One-third of FIFA World Cup partners lack email protection
Proofpoint has found that more than one-third of official FIFA World Cup 2026 commercial partners lack the strongest email protections against domain impersonation, potentially exposing fans and customers to fraudulent messages that mimic trusted brands.
The cybersecurity company examined 25 primary corporate domains used by sponsors, suppliers, partners and supporters linked to the tournament. It found that 24 had published a basic DMARC record, but only 16 had adopted the strictest "reject" setting, which blocks unauthenticated emails from reaching inboxes.
As a result, 36% of the organisations analysed are not yet actively preventing spoofed emails sent in their name. Eight domains, or 32% of the total, remain in monitoring mode or partial enforcement, a setup that provides visibility into suspicious traffic but does not stop fake messages from being delivered.
Email risk
DMARC, short for Domain-based Message Authentication, Reporting and Conformance, is an email authentication standard designed to stop criminals from abusing company domains. It allows organisations to decide whether unauthenticated email should be accepted, diverted to spam or rejected outright.
The analysis suggests broad basic adoption but weaker full enforcement. FIFA itself has a full DMARC reject policy in place.
The issue matters because large sporting events often trigger a surge in online activity around tickets, travel, merchandise and promotions. That gives fraudsters a larger pool of targets and more opportunities to exploit urgency, brand recognition and fear of missing out.
Australian supporters may be particularly vulnerable if they are still looking for flights or accommodation, as high prices can make discount offers appear more appealing. Criminals routinely use spoofed emails and lookalike domains to imitate airlines, hospitality groups, delivery services and consumer brands.
The growing use of artificial intelligence has also changed the threat landscape, making phishing emails and fake brand communications easier to generate and harder to spot. For major global events, that increases pressure on well-known companies to strengthen email authentication controls.
Jennifer Cheng, Director of Cybersecurity Strategy, APJ, at Proofpoint, said the combination of high public interest and heavy digital activity creates a favourable environment for online fraud.
"Major global sporting events like the FIFA World Cup create ideal conditions for cybercriminals to exploit excitement, urgency and trust at scale. Across Asia Pacific, where digital engagement around ticketing, promotions and online services is high, brands and consumers should be on alert for increased phishing and impersonation attempts in the lead-up to the tournament, particularly as AI-powered tools make these attacks easier to launch and harder to detect. While it is encouraging that many brands have taken steps to improve their email security, too many are still leaving the door open to fraudulent messages. To reduce this risk, businesses need to take proactive steps by strengthening email protections to block fraudulent messages before they reach the inbox and by building employee awareness through phishing simulations and ongoing education," Cheng said.
Consumer exposure
The findings highlight a recurring problem for consumer-facing brands during major international events. Even where a company has begun implementing DMARC, a weaker policy can still allow malicious emails through, leaving customers to judge authenticity on their own.
That creates risks not only for individuals but also for the brands being copied. A spoofed email offering fake tickets, discounts or travel arrangements can damage trust in a sponsor or partner even when the company itself has not been breached.
For security teams, the results suggest that publishing a DMARC record is only a first step. The more meaningful test is whether the policy is set to reject suspicious mail rather than simply monitor it.
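The check described above can be sketched in a few lines of Python. This is an added example, not code from Proofpoint or the study: it classifies a domain's published DMARC TXT record as reject, partial enforcement, monitoring or no record. The domains and records are constructed samples, the function names are hypothetical, and the `sp` subdomain tag is ignored for brevity.

```python
# Added example: classify the enforcement level of a DMARC TXT record.
# Domains and records below are constructed samples, not data from the study.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.strip().split(";") if p.strip()]
    # RFC 7489: the v tag must come first and must be exactly DMARC1.
    if not parts or "".join(parts[0].split()) != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def enforcement(txt):
    """Return 'no-record', 'monitoring', 'partial' or 'reject'."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no-record"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "no-record"  # assumption: an unusable p tag counts as no policy
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # assumption: an unparseable pct falls back to the default
    if policy == "none":
        return "monitoring"  # reports only, spoofed mail is still delivered
    if policy == "reject" and pct >= 100:
        return "reject"
    return "partial"  # quarantine, or reject applied to only a share of mail

SAMPLES = {  # constructed records as they would appear at _dmarc.<domain>
    "brand-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@brand-a.example",
    "brand-b.example": "v=DMARC1; p=quarantine; pct=50",
    "brand-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@brand-c.example",
    "brand-d.example": "v=spf1 include:_spf.brand-d.example -all",
    "brand-e.example": None,  # no TXT record published
}

def summarise(records):
    """Count how many domains fall into each enforcement level."""
    counts = {}
    for txt in records.values():
        level = enforcement(txt)
        counts[level] = counts.get(level, 0) + 1
    return counts

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(f"{domain:18} {enforcement(txt)}")
    print(summarise(SAMPLES))
```
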
The safest route for supporters buying tickets is to use official channels. Consumers should also treat unsolicited emails, texts and calls with caution, especially those pressing for urgent action or immediate payment, and avoid sharing financial details or passwords by email or text message.
Proofpoint also recommends using unique passwords across accounts and enabling multi-factor authentication where possible. In the dataset examined, only 16 of the 25 domains analysed had reached the reject setting that stops spoofed emails from being delivered.