Olympic Games 2024: Two-thirds of official partners expose the public to the risk of email fraud


Analysis by cybersecurity company Proofpoint also reveals most local authorities that will host the Games, ticketing platforms, and travel booking platforms are not proactively blocking fraudulent emails from reaching customers 

London, UK – April 11, 2024 – Proofpoint, a leader in cybersecurity and compliance, today unveiled the results of a study showing that two-thirds (66%) of the Official Partners of the Paris 2024 Games do not have the necessary security measures in place to protect themselves from domain impersonation, exposing the public to the risk of email fraud. In addition, as spectators around the world are organising their travel plans online, and many are still looking for a seat to attend events, most local authorities hosting the Games (70%), the top online ticketing platforms (90%) and travel websites (40%) are not proactively blocking fraudulent emails that could reach the public.

Cybercriminals regularly seek to take advantage of major sporting and cultural events to trick spectators via social engineering, posing as an official partner, infrastructure, ticketing platform or online travel booking site. In the run-up to the Paris Games, being held this summer, the entire ecosystem must be strengthened to defend against security threats – especially email fraud, the primary attack vector.

To establish the current state of defences against impersonation risk, Proofpoint analysed the levels of adoption of DMARC (Domain-based Message Authentication, Reporting and Conformance), a fundamental email protection measure, by all official Games partners, local authorities, ticketing and online travel booking platforms, and the results are worrying.

DMARC, the first line of defence against email fraud

In recent years, Proofpoint has observed cybercriminals using a range of tactics to impersonate legitimate organisations to reach their target, rather than hacking into and infiltrating their victims' networks and technical infrastructure.

DMARC is an email authentication protocol designed to protect domain names from misuse by cybercriminals. It authenticates the identity of the sender before allowing a message to reach its destination. DMARC has three levels of protection: monitoring, quarantine, and reject; rejection being the safest way to prevent suspicious messages from reaching the inbox.

Implementing DMARC allows an organisation to define what treatment should be applied to email messages using its domain name, as well as the policy to be applied in case of failure during verification: accept the email message (p=none, where p here stands for policy), categorise it as spam (p=quarantine), or delete it (p=reject).
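As an added illustration (not part of Proofpoint's release or tooling), the policy levels described above can be read from the TXT record a domain publishes at `_dmarc.<domain>`. The sketch below classifies constructed sample records; the domain names and the `parse_dmarc`, `enforcement` and `survey` helpers are assumptions, and the DNS lookup itself is left out so the code runs offline.

```python
from collections import Counter

def parse_dmarc(txt):
    """Parse one TXT string into a tag dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None  # v=DMARC1 must be the first tag (RFC 7489)
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def enforcement(txt_records):
    """Classify the TXT strings found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:
        return "no-dmarc"  # zero or several DMARC records: no policy is applied
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489: with a reporting address present, receivers act as p=none
        return "none" if tags.get("rua") else "invalid"
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        return policy + "-partial"  # policy covers only pct% of failing mail
    return policy

# Constructed sample data: domain -> TXT strings at _dmarc.<domain>
SAMPLES = {
    "partner-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@partner-a.example"],
    "partner-b.example": ["v=spf1 -all", "v=DMARC1; p=none"],
    "city-c.example": [],
    "tickets-d.example": ["v=DMARC1; p=quarantine; pct=25"],
    "travel-e.example": ["v=DMARC1;p=REJECT", "v=DMARC1; p=none"],
}

def survey(samples):
    """Tally enforcement levels across a set of domains."""
    return Counter(enforcement(records) for records in samples.values())

if __name__ == "__main__":
    for level, count in sorted(survey(SAMPLES).items()):
        print(f"{level}: {count}")
```

Only a result of `reject` corresponds to the ‘reject’ mode counted in the findings; a `-partial` result or a duplicated record means some or all spoofed mail can still be delivered.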

Key Research Findings

The domain names that make up the Paris Games ecosystem were analysed, with the following findings:

  • There are 77 official partners of the Olympic Games. While 66 (86%) have adopted DMARC at its basic level, only 26 (34%) actively protect their domain name with the highest DMARC ‘reject’ registration, meaning that two-thirds (66%) of official partners expose the public to the risk of email fraud.
  • Out of the 20 cities hosting the Games' events, only 6 (30%) actively protect the domain name of their official website with the strongest DMARC ‘reject’ registration; five (25%) do not have any DMARC protocol in place at all.
  • Out of the 10 ticket resale platforms analysed, eight (80%) have a DMARC record and only one (10%) actively protects its domain name in ‘reject’ mode.
  • Finally, the 10 travel platforms analysed are the most mature in terms of defences against domain impersonation risk: 6 (60%) actively protect their domain name in ‘reject’ mode and 90% have implemented a basic DMARC record.

Loïc Guézo, Director of Cybersecurity Strategy at Proofpoint, said: "It is worrying to see that a majority of players in the Olympic Games ecosystem are still lagging behind when it comes to protecting their emails, a few months before the start of the Opening Ceremony. DMARC is a simple-to-implement and highly-effective measure against domain name spoofing that underpins email fraud. The fact that many organisations still do not have it in place raises fears of the advent of a cyber threat of unprecedented proportions.  

“In addition, it’s important for potential spectators to remember that tickets for the Games can only be purchased through the official Games website, which is fully DMARC compliant and proactively blocking fraudulent emails from reaching the public,” continues Guézo.

Olympics fans should be extremely vigilant, especially in the run-up to the Games, and keep in mind the following recommendations:

  • Be wary of unsolicited emails, texts, or calls, especially if they suggest you take ‘urgent’ action or ask for payment
  • Never give out financial information or passwords via email or text message. Always call your bank directly if a request seems suspicious
  • It's important to create a unique password for each online account you use. Use three random words to create a strong and memorable password and enable multi-factor authentication (MFA) when possible.

To learn more about DMARC, visit: https://www.proofpoint.com/uk/threat-reference/dmarc

###

Methodology:

To assess the level of DMARC adoption among the Official Partners of the 2024 Olympics Games, Proofpoint conducted an analysis of the primary corporate domains of each organisation listed on the Games website. In addition, Proofpoint analysed the local authorities of the cities hosting events, the top 10 ticketing sites in France and the top 10 travel websites in France. The analysis was carried out in March 2024.

 

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.



Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.