Survey: The 2026 World Cup Wi-Fi trap—how a familiar venue name fools 7 in 10 football fans

A new ExpressVPN survey of 6,000 football fans across six countries finds more than 70% would trust public Wi-Fi by name alone, leaving them exposed at the 2026 World Cup.

Modern football fandom is now as much a digital activity as a physical one. Fans stream matches from airport lounges, check scores in hotel lobbies, post from bars, buy food and merchandise from their seats, and move between public networks all day without much thought about who runs them. That habit is what makes the matchday experience feel modern, and what makes the 2026 World Cup such a rich target for cybercriminals.

A new ExpressVPN survey of 6,000 football fans across the U.S., the UK, France, Germany, Spain, and Australia, published as the inaugural ExpressVPN World Cup Wi-Fi Risk Index, finds that fans are heading into the tournament with a vulnerability cybercriminals are already positioned to exploit. Across all six markets, more than 70% of fans said they would trust and connect to a public Wi-Fi network if it used the name of a venue or event they were attending, something like "MetLife_Stadium_WiFi" or "Wembley_Guest_WiFi." Yet fewer than four in 10 fans in any market said they believed they could reliably tell a real public Wi-Fi network from a fake one.

That gap is the central cybersecurity problem of the World Cup. A familiar venue name is the easiest credential a cybercriminal can fake, and at a tournament that will bring an estimated 6.5 million people to stadiums across three host countries, the supply of recognizable venue names is effectively unlimited.

The riskiest profile belongs to younger fans, especially those aged 18 to 29 in the U.S. They are among the most confident that they can spot a fake network, the most willing to trust venue-named Wi-Fi, and the most likely to use public networks for sensitive activity. Nearly one in three said they have checked a banking or financial app while connected to stadium Wi-Fi, against 2.5% of fans aged 62 to 80. 

The fans most comfortable online are also the ones most likely to treat public Wi-Fi as part of the matchday experience.

73% of fans trust venue-named Wi-Fi, but fewer than 4 in 10 say they can spot a fake

A fan standing near a stadium, hotel, airport, bar, or fan zone doesn't need much convincing when a network appears with the name of the place they are already in. Across all six markets, 72.7% of fans said they would be likely to trust and connect to a public Wi-Fi network if it used the name of a venue or event they were attending. In the U.S., that figure rose to 82.4%, with the UK at 80.6%, Germany at 77.2%, France at 68.3%, Australia at 65.8%, and Spain at 62.1%.

Trust in venue-named networks outpaced detection capability in every market. In Germany, only 19.2% of fans said they could tell a real network from a fake one, against 77.2% willing to trust a venue-named network. Spain showed a similar split (24.7% versus 62.1%), as did Australia (26.9% versus 65.8%). Even in the U.S., where detection confidence was highest, only 37.5% of fans overall said they could reliably tell the difference.

Fans understand the general risk of public Wi-Fi but use it anyway. In every country surveyed, a majority of respondents described public Wi-Fi at venues such as stadiums, airports, bars, and hotels as very or somewhat risky, with Spain reporting the highest concern at 82.5%, followed by Australia at 75.8% and the U.S. at 73.4%. That awareness doesn't stop them from connecting once the match is live. More than half of U.S. fans (55.5%) said they have streamed live matches or sports content on public Wi-Fi, compared with 48.9% in Germany, 47.7% in Spain, 46.9% in the UK, 42.4% in France, and 34.4% in Australia.

The immediate need to stream, message, navigate, pay, or post tends to win in the moment. At the World Cup, that moment will repeat millions of times across stadiums, airports, hotels, fan zones, and bars.

How an “evil twin” attack works at the 2026 World Cup

The easiest public Wi-Fi scam is also one of the oldest: a cybercriminal creates a fake hotspot, gives it an official-sounding name, and waits for nearby people to connect. Cybersecurity researchers call this an “evil twin” attack.

ExpressVPN CISO, Aaron Engel, explains why it works particularly well at sporting events:

“Cybercriminals don't need sophisticated tools to target football fans. They can name a network after a stadium, hotel, or fan event and wait for people to connect. Our research shows that familiar names carry more trust than they should. That becomes especially risky at a tournament like the World Cup, where millions of fans will be moving between stadiums, airports, hotels, and public venues.”

