By Mashable | Created at 2026-06-23 22:20:22 | Updated at 2026-06-23 23:21:23
1 hour ago
If you're attending one of the 104 games at the 2026 World Cup, or even watching it at a fan event or bar, cybersecurity isn't likely to be on your mind. But maybe it should be, according to a new survey from ExpressVPN.
As part of its inaugural World Cup Wi-Fi Risk Index, ExpressVPN surveyed 6,000 soccer fans from the U.S., UK, France, Germany, Spain, and Australia — and found that 70 percent of those surveyed would trust public Wi-Fi networks by their name alone.
"Fans stream matches from airport lounges, check scores in hotel lobbies, post from bars, buy food and merchandise from their seats, and move between public networks all day without much thought about who runs them," the company said in its report. "That habit is what makes the match day experience feel modern, and what makes the 2026 World Cup such a rich target for cybercriminals."
According to ExpressVPN, cybercriminals would simply have to set up a fake public Wi-Fi network and name it after the venue in order to trick the vast majority of World Cup attendees to login and share potentially sensitive information. Of the 6,000 surveyed, 70 percent of those surveyed said they would trust public Wi-Fi named "MetLife_Stadium_WiFi" while at the venue of the same name, for example.
Fewer than four in 10 fans said they would be able to tell the difference between a real official public Wi-Fi network and a fake one.
How an 'evil twin' attack scores off fans
The fake public Wi-Fi scam, known as an "evil twin" attack, is one of the oldest in the book. A cybercriminal simply creates a fake hotspot posing as a legit public Wi-Fi network with an official sounding name. Venue attendees connect to the fraudulent network — after which, if they log in into any accounts, sensitive information gets intercepted.
Mashable Light Speed
ExpressVPN's survey found 30 percent of U.S. fans between the ages of 18 and 29 have logged into their bank account using stadium Wi-Fi. Around half of all those surveyed have logged into their social media accounts when on a stadium's public Wi-Fi. Others have checked email, or work-related accounts, on Wi-Fi while at sporting events.
Before the World Cup started, the FBI's Internet Crime Complaint Center issued a public service announcement concerning the flood of fake FIFA and World Cup-related websites looking to scam soccer fans who were searching for tickets, hospitality, and merchandise.
Malicious actors are clearly looking to target the 6.5 million people expected to attend the World Cup games, as well as hundreds of millions of viewers around the world.
“Cybercriminals don't need sophisticated tools to target football fans," says ExpressVPN Chief Information Security Officer Aaron Engel. "They can name a network after a stadium, hotel, or fan event and wait for people to connect. Our research shows that familiar names carry more trust than they should.
"That becomes especially risky at a tournament like the World Cup, where millions of fans will be moving between stadiums, airports, hotels, and public venues.”
Fans traveling to the games face additional risks. The vast majority of those surveyed said hotel Wi-Fi felt the safest and were most likely to login to their accounts with sensitive information using those networks.
What can you do? Simple: no matter how much you're focused on the football, check with the venue before logging into anything that looks like a public Wi-Fi network. Most sports stadiums publish the name of their official Wi-Fi, so you have an assist in scoring a successful outing.
