- Proofpoint warns 36% of FIFA World Cup partners lack strong DMARC protections
- Weak email security leaves fans and sponsors exposed to spoofing and fraud
- Only 64% enforce “reject” policy, meaning many domains still vulnerable to impersonation
With the 2026 FIFA World Cup right around the corner, cybercriminals will no doubt be looking ti capitalize on interest for identity theft, scams, and wire fraud - and security researchers at Proofpoint have noted they won’t have a difficult time pulling it off, since many World Cup partners are not doing enough to protect their online identities.
In a research report shared with TechRadar Pro, Proofpoint said more than a third (36%) of official sponsors, suppliers, partners, and supporters, don’t have the necessary email security measures in place to help them defend from domain impersonation.
“This may expose fans, customers, and partners to an increased risk of email fraud that impersonates trusted brands,” the researchers said.
What is DMARC?
The company analyzed the level of adoption of Domain-based Message Authentication, Reporting and Conformance (DMARC) among sponsor domains.
DMARC is an email authentication protocol that helps domain owners prevent attackers from spoofing their domain. It works by checking SPF and DKIM results and telling receiving mail servers what to do if an email fails those checks, such as delivering, quarantining, or rejecting it. By implementing DMARC, organizations get to define which action should be applied to messages using their domain name.
Proofpoint analyzed 25 domains, and found that 24 (96%) have published a DMARC record at a basic level, meaning most organizations at least started implementing protections. While commendable, the researchers said just 16 (64%) actively protect their domain name with the strongest DMARC policy - reject.
“This means more than one-third (36%) are not yet proactively blocking fraudulent emails that attempt to impersonate their brand,” Proofpoint concluded.
Furthermore, eight domains (32%) have DMARC set to monitoring mode or a partial enforcement posture, which allows the companies to see what’s going on, but not to stop spoofed emails in their tracks.