The gap between what fans believe they can spot and what they are willing to connect to is the opportunity attackers rely on. A familiar network name at the moment a fan wants to get online is, for many, all the credibility a network needs.

Younger fans bank on stadium Wi-Fi 12x more than older fans

The survey’s most exposed demographic is younger fans, and the gap between them and older fans is sharpest where the stakes are highest. In the U.S., 30.2% of fans aged 18 to 29 said they have checked a banking or financial app while connected to stadium Wi-Fi, against 2.5% of fans aged 62 to 80. The UK gap was nearly as wide, with 24.6% of younger fans against 2.1% of the oldest age group.

The same generational pattern appears in streaming, where 69.7% of UK fans aged 18 to 29 reported watching sports on public Wi-Fi, compared with 13.9% of the 62-to-80 bracket. Younger fans were also more willing to hand over personal details to get online: 45.3% of U.S. fans aged 18 to 29 had entered an email address or phone number to access Wi-Fi or sports content during a match or tournament, with the figure at 38.8% in France, 38.3% in the UK, 36.4% in Spain, 35.2% in Germany, and 28.2% in Australia.

The most striking part of the younger-fans data is the confidence. U.S. respondents aged 18 to 29 reported the highest detection confidence of any age group surveyed, at 53.5%, while also reporting the highest willingness to connect to venue-named networks, with 86% saying a familiar stadium or event name would be enough to make them connect.

Among younger U.S. fans, confidence in spotting fake networks is accompanied by a greater willingness to connect, rather than by a stronger impulse to verify. The two attitudes run on parallel tracks instead of the first informing the second.

More than 1 in 4 U.S. fans have shopped on stadium Wi-Fi

Connecting to public Wi-Fi is only the first step, and what fans do afterwards is where the risk becomes more serious. Across the markets surveyed, fans said they use stadium Wi-Fi for everything from social media to banking. More than half of fans in the U.S. (55.3%), UK (56.9%), and France (55.1%) said they had logged into social media while connected to stadium Wi-Fi, around a quarter of fans in several markets said they had checked their email, and more than one in four U.S. fans (28.2%) said they had made a purchase on stadium Wi-Fi, including food, merchandise, or tickets.

The highest-risk behaviors are less common but more consequential: around one in seven fans in both the U.S. and UK have checked a banking or financial app on stadium Wi-Fi, and smaller but meaningful shares have accessed work accounts or corporate systems, including 9.1% of U.S. fans and 6.0% of UK fans.

Activity on stadium Wi-Fi

Not every stadium network is hostile, but fans routinely use shared networks for activities that carry real consequences if the network is compromised, spoofed, or monitored. Social media logins can expose personal accounts, email can become a gateway to password resets and account takeovers, and banking apps and work systems raise the stakes further still.

The most common behaviors on stadium Wi-Fi aren't the most consequential. Posting from a stadium may be the most visible activity, but checking a bank account or work platform can turn a bad network decision into an account compromise in a single session.

Hotel Wi-Fi feels safest, which may be why fans take bigger risks there

Stadium Wi-Fi is the obvious matchday risk, but hotels may be the more overlooked one. Across the survey, fans consistently rated hotel Wi-Fi as the safest type of public network: 84.9% in the UK, 82.3% in Germany, 79.3% in the U.S., 75.0% in France, 74.9% in Australia, and 72.5% in Spain.

Hotels were also the place where fans said they were most likely to log in to sensitive accounts, with between 51% and 61% of respondents in each country naming hotels as the place they would most likely use to access email, banking platforms, or work systems while connected to Wi-Fi. Airports came second by a wide margin, and stadiums ranked much lower.

Where fans are most likely to log into sensitive accounts

The trust is understandable, since hotels feel more controlled than airports or stadiums and a room key, a check-in desk, and a branded login page all create a sense of legitimacy. A hotel Wi-Fi network is still a shared public network used by hundreds of guests and devices at any given moment.

