A recent study by cybersecurity firm Proofpoint highlights a significant vulnerability among the partners and sponsors of the FIFA World Cup 2026. Despite most organizations implementing basic email authentication, a substantial number are not taking proactive measures to block fraudulent emails that impersonate their brands. This oversight could lead to increased risks of email fraud as cybercriminals exploit the event's popularity to target fans and customers with deceptive communications.

The study analyzed the adoption of DMARC (Domain-based Message Authentication, Reporting and Conformance) among the official sponsors and partners of the FIFA World Cup 2026. DMARC is a protocol that helps protect domain names from misuse by authenticating the sender's identity before an email is delivered. It offers three levels of protection: monitoring, quarantine, and reject, with the reject policy being the most effective at preventing spoofed emails from reaching inboxes.

Proofpoint's findings indicate that while 96% of the analyzed domains have published a DMARC record, only 64% have implemented the strongest 'reject' policy. This leaves 36% of the domains vulnerable to email fraud, as they have not fully enforced measures to block unauthenticated emails. The study underscores the need for stronger email security practices, especially in the context of major events like the FIFA World Cup, which attract a high volume of fraudulent activity.

The impact of inadequate email security can be severe, as cybercriminals often use social engineering tactics to impersonate legitimate brands and deceive individuals into sharing personal information or making payments for fake offers. Fans and customers are at risk of falling victim to these scams, particularly as excitement builds around the tournament, leading to increased travel, ticketing, and merchandise activity.

To protect against these threats, organizations associated with the FIFA World Cup should adopt a DMARC 'reject' policy to prevent spoofed emails from reaching their audience. Fans should exercise caution by purchasing tickets directly from FIFA, avoiding unsolicited communications, and using secure practices such as unique passwords and multi-factor authentication. By taking these steps, both organizations and individuals can reduce the risk of falling prey to email fraud during the event.

Source: https://www.proofpoint.com/us/newsroom/press-releases/fifa-world-cup-2026-more-one-third-official-partners-expose-public-risk