FIFA World Cup 2026™ Recruitment Scam Campaign
15 June 2026
By Samantha Clarke, Hiwot Mendahun and the Mimecast Threat Research team
- Fraudulent recruitment campaign impersonating FIFA World Cup 26™
- More than 2,500 emails observed using legitimate Zoom Events infrastructure
- Multi-stage attack collecting personally identifiable information (PII) through fake interview processes
- Predominantly targeting recipients in the United Kingdom, Germany and the United States working within Marketing/social media teams
- Campaign objective: Social media account harvesting to drain meta business ad funds
Campaign Overview
Major global events generate public interest at scale. Ahead of the 2026 FIFA World Cup, law enforcement agencies and security researchers have publicly warned about FIFA-themed spoofing activity, including fraudulent job portals as well as fake ticket and merchandise sites. The Mimecast Threat Research team has observed a recruitment scam that leverages the upcoming FIFA World Cup 26™ to establish credibility. Threat actors are impersonating multiple high-profile brands to deliver unsolicited job offers, directing recipients to book calls via scheduler.zoom.us. The messages are delivered using Zoom Events infrastructure, and the scheduling URLs resolve to legitimate Zoom Scheduler pages on the zoom.us domain, making them particularly difficult to distinguish from authentic outreach.
In addition to the FIFA World Cup 26™, we have also identified similar activity impersonating FC Barcelona, Meta, Warner Bros, Amazon, and Publicis Groupe.
What makes this campaign particularly difficult to detect is its deliberate abuse of Zoom's own infrastructure, routing victims through legitimate scheduler.zoom.us URLs that appear indistinguishable from genuine recruiter outreach. Layered on top of this trusted platform abuse, consistent social engineering tactics are designed to exploit job seekers and those eager to be part of the world's most-watched sporting event.
In each observed instance, the initial contact follows a recognizable template: polished enough to appear legitimate but consistent enough across targets to reveal its automated origins.
The Initial Outreach
The emails targeted social media managers or those believed to have an active Meta for Business account. The messages reviewed followed a consistent structure:
- A generic greeting ("Hello," or "Hi,") without the recipient's name
- A statement that the sender found the recipient's profile and was impressed by their social media expertise
- An offer involving a social media or fan-engagement role tied to the impersonated brand
- An invitation to a "confidential introductory conversation"
- A link to a Zoom Scheduler URL
The email text states that after the recipient books a call, they will receive a confirmation email containing a link to an "official application for the role." Completing the application is described as a mandatory step to be considered.
Multi-Stage Attack Flow
The Mimecast Threat Research team observed a multi-step booking flow hosted on Zoom Scheduler (scheduler.zoom.us) during FIFA-themed campaigns.
Across several campaigns, the research team has seen the scheduler collect extensive personal information:
- Full name
- Email address
- Phone number
- LinkedIn profile URL
- Experience level with specific platforms (e.g., Meta Business Suite)
- Written responses about fit for the role and relevant experience
Likely End Goals
Based on the campaign structure and data collection methods, several threat scenarios are possible.
Identity and credential theft: After the form is completed via the Zoom scheduler page, recipients will receive a "mandatory application" link. This page likely directs users to credential harvesting page designed to capture login data. Once the credentials are secured, threat actors likely aim to drain the funds in the existing Meta for Business account.
Account takeover: Application forms may request users to authenticate via Google, Facebook, or LinkedIn, enabling session hijacking or account compromise.
PII harvesting during fake interviews: Scheduled calls may involve requests for sensitive information including Social Security numbers, bank account details, and government-issued ID scans under the guise of employment verification.
Financial fraud: Victims may be asked to pay for equipment deposits, onboarding fees, or participate in fake check schemes where they deposit fraudulent checks and wire funds before the check bounces.
Indicators of Compromise (IOCs)
Sender Domain:
- noreply-zoomevents@zoom.us (legitimate Zoom Events infrastructure)
Malicious Scheduler URLs:
- scheduler.zoom.us/joseph-fifa/social-media-manager
- scheduler.zoom.us/joseph-fcb/social-media
Common Email Characteristics:
- Generic greetings without recipient name
- References to social media expertise
- Links to personal Zoom Scheduler pages
- Sender name "Joseph" with title "Talent Acquisition Team"
- No job requisition IDs or official careers portal links
Recommendations
User Awareness Training
- Educate employees on the specific characteristics of this campaign
- Train users to verify recruiter identities through official company channels before engaging
- Emphasize that legitimate employers do not request sensitive personal information before formal interviews or offers
- Conduct phishing simulations that include recruitment-themed scenarios
Proactive Threat Hunting
- Search email receipt logs using the IOC’s listed
Keep your edge in threat intelligence
Join thousands of security professionals who rely on our curated alerts, expert analysis, and campaign IOCs to defend against the latest cyber threats.
Sign up successful
Thank you for signing up to receive updates for our threat intelligence notifications.
We will be in touch!