The 2026 FIFA World Cup is here. The U.S., Mexico, and Canada are co-hosting. Tickets are expensive, supply is tight, and millions of people are searching online for any seat they can grab. Scammers know this.

Last week, the FBI’s Internet Crime Complaint Center issued a public warning that they have already identified 36 separate fake FIFA websites set up to steal money, payment cards, and personal information from people trying to buy World Cup tickets, hospitality packages, or even apply for FIFA jobs.

The fakes look exactly like the real fifa.com. They use small misspellings (filfa.org, wvvw-fifa.com, ww-fifa.com) or unusual domain endings (fifa.cab, fifa.pink, fifa-ticket.live, worldcup26ticket.com). Some pretend to be FIFA’s career portal (jobs-fifa.com, fifa-hr.com) to harvest your resume, your address, and your bank info under the guise of an "interview."

The trap usually starts with a Google ad. The fake site is paid to appear above the real fifa.com in the sponsored results. You click, the page looks right, you enter your card to "reserve" a ticket. The card gets charged for far more than you agreed to, or it gets charged the right amount and no ticket ever arrives, or the card simply gets used the next day in another country.

The rule: Type fifa.com directly into your browser. Never trust a sponsored search result for a high-demand ticket. If you’ve already bought from a third-party seller, dispute the charge with your card now, not after the match.

Source: FBI IC3 PSA: Threat Actors Spoofing FIFA Websites in Advance of the 2026 World Cup

A crypto ATM (sometimes called a Bitcoin kiosk) is a machine in a gas station or convenience store that takes your cash and turns it into cryptocurrency. They look ordinary. They are now the scammer’s favorite tool.

The FBI just released the 2025 numbers. Americans were tricked into feeding $388 million into crypto kiosks last year, a 58 percent jump in losses from 2024. More than half of the victims were over 50, and those older victims lost $302 million of the total.

The script is always the same. Someone calls or messages, says they are with the IRS, Social Security, your bank, your utility, or the local police. They invent an emergency. They tell you to withdraw cash from your bank "to protect it" or "to clear a warrant." They send you a QR code by text. They direct you to the nearest crypto kiosk and walk you through scanning the code and feeding bills into the slot. Every dollar you feed in goes straight to the scammer’s wallet.

A few telltale signs that someone is being set up for this: an unusually large cash withdrawal, especially in big denominations. A QR code on their phone they cannot explain. A "helpful" caller who stays on the line while they drive to the gas station. Confusion, nervousness, and a story that involves the words "warrant," "frozen account," or "protect your money."

The rule: No legitimate government agency, bank, utility, or police department will ever ask you to pay through a crypto kiosk. If anyone tells you to, hang up and call the agency back at a number you look up yourself. If it’s a family member you’re worried about, walk them away from the kiosk before they tap "confirm."

Source: FBI IC3 PSA: Cryptocurrency Kiosk Complaint Data By State

Your phone rings. The caller says they’re from "Medicare benefits review" and they need to verify your Medicare number to make sure you’re still enrolled, or to send you a new card, or to confirm a free back brace your doctor ordered. They sound friendly. They have your name.

Don’t read them anything off your card.

The FTC issued an alert last week reminding everyone that Medicare fraud now costs taxpayers about $60 billion a year, and a lot of it starts with that exact call. A scammer collects your Medicare number, then bills Medicare for hospice care you never received, equipment that was never delivered, or treatments that never happened. The bills get paid out of the Medicare trust fund. The fraud sometimes gets caught later, but the damage is done, and your medical record now has fake claims attached to your name.

Medicare itself almost never calls you out of the blue. Medicare representatives only call you back if you contacted them first. They will never visit your home to sell you anything, and they will never ask you to verify your Medicare number to "keep your benefits active." A fake plan, a fake brace, a fake "new card" pitch, those are all the scam.

The rule: Treat your Medicare number like your Social Security number. If someone calls asking to verify it, hang up and call 1-800-MEDICARE yourself. If you suspect fraud on your account, you can also call the Senior Medicare Patrol at 1-877-808-2468.

Source: FTC: Medicare fraud affects everyone, here’s what to know and do

It’s graduation season. Wedding season. Summer-party season. So when this text shows up, it feels normal:

"You’re invited! Sarah has sent you an invitation through Paperless Post. To view the event details and RSVP, please verify your email by signing in below: paperlesspost-login.app/rsvp"

You tap. The page looks right. It asks for your email address and your email password "to load your invite."

That’s where the scam clicks shut.

The FTC put out a fresh warning about this exact pattern last week. Scammers are sending fake invitations branded as Evite, Paperless Post, or "RSVP," using a real name from your contacts (sometimes scraped from a previous data breach, sometimes guessed). The login page they send you to is a phishing page, and once you type your password in, the scammer has your email account. From there they can reset your bank login, drain saved payment methods, and send the same fake invite to every contact in your address book.

Real invitation platforms (Evite, Paperless Post, Punchbowl, Partiful) never ask you to log in to your email account to view an invite. They send you a link that opens the invite directly, or they email it as a clickable card. If anything ever asks for your email password, it isn’t a real invite.

The rule: Never enter your email password on a page you reached from a link in a text or email. If you want to RSVP, go to the invitation platform’s real website (evite.com, paperlesspost.com) and look up your event there.

Source: FTC: Asked to enter your email address and password to open a party invite?