Proofpoint Investigation: More Than One in Three Official FIFA World Cup 2026 Partners Expose Consumers to Email Scams

April 14, 2026 -- Proofpoint, a leading company in cybersecurity and compliance, today announced the results of a survey targeting official sponsors, suppliers, partners, and supporters of the FIFA World Cup 2026, to be held from June 11 to July 19, 2026. The survey revealed that more than one in three of these entities (36%) have not implemented the necessary email security measures to protect themselves from domain spoofing. This increases the risk of fans, customers, and partners falling victim to email scams impersonating trusted brands.

Cybercriminals habitually use global sporting events as opportunities to target fans with social engineering scams impersonating sponsors, airlines, hospitality brands, delivery services, and consumer brands, exploiting similar domains and spoofed emails. With the surge in interest in travel and ticket purchases, promotions, and merchandise sales leading up to the tournament's opening, it is necessary for all involved organizations to strengthen their security against threats delivered via email, the primary attack vector for scams.

To understand the current defensive posture against spoofing risks, Proofpoint analyzed the DMARC (Domain-based Message Authentication, Reporting, and Conformance) implementation status for the domains of World Cup sponsors.

The First Line of Defense Against Email Scams: DMARC

In recent years, Proofpoint has observed cybercriminals employing a variety of tactics to access targets by impersonating legitimate organizations, rather than infiltrating their victims' networks or technical infrastructure.

DMARC is an email authentication protocol designed to prevent the misuse of domain names by cybercriminals, verifying the sender's identity before a message reaches its destination. DMARC policies have three levels, set in order of strictness: 'reject', 'quarantine', and 'none' (monitoring only). 'Reject' is the strongest protection level, preventing suspicious messages from reaching the inbox.

Key Survey Findings:

Analysis of domains associated with FIFA World Cup 2026 sponsors, partners, suppliers, and supporters revealed the following:

Of the 25 domains analyzed, 24 (96%) have implemented some form of DMARC policy, indicating that many organizations have begun adopting measures against email domain spoofing.

However, only 16 out of 25 domains (64%) have applied the strongest DMARC policy, 'reject', which prevents the delivery of unauthenticated spoofed emails, actively protecting their domain names.

This means more than one-third (36%) have not implemented measures to actively block fraudulent emails impersonating their brands.

8 out of 25 domains (32%) have DMARC policies set to 'none' (monitoring only) or only partially implemented, providing visibility but failing to prevent the reception of spoofed emails.

Survey Methodology:

To assess the DMARC implementation status among official FIFA World Cup 2026 sponsors, Proofpoint surveyed the primary domains of each organization listed on the official FIFA website and in Sports Business Journal. FIFA itself has implemented the highest level DMARC policy, 'reject'.

Survey Conducted: February 2026

Jennifer Cheng, Director of Cybersecurity Strategy (APJ) at Proofpoint, stated: 'Global sporting events like the FIFA World Cup present prime opportunities for cybercriminals to exploit people's excitement, urgency, and trust on a massive scale. In the Asia-Pacific region, where ticket purchases, promotions, and online service usage are particularly active, both brands and consumers need to be vigilant against the increasing phishing and impersonation attacks before the tournament. Especially with the advancement of AI-powered tools, these attacks are becoming easier to execute while harder to detect. While it's a positive sign that many brands are starting to enhance their email security, many companies remain vulnerable to fraudulent messages. To mitigate this risk, organizations must strengthen measures to block fraudulent emails before they are received and promote employee awareness through phishing simulations and continuous training.'

FIFA World Cup fans, especially in the period leading up to the tournament, should exercise caution and keep the following recommendations in mind:

Purchase tickets directly from the official FIFA website, which has implemented the highest level DMARC authentication ('reject').

Be wary of emails, text messages, and phone calls, particularly those urging urgent action or immediate payment.

Do not share financial information or passwords via email or text messages. If in doubt, verify through official channels.

Use unique passwords for each account and enable multi-factor authentication (MFA) whenever possible.

For more details on DMARC, please visit: https://www.proofpoint.com/jp/threat-reference/dmarc

Proofpoint | About Proofpoint

Proofpoint is a global leader in cybersecurity, focused on people, data, and AI agents. We protect the connected enterprise by securing email, the cloud, and collaboration tools. Trusted by over 80% of Fortune 100 companies, more than 10,000 enterprise organizations, and millions of small and medium-sized businesses, Proofpoint helps organizations stop cyber threats, protect sensitive information, and build resilience in human and AI-driven workflows. Proofpoint's collaboration and data security platform enables organizations of all sizes to safeguard their employees and empower them to securely and confidently adopt AI. Learn more at www.proofpoint.com/jp.

Proofpoint: LinkedIn

© Proofpoint, Inc. Proofpoint is a registered trademark or trade name of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are the property of their respective owners.