The FBI and the Internet Crime Complaint Center (IC3) have issued a public service announcement warning the public about a surge in malicious spoofed websites related to the FIFA games. Cybercriminals are using these fake sites to impersonate FIFA, tricking fans into giving up personal information and credit card numbers or buying counterfeit tickets and fake travel packages.

“The malicious domains employ typosquatting and alternative top-level domains (TLDs) to impersonate the official FIFA domain (fifa.com), deceiving users into divulging sensitive information or purchasing counterfeit tickets and hospitality packages. The sophistication of these sites is such that even experienced users may be fooled, especially as attackers leverage HTTPS certificates and cloned branding.”

Two cybersecurity research firms have identified over 1,400 malicious spoofed websites, including fake visa and travel portals and fraudulent hospitality and ticketing sites. In addition, “the scale of credential theft is staggering, with more than 1.5 million compromised accounts and 7,300+ leaked credentials related to FIFA and its partners being traded on the dark web.”

Enjoy watching the games, but don’t let these fake domains fool or scam you. Here are some tips to avoid becoming a victim:

  • Access FIFA resources only via https://www.fifa.com and official subdomains.
  • Block and monitor the IOCs published by the researchers at the network perimeter.
  • Educate staff and fans about the risks of fake ticketing and job sites.
  • Monitor for phishing campaigns using World Cup themes.
  • Coordinate with law enforcement and FIFA’s official cybersecurity partners for incident response.
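As an added defensive example (not from the FBI/IC3 announcement or the research reports), the following Python script applies the typosquatting and alternative-TLD patterns described above to constructed resolver log lines and flags registrable domains that impersonate fifa.com. The homoglyph table, the log format and the sample domains are assumptions; the brand-embedding check goes slightly beyond the announcement by also catching longer labels that contain the brand.

```python
import re
from typing import List, Optional, Tuple

BRAND = "fifa"            # label of the official domain
OFFICIAL = {"fifa.com"}   # registrable domains the announcement treats as legitimate
# Look-alike character substitutions (assumed, not exhaustive).
HOMOGLYPHS = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e", "5": "s", "4": "a"})


def registrable(domain: str) -> Tuple[str, str]:
    """Split a hostname into (registrable label, TLD); assumes single-label TLDs."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance between two labels."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def classify(domain: str) -> Optional[str]:
    """Return why a domain looks like an impersonation of the brand, or None."""
    label, tld = registrable(domain)
    if f"{label}.{tld}" in OFFICIAL:
        return None  # official domain or a genuine subdomain of it
    if label == BRAND:
        return f"alternative TLD .{tld}"
    if label.translate(HOMOGLYPHS) == BRAND:
        return "homoglyph substitution"
    if edit_distance(label, BRAND) == 1:
        return "typosquat (one edit from brand)"
    if BRAND in label:
        return "brand embedded in label"
    return None


def scan(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Pull the queried name out of BIND-style 'query:' lines and classify it."""
    findings = []
    for line in log_lines:
        m = re.search(r"query:\s+(\S+)", line)
        if m and (reason := classify(m.group(1))):
            findings.append((m.group(1).lower(), reason))
    return findings


# Constructed sample resolver log lines, not real traffic.
SAMPLE_LOG = [
    "client 10.0.0.5 query: www.fifa.com IN A",
    "client 10.0.0.7 query: tickets.fifa.net IN A",
    "client 10.0.0.9 query: f1fa.com IN A",
    "client 10.0.0.9 query: fiifa.com IN A",
    "client 10.0.0.12 query: fifa-hospitality2026.com IN A",
    "client 10.0.0.12 query: example.org IN A",
]
```

Run `scan(SAMPLE_LOG)` over your own resolver or proxy export; the output is a triage list, so review hits before adding them to perimeter blocklists.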

On June 17, 2026, the U.S. District Court for the Eastern District of Pennsylvania denied Brown-Daub Chevrolet of Nazareth’s motion to dismiss a putative class action alleging violations of the Telephone Consumer Protection Act’s (TCPA) National Do Not Call Registry (DNCR) provisions. In Pero v. Brown-Daub Chevrolet of Nazareth (E.D. Pa. June 17, 2026), the court considered whether a text message is a “telephone call” under Section 227(c) of the TCPA, and concluded that it is.

The TCPA restricts certain telemarketing communications and, through Section 227(c), provides a private right of action to a person who receives more than one prohibited telephone call within a 12-month period. The plaintiff alleged that she registered her number on the DNCR in 2021, gave the dealership her number in October 2024 to receive truck sales information, later opted out of texts, and then received six unwanted texts between January 8 and March 28, 2025.

The court’s analysis is notable in the current environment. The court recognized that the Supreme Court has abolished Chevron deference and that courts must exercise independent judgment rather than defer automatically to agency interpretations. At the same time, it emphasized that agency interpretations may still deserve respect as the product of “a body of experience and informed judgment,” particularly where Congress delegated implementation authority to the FCC.

Turning to the statutory text, the court focused on Section 227(a)(4), which defines “telephone solicitation” as the initiation of a “telephone call or message” for telemarketing purposes. Although texts did not exist when Congress enacted the TCPA, the court found that Congress “intended to prohibit more than solicitations by telephone” because it also used the phrase “by message.” Applying ordinary meaning, the court concluded that a text message is “a communication (message) transmitted by a telephone,” and therefore falls within the statute.

The court also gave “considerable weight” to the FCC’s interpretation and noted the FCC’s 2024 clarification that DNCR protections extend to text messages. Considering the statutory language, FCC rules, and the “overwhelming majority of courts,” the court held that texts are calls under Section 227(c). Companies using SMS campaigns should treat texts to DNCR-listed numbers as regulated telemarketing contacts, confirm the required consent, and make opt-outs durable across systems and personnel. The decision also suggests that post-Loper Bright challenges to FCC TCPA interpretations may face headwinds where the agency’s position aligns with statutory text and the weight of judicial authority.

DraftKings is the latest target in California’s wave of California Invasion of Privacy Act (CIPA) website-tracking litigation. In Hughes v. DraftKings Inc., filed in the Central District of California, plaintiff Dana Hughes alleges that DraftKings operated its website with data broker software from NextRoll, The Trade Desk, and Comscore that secretly collected data about website visitors, their devices, locations, page views, and browser characteristics to identify and track users for marketing and profiling purposes. The complaint alleges that Hughes visited the DraftKings website and that data reasonably likely to identify her was transmitted to at least three third parties through code running on the site. 

The core CIPA theory is familiar but still high stakes: the complaint claims the tracking code operated as an unlawful “trap and trace device” under California Penal Code section 638.51 because it captured electronic signals and identifying information from visitors’ devices without a court order or consent. Hughes seeks class certification, statutory damages under CIPA, punitive damages, restitution, disgorgement, injunctive relief, attorneys’ fees, and other relief. For companies, the warning is straightforward: plaintiffs are continuing to scrutinize routine website advertising and analytics tools through the lens of California’s wiretap and trap-and-trace laws. The DraftKings complaint targets third-party tags that many businesses may view as standard marketing infrastructure, including retargeting pixels, cookie-based identifiers, browser fingerprinting, cookie matching, and cross-site tracking tools. Businesses that receive CIPA demands or complaints should quickly map which third-party scripts run on their sites, what data those scripts collect or transmit, whether the vendors are data brokers or advertising technology providers, and what consent, disclosure, and vendor controls are in place before responding.

The leaders of the Five Eyes cyber security agencies, representing Australia, New Zealand, Canada, the United Kingdom, and the United States, issued an alert on June 22, 2026, entitled “The AI Shift in Cyber Risk: Why Leaders Must Act Now,” a “call to action” urging organizations to protect against cyber threats to themselves and to society as a whole. The Five Eyes are expressing urgency because artificial intelligence (AI) is quickly changing cyber risk, and organizations need to act fast to keep up. The call to action is informed by the fact that AI can improve cyber defense but also makes cyber-attacks faster, larger, and more advanced, changing both how attacks happen and how organizations must defend against them.

Because of this, the Five Eyes stress that cyber resilience is critical for business continuity, market confidence, and long-term success.

The Five Eyes encourage leaders to:

  • understand and assess risks, readiness, and accountability 
  • focus on basic cybersecurity practices and controls 
  • give cyber leaders the authority and resources they need 
  • stay involved as threats and guidance change 

The alert emphasizes how “success for organizations depends on getting the basics right, acting quickly, and making cybersecurity part of the core business strategy.” It stresses that cyber risk is not just a technical issue—it is a business risk and a leadership responsibility.

Boards and executives must ensure systems are resilient and work under pressure. It is not enough to have controls; leaders must know those controls will work during a real incident. This may require rethinking past decisions and using AI carefully to strengthen defenses, not just improve efficiency.

The alert outlines key actions for leaders, including:

  • Build systems to be secure from the start and by default 
  • Do not rely on a single solution—use multiple layers of defense 
  • Expect new and unknown vulnerabilities as AI evolves, including zero-day risks

It also lists “urgent” practical actions:

  1. Reduce your attack surface: Limit unnecessary access and external connections. Only expose systems when truly needed. 
  2. Speed up patching: AI is reducing the time between finding and exploiting vulnerabilities. Delays increase risk, especially for older systems. 
  3. Fix legacy systems: Unsupported systems are easy targets and create serious risk. 
  4. Strengthen access controls: Limit who can access critical systems. Use strong authentication and regularly review permissions. 
  5. Prepare for incidents: Test response plans, train teams, and assume breaches will happen. Focus on quick containment and recovery.

It also suggests that leaders use AI to strengthen defense against cyber-attacks. Getting ahead of cyber-attacks when threat actors are using AI requires continued preparedness and the ability to use tools to detect, monitor, and defend against them, including AI tools developed for defense purposes. If ever there was digital warfare, it is now, with the proliferation of AI-enhanced tools. Leaders of all organizations should review the recommendations by the Five Eyes and implement them for the preparedness of the organization and society.

After several years of experimenting with generative AI, machine learning, and AI agents, many insurers are no longer asking whether AI belongs in the business. The harder question is whether a pilot is ready to scale. The answer usually is not found in the model architecture or the novelty of the tool. It is found in how the organization talks about AI: whether leaders can tie the use case to specific business outcomes, define the process changes required, and explain how human teams will rely on the output in day-to-day work.

That distinction matters because AI can easily become a solution in search of a problem. A technically impressive pilot may still fail if it addresses an “interesting” problem rather than an important one. The AI use cases most likely to scale are the ones embedded into core workflows, not bolted on as side experiments. In insurance, that often means giving underwriters, claims teams, or operations personnel tools that help them review, prioritize, and decide more effectively, while preserving clear human oversight and accountability.

For carriers, the scaling question is also a governance question. Before expanding an AI pilot, organizations need to be clear about whether AI is making decisions, recommending actions, summarizing information, or helping employees work faster. They also need data showing whether users trust the tool, when they override it, and where it may create downstream risk across interconnected systems. Moving too fast without governance creates obvious regulatory and operational concerns. But waiting too long has its own risk. The carriers best positioned for the next phase of AI adoption will be those that treat scaling as a readiness exercise: aligning business value, workflow design, oversight, infrastructure, and regulatory expectations before the pilot becomes part of the enterprise.

LastPass has confirmed that a security incident at a vendor, a third-party market intelligence platform “which integrates with our Salesforce and Gong systems,” has compromised some customers’ information. As a result, the threat actor was able to use credentials to access LastPass customer data within its Salesforce environment.

The compromised information includes “business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.” LastPass is recommending that customers:

“remain vigilant of potential phishing attacks or social engineering attempts, which could leverage exposed contact details. Always exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information.

Please remember that no one at LastPass will ever ask for your master password.

All official communication from LastPass comes through our trusted support channels.”

These are sound tips generally, but particularly helpful if you have a LastPass account.

In a recently released report titled Cybersecurity in Global Sport: Threats, Signals, and Strategic Implications for a Digitized Industry, cybersecurity firm Darktrace has outlined “the current challenges the global sporting sector faces and…forward-looking views on future challenges as AI increasingly becomes adopted across the sector.”

The Report’s conclusions were the result of a survey of 875 IT cybersecurity professionals across sports organizations located in the U.S., U.K., Australia, and Germany.

Because the global sports industry “has undergone a rapid and continuous digital transformation” (including digital ticketing platforms, broadcasting, mobile applications, and third-party vendor support), and because sports organizations are adopting generative AI and agentic AI tools, emerging cybersecurity threats are increasingly targeting these organizations.

The Report’s key takeaways include:

  • 84% of professional sports organizations surveyed have experienced at least one cyber incident in the past 12 months, with more than half (57%) hit multiple times. This underscores that cyber risk is already an operational issue for the sector.
  • 34% of respondents cited stadium operations as the most critical function to protect during a live event, reinforcing that cyber resilience in sport is defined by high-visibility moments where downtime is least acceptable.
  • Sports sector customers received 19% more phishing emails than non-sports sector customers, reinforcing that email and identity remain dominant attack vectors for sports organizations.
  • 21% of phishing emails targeting sports sector customers were sent to VIPs, while 37% contained novel social engineering techniques, highlighting how attackers are focusing on high value identities and adapting tactics to exploit urgency, trust, and operational complexity in the sports sector.
  • 47% of respondents cited AI prompt risks and attacks and AI development risks and deployment as top concerns for AI use within their organizations.
  • 72% of IT cybersecurity professionals from sports organizations surveyed believe AI will increase cyber risk over the next 12 months as adoption grows in high stakes areas including stadium operations, ticketing and fan engagement, and business operations.

Sports organizations have been victimized by various threats including: “client-side payment skimming, ransomware outbreaks, and compromise of ecommerce infrastructure through third-party scripts. Fan platforms and mobile applications have been accessed via exposed keys and weak API security, placing large user populations at risk.”

Darktrace suggests that organizations treat cyber risk “as an operational and governance challenge” to be resilient against attacks. This includes:

  1. Threat modeling for emerging technologies, including AI misuse;
  2. Rigorous supply chain governance and vendor access control;
  3. Strong segmentation across IT, OT, and fan-facing systems;
  4. Identity-centric security with anomaly detection and universal multi-factor authentication (MFA);
  5. Phishing resilience across all channels, including QR-based vectors; and
  6. Operational playbooks aligned to live event constraints.

The Report is a must read for those in the sports sector.

Researchers from Mandiant and Google Threat Intelligence Group are warning the higher education sector, including universities, that ShinyHunters has exploited an Oracle PeopleSoft zero-day vulnerability and has “potentially infiltrated the networks of more than 100 organizations in an attack spree that largely impacted higher education.” ShinyHunters has reportedly started publishing the names of the compromised victims and stolen data.

The vulnerability (CVE-2026-35273) “allows unauthorized attackers to execute remote code and takeover affected servers.” Oracle has published mitigation steps, but a patch has not yet been released. According to Mandiant, “This campaign is still active.” Google adds that “most of the potential victim pool is based in the United States and 68% are in the higher education sector.” If you are in the higher education sector, implement Oracle’s mitigation steps as soon as possible, and look out for a released patch.

A recent court order from the Northern District of California offers a useful reminder that not every alleged collection of browsing data will support an invasion-of-privacy claim. In Campbell v. Honey Science, LLC (N.D. Cal. June 15, 2026), the plaintiffs alleged that PayPal’s Honey browser extension promised to search for and apply the “best” coupons or discount codes when users shopped online, but sometimes failed to provide the lowest available price. According to the complaint, Honey allegedly did not actually search the internet for discount codes and instead used codes from affiliate networks, a website, or Honey subscribers, while also allegedly maintaining vendor agreements that affected which discounts would be applied. The plaintiffs asserted claims under California’s Unfair Competition Law, unjust enrichment, and invasion of privacy.

On the invasion of privacy front, the plaintiffs alleged that Honey examined users’ visited websites and browser cookies without adequate disclosure or consent. The court assumed, for purposes of the motion, that browsing history could involve a legally protected privacy interest and a reasonable expectation of privacy. However, the court held that this was not enough. To state a California invasion-of-privacy claim, according to the court, the plaintiffs also had to allege conduct that was “highly offensive” and amounted to a serious invasion of privacy.

That element turned on context. The court contrasted Honey with cases involving more surreptitious tracking, including tracking after a user logged out of an account. Honey, by contrast, was a browser extension downloaded for the “express purpose” of monitoring online shopping activity and applying coupon codes at checkout. Therefore, the court held that the alleged collection looked more like “routine commercial behavior” than a highly offensive privacy intrusion.

The court also held that the pleading lacked the details needed to turn tracking into an actionable privacy claim. The plaintiffs did not allege what specific browsing behavior Honey tracked, what information was collected, or why that information was “embarrassing, invasive, or otherwise private” enough to make the collection highly offensive. The court rejected the idea that collection of browsing data, standing alone, was enough “without more detail.”

Browser extensions, plug-ins, apps, shopping tools, and loyalty technologies should still be built around clear disclosures, appropriate consent flows, and data minimization. Still, where data collection aligns with the product’s apparent function, plaintiffs may need specific allegations of sensitive, unexpected, or intrusive tracking to state a privacy claim.

The Federal Communications Commission (FCC) has narrowed its foreign-produced drone restrictions by removing a specific category of “Toy Drones” and “Toy Drones that contain foreign-produced components” from the FCC Covered List. The June 15, 2026, Public Notice follows a June 12, 2026, National Security Determination from the Department of War, which found that this defined class of devices does not pose an unacceptable risk to U.S. national security or to the safety and security of U.S. persons. The update refines the FCC’s broader December 2025 action, which added foreign-produced uncrewed aircraft systems and UAS critical components to the Covered List, subject to later specific determinations that particular systems or components do not present the same level of risk.

The key takeaway is that the exception is narrow. To qualify as a “Toy Drone,” a device must meet a detailed set of technical and marketing criteria, including a maximum take-off weight of 150 grams, line-of-sight operation of 100 meters or less, maximum sustained altitude of 300 feet, no GPS or equivalent navigation system, no internet, mobile app, cellular, or Wi-Fi connectivity, no imaging or sensing capabilities, flight time of 10 minutes or less, and marketing as a toy for recreational use. The Department of War framed the distinction around capability: low-risk toys lack the range, endurance, sensing, payload, connectivity, and data collection or storage features that raise national security concerns in more capable UAS.

For drone manufacturers, importers, retailers, and equipment authorization applicants, the notice offers a clearer view into how federal officials are separating low-risk consumer toy products from higher-risk drone systems. The Covered List now expressly excludes foreign-produced Toy Drones, as defined in the National Security Determination, and Toy Drones that contain foreign-produced components, while leaving the broader restrictions in place for foreign-produced UAS and UAS critical components that do not fit an exception. Companies should treat the update as a targeted compliance opening rather than a general relaxation of the FCC’s drone-related supply chain restrictions.