France leads on phishing, Spain on fake streaming sites, and the U.S. on hacked accounts

The survey also found that fans are already encountering cybersecurity incidents around major sporting events. France reported the highest rate of phishing or scam messages tied to sporting events, with 29.0% of French fans saying they had received such messages while trying to buy tickets, watch, stream, or attend a major sporting event. Spain followed at 26.1%, the U.S. at 19.6%, Australia at 19.3%, the UK at 18.0%, and Germany at 16.9%.

Spain also reported the highest exposure to suspicious or fake streaming websites and apps, with 21.6% of Spanish fans saying they had encountered one while following a sporting event. The U.S. reported the highest rate of hacked or compromised accounts at 10.5%, followed closely by Spain at 10.1% and France at 9.6%.

Cybersecurity incidents around major sporting events

World Cup cyber risk will not arrive through a single channel. Fans may encounter fake Wi-Fi networks near venues, phishing messages tied to tickets, suspicious streaming platforms, payment scams, or account takeover attempts, and the common thread across all of them is timing. Major live events create urgency, and urgency makes people less careful.

The ExpressVPN 2026 World Cup Wi-Fi Risk Index: U.S. tops the ranking, UK close behind

When the survey findings are viewed across several behaviors, the U.S. emerges as the highest-risk market overall, with high trust in venue-named networks, high willingness to connect to stadium Wi-Fi, the highest rate of purchases made on stadium Wi-Fi, and the highest rate of hacked or compromised accounts tied to major sporting events.

The UK also shows elevated risk, with strong trust in venue-named networks and some of the fastest public Wi-Fi connection behavior overall. Germany presents a different issue: fans are among the least confident in their ability to spot fake networks, but still show high trust in venue-named Wi-Fi. France stands out for phishing and scam messages, while Spain reports the highest awareness of the risks of public Wi-Fi and the highest exposure to fake streaming platforms. Australia's results show comparatively lower streaming on public Wi-Fi and lower willingness among fans aged 18 to 29 to use potentially unsafe Wi-Fi for match activity, but Australian fans still report high concern about public Wi-Fi risk and meaningful trust in venue-named networks.

Country differences matter for local press coverage, but the underlying pattern is consistent. Fans use public Wi-Fi in the same places where attackers have the easiest time exploiting trust: stadiums, hotels, airports, bars, and event spaces.

Five ways football fans can stay safer at the 2026 World Cup

The World Cup puts fans in exactly the environments where the risk of public Wi-Fi is easiest to ignore: crowded venues with familiar names, devices doing everything at once, and the urgency of live matches working against careful decisions. The fans most likely to fall for an attack are the ones most comfortable moving quickly online, which is what makes deliberate habits matter more than confident ones.

Engel suggests the following steps to keep your digital footprint safe:

1. Check the venue's published Wi-Fi name before you connect: A network name alone tells you nothing about who set it up. Most stadiums, hotels, and airports publish their official Wi-Fi name on signage, in their app, or on their website. If you can't verify it, don't tap.
2. Treat hotel Wi-Fi the same as any other public network: The hotel halo is one of the clearest patterns in the survey, and one of the least justified. Hundreds of guests and devices share the same network at any moment.
3. Keep banking apps, work logins, and sensitive accounts off public Wi-Fi: If you need to check your account balance or log into a work system, switch to mobile data. The tradeoff in convenience is small relative to the reduction in risk.
4. Watch for phishing tied to the tournament: France leads the survey on phishing exposure, and the other markets are not far behind. Fake ticket offers, fake streaming links, and lookalike sender names tend to spike around major sporting events.
5. Use a VPN: A VPN encrypts traffic between your device and the rest of the internet, so even on a compromised network, sensitive activity travels through an encrypted tunnel rather than over the local connection. ExpressVPN offers a 30-day money-back guarantee for fans who want to try one through the tournament.
   

Get ExpressVPN

Methodology

This survey was commissioned by ExpressVPN in May 2026 in collaboration with online market research provider Pollfish. The survey included football/soccer fans across the United States, the United Kingdom, France, Germany, Spain, and Australia, with 1,000 respondents surveyed in each market. All respondents identified as football fans who follow the sport closely or casually.