The Game is Starting: Release the Fraudsters

The Exploit Blog

Published on June 10, 2026
Written by Brian Tant

The talk is all over your company. A large sporting event looms, and your employees are planning to watch it. Some will buy merchandise. Some already tried to get tickets but couldn’t. A few probably clicked something they shouldn’t have. Oops! The tournament kicks off in a few days, but the fraud infrastructure has been running since last year.

There have been 4,300 fraudulent sporting event domains registered over the last ten months. At any given time, at least 300 are actively running phishing operations, most of them built on a single shared kit operated by the Chinese hacking group called GHOST STADIUM. FortiGuard Labs counted more than 13,000 domains registered between January and May 2026 alone, roughly 9% of them malicious or suspicious. The FBI has published a public service advisory.

At Raxis we run phishing simulations for our clients on a regular basis, but popular sporting and entertainment events take this one step further. With victims of this fraud desperate to engage with the event, they are likely to go in search of malicious sites without much effort on the attacker’s part.

Why Some Events Are Different

When events are located in a target-rich environment where many people have the means to afford tickets and merchandise and others aim to find work related to the event, their demand gives rise to conditions where fraud flourishes. A large sporting event can boast thousands, or even millions, of seats. Sporting events may be 30 times oversubscribed in some cases, which means the overwhelming majority of people who wanted tickets go without. The desire to be one of the lucky ones can displace sound judgement. 

If these sports fans are your employees, traveling with work devices, using personal devices for sensitive work, connecting to airport and hotel networks, and making purchasing decisions under time pressure, then the threat spreads into your organization.

What’s Actually Out There

The fraud ecosystem around large sporting events is a mature, multi-vector operation with distinct components targeting different attack surfaces. 

Credential Harvesting

Readily available phishing kits replicate login pages so faithfully that they are indistinguishable from the real thing, and use them to hijack real accounts. Once an attacker has credentials, they can drain hospitality tickets or resell access to the event. Around one recent event, more than 1,700 spoofed social media accounts were found, nearly 90 percent of them on Facebook and Instagram (Fortinet). Campaigns redirecting job applicants through a fake Google login page proliferate on social media. The gold mine at the end of that chain is a Google account and everything that comes with it: Sheets, Docs, Drive, and any federated logins associated with the account.

Banking Malware

Bogus streaming sites promising free event broadcasts quietly install malware on users’ devices upon sign-up. ThreatFabric has documented payloads using accessibility permissions to overlay fake login screens on legitimate banking apps. These payloads have been known to record keystrokes, intercept one-time codes from SMS and authenticator apps, and even facilitate remote screen control.

No legitimate streaming app requests accessibility access. Any app that does should be uninstalled immediately.

Fake Ticket and Merchandise Fraud

Recorded Future’s payment fraud team tracked a network of 33 scam domains running roughly 2,500 online ads in 2026. These sites looked like official merchandise outlets. When a victim made a purchase, their card data and personal information landed in the wrong hands within seconds. Several of these operations rotated merchant accounts to stay live even after individual domains got flagged.

Business Email Compromise

This is the side-channel vector most organizations don’t consider. Proofpoint found that many sporting event-adjacent partners lacked sufficient DMARC enforcement to block domain spoofing of their procurement chains. If your organization does business with event-related partners, including travel vendors, hospitality providers, technology contractors, and others, attackers can spoof their domains with minimal effort. A fraudulent invoice or payment redirection request coming from a trusted vendor domain leading up to an event isn’t likely to raise flags.

Fake Job Listings

The FBI has repeatedly flagged recruitment lures using fake job postings to collect passport scans, selfies, and personal information for identity theft. Bold as brass, these attacks directly target the employees who fill out the form.

The Underlying Mechanics

The fraud infrastructure runs on the same economics as other commoditized attack services. Group-IB has documented phishing-as-a-service market vendors selling tailor-made scam kits and ticket-buying bots for events. The credential data flowing out of these operations ends up on dark web markets where it gets used for unrelated fraud long after the event ends. The fervor creates the acquisition opportunity, but the data lives on, often bought and sold dozens of times over.

What This Means for Your Organization

The fraud targets individuals and, by extension, organizations. A credential phishing campaign that captures a Google Workspace login also captures everything attached to it. Your corporate email, shared drives, and SSO sessions are all acquired as well. Banking malware installed on a personal device used for work could lead to financial and other compromise for your organization.

Your security awareness training may cover phishing, but large sporting events often arrive with emotional collateral and are a great time for a targeted refresher. Attacks that would otherwise be easily spotted may become compelling interactions. Throw in scores of people traveling and spending money, and the attack surface soon boggles the mind.

A few practical controls worth reviewing leading up to a large sporting event:

  • Provide specific guidance and remind employees what the attack surface looks like. Fake streaming sites, unsolicited ticket offers, merchandise deals through social ads, and job postings are all active long before game day. Be specific to get employees thinking about the current risks.
  • Check DMARC configuration on trusted domains. If your supply chain includes event-adjacent vendors, verify their domain authentication posture before the event creates elevated email volume. Finance teams should apply extra scrutiny to any payment requests arriving during the event window.
  • Flag any app requesting accessibility permissions. On personal or corporate mobile devices, accessibility permission requests from entertainment or streaming apps are a reliable indicator of malicious intent. Revoke immediately.
  • Run phishing simulations using the event. If your last social engineering exercise didn’t include event-themed lures, this is a great opportunity to run a test and training to keep the risk at the top of your employees’ thoughts.
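
One way to carry out the DMARC check from the list above, as an added example that is not Raxis's own code: it classifies the TXT records found at `_dmarc.<domain>` by how strictly spoofed mail is handled. The vendor domains and records are constructed samples, and the verdict labels are this example's own.

```python
# Added example: classify DMARC enforcement from the TXT records at
# _dmarc.<domain>. All domains and records below are constructed samples.

def parse_dmarc(txt):
    """Parse one DMARC record into a tag dict; None if malformed."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or (i == 0 and (name, value) != ("v", "DMARC1")):
            return None  # v=DMARC1 must be the first tag
        tags.setdefault(name, value)
    return tags or None

def classify(txt_records):
    """Return (verdict, detail) for the TXT records of one domain."""
    dmarc = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return ("none", "no DMARC record published")
    if len(dmarc) > 1:
        return ("invalid", "multiple DMARC records: receivers apply none")
    tags = parse_dmarc(dmarc[0]) or {}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("invalid", "missing or malformed p= tag")
    if policy == "none":
        return ("monitor-only", "p=none: failures are reported, not blocked")
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if pct < 100:
        return ("partial", f"p={policy} requested for only {pct}% of failing mail")
    if tags.get("sp", policy).lower() == "none":
        return ("partial", "sp=none: subdomains are not protected")
    return ("enforced", f"p={policy} at 100%")

SAMPLE_VENDORS = {  # hypothetical vendor domains with constructed records
    "travel-vendor.example": ["v=spf1 -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@travel-vendor.example"],
    "hospitality.example": ["v=DMARC1; p=none"],
    "tech-contractor.example": ["v=DMARC1; p=quarantine; pct=25"],
    "caterer.example": [],
}

def audit(vendors):
    """Map each vendor domain to its (verdict, detail) pair."""
    return {domain: classify(recs) for domain, recs in vendors.items()}

if __name__ == "__main__":
    for domain, (verdict, detail) in audit(SAMPLE_VENDORS).items():
        print(f"{domain:26} {verdict:13} {detail}")
```

Vendors that come back as anything other than `enforced` are the ones whose payment requests deserve out-of-band confirmation during the event window.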

The fraud running against sports fans exploits the same infrastructure and tradecraft that proliferate the rest of the year. A showstopper event just builds a larger, more motivated victim pool for a few weeks. Enthused employees wade into that pool whether or not they notice it at the time.

Brian Tant

Brian brings to Raxis a rich and varied background in Information Technology spanning more than 20 years. Sought after by clients for his unique blend of business acumen and technical prowess, Brian has consistently delivered value to hundreds of organizations spanning the globe throughout his career. Brian is Raxis’ CTO and currently leads the Raxis Penetration Testing and Social Engineering team.
