Major global sporting events can be a boon for cyber criminals.
Social engineering scams rise sharply, offering ‘too good to be true’ deals on tickets and accommodation, while lookalike domains harvest personal information from the unwary.
It’s a dangerous enough environment as it is, but ahead of the FIFA World Cup 2026, cyber security firm Proofpoint has released study results that show even the event's official partners could be a source of extreme risk.
“Major global sporting events like the FIFA World Cup create ideal conditions for cybercriminals to exploit excitement, urgency and trust at scale. Across Asia Pacific, where digital engagement around ticketing, promotions and online services is high, brands and consumers should be on alert for increased phishing and impersonation attempts in the lead-up to the tournament, particularly as AI-powered tools make these attacks easier to launch and harder to detect,” Jennifer Cheng, Director of Cybersecurity Strategy, APJ at Proofpoint, said in a statement.
“While it is encouraging that many brands have taken steps to improve their email security, too many are still leaving the door open to fraudulent messages. To reduce this risk, businesses need to take proactive steps by strengthening email protections to block fraudulent messages before they reach the inbox and by building employee awareness through phishing simulations and ongoing education.”
DMARC blues
DMARC is an email authentication protocol that protects domains from misuse by authenticating the identity of any sender before an email reaches your inbox.
Proofpoint analysed 25 domains linked to the FIFA World Cup and found that 24 had implemented DMARC at its most basic level, but only 16 out of those 25 had implemented the strong policy setting, capable of preventing spoofed messages from being delivered.
According to the company, this means more than a third of official partners do not have policies in place to proactively prevent scammers from impersonating their brand.
How to stay safe
Proofpoint recommends only buying tickets directly from FIFA, as it has a full DMARC ‘reject’ policy in place.
Further, soccer fans should be wary of unexpected emails, calls, or texts, particularly ones that stress a sense of urgency to respond.
Never share financial information or passwords, always contact the organisation if in doubt of a message it appears to have sent, and always use unique passwords for each account.
Finally, enable multi-factor authentication wherever it is available.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.