Proofpoint Survey: Over One-Third of FIFA World Cup 2026 Official Partners Expose Consumers to Email Fraud Risk
Proofpoint announced that 36% of FIFA World Cup 2026 official partners have not implemented necessary email security measures to protect against domain impersonation. This increases the risk of fans and customers falling victim to fraud, highlighting the importance of DMARC authentication.
📋 Article Processing Timeline
- 📰 Published: April 15, 2026 at 19:00
- 🔍 Collected: April 15, 2026 at 10:31
- 🤖 AI Analyzed: April 19, 2026 at 13:34 (99h 2m after Collected)
April 14, 2026 -- Proofpoint, a leading cybersecurity and compliance company, today announced the results of a survey targeting official sponsors, suppliers, partners, and supporters of the FIFA World Cup 2026, which will be held from June 11 to July 19, 2026. The survey revealed that more than one-third (36%) of these organizations have not implemented the necessary email security measures to protect themselves from domain impersonation. This increases the risk of fans, customers, and partners falling victim to email fraud impersonating trusted brands.
Cybercriminals routinely exploit global sporting events as opportunities to launch social engineering scams against fans, impersonating sponsors, airlines, hospitality brands, delivery services, and consumer brands, often leveraging similar domains and impersonated emails. As interest in travel and ticket purchases, promotions, and merchandise sales surge in the period leading up to the tournament, it is crucial for all involved organizations to strengthen security against email-based threats, which are a primary attack vector for fraud.
To understand the current state of defense against impersonation risks, Proofpoint analyzed the implementation status of DMARC (Domain-based Message Authentication, Reporting and Conformance) authentication for the domains of various World Cup sponsors.
## DMARC: The First Line of Defense Against Email Fraud
In recent years, Proofpoint has observed that cybercriminals are increasingly employing various methods to access targets by impersonating legitimate organizations, rather than infiltrating victims' networks or technical infrastructure.
DMARC is an email authentication protocol designed to prevent the unauthorized use of domain names by cybercriminals, authenticating the sender's identity before a message reaches its destination. DMARC policies have three levels, in order of strictness: "reject," "quarantine," and "none" (monitoring only). "Reject" is the strongest protection level, preventing suspicious messages from reaching the inbox.
## Key Survey Findings:
Analysis of domains associated with FIFA World Cup 2026 sponsors, partners, suppliers, and supporters revealed the following:
- Of the 25 domains analyzed, 24 domains (96%) had some DMARC policy configured, indicating that many organizations have begun implementing measures against email domain impersonation.
- However, only 16 of the 25 domains (64%) had applied the strongest DMARC policy, "reject," which actively prevents the delivery of unauthorized impersonated emails, thereby actively protecting their domain names.
- This means that more than one-third (36%) have not implemented measures to actively block fraudulent emails impersonating their brand.
- 8 of the 25 domains (32%) had a DMARC policy of "none" (monitoring only) or partial application, providing visibility but not preventing the receipt of impersonated emails.
## Survey Methodology:
To assess DMARC adoption among official FIFA World Cup 2026 sponsors, Proofpoint conducted a survey targeting the primary domains of organizations listed on the official FIFA website and Sports Business Journal. FIFA itself has implemented the highest level DMARC policy, "reject."
Survey period: February 2026
Jennifer Cheng, APJ Director of Cybersecurity Strategy at Proofpoint, commented: "Global sporting events like the FIFA World Cup provide prime opportunities for cybercriminals to exploit people's excitement, urgency, and trust on a massive scale. In the Asia Pacific region, where interest in ticket purchases, promotions, and online services is high, both brands and consumers need to be vigilant against the increase in phishing and impersonation attacks before the tournament. Especially with the evolution of AI-powered tools, these attacks are becoming easier to execute while being harder to detect."
Cybercriminals routinely exploit global sporting events as opportunities to launch social engineering scams against fans, impersonating sponsors, airlines, hospitality brands, delivery services, and consumer brands, often leveraging similar domains and impersonated emails. As interest in travel and ticket purchases, promotions, and merchandise sales surge in the period leading up to the tournament, it is crucial for all involved organizations to strengthen security against email-based threats, which are a primary attack vector for fraud.
To understand the current state of defense against impersonation risks, Proofpoint analyzed the implementation status of DMARC (Domain-based Message Authentication, Reporting and Conformance) authentication for the domains of various World Cup sponsors.
## DMARC: The First Line of Defense Against Email Fraud
In recent years, Proofpoint has observed that cybercriminals are increasingly employing various methods to access targets by impersonating legitimate organizations, rather than infiltrating victims' networks or technical infrastructure.
DMARC is an email authentication protocol designed to prevent the unauthorized use of domain names by cybercriminals, authenticating the sender's identity before a message reaches its destination. DMARC policies have three levels, in order of strictness: "reject," "quarantine," and "none" (monitoring only). "Reject" is the strongest protection level, preventing suspicious messages from reaching the inbox.
## Key Survey Findings:
Analysis of domains associated with FIFA World Cup 2026 sponsors, partners, suppliers, and supporters revealed the following:
- Of the 25 domains analyzed, 24 domains (96%) had some DMARC policy configured, indicating that many organizations have begun implementing measures against email domain impersonation.
- However, only 16 of the 25 domains (64%) had applied the strongest DMARC policy, "reject," which actively prevents the delivery of unauthorized impersonated emails, thereby actively protecting their domain names.
- This means that more than one-third (36%) have not implemented measures to actively block fraudulent emails impersonating their brand.
- 8 of the 25 domains (32%) had a DMARC policy of "none" (monitoring only) or partial application, providing visibility but not preventing the receipt of impersonated emails.
## Survey Methodology:
To assess DMARC adoption among official FIFA World Cup 2026 sponsors, Proofpoint conducted a survey targeting the primary domains of organizations listed on the official FIFA website and Sports Business Journal. FIFA itself has implemented the highest level DMARC policy, "reject."
Survey period: February 2026
Jennifer Cheng, APJ Director of Cybersecurity Strategy at Proofpoint, commented: "Global sporting events like the FIFA World Cup provide prime opportunities for cybercriminals to exploit people's excitement, urgency, and trust on a massive scale. In the Asia Pacific region, where interest in ticket purchases, promotions, and online services is high, both brands and consumers need to be vigilant against the increase in phishing and impersonation attacks before the tournament. Especially with the evolution of AI-powered tools, these attacks are becoming easier to execute while being harder to detect."