News Center
Two-Thirds of Australia’s Leading Banks Put Consumers at Risk of Email Fraud

Two-Thirds of Australia’s Leading Banks Put Consumers at Risk of Email Fraud

Secure Email Relay Overview

Proofpoint analysis reveals Australian banks are falling behind US counterparts in protecting their customers

SYDNEY, 26 November 2024Proofpoint, Inc., a leading cybersecurity and compliance company, has found that two-thirds of Australia’s leading banks are subjecting customers, partners, and employees to higher risks of email fraud.

The new analysis by Proofpoint of email authentication adoption reveals that 66% of Australia’s banks have not implemented the recommended and strictest level of Domain-based Message Authentication, Reporting and Conformance (DMARC) protection, which prevents cyber criminals from spoofing organisations’ identities and reduces the risk of email fraud. DMARC has three levels of protection[1] – monitor, quarantine and reject – with reject being the most secure for preventing suspicious emails from reaching the inbox.

The findings reveal that while three quarters (75%) of banks have adopted the email authentication protocol, only 34% of them are properly implementing it to the recommended and highest level by blocking suspicious emails. Alarmingly a quarter (25%) of Australia’s banks do not have any DMARC record at all, leaving them much more vulnerable to cyber criminals.

The analysis follows new reforms by the Australian Government that will impose fines of up to $50 million on banks, mobile networks, and social media companies if they do not take reasonable steps to prevent, detect, disrupt, respond, and report scams and attempted scams in their businesses. The Scam Prevention Framework[2] will require businesses to report scams to a federal authority and give victims the power to fight for compensation if they fail to meet the new standards. As part of the legislation, the Australian Competition and Consumer Commission (ACCC) will also be given the authority to draft mandatory industry-wide codes and establish specific codes for companies within those industries. According to the ACCC’s Scamwatch[3], Australians have already reported over 198,000 scams and a total loss of more than $208 million in 2024 alone.

“Cyber criminals are increasingly posing as trusted banks to trick Australians into handing over sensitive information or transferring funds via email phishing attacks,” said Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan, Proofpoint. “The Australian government has passed landmark legislation to ensure banks take more accountability for protecting Australians. Yet, this analysis alone highlights there are still gaps that the banks in Australia can address to prevent Australian consumers from being scammed.”

When compared to leading financial institutions in the United States, the analysis reveals that Australian banks are falling behind their global counterparts in terms of security and fraud prevention. While only a third (34%) of Australian banks implement the highest level of DMARC protection, more than half (58%) of banks in the US have already adopted this strictest form of email authentication. Additionally, only 3% of banks in the US lack a DMARC record, compared to an alarming 25% of banks in Australia, leaving a large number of Australians vulnerable to cyberattacks.

“At the end of the day, hard-working Australians are primary targets of these scams. They put their trust in financial institutions to ensure their credit card information, contact details, addresses, data, and of course, their money is safe. They can’t afford to have their life savings compromised by cyber criminals, especially given the rising cost of living and higher inflation pressures we are facing today. To stay ahead of the evolving threat landscape, Australian banks must adopt stronger protections for their customers, such as enforcing the strictest recommended Reject level of DMARC. This will help prevent their customers from falling victim to scams resulting from domain impersonation”, concluded Moros.

The full findings of Proofpoint's DMARC analysis of Australia’s leading banks show:

  • 66% of banks currently do not enforce the recommended strictest Reject level of DMARC implementation.
  • 25% of banks do not have any DMARC record and are wide open to email fraud and domain spoofing attacks.
  • 75% of the banks implement some form of DMARC, yet the DMARC policy levels employed vary as follows:
    • 34% use DMARC – Reject (the highest level of protection).
    • 14% use DMARC – Quarantine.
    • 27% use DMARC – Monitor.

Below are some cyber best practices for employees and other stakeholders:

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating customers, partners or colleagues.  
  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.
  • Follow best practices when it comes to password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts.
  • Simply put, if it sounds too good to be true, or you are feeling pressured to act quickly, these are strong indicators of potential fraud.

This analysis was conducted in November 2024 based on a total of 85 institutions using data from APRA’s register of authorised deposit-taking institutions, including Australian-owned authorised deposit-taking institutions and foreign subsidiary banks.

###

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.
 

Connect with Proofpoint: X | LinkedIn | Facebook | YouTube

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.

 

[1] Monitor (allows unqualified emails to go to the recipient's inbox or other folders), Quarantine (directs unqualified emails to go to the junk or spam folder) and Reject, the highest level of protection, (blocks unqualified emails from getting to the recipient).

[2] Albanese Government introduces landmark Scams Prevention Framework

[3] Australian Competition and Consumer Commission (ACCC)