Analysis by cybersecurity company Proofpoint reveals that while most partners have implemented baseline email authentication, many are still not proactively blocking fraudulent emails that impersonate their brands

Proofpoint, a leader in cybersecurity and compliance, today unveiled the results of a study showing that more than one-third (36%) of the official sponsors, suppliers, partners and supporters associated with the FIFA World Cup 2026, which takes place from the 11 June to 19 July 2026, do not have the necessary email security measures in place to help protect themselves from domain impersonation. This may expose fans, customers, and partners to an increased risk of email fraud that impersonates trusted brands.

Cybercriminals routinely seek to capitalize on major global sporting events by targeting fans with social engineering scams posing as sponsors, airlines, hospitality brands, delivery services, or consumer brands, using lookalike domains and spoofed email. In the run-up to a tournament that drives a huge surge in travel, ticketing interest, promotions, and merchandise activity, the wider ecosystem must be strengthened against email-borne threats, the primary attack vector for fraud.

To establish the current state of defenses against impersonation risk, Proofpoint analyzed the level of adoption of DMARC (Domain-based Message Authentication, Reporting and Conformance) across a list of World Cup sponsor domains.

DMARC, the first line of defense against email fraud

In recent years, Proofpoint has observed cybercriminals using a range of tactics to impersonate legitimate organizations to reach their target, rather than hacking into and infiltrating their victims’ networks and technical infrastructure.

DMARC is an email authentication protocol designed to protect domain names from misuse by cybercriminals. It authenticates the identity of the sender before allowing a message to reach its destination. DMARC has three levels of protection: monitoring, quarantine, and reject; rejection being the safest way to prevent suspicious messages from reaching the inbox.

Implementing DMARC allows an organization to define what treatment should be applied to email messages using its domain name, as well as the policy to be applied in case of failure during verification: accept the email message (p=none, where p here stands for policy), categorize it as spam (p=quarantine), or delete it (p=reject).

Key research findings include:

The domain names that make up the FIFA World Cup 2026 sponsors, partners, suppliers and partners ecosystem were analyzed, with the following findings:

• Out of the 25 domains analyzed, 24 (96%) have published a DMARC record at a basic level, indicating most organizations have begun implementing protections against email domain impersonation.
• However, only 16 of the 25 domains (64%) actively protect their domain name with the strongest DMARC “reject” policy, the setting that prevents unauthenticated, spoofed emails from being delivered. 
• This means more than one-third (36%) are not yet proactively blocking fraudulent emails that attempt to impersonate their brand.
• Eight domains (32%) have DMARC set to monitoring mode or a partial enforcement posture, which provides visibility but does not stop spoofed emails from reaching inboxes.

Matt Cooke, EMEA Cybersecurity Strategist at Proofpoint, said: “Major events like the FIFA World Cup naturally generate huge excitement - from travel plans and ticket purchases to special offers and merchandise. Unfortunately, that also creates opportunities for scammers to take advantage of fans. While it’s encouraging that many partner brands have taken steps to improve their email security, too many are still leaving the door open to fraudulent messages. Without stronger protections in place, it becomes easier for criminals to impersonate trusted brands and trick people into sharing personal details or making payments for fake offers.”

Fans should be especially cautious in the run-up to the tournament and keep the following recommendations in mind:

• The safest way to buy tickets is directly from FIFA, which does have a full DMARC 'reject' policy in place.

• Be wary of unsolicited emails, texts, or calls - especially those urging urgent action or immediate payment.
• Never share financial information or passwords via email or text message; if in doubt, contact the organization using official channels.
• Use a unique password for each account and enable multi-factor authentication (MFA) where possible.

Learn more about DMARC visit: https://www.proofpoint.com/us/threat-reference/dmarc

###

Methodology:

To assess the level of DMARC adoption among the official sponsors of the FIFA World Cup 2026, Proofpoint conducted an analysis of the primary corporate domains of each organization listed on the FIFA website, along with Sports Business Journal. FIFA has a full DMARC “reject” policy in place. The analysis was carried out in February 2026.

About Proofpoint, Inc.

Proofpoint, Inc. is a global leader in human- and agent-centric cybersecurity, securing how people, data, and AI agents connect across email, cloud, and collaboration tools. Proofpoint is a trusted partner to over 80 of the Fortune 100, over 10,000 large enterprises, and millions of smaller organisations in stopping threats, preventing data loss, and building resilience across people and AI workflows. Proofpoint’s collaboration and data security platform helps organisations of all sizes protect and empower their people while embracing AI securely and confidently.  Learn more at www.proofpoint.com.

Connect with Proofpoint on LinkedIn

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.