FIFA World Cup 2026: A third of football sponsors lack full email protection

Proofpoint’s analysis of 25 official sponsor domains found 36% have not adopted the strongest DMARC settings, leaving fans exposed to spoofing attacks ahead of the tournament.

Staff Writer

Article summary

AI Generated

Proofpoint analysed 25 FIFA World Cup 2026 sponsor domains in February and found that 36% have not enabled the strongest email authentication settings, leaving fans potentially exposed to brand impersonation scams. Only 16 of the 25 domains have adopted the DMARC "reject" policy that blocks spoofed emails outright.

Key points

  • Nine of 25 FIFA sponsor domains lack full email anti-spoofing protection
  • Only 64% have adopted the strongest DMARC "reject" policy
  • Fans urged to treat unsolicited tournament-related emails with caution

With the FIFA World Cup 2026 kicking off on June 11, cybersecurity firm Proofpoint has found that more than one in three official sponsors, suppliers, partners, and supporters associated with the tournament have not implemented the strongest available email authentication protections, a gap that could be exploited by scammers targeting fans.

Proofpoint analysed the primary corporate domains of 25 organisations listed as official World Cup affiliates on the FIFA website and Sports Business Journal. The analysis, carried out in February 2026, focused on adoption of DMARC, an email authentication protocol that prevents cybercriminals from impersonating a domain to send fraudulent messages.

Of the 25 domains reviewed, 24 (96%) had published a DMARC record at some level, suggesting broad baseline awareness of the standard. But only 16 of the 25 (64%) had configured it to the strictest setting: a “reject” policy that blocks unauthenticated emails outright before they reach any inbox. The other eight domains with a DMARC record (32%) were operating in monitoring or partial enforcement mode, which flags suspicious emails but does not stop them from being delivered.

DMARC operates across three tiers. At the lowest, emails that fail verification are still delivered (p=none). At the middle tier, they are filtered to spam (p=quarantine). Only the reject setting (p=reject) actively prevents spoofed messages from reaching recipients.
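The tier a domain sits in is visible in the `p=` tag of the TXT record it publishes at `_dmarc.<domain>`. The Python below is an added example, not Proofpoint's code or methodology: it classifies records into the categories used above, with hypothetical domains and constructed records, and it assumes the RFC 7489 `pct` semantics, so `p=reject` applied to only a sample of mail counts as partial enforcement.

```python
# Added example: classify DMARC TXT records by enforcement tier (RFC 7489 tags).
# The domains and records below are constructed samples, not survey data.
from collections import Counter

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            return None                      # malformed tag: ignore the record
        tags.setdefault(name.strip().lower(), value.strip())
    # The version tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return tags

def enforcement(txt):
    """Map a record to: no-record, invalid, monitoring, partial, or reject."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no-record"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                            # unparseable pct: use the default
    if policy == "none":
        return "monitoring"                  # failures reported, mail delivered
    if policy == "reject" and pct >= 100:
        return "reject"                      # failing mail refused outright
    return "partial"                         # quarantine, or reject on a sample

SAMPLES = {  # constructed records for hypothetical domains
    "sponsor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@sponsor-a.example",
    "sponsor-b.example": "v=DMARC1; p=quarantine; pct=100",
    "sponsor-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@sponsor-c.example",
    "sponsor-d.example": "v=DMARC1; p=reject; pct=25",
    "sponsor-e.example": None,               # no TXT record at _dmarc.<domain>
}

def tally(records):
    """Count how many domains fall into each enforcement category."""
    return Counter(enforcement(txt) for txt in records.values())

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(f"{domain:20} {enforcement(txt)}")
    print(dict(tally(SAMPLES)))
```

In practice the record text would come from a TXT lookup on `_dmarc.<domain>`; the sample dictionary stands in for that lookup so the example runs offline.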

The concern is timing. Major sporting tournaments generate sharp spikes in email traffic around ticketing, travel, merchandise, and promotions, all categories that criminals have historically mimicked using lookalike domains and brand impersonation. When a sponsor’s domain lacks full DMARC enforcement, spoofed emails purporting to come from that brand have a cleaner path to fan inboxes.

“Major events like the FIFA World Cup naturally generate huge excitement — from travel plans and ticket purchases to special offers and merchandise. Unfortunately, that also creates opportunities for scammers to take advantage of fans. While it’s encouraging that many partner brands have taken steps to improve their email security, too many are still leaving the door open to fraudulent messages. Without stronger protections in place, it becomes easier for criminals to impersonate trusted brands and trick people into sharing personal details or making payments for fake offers,” Matt Cooke, EMEA Cybersecurity Strategist at Proofpoint, said in a statement.

Proofpoint is advising fans to treat unsolicited emails, texts, or calls with caution, particularly those demanding urgent action or immediate payment. The firm also recommends never sharing financial details or passwords over email, using unique passwords per account, and enabling multi-factor authentication where available.