We'll get up at 4am for the Socceroos, cyber-criminals are counting on it
Thu, 2nd Jul 2026 (Today)
Millions of Australians are travelling, scrolling, tapping and sharing their way through the 2026 Fifa World Cup right now as the Socceroos aim for a first knockout round victory. But the biggest threat to their experience won't be anything happening on the pitch.
Australia has always watched the world's biggest moments from a distance, geographically, culturally, and usually in the middle of the night. We set our alarms for 3:55am, then meet our colleagues with square eyes at the work coffee machine – often reporting match updates from overnight. We've made an art form of caring deeply about things happening on the other side of the planet. The World Cup, currently being hosted across three co-host nations – United States, Canada, and Mexico – is no different.
For some, the love has gone further. Australian fans have booked flights, hunted down tickets, and made the journey to Vancouver, Seattle, and New York. What gets far less attention is the digital risks those fans are exposed to when they're excited, distracted, or jetlagged in a foreign city.
They land at LAX. They connect to airport Wi-Fi. They pull up their banking app at a stadium bar, or log into their work emails from a hotel lobby in Los Angeles. That's the real risk – not pickpockets or street scams, but the invisible threat sitting on the same network.
New research from ExpressVPN makes the scale of that risk hard to ignore. A survey of six thousand football fans across six countries found that nearly two thirds of Australians would connect to a public Wi-Fi network simply because it used a familiar venue or event name, like Stadium_Guest_WiFi'. Setting up a convincingly named malicious network requires very little technical skill. Cybercriminals know this, and they're counting on fans not thinking twice.
The password habits are just as exposed. Two thirds (66.6%) of Australian fans reuse the same password or something close to it, across multiple accounts. And the passwords themselves aren't hard to crack. 63% of Australian fans use football related info in at least one password, and Australian fans were the most likely to admit that someone familiar with their interests could probably guess it. Of those who had shared their login for a sports streaming platform, more than a third said that same password was protecting something else entirely – such as an email inbox, a shopping account, a bank.
That matters on public Wi-Fi because fans aren't just checking scores once they're connected. The most common activity is logging into social media (44%), followed by accessing emails (19.4%) and purchasing tickets, food or merchandise (18.5%). Every login and transaction on an unverified network is an opportunity for a malicious actor to exploit. Close to one in five (19.3%) Australian fans have already experienced phishing scams, fraudulent charges, or hacked accounts at major sporting events. Yet three in four (75.8%) Australian fans acknowledge that public Wi-Fi at stadiums, airports, and bars is risky. Convenience, it turns out, is a hard habit to break.
The risk isn't confined to the stadium either. Australian fans are logging into personal and sensitive accounts across every stop of the match-day journey. Hotels are the most common location (51.2%), followed by airports (31.5%), pubs and restaurants (17.9%), train stations (12.8%), and stadiums themselves (9%). With the World Cup spanning three countries, that exposure compounds at every step – from check-in to kick-off.
Younger fans are the most exposed. Gen Z respondents were consistently the most willing to trade security for access, with 22.4% of Australian Gen Z fans saying they'd use public Wi-Fi to follow a match, even knowing it might not be secure. Over a quarter (28.21%) have already handed over personal details – an email address or phone number - to access Wi-Fi or sports content during a match or tournament. For cybercriminals that's an ideal target – highly connected, comfortable sharing personal information, and more willing to accept risk in exchange for instant access.
Airports, stadiums, fan zones, and hotel lobbies are environments that criminals target. They're noisy, chaotic, and full of people who are mentally somewhere else.
Cybercriminals only need an ordinary distraction. A fake "Stadium_FreeWiFi" network or a login page that looks like the real deal. A moment of inattention while checking a bank balance, logging into a streaming account with a reused password, or watching a replay. Most fans are more focused on whether their team can hold a one-goal lead. Attackers are counting on exactly that.
None of this should dampen the excitement. The Socceroos qualifying for their sixth consecutive World Cup, having the perfect start to the tournament with a 2-0 victory against Turkiye, and having a genuine chance of getting through to the last 16 are worth celebrating. The prospect of Australian fans filling stands in North America, or merely watching the game from afar, is worth the lost sleep.
But it comes with a responsibility to travel smart. Be sceptical of unfamiliar networks. Use a VPN on public Wi-Fi before you're in the crowded stadiums. Enable multi-factor authentication on key accounts. Stop using football related passwords. Pay attention to the small moments that signal something doesn't feel right. A VPN takes seconds to switch on and makes you a significantly harder target.
Australians have never done sport in halves; we go all out. We just need to bring that same energy to protecting ourselves, so that the only thing opponents can exploit is our defensive shape, not our digital habits.