When major events, like the World Cup, spur lots of online ticket sales, and a barrage of card spending on related items, fraudsters are ready to capitalize on the activity.
Payments security providers ACI Worldwide and Bluefin Payment Systems, which help protect event organizers and merchandisers against fraud, are forecasting fallout from sales for the FIFA World Cup soccer tournament happening now in North America.
Their heightened concern related to the international event comes as artificial intelligence has supercharged online fraud worldwide. The amount of money pilfered by online criminals globally increased by 9.2% last year, compared to 2024, partly due to increased AI use, according to a March report from Nasdaq’s Verafin unit, which also provides financial crime-fighting software.
ACI analyzed merchant data from past events, specifically 24.5 million global transactions for 61 live events, including the 2022 World Cup, to better understand fraud patterns, according to a press release from the Elkhorn, Nebraska-based company this month.
Ahead of the FIFA 2026 World Cup games, which began this month, ACI spotted similar patterns that suggested fraud tied to the event was climbing, said Jackie Barwell, the company’s director of fraud product management.
The company has tried to warn clients, and provide protections to spot and stop fraud, using consumer data insights, device intelligence and geolocation input, among other tools.
“We have been advising them to be more vigilant,” Barwell said in an interview this month from her base in Bromley, England. Merchants need to be ready to scale up operations for increased demand, she said.
Criminals take advantage of the event being a unique occurrence that prompts a surge in payments volume for merchants who may be stretched thin, and perhaps using temporary staff who aren’t familiar with protocols, Barwell explained.
Typically, the fraud targets merchants who are selling tickets and accommodations connected to the event, beginning about eight to 12 weeks before the event and intensifying as it draws near, Barwell said. Fraud attempts are generally in the $200 to $400 range, increasing as the event nears, she said.
The fraudsters create fake websites where they can steal consumer credentials and related information during card-not-present purchases, whether they’re made via mobile devices, in apps, or by phone. Then, they use those credentials to make purchases in the flurry of activity on authentic websites, either right away or later.
"Cybercriminals are targeting the entire fan journey, from searching for tickets and booking travel to streaming matches and purchasing merchandise," Bluefin Chief Information Security Officer Brent Johnson said by email. "We've seen the highest concentration of attacks involving fake ticketing websites, spoofed FIFA domains, fraudulent hospitality offers, phishing campaigns, and counterfeit merchandise sites."
The criminals exploit the fans’ sense of urgency and their emotion about making the purchases, Johnson said. Fraudsters thrive in situations where consumers are engaging in high-value transactions on websites with which they’re not familiar.
Atlanta-based Bluefin points to AI as increasing the threat. "Artificial intelligence allows criminals to generate professional-looking websites, phishing emails, fake QR codes, and customer communications that are much harder for consumers to distinguish from legitimate ones," Johnson said.
ACI’s data has shown that locally issued cards, such as those issued in a given country, are more susceptible to criminal activity than international cards. That may mean fraudsters are local, and understand the local payments landscape, Barwell explained.
Even consumers who aren’t victims can be impacted by merchants’ increased vigilance. “The pattern raises the risk of false declines for genuine fans buying higher-value tickets,” the ACI release said.
The full impact of the fraud likely associated with this year’s World Cup is yet to arrive, and some merchants may be shocked when it does, Barwell predicted. It’s not until the event is nearing its July 19 final that consumers start to report fraudulent transactions, creating a wave of chargebacks for merchants.
Whether or not merchants overall are more prepared to guard against fraud at the World Cup this year, is an open question. “Time will tell,” Barwell said, though she contends ACI’s merchant clients will be well-protected.
Keeping data safe it the key, Johnson said. "Organizations should focus not only on preventing fraudulent transactions but also on minimizing exposure of sensitive payment data through technologies like tokenization and point-to-point encryption," he explained. "Even if an attacker successfully compromises a transaction path, reducing the value of the underlying payment data significantly limits the impact of the attack."
