FIFA World Cup 2026: More than One-Third of Official Partners Expose the Public to the Risk of Email Fraud

April 14, 2026

Analysis by cybersecurity company Proofpoint reveals that while most partners have implemented baseline email authentication, many are still not proactively blocking fraudulent emails that impersonate their brands

Proofpoint, a leader in cybersecurity and compliance, today unveiled the results of a study showing that more than one-third (36%) of the official sponsors, suppliers, partners and supporters associated with the FIFA World Cup 2026, which takes place from the 11 June to 19 July 2026, do not have the necessary email security measures in place to help protect themselves from domain impersonation. This may expose fans, customers, and partners to an increased risk of email fraud that impersonates trusted brands.

Cybercriminals routinely seek to capitalise on major global sporting events by targeting fans with social engineering scams posing as sponsors, airlines, hospitality brands, delivery services, or consumer brands, using lookalike domains and spoofed email. In the run-up to a tournament that drives a huge surge in travel, ticketing interest, promotions, and merchandise activity, the wider ecosystem must be strengthened against email-borne threats, the primary attack vector for fraud.

To establish the current state of defences against impersonation risk, Proofpoint analysed the level of adoption of DMARC (Domain-based Message Authentication, Reporting and Conformance) across a list of World Cup sponsor domains.

DMARC, the first line of defence against email fraud

In recent years, Proofpoint has observed cybercriminals using a range of tactics to impersonate legitimate organisations to reach their target, rather than hacking into and infiltrating their victims’ networks and technical infrastructure.

DMARC is an email authentication protocol designed to protect domain names from misuse by cybercriminals. It authenticates the identity of the sender before allowing a message to reach its destination. DMARC has three levels of protection: monitoring, quarantine, and reject; rejection being the safest way to prevent suspicious messages from reaching the inbox.

Implementing DMARC allows an organisation to define what treatment should be applied to email messages using its domain name, as well as the policy to be applied in case of failure during verification: accept the email message (p=none, where p here stands for policy), categorise it as spam (p=quarantine), or delete it (p=reject).

Key research findings include:

The domain names that make up the FIFA World Cup 2026 sponsors, partners, suppliers and partners ecosystem were analysed, with the following findings:

Out of the 25 domains analysed, 24 (96%) have published a DMARC record at a basic level, indicating most organisations have begun implementing protections against email domain impersonation.
However, only 16 of the 25 domains (64%) actively protect their domain name with the strongest DMARC “reject” policy, the setting that prevents unauthenticated, spoofed emails from being delivered.
This means more than one-third (36%) are not yet proactively blocking fraudulent emails that attempt to impersonate their brand.
Eight domains (32%) have DMARC set to monitoring mode or a partial enforcement posture, which provides visibility but does not stop spoofed emails from reaching inboxes.

Jennifer Cheng, Director of Cybersecurity Strategy, APJ at Proofpoint, said: “Major global sporting events like the FIFA World Cup create ideal conditions for cybercriminals to exploit excitement, urgency and trust at scale. Across Asia Pacific, where digital engagement around ticketing, promotions and online services is high, brands and consumers should be on alert for increased phishing and impersonation attempts in the lead-up to the tournament, particularly as AI-powered tools make these attacks easier to launch and harder to detect. While it is encouraging that many brands have taken steps to improve their email security, too many are still leaving the door open to fraudulent messages. To reduce this risk, businesses need to take proactive steps by strengthening email protections to block fraudulent messages before they reach the inbox and by building employee awareness through phishing simulations and ongoing education.”

Fans should be especially cautious in the run-up to the tournament and keep the following recommendations in mind:

The safest way to buy tickets is directly from FIFA, which does have a full DMARC 'reject' policy in place.

Be wary of unsolicited emails, texts, or calls - especially those urging urgent action or immediate payment.
Never share financial information or passwords via email or text message; if in doubt, contact the organisation using official channels.
Use a unique password for each account and enable multi-factor authentication (MFA) where possible.

Learn more about DMARC visit: https://www.proofpoint.com/uk/threat-reference/dmarc

###

Methodology:

To assess the level of DMARC adoption among the official sponsors of the FIFA World Cup 2026, Proofpoint conducted an analysis of the primary corporate domains of each organisation listed on the FIFA website, along with Sports Business Journal. FIFA has a full DMARC “reject” policy in place. The analysis was carried out in February 2026.

About Proofpoint, Inc.

Proofpoint, Inc. is a global leader in human- and agent-centric cybersecurity, securing how people, data, and AI agents connect across email, cloud, and collaboration tools. Proofpoint is a trusted partner to over 80 of the Fortune 100, over 10,000 large enterprises, and millions of smaller organisations in stopping threats, preventing data loss, and building resilience across people and AI workflows. Proofpoint’s collaboration and data security platform helps organisations of all sizes protect and empower their people while embracing AI securely and confidently. Learn more at www.proofpoint.com.

Connect with Proofpoint on LinkedIn

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.

Cybersecurity for the agentic workspace starts with Proofpoint’s human and agent-centric security platform.

Join a live Protect event—learn how to protect people, data, and AI

Stop cyber threats with AI-driven multichannel protection.

Experience Core Email Protection in action—block 99.99% of email threats

Transform data security with a unified, omnichannel approach.

Understand the top data security risks organisations face — and how to stay ahead

Proofpoint technologies powering human and agent-centric security.

Explore Proofpoint packages

Optimise Proofpoint solutions with expert services.

"The partnership with Proofpoint, it's an extention of our team." –Celesta Capital

Comprehensive solutions for today’s cybersecurity threats.

Learn about new AI risks—and how to build a secure foundation for enterprise adoption

Superior protection for every industry, from small business to large enterprise.

Discover the security risks healthcare organisations can't afford to ignore

More than 80 of the Fortune 100 choose Proofpoint to protect their people, data, and AI.

Evaluating security vendors? Compare us by checking out side-by-side comparisons.

Research, insights and resources from Proofpoint experts.

New Agents, New Attacks: Securing Collaboration in the Agentic Era

Learn from our expert threat intelligence and insights that you won’t find anywhere else.

Proofpoint DISCARDED Tales from the threat research trenches

Learn more about the team driving human and agent-centric security.

Ready to join a company redefining cybersecurity?