Estimated reading time: 4 minutes
In football, or is it soccer, mistakes get a second look with VAR, and referees can issue a card right away. With phishing, there is no review. Once someone clicks a link, the damage is often done before anyone notices. According to new Hoxhunt research, criminals have been watching the World Cup schedule closely. Phishing attacks themed around the tournament jumped nearly 500% from April to June 2026.
The most important detail is that the biggest spike in phishing happened right at kickoff. Attackers launched their campaigns when everyone, even security teams, was focused on the match.
The Two Set Pieces
Hoxhunt analysts found two main phishing tactics. The first targets marketing professionals with fake FIFA job offers. These messages seem appealing and tailored to the recipient. They lead to a fake Google sign-in page designed to steal credentials from people hoping to work at the World Cup.
The second tactic copies Coca-Cola’s tournament promotions with fake prize and bundle offers. These scams work because fans expect to see sponsor messages during the World Cup. With so much real marketing in inboxes, phishing emails blend in. Hoxhunt says this explains the spike in attacks at kickoff.
Timing Is The Whole Game
There is another reason for the spike. Kickoff is when security teams are often distracted or short-staffed. On match days, attention is split and responses are slower. Ransomware groups have used this tactic for years, attacking during holidays and weekends when defenses are weaker. The World Cup creates a global holiday at set times, making it an ideal target.
Hoxhunt describes this trend as ‘productizing the calendar.’ They saw a similar pattern in spring 2026, when phishing attacks during US tax season rose by over 400%. Their training simulations show that event-themed phishing emails get 42% more clicks than generic ones. While this number comes from simulations, it matches what is seen in real attacks.
What The Numbers Can And Cannot Say
It’s important to be cautious with these numbers. Hoxhunt sells phishing training, and their report recommends buying their simulations. The 500% increase is a relative figure, and the report does not share the starting numbers. The data comes from threats reported by Hoxhunt’s four million users, so it shows what trained employees see, but may miss attacks that go unnoticed.
To their credit, Hoxhunt points out something the trade press might miss. Their data shows AI-generated phishing increased 14 times in 2026, but they clearly say this does not prove the World Cup attacks used AI. The trend matches a rise in cheap, AI-driven phishing, but there is no direct proof.
The Tournament Threat File Grows
This report adds to a growing list of findings. Darktrace reported that 84% of sports organizations faced a cyber incident in the past year, as we covered at kickoff. Specops found over 1.2 million breached passwords named after Messi, which we reported in May. Recruitment scams, sponsor impersonations, and football-themed passwords all contribute to the same problem of stolen credentials.
The Insurance Angle: Schedule Your Underwriting
For insurers, event-based phishing means claims are more likely to happen around major dates. Social engineering fraud and business email compromise losses tend to spike during events that criminals can plan for. Cyber insurance brokers advising clients involved with the World Cup, such as sponsors or hospitality companies, should schedule reminders about verification and payment controls to match the tournament dates, not just the renewal date.
The main lesson is clear. Security awareness programs that follow a fixed yearly schedule are not enough anymore. Attackers now plan around major events like sports tournaments. For them, extra time just means more chances to reach inboxes.
FAQ – World Cup phishing
World Cup-themed phishing attacks rose nearly 500% from April to June 2026, spiking sharply at kickoff.
Fake FIFA recruitment lures targeting marketing professionals, and prize scams impersonating Coca-Cola’s tournament promotions.
Attacks are timed to calendar events, like tournaments or tax season, when unusual messages feel expected and normal.
Unproven. Hoxhunt tracked a 14-fold rise in AI-generated phishing but says the FIFA campaigns cannot be confirmed as AI-built.
Event-timed attacks cluster claims. Social engineering fraud exposure rises predictably around dates criminals can plan for.
Run event-timed awareness pushes, warn staff about recruitment and sponsor lures, and enforce payment verification callbacks during major events.
Related Cyber Insurance Posts
- 100% Compliant, Breached Anyway: Spektrum Labs CISO Joshua Brown on Why GRC Failed
- UK Cloud Outage Risk: Three Data Regions Carry 40% Of The Economy’s Revenue Exposure
- Nozomi Report: Ransomware Concentrates In English-Speaking Markets With 70% Share(Opens in a new browser tab)
- Ransomware in Q4 2024 Spike Amid Shift to Scalable Attacks – Report(Opens in a new browser tab)
- Willis Expands CyMax Facility As The SME Cyber Insurance Gap Persists