Phish of the Week: FIFA World Cup 2026 Recruitment Scam with Google Browser-in-the-Browser Credential Harvester
This week's Phish of the Week features a recruitment-themed credential harvesting attack that impersonates FIFA World Cup 2026 talent acquisition staff. The FIFA World Cup is one of the most high-profile global events of 2026, and threat actors are quick to capitalize on the hype surrounding it. An unsolicited outreach from a major sporting organization feels both exciting and flattering — and that initial reaction is exactly what the threat actors are counting on.
How the attack works:
The target receives a personalized recruitment email from someone claiming to be Ebonee Bradley, the Head of Recruitment at FIFA. Sent via a legitimate third-party email platform, Amazon Web Services (AWS), the email clears standard security filters without raising any technical flags.
The email uses real FIFA World Cup branding, addresses the recipient by name, and references their professional background to make the outreach feel researched and credible. A call to action at the bottom invites the target to schedule a brief meeting, with a button linking to a calendar page.
Clicking the link leads to a fake meeting scheduling page hosted on a FIFA-themed look-alike domain. The page again displays real FIFA branding and a profile photo of the impersonated recruiter, details that reinforce the sense of a verified, professional contact. The only available action on the scheduling page is to "Continue with Google".
Clicking the button triggers a Browser-in-the-Browser (BitB) pop-up — a fake browser window rendered inside the real one, designed to mimic an authentic Google sign-in prompt, including a spoofed address bar showing what appears to be a legitimate Google URL. Any credentials entered into this pop-up are sent directly to the attacker.
Why the attack works:
What makes this campaign effective is that no individual element stands out as an obvious warning sign. There is no urgency, no pressure, and no obvious demand. It is simply what appears to be a once-in-a-career opportunity landing in the target's inbox.
The email arrives via a real platform, which lends it technical legitimacy. The branding is authentic. The recruiter persona is based on a real person. The scheduling flow mirrors how legitimate calendar tools actually work. The timing adds another layer of plausibility: launching the campaign right before the tournament begins means nearly everyone recognizes the FIFA World Cup name, and an invitation to be part of it is the kind of opportunity that may feel too exciting to stop and question.
The Browser-in-the-Browser technique is particularly difficult to detect because it mimics the visual appearance of a genuine browser pop-up, including a URL bar that appears to show a real Google address. Unlike a traditional phishing page, which opens in a new tab with a suspicious URL the target might notice, the fake window appears within the page itself — and for a target who has just been walked through a convincing multi-step hiring flow, there is little reason to stop and scrutinize it.
How to spot similar attacks:
- The sender domain does not match official FIFA or World Cup communications — check the full sender address, not just the display name
- A meeting scheduling page that offers no other action than signing in
- A sign-in pop-up that cannot be dragged outside the browser window is not a real browser window
- If you receive unexpected recruitment outreach from a major organization, navigate independently to their official careers page to verify the opportunity before taking any action
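The first check in the list above, comparing the display name against the actual sender domain, is easy to automate in a mail-filtering or triage pipeline. The script below is an added example written for this post; it is not Hoxhunt's code or part of the campaign analysis. The allowlist of "official" domains and the sample From headers (all under reserved `.example` names) are assumptions constructed for illustration, and a real deployment would replace them with the organization's own verified list.

```python
"""Flag recruitment emails whose From header claims a brand that the
actual sender domain does not belong to, or whose domain merely imitates
the brand (a look-alike). Added example, not from the original post."""
from email.utils import parseaddr

# Assumption: brand keywords and the domains treated as official for each.
# This is an illustrative allowlist, not a verified list of FIFA domains.
BRAND_DOMAINS = {
    "fifa": {"fifa.com"},
}

# Constructed sample headers modelled on the campaign described above.
SAMPLE_HEADERS = [
    "Ebonee Bradley - FIFA Recruitment <no-reply@mail-fifa-careers.example>",
    "FIFA Talent Acquisition <recruitment@fifa.com>",
    "Alice <alice@partner.example>",
]


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_official(domain: str, official: set[str]) -> bool:
    """True if the domain is an official domain or a subdomain of one."""
    return domain in official or any(domain.endswith("." + d) for d in official)


def check_sender(header: str) -> dict:
    """Parse a From header and report brand/domain mismatches.

    Two findings are possible per brand:
      * the display name mentions the brand but the domain is not official
        (display-name spoofing), or
      * the domain itself contains the brand keyword without being official
        (look-alike domain).
    """
    name, addr = parseaddr(header)
    domain = sender_domain(addr)
    findings = []
    for brand, official in BRAND_DOMAINS.items():
        if domain and is_official(domain, official):
            continue  # genuine sender for this brand, nothing to flag
        if brand in name.lower():
            findings.append(
                f"display name claims '{brand}' but sender domain "
                f"'{domain or '<none>'}' is not official"
            )
        elif brand in domain:
            findings.append(
                f"sender domain '{domain}' contains '{brand}' but is not "
                f"an official domain (possible look-alike)"
            )
    return {
        "name": name,
        "address": addr,
        "domain": domain,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = check_sender(header)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{flag}] {header}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

The check deliberately looks at the parsed address rather than the raw header text, since the display name is exactly the part a sender controls freely; pairing this with a look-alike check on the domain itself covers the FIFA-themed domain used for the scheduling page as well.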
What is Phish of the Week?
Phish of the Week is a weekly content initiative by Hoxhunt's Threat Operations team. Each week, we highlight a current phishing trend or notable real-world attack, covering what the threat is, how it works, and what to watch for to spot similar attacks in the future. The goal is to build consistent recognition of evolving phishing themes and tactics over time.