Proofpoint: 87% of Fortune Southeast Asia 500 Companies Put Their Customers and Stakeholders at Risk of Email Fraud

  • Singapore enterprises have the strongest adoption rate when it comes to email authentication with 1 in 4 protecting their email channel 
  • Businesses in Vietnam and Indonesia fare among the worst with only a tenth or less proactively protecting their customers against phishing 

SINGAPORE – 29 August 2024 – New Proofpoint research reveals that the majority of top companies in the region are leaving their customers, staff and stakeholders exposed to email fraud and email-based attacks. Only 13% of Fortune Southeast Asia 500 companies have implemented the recommended and most stringent level of email authentication, which prevents cyber criminals from spoofing organisations’ identities and thus reduces the risk of email fraud.

These findings are based on an analysis of the companies on Fortune’s inaugural Southeast Asia 500 list and their implementation of Domain-based Message Authentication, Reporting and Conformance (DMARC), a widely adopted email validation protocol. DMARC protects domain names from being misused by malicious actors by authenticating the sender's identity before allowing an email to reach its intended destination. This authentication system detects and prevents domain spoofing – an email phishing technique used for business email compromise (BEC) and other email-based attacks. DMARC has three levels of protection – monitor, quarantine and reject – with reject being the most secure for preventing suspicious emails from reaching users’ inboxes.
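The levels described above can be read from the TXT record a domain publishes at `_dmarc.<domain>`. The following Python is an added example, not Proofpoint's methodology or code: it classifies records into the four buckets this release reports on, with fallback rules taken from RFC 7489; the `.example` domains and their records are constructed sample data.

```python
import re
from collections import Counter

# "monitor / quarantine / reject" correspond to the DMARC p= tag values
# none / quarantine / reject (RFC 7489).
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def dmarc_level(txt_records):
    """Classify the TXT records returned for _dmarc.<domain>."""
    # Only records that begin with the v=DMARC1 tag count as DMARC records.
    dmarc = [r.strip() for r in txt_records
             if re.match(r"[vV]\s*=\s*DMARC1\s*(;|$)", r.strip())]
    if len(dmarc) != 1:  # zero or several records: receivers apply no policy
        return "no record"
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.setdefault(key.strip().lower(), value.strip().lower())
    level = LEVELS.get(tags.get("p", ""))
    if level is None:
        # Missing or invalid p=: treated as p=none only if rua= is present,
        # otherwise the record is ignored.
        return "monitor" if "rua" in tags else "no record"
    return level

def summarise(records_by_domain):
    """Count domains per protection level."""
    return Counter(dmarc_level(r) for r in records_by_domain.values())

# Constructed sample data (not from the Proofpoint analysis).
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=spf1 -all", "v=DMARC1; p=none; rua=mailto:d@b.example"],
    "c.example": ["v=DMARC1; p=quarantine; pct=100"],
    "d.example": [],                                          # nothing published
    "e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicate records
    "f.example": ["v=DMARC1; rua=mailto:d@f.example"],        # p= missing
    "g.example": ["v=DMARC1; p=rejct"],                       # typo in policy
    "h.example": ["p=reject; v=DMARC1"],                      # v= not first
}

if __name__ == "__main__":
    for level, count in summarise(SAMPLE).most_common():
        print(f"{level:>10}: {count}/{len(SAMPLE)}")
```

The last four sample domains show why a published record is not the same as protection: duplicate, mistyped or misordered records leave the domain with no effective policy.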
 
“Email continues to be the number one vector for cybercriminals. As we approach the year-end shopping and holiday planning season, top Southeast Asian companies are leaving their customers vulnerable to email fraud and email-based attacks,” said Philip Sow, Head of Systems Engineering, Southeast Asia and South Korea at Proofpoint. “The lack of protection against phishing in Southeast Asia is particularly alarming and lags well behind other regions. It is essential for reputable brands to implement the most widely accepted email authentication protocol, DMARC, to defend against domain impersonation and ensure spoofing emails do not reach their targets.” 

Proofpoint’s research shows that more than 1 in 4 (28%) of Fortune Southeast Asia 500 companies have not implemented any form of DMARC at all. Organisations without DMARC authentication could see their emails routed directly to customers’ spam folders or turned away altogether.  

 

The key findings of Proofpoint’s DMARC analysis of the Fortune Southeast Asia 500: 

  • 87% currently do not enforce the recommended strictest level of DMARC implementation (reject). Singapore (85%) and Malaysia (83%) show relatively better implementation rates overall with some level of email authentication. 
  • 28% do not have any DMARC record at all and are wide open to email fraud and domain spoofing attacks. Thailand (45%) and Vietnam (37%) lag behind the rest of the region with no DMARC record at all. 
  • 72% have some form of DMARC adoption in place, though only 13% have a DMARC policy of “Reject” in place, the strictest recommended level which blocks unqualified emails from getting to the recipient.  
    • Singapore (28%) has the highest adoption rate for the strictest recommended level of email authentication, followed by Malaysia (11%), the Philippines (11%), Thailand (10%) and Indonesia (10%). 
    • A mere 4% of enterprises in Vietnam adopt the strictest recommendation level of email authentication. 
  • Out of the organisations that have some form of DMARC policy in place, 73% opt to implement DMARC on their own without expert assistance. This lack of proper DMARC implementation runs the risk of:
    • Blocking legitimate emails, given there is no authentication visibility into all emails coming into and being sent from their organisations.
    • Being unable to store and manage the sheer volume of DMARC data generated, and to review the actionable insights drawn from these reports.

Below are some best practices Proofpoint recommends:  

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating colleagues, suppliers, and stakeholders.   
  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.  
  • Follow best practices when it comes to password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts. 
     

This analysis was conducted in August 2024 using data from Fortune Southeast Asia 500.  

To learn more about DMARC, visit: https://www.proofpoint.com/au/threat-reference/dmarc

 

### 
 

About Proofpoint, Inc. 

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com
 

 

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.