Press play to start listening
Scammers are using excitement around the FIFA World Cup 2026 to target employees with a new email scam, reveals Cofense Intelligence.
According to their investigation, scammers send emails offering free, exclusive World Cup T-shirts, pretending that FIFA has partnered with the victim’s employer to give away these gifts.
These emails are sent to trick workers into downloading a malicious program onto their work computers. Right when an employee clicks the link, hackers can gain initial access inside the business network. This can allow them to spy on corporate activities, steal business data, or compromise sensitive company accounts.
The emails are highly dangerous because they look real. Scammers properly research their targets before sending the messages, and even put the worker’s name, company name, and company logo directly onto images of the fake merchandise. This trick makes people trust the email and click the link quickly.
Security software failed to stop the attack
Cofense researchers reported that these fake emails easily passed through major security tools. The campaign successfully bypassed three widely used email protection programs: Cisco IronPort, Microsoft ATP, and Abnormal Security. Researchers noted that the malware, called Voidrift, is hosted on a legitimate website domain. This makes it very hard for standard security defenses to spot the threat.
After being downloaded, Voidrift hides inside the computer. It is designed to run quietly without being caught, and that’s why security teams cannot easily find or respond to the infection. Cofense researchers warn that “traditional email security controls cannot be relied upon to stop this campaign.”
How to protect your company
Because the malware bypasses automated systems, companies need better ways to protect themselves. This campaign shows how fast scammers use major global events to create clever tricks. Automated security filters alone are no longer enough to stop these emails from reaching inboxes.
Cofense explained that relying on real people to report strange emails is a better defence. Since human-reported intelligence comes directly from what workers see in their inboxes rather than automated boundary controls, it helps teams catch threats that security software misses.
Workers should stay alert and avoid clicking links in unexpected emails offering free tournament gear, even if the messages include official company logos.
Expert’s commentary:
Max Gannon, the Cyber Intelligence Team Manager at Cofense, shared his thoughts on the threat with Hackread.com. He explained that global sporting events like the FIFA World Cup create a big target for hackers because everyone gets excited about them.
“What separates this campaign from run-of-the-mill phishing is the level of research the attackers did before sending a single email,” Gannon said. “They embedded each recipient’s name, their company’s name, and their company’s logo directly into the imagery, which takes deliberate effort and reconnaissance. The time pressure and scarcity tactics layered on top, like ‘only the first 100 people can claim this,’ are far more believable when tied to a real, high-profile event that people are already emotionally invested in.”
Gannon also pointed out how dangerous the software is once it slips past filters. “This campaign bypassed three separate secure email gateways, meaning the organizations targeted had every reasonable defense in place and were still hit. Once Voidrift lands, it is specifically engineered to resist the tools security teams use to analyze and detect it, so every layer of this attack was built to succeed,” he stated.
To stay safe, Gannon advised workers to doubt any unexpected emails offering rewards. “If an email knows your name, your employer, and uses your company logo, that is not proof it is legitimate. In this case, it was the opposite.
Organizations need to accept that no single email security gateway is enough. When attackers are actively testing and evading multiple platforms at once, the only reliable signal comes from humans reporting suspicious emails directly from their inboxes.”
