If you’re attending one of the 104 games at the 2026 World Cup, or even watching it at a fan event or bar, cyber security is unlikely to be on your mind. But maybe it should be, according to new research from ExpressVPN.
As part of its launch Wi-Fi Risk Index at the World CupExpressVPN surveyed 6,000 soccer fans from the US, UK, France, Germany, Spain and Australia – and found that 70 percent of respondents would trust public Wi-Fi networks based on their names alone.
“Fans stream matches from airplane lounges, check scores in hotel rooms, post at bars, buy food and merchandise from their seats, and move between public networks throughout the day without giving much thought to who’s running them,” the company said in its report. “That behavior is what makes the matchday experience feel modern, and what makes the 2026 World Cup a prime target for cybercriminals.”
According to ExpressVPN, cybercriminals would only have to set up a fake public Wi-Fi network and give it the name of a venue to trick many World Cup participants into logging in and sharing potentially sensitive information. Of the 6,000 respondents, 70 percent of respondents said they would trust public Wi-Fi called “MetLife_Stadium_WiFi” while in a venue of the same name, for example.
Less than four in 10 fans said they would be able to tell the difference between an official public Wi-Fi network and a fake one.
How the ‘evil twin’ attack is winning over fans
The fake public Wi-Fi scam, known as the “evil twin” attack, is one of the oldest in the book. A cybercriminal creates a fake hotspot masquerading as a legitimate public Wi-Fi network with an official-sounding name. Hall attendees are connected to the fraud network – after that, if they log into any account, sensitive information is captured.
Mashable Light Speed
An ExpressVPN survey found 30 percent of US fans between the ages of 18 and 29 have logged into their bank account using stadium Wi-Fi. Almost half of all respondents have logged into their social media accounts while on the stadium’s public Wi-Fi. Others have checked email, or work-related accounts, over Wi-Fi while at sporting events.
Before the World Cup began, the FBI’s Cybercrime Reporting Center issued a public service announcement about the flood of FIFA and World Cup fake websites related to the Cup seeks to defraud football fans who were looking for tickets, hospitality and merchandise.
Bad actors are clearly looking to target the 6.5 million people expected to attend the World Cup games, as well as hundreds of millions of viewers around the world.
“Cybercriminals don’t need sophisticated tools to target soccer fans,” says ExpressVPN Chief Information Security Officer Aaron Engel. “They can name the network after a stadium, hotel or fan event and wait for people to connect. Our research shows that familiar names are more trusted than they should be.
“That becomes very dangerous in a tournament like the World Cup, where millions of fans will be moving between stadiums, airports, hotels and public venues.”
Fans traveling to games face even more risks. The majority of respondents said hotel Wi-Fi felt more secure and were more likely to log into their accounts with sensitive information using those networks.
What can you do? Simple: no matter how much you focus on football, check the venue before you log into anything that looks like a public Wi-Fi network. Most playgrounds publish the name of their official Wi-Fi, so you have help in making a successful trip.
