The FIFA World Cup is drawing attention from more than football supporters. Cybercriminals are treating the tournament as a commercial opportunity, and New Zealand fans are among their targets. With 104 matches scheduled across Canada, Mexico, and the US between June 11 and July 19, demand for tickets is concentrated and intense. New Zealand’s national side is set to play Iran, Egypt, and Belgium in the opening round, giving local supporters added motivation to secure access – a dynamic that fraudsters are actively exploiting, according to a June 2, 2026, analysis by Yubico.
Geoff Schomburgk (pictured), vice president for Asia-Pacific and Japan at Yubico, outlined several methods being used against fans in the lead-up to and during the tournament. These include websites designed to look like official ticketing platforms, social media posts promoting last-minute availability, and emails constructed to appear as though they originate from FIFA or affiliated services. The common thread across these tactics is manufactured urgency. Fans are told their payment has failed, their account requires immediate verification, or that a ticket is about to be released – prompting them to act before they think. Schomburgk noted that these messages have become harder to distinguish from genuine correspondence. “Today’s phishing emails are polished, personalised, and timed to coincide with real ticketing phases or merchandise drops,” Schomburgk said. The scope of fraud extends beyond ticketing. Schomburgk identified fake accommodation listings, fraudulent transport offers, and counterfeit merchandise as additional exposure points for fans travelling to Canada, Mexico, and the US or purchasing goods from abroad.
Schomburgk’s analysis places credential theft at the centre of the risk picture. Password-based authentication, which remains standard across many ticketing platforms, offers attackers a straightforward path into accounts once login details have been obtained through phishing or data breaches. “Attackers are no longer hacking systems; they are logging in using stolen credentials,” Schomburgk said. The consequences for a compromised FIFA ticketing account can be immediate: tickets transferred, payment details exploited, and account information changed before the legitimate holder is aware. Fake merchandise platforms present a parallel risk, capturing both financial data and login credentials in a single transaction.
Schomburgk argued that the response needs to move beyond stronger passwords toward authentication methods that remain secure even when a user has been deceived. He pointed to phishing-resistant options – including hardware security keys that tie authentication to a physical device – as a more durable solution than SMS codes or app-generated one-time passwords, both of which can be intercepted. The distinction between a technical breach and an account takeover via stolen credentials is meaningful. The latter typically involves user-level actions rather than system vulnerabilities, which can affect how policies respond and where liability sits.
On the practical side, Schomburgk’s recommendations centre on slowing down rather than keeping up. FIFA has identified its official website – fifa.com/en/tickets – as the only direct sales channel, with authorised secondary transactions limited to its own resale platform. Tickets distributed as PDFs or QR codes through messaging applications fall outside the controls that legitimate systems use to prevent duplication and unauthorised transfer.
“Legitimate organisations rarely require immediate action through unsolicited messages,” Schomburgk said. Rather than following a link, he recommended going directly to the official platform to check account status independently. The same principle applies to merchandise purchases. Major sporting events consistently attract counterfeit storefronts, and buying through authorised retailers is the most straightforward way to reduce exposure.
The Yubico analysis arrives as New Zealand’s broader cyber security posture shows incremental improvement. A survey conducted by The Research Agency (TRA) on behalf of the National Cyber Security Centre (NCSC), covering 1,011 adults between Nov. 20 and Nov. 30, 2025, found that 27% of New Zealanders who encountered an online threat experienced some form of harm – down from 36% the previous year. One in five of those affected reported a financial loss.
NCSC chief operating officer Michael Jagusch said awareness is contributing to the shift. “People are taking more necessary actions to keep themselves protected,” Jagusch said. The survey recorded an increase in two-factor authentication use on primary accounts, rising from 38% to 43%, alongside growth in password manager adoption. Jagusch acknowledged progress while noting room for further improvement. “The increase in use of 2FA is great, but we would like to see that number increased further for New Zealanders’ online protection,” he said.
A separate finding from the same survey is relevant to insurers tracking loss data: just 56% of those who experienced a threat reported it. Among those aged 55 and over, that figure dropped to 47%. Jagusch pointed to uncertainty and apathy as the primary drivers of non-reporting. “Reluctance to report threats or to perform key cyber security actions can come from a feeling of not knowing how to or feeling it is too complicated,” he said. The gap between actual incident rates and reported ones limits the quality of data available for both regulators and the insurance industry in assessing the true frequency and cost of cyber harm in New Zealand.
