Proofpoint warns 36% of FIFA World Cup sponsors lack full email security

Matt Cooke, EMEA Cybersecurity Strategist at Proofpoint

A Proofpoint study has revealed that over a third of official FIFA World Cup 2026 sponsors and partners have not implemented the strongest level of email security. The research found that 36% of analysed domains lack a DMARC ‘reject’ policy, leaving fans and customers vulnerable to sophisticated impersonation scams and email fraud in the lead-up to the tournament.

Cybercriminals routinely seek to capitalise on major global sporting events by targeting fans with social engineering scams posing as sponsors, airlines, hospitality brands, delivery services, or consumer brands, using lookalike domains and spoofed email. In the run-up to a tournament that drives a huge surge in travel, ticketing interest, promotions, and merchandise activity, the wider ecosystem must be strengthened against email-borne threats, the primary attack vector for fraud.

To establish the current state of defences against impersonation risk, Proofpoint analysed the level of adoption of DMARC (Domain-based Message Authentication, Reporting and Conformance) across a list of World Cup sponsor domains.

DMARC, the first line of defence against email fraud

In recent years, Proofpoint has observed cybercriminals using a range of tactics to impersonate legitimate organisations to reach their target, rather than hacking into and infiltrating their victims’ networks and technical infrastructure.

DMARC is an email authentication protocol designed to protect domain names from misuse by cybercriminals. It authenticates the identity of the sender before allowing a message to reach its destination. DMARC has three levels of protection: monitoring, quarantine, and reject, with reject being the safest way to prevent suspicious messages from reaching the inbox.

Implementing DMARC allows an organisation to define what treatment should be applied to email messages using its domain name, as well as the policy to be applied in case of failure during verification: accept the email message (p=none, where p here stands for policy), categorise it as spam (p=quarantine), or delete it (p=reject).
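The policy levels described above can be read straight from a domain's published DMARC record. The following Python sketch is an added example, not Proofpoint's methodology or code: it classifies TXT records by enforcement level and tallies the results. The domain names and records are constructed samples, and the posture labels and the handling of the `pct` tag are assumptions made for this illustration.

```python
from collections import Counter

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # The record must open with v=DMARC1; one without p= is treated as
    # unusable here, which is a simplification made for this example.
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1" or "p" not in tags:
        return None
    return tags

def posture(txt):
    """Classify one TXT record; txt is None when _dmarc.<domain> has no record."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no record"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitoring"
    if policy == "quarantine":
        return "quarantine"
    if policy != "reject":
        return "no record"
    # A pct value below 100 applies reject to only a sample of failing mail.
    pct = tags.get("pct", "100")
    return "reject" if not pct.isdigit() or int(pct) >= 100 else "partial reject"

# Constructed sample records (hypothetical domains, not data from the study).
SAMPLE = {
    "sponsor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@sponsor-a.example",
    "sponsor-b.example": "v=DMARC1; p=quarantine; pct=100",
    "sponsor-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@sponsor-c.example",
    "sponsor-d.example": "v=DMARC1; p=reject; pct=25",
    "sponsor-e.example": None,
}

def summarise(records):
    """Count how many domains fall into each posture."""
    return Counter(posture(txt) for txt in records.values())

if __name__ == "__main__":
    for label, n in summarise(SAMPLE).items():
        print(f"{label}: {n}/{len(SAMPLE)} ({100 * n / len(SAMPLE):.0f}%)")
```

Only the "reject" bucket corresponds to the full protection the article refers to; every other bucket leaves some spoofed mail deliverable.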

Key research findings include:

The domain names that make up the FIFA World Cup 2026 sponsor, partner and supplier ecosystem were analysed, with the following findings:

  • Out of the 25 domains analysed, 24 (96%) have published a DMARC record at a basic level, indicating most organisations have begun implementing protections against email domain impersonation.
  • However, only 16 of the 25 domains (64%) actively protect their domain name with the strongest DMARC “reject” policy, the setting that prevents unauthenticated, spoofed emails from being delivered.
  • This means more than one-third (36%) are not yet proactively blocking fraudulent emails that attempt to impersonate their brand.
  • Eight domains (32%) have DMARC set to monitoring mode or a partial enforcement posture, which provides visibility but does not stop spoofed emails from reaching inboxes.

Matt Cooke, EMEA Cybersecurity Strategist at Proofpoint, said: “Major events like the FIFA World Cup naturally generate huge excitement — from travel plans and ticket purchases to special offers and merchandise. Unfortunately, that also creates opportunities for scammers to take advantage of fans. While it’s encouraging that many partner brands have taken steps to improve their email security, too many are still leaving the door open to fraudulent messages. Without stronger protections in place, it becomes easier for criminals to impersonate trusted brands and trick people into sharing personal details or making payments for fake offers.”
