When in doubt, kick it out, plus other tips for hardening your cyber-defenses against World Cup-themed phishing and other scams
The FIFA World Cup 2022 in Qatar is just about to kick off! From November 20th through December 18th, one of this year’s most important global events will attract hundreds of millions of football (or soccer, if you prefer) fans from all over the world. But as we’ve seen before, online fraudsters invariably use the buzz surrounding such major events to defraud sports fans, and not only them.
Let’s look at how scammers are kicking it up a notch in the run-up to the upcoming edition of the quadrennial tournament and how you can avoid falling foul of their ploys.
In one tried-and-tested variety of scams, criminals make victims believe they won a cash prize or a ticket or hospitality package to watch a match in person. The real intention, however, is typically the same: get you to hand over your personal data or money or unwittingly download info-stealing malware into your device.
ESET researchers have detected a number of global phishing campaigns that seek to trick people into thinking that they won a lottery prize. To collect your “winnings”, it appears that you only need to fill in a few fields via a form and provide personal details, such as your full name, date of birth, and phone number.
As in the example below, the announcement may come complete with the name of a contact person who will, supposedly, help you claim your prize. At some point, the agent will let you know that before you can actually claim your winnings there’s some tax or fee to be paid. Once the transfer is completed, the scammers have accomplished their objectives: they’ve stolen your money and personal information for follow-on fraud or in order to sell it to other crooks.
In the example above, this image was sent as an email attachment. The scam requests a variety of personal identification details, and in order for you to receive the “ATM card”, it asks you to contact the agent, who requests a fee before sending the card.
One tell-tale sign that something is amiss is the generic salutation. The email subject lines are not very creative, either – think “Qatar World Cup 2022 Lottery Winner”, “QATAR 2022 FIFA LOTTERY WINNER” or “CONGRATULATIONS, YOU HAVE WON THE QATAR FIFA 2022 MEGA WORLD CUP LOTTERY”. On the other hand, they can certainly catch one’s attention and hopes.
Below is another example of a phishing email using the World Cup theme. The image, embedded in an email message, includes a “Click Here” button to snag a ticket and watch the opening World Cup fixture in person. In these kinds of campaigns, however, clicking the button results in you giving away your personal data or downloading malicious content into your computer or mobile device.
— GM Sectec (@gmsectec) September 3, 2022
Sometimes a more convincing (if you don’t pay much attention to detail, that is) variety of phishing fraud involves rogue websites posing as the real ones. Links to them are also distributed through spam emails, via fake social media profiles or in discussion forums.
Regardless of whether these sites are spitting images of legitimate sites or not, the key thing is that they are launched in order to steal personal and financial data, login credentials and other sensitive information, or as a way to install malware on victims’ devices.
The website shown below poses as the official World Cup site and even mimics the real URL, https://www.qatar2022.qa/ (take note of the .pro top-level domain in the imposter website). The cybercriminals also created a ‘gateway’ for people to buy their tickets, but obviously the fans first need to supply their personal data. Once stolen, this data can be misused or sold on immediately to other fraudsters.
A number of people have already reported being contacted via email by “FIFA officials” who offered tickets for sale. Meanwhile, Reddit users are sharing message exchanges with people offering fake printed tickets.
If you’re still looking to buy tickets to watch any of the games, you need to beware of scammers. It’s worth mentioning that Qatar 2022 only has digital tickets, the only exception being last-minute, over-the-counter purchases that can only be done in person directly at two possible offices in Doha, Qatar. Resale of unauthorized tickets is prohibited in Qatar and penalties can be very severe. The only way to resell tickets and purchase them is through the official FIFA ticket resale platform.
Other ways to get scammed
Recently, a crypto token called FIFA Inu was launched and before long it started receiving accusations of being a cryptocurrency scam because of the sudden drop it suffered after a sustained rise. Its founders insist that the accusations are false. Either way, it is always advisable to be careful when investing money.
Messages sent via WhatsApp and involving bogus giveaways, fake social media profiles or even malicious ads that redirect you to rogue websites are very common ways to catch you by surprise. So, be on the lookout for suspicious ads and messages and don’t fall for unexpected windfalls. As we have seen in other cases, scammers often take advantage of major events, trending topics or emergencies to ramp up their criminal activity.
Your cybersecurity game plan
Staying safe from scams, be they World Cup-themed or not, comes down to a few simple rules:
- You can’t win a lottery if you didn’t buy a ticket. If someone tries to convince you otherwise, it is a scam.
- Don’t pay someone in order to receive a prize. Advance fee schemes are a way of stealing your money.
- Look out for phishing attacks. Don’t click on links or attachments in emails or other messages unless you’re sure they’re legitimate, especially if the messages are unsolicited and request your personal data.
- Similarly, watch out for rogue websites. Pay attention to the websites you visit, and always check for grammar and spelling mistakes, weird URLs, a lack of security certificates or other signs that something is amiss, especially if that website is asking for your money or personal information.
- Don’t hand over your personal information to whoever asks for it – it could be misused for fraud right away or further sold on the dark web.
- Use two-factor authentication on all accounts, especially those containing your sensitive information. This reduces the chances of hackers cracking them open with stolen/phished passwords.
- Use reputable, multi-layered security software with anti-phishing capabilities.
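The lookalike-domain trick (qatar2022.pro standing in for qatar2022.qa) and the lottery subject lines quoted above can be turned into simple mail-filter rules. The triage below is an added example written for this article, not ESET's code; the sample messages and the .pro hostname it runs over are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Official World Cup site named in the article; every other host below is a constructed sample.
OFFICIAL_HOST = "qatar2022.qa"

# Phrases taken from the subject lines quoted in the article.
LOTTERY_PHRASES = ("lottery winner", "you have won", "mega world cup lottery")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_label(host: str) -> str:
    """Second-level label of a hostname, e.g. 'qatar2022' for 'www.qatar2022.pro'."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_hosts(text: str) -> list:
    """Hosts in the text that reuse the official brand label but are not the official site."""
    brand = registrable_label(OFFICIAL_HOST)
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST):
            continue  # genuine site or one of its subdomains
        if brand in host:  # catches qatar2022.pro and qatar2022.qa.example.net alike
            hits.append(host)
    return hits


def triage(subject: str, body: str) -> dict:
    """Flag a message that matches the lottery, advance-fee or lookalike-domain patterns."""
    reasons = []
    if any(p in subject.lower() for p in LOTTERY_PHRASES):
        reasons.append("lottery-win subject line")
    b = body.lower()
    if "fee" in b and ("claim" in b or "prize" in b):
        reasons.append("advance fee requested to claim a prize")
    hosts = lookalike_hosts(body)
    if hosts:
        reasons.append("lookalike domain: " + ", ".join(hosts))
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (not real emails).
PHISH_SUBJECT = "CONGRATULATIONS, YOU HAVE WON THE QATAR FIFA 2022 MEGA WORLD CUP LOTTERY"
PHISH_BODY = ("Dear Winner, to claim your prize contact our agent and pay the processing fee. "
              "Buy tickets at https://www.qatar2022.pro/tickets")
LEGIT_SUBJECT = "Your ticket application update"
LEGIT_BODY = "Sign in at https://www.qatar2022.qa/ to view your application."
```

Run `triage(PHISH_SUBJECT, PHISH_BODY)` to see all three rules fire, while the legitimate sample passes clean.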