World Cup 2026: more than a third of official partners expose the public to the risk of email fraud

Published by
WINMAG Pro Editorial Team
Mon, 20 April 2026, 18:00

Cybercriminals regularly attempt to exploit major international sporting events by approaching fans with social engineering scams. They pose as sponsors, airlines, hospitality companies, delivery services, or consumer brands, using look-alike domain names and forged emails. In the lead-up to a tournament - which brings a massive increase in travel, interest in tickets, promotions, and merchandise sales - the broader ecosystem must be strengthened against email threats, the primary attack vector for fraud.

To get an overview of the current state of cybersecurity against identity fraud, Proofpoint examined the extent to which Domain-based Message Authentication, Reporting, and Conformance (DMARC) is implemented across a range of domains of World Cup sponsors.

DMARC as the first line of defense against email fraud

In recent years, Proofpoint has found that cybercriminals use various tactics to impersonate legitimate organizations. Impersonation lets them reach their targets without having to hack and infiltrate the networks and technical infrastructure of their victims.

DMARC is an email verification protocol designed to protect domain names from abuse by cybercriminals. It checks the sender's identity before a message can reach its destination. DMARC has three security levels: monitoring, quarantine, and rejection. Rejection is the safest way to prevent suspicious messages from landing in the inbox.

By implementing DMARC, an organization can determine how email messages originating from its domain should be handled. It also specifies which policy should be applied if verification fails: accept the email (p=none, where p stands for policy), classify it as spam (p=quarantine), or reject it (p=reject).

The key findings of the research:

The domain names that are part of the network of sponsors, partners, and suppliers of the 2026 World Cup were analyzed, with the following findings:

  • Of the 25 analyzed domains, 24 (96%) have published a basic level DMARC record, indicating that most organizations have begun implementing security measures against identity fraud via email domains.
  • However, only 16 of the 25 domains (64%) actively protect their domain name with the strictest DMARC policy, namely the 'reject' setting, which prevents unverified, forged emails from being delivered.
  • This means that more than a third (36%) still do not proactively block fraudulent emails that impersonate their brand.
  • For eight domains (32%), DMARC is set to monitoring mode or a partial enforcement status, which provides insight but does not prevent forged emails from reaching inboxes.
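
The policy levels described earlier and the categories in these findings can be derived from the DMARC records themselves. The following is an added example, not code from Proofpoint or the original article: it parses the TXT strings published at _dmarc.<domain> and sorts each domain into one of the levels used above. The sample domains and records are constructed, and counting p=quarantine or a pct value below 100 as "partial enforcement" is an assumption about how the study defines that category.

```python
from collections import Counter

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT string, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # e.g. an SPF record returned for the same name
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def enforcement_level(txt_records):
    """Classify the TXT strings found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:
        return "no record"  # none, or several: receivers apply no DMARC policy
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 fallback: act as p=none when reports are requested (rua)
        return "monitoring" if tags.get("rua") else "no record"
    try:
        pct = min(100, max(0, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # unparsable pct: fall back to the default of 100
    if policy == "none":
        return "monitoring"
    if policy == "reject" and pct == 100:
        return "reject"
    return "partial enforcement"  # assumption: quarantine, or reject with pct < 100

# Constructed sample data, not the records of the surveyed sponsors.
SAMPLE = {
    "sponsor-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@sponsor-a.example"],
    "sponsor-b.example": ["v=DMARC1; p=quarantine; pct=50"],
    "sponsor-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@sponsor-c.example"],
    "sponsor-d.example": ["v=spf1 include:_spf.sponsor-d.example -all"],
    "sponsor-e.example": ["v=DMARC1; p=reject; pct=25"],
    "sponsor-f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

def survey(domains):
    return Counter(enforcement_level(txts) for txts in domains.values())

if __name__ == "__main__":
    print(dict(survey(SAMPLE)))
```

Only the "reject" level stops a forged message from being delivered; a domain that publishes two DMARC records ends up with no policy applied at all, even if one of them says p=reject.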

"Major events, such as the World Cup, generate enormous excitement ranging from travel plans and ticket sales to special offers and fan merchandise," says Matt Cooke, EMEA Cybersecurity Strategist at Proofpoint. "Unfortunately, this also provides opportunities for scammers to exploit fans. While it is encouraging that many partner brands have taken steps to improve their email security, too many still leave the door open for fraudulent messages. Without stronger cybersecurity, it becomes easier for criminals to impersonate a trusted brand. This can mislead people into sharing personal information or making payments for fake offers."

Fans should be extra cautious in the lead-up to the World Cup. The following tips can help:

  • The safest way to purchase tickets is directly from FIFA, which has a full DMARC policy that rejects emails.
  • Be alert for unsolicited emails, texts, or phone calls, especially if they urge immediate action or payment.
  • Never share financial information or passwords via email or text. If in doubt, contact the organization through official channels.
  • Use a unique password for each account and enable multi-factor authentication (MFA) where possible.

Methodology

To assess the extent to which DMARC is implemented by the official sponsors of the 2026 World Cup, Proofpoint, in collaboration with Sports Business Journal, conducted an analysis of the primary business domains of each organization listed on the FIFA website. FIFA has a full DMARC policy that rejects emails. The analysis took place in February 2026.
