Many are still leaving the door open': Security experts warn FIFA World Cup partners could be putting customers at risk of email attacks

News
By published

Some World Cup partners are not actively protecting their domain name

FIFA World Cup Trophy is displayed during the FIFA World Cup 2026 Official Draw at John F. Kennedy Center for the Performing Arts on December 05, 2025 in Washington, DC.
(Image credit: Getty IMandel NGAN - Pool/Getty Images)
  • Proofpoint warns 36% of FIFA World Cup partners lack strong DMARC protections
  • Weak email security leaves fans and sponsors exposed to spoofing and fraud
  • Only 64% enforce “reject” policy, meaning many domains still vulnerable to impersonation

With the 2026 FIFA World Cup right around the corner, cybercriminals will no doubt be looking ti capitalize on interest for identity theft, scams, and wire fraud - and security researchers at Proofpoint have noted they won’t have a difficult time pulling it off, since many World Cup partners are not doing enough to protect their online identities.

In a research report shared with TechRadar Pro, Proofpoint said more than a third (36%) of official sponsors, suppliers, partners, and supporters, don’t have the necessary email security measures in place to help them defend from domain impersonation.

“This may expose fans, customers, and partners to an increased risk of email fraud that impersonates trusted brands,” the researchers said.

Article continues below

What is DMARC?

The company analyzed the level of adoption of Domain-based Message Authentication, Reporting and Conformance (DMARC) among sponsor domains.

DMARC is an email authentication protocol that helps domain owners prevent attackers from spoofing their domain. It works by checking SPF and DKIM results and telling receiving mail servers what to do if an email fails those checks, such as delivering, quarantining, or rejecting it. By implementing DMARC, organizations get to define which action should be applied to messages using their domain name.

Proofpoint analyzed 25 domains, and found that 24 (96%) have published a DMARC record at a basic level, meaning most organizations at least started implementing protections. While commendable, the researchers said just 16 (64%) actively protect their domain name with the strongest DMARC policy - reject.

“This means more than one-third (36%) are not yet proactively blocking fraudulent emails that attempt to impersonate their brand,” Proofpoint concluded.

Furthermore, eight domains (32%) have DMARC set to monitoring mode or a partial enforcement posture, which allows the companies to see what’s going on, but not to stop spoofed emails in their tracks.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.