More than one-third of FIFA World Cup 2026-linked organizations lack strict DMARC protection, leaving domains exposed to spoofed emails, Proofpoint study reveals.
Proofpoint’s study discovered vulnerabilities in email security among FIFA World Cup 2026-related businesses, raising concerns about domain impersonation and email fraud.
The tournament is scheduled to take place from June 11 to July 19, 2026. According to the report, 36% of official sponsors, suppliers, partners, and supporters associated with the event have not adopted the highest level of email authentication controls. Those controls are designed to prevent domain spoofing.
Cybercriminals often use major global events to launch social engineering campaigns. These campaigns may involve fraudulent emails impersonating trusted brands such as airlines, hospitality providers, delivery services, and consumer companies. They frequently rely on lookalike domains or spoofed sender identities.
Proofpoint analyzed 25 domains involved with the World Cup ecosystem to assess adoption of DMARC (Domain-based Message Authentication, Reporting, and Conformance), an email authentication standard used to verify sender identity and prevent unauthorized use of domain names.
The findings show that 24 of the 25 domains, or 96%, have published a DMARC record at a basic level. However, only 16 domains, or 64%, have implemented the “reject” policy, which blocks unauthenticated emails from being delivered.
This means 36% of the analyzed domains do not block spoofed emails using the strictest DMARC policy. Eight domains, representing 32% of those analyzed, are operating under monitoring or partial enforcement modes that allow visibility into suspicious activity but do not block fraudulent messages.
“Major global sporting events like the FIFA World Cup create ideal conditions for cybercriminals to exploit excitement, urgency and trust at scale,” said Jennifer Cheng, Director of Cybersecurity Strategy for Asia Pacific and Japan at Proofpoint.
Cheng said heightened digital activity around ticketing, promotions, and online services increases exposure to phishing and impersonation attempts. “Across Asia Pacific, where digital engagement around ticketing, promotions and online services is high, brands and consumers should be on alert for increased phishing and impersonation attempts in the lead-up to the tournament,” Cheng said.
“As AI-powered tools make these attacks easier to launch and harder to detect, organizations need to strengthen their defenses,” Cheng said.
DMARC allows domain owners to define how receiving mail servers should handle messages that fail authentication checks. Its policies include monitoring, filtering suspicious messages to spam, and blocking delivery entirely. The “reject” setting provides the strongest protection.
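The three policy levels described above map to the `p=` tag of a domain's DMARC TXT record (`none`, `quarantine`, `reject`). The following is an added example, not part of the Proofpoint study or its tooling: it classifies published records by enforcement level. The domain names and records are constructed, and counting `quarantine` or a `reject` policy with `pct` below 100 as "partial" is an assumption of this sketch.

```python
from collections import Counter

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a DMARC record."""
    tags = {}
    parts = [p.strip() for p in txt.strip().split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None
        name, value = name.strip().lower(), value.strip()
        # The version tag must come first and be exactly "DMARC1".
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None
        tags.setdefault(name, value)
    return tags or None

def enforcement(txt):
    """Return 'no-record', 'monitoring', 'partial' or 'reject' for one record."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no-record"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "no-record"  # simplification: a missing or invalid p= is unusable
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # an unparsable pct falls back to the default
    if policy == "none":
        return "monitoring"
    if policy == "reject" and pct >= 100:
        return "reject"
    return "partial"  # quarantine, or reject applied to only part of the mail

def summarize(records):
    """Count enforcement levels and the percentage of domains not at full reject."""
    counts = Counter(enforcement(txt) for txt in records.values())
    return counts, round(100 * (len(records) - counts["reject"]) / len(records))

# Constructed sample data: the TXT value found at _dmarc.<domain>, or None.
SAMPLE = {
    "sponsor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@sponsor-a.example",
    "sponsor-b.example": "v=DMARC1; p=quarantine; pct=100",
    "supplier-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@supplier-c.example",
    "partner-d.example": "v=DMARC1;p=reject;pct=25",
    "supporter-e.example": None,
}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A real audit would also check the `sp=` subdomain policy and confirm that SPF and DKIM alignment pass for legitimate mail before a domain moves to `reject`.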
Proofpoint said attackers are increasingly using impersonation tactics rather than attempting to compromise internal systems. These campaigns use brand recognition and user trust to obtain sensitive information or redirect payments.
While most organizations analyzed have taken initial steps, Cheng noted that gaps remain. “While it is encouraging that many brands have taken steps to improve their email security, too many are still leaving the door open to fraudulent messages,” she said.
The company advised organizations to strengthen email authentication controls and improve employee awareness through training and phishing simulations. It also recommended adopting stricter DMARC policies to reduce exposure to spoofed communications.
The report included guidance for consumers engaging with World Cup-related services. It recommends buying tickets through official channels, treating unsolicited messages that request urgent action or payment with caution, and not sharing financial or account information by email or text. It also advises using unique passwords and enabling multi-factor authentication where available.
