your phone stops attaching itself to anything with a familiar name while you walk through an airport.
Download the apps you need before you travel: your bank, your streaming services, FIFA’s official app for tickets. Searching for “FIFA tickets app” from a hotel lobby in a hurry is exactly the scenario fake apps are built for. Stick to official app stores and check the developer name.
And treat QR codes around venues with suspicion. Stickers slapped over legitimate codes on posters and tables redirect to credential-harvesting pages, and tournament crowds are the ideal audience for them.
Already clicked something? Damage control
If you entered a password on a site you now doubt, change that password immediately, starting with your email account, and enable two-factor authentication. If you reused the password elsewhere, change it there too. That reuse is what attackers are counting on.
If you entered card details, contact your bank and have the card frozen or reissued. Most banks make this a two-tap operation in the app now. Watch statements for small test charges; scammers verify cards with tiny amounts before selling them.
If you installed something, delete it, run a malware scan, and check your device for new profiles or unknown VPN configurations it may have added. On a phone, when in doubt, a factory reset with a clean restore is unpleasant but reliable.
Want to compare all VPNs side by side? Check our full VPN comparison table with scores across 18 criteria.
Tournament-long housekeeping: the scam wave doesn’t end at the group stage, and the knockout rounds’ higher stakes sharpen the lures (final tickets, “exclusive” streams). The defaults above hold for the whole month; set them before the opening match and let the tournament be about football.
(Survey figures from the cited ExpressVPN research; the behavioral lesson, that convenience beats caution under kickoff pressure, is the durable part, and it will be exactly as true at the next tournament.)
The survey's real finding isn't that fans are careless. It's that awareness doesn't change behavior when a match is starting in four minutes and the venue Wi-Fi is right there. Security that depends on humans making the careful choice under time pressure always loses. Set up the protections that work without willpower before you travel: VPN installed and set to auto-connect on untrusted networks, official streaming apps downloaded, payment alerts on. Then go enjoy the football.
Sources: TechRadar on the ExpressVPN survey | GB News breakdown | iTWire on the Australian numbers | ExpressVPN’s World Cup scam guide