95% of SGX 200 Companies Are Failing to Actively Block Fraudulent Emails, Lagging Global Counterparts: Proofpoint

Financial Loss

Out of the SGX 200 companies, more than half have not adopted DMARC - exposing these organisations to email fraud and domain spoofing attacks

SINGAPORE – 7 April 2022 – Proofpoint, Inc, a leading cyber security and compliance company, today revealed that more than half (59%) of SGX 200 companies do not have the necessary email authentication protocols in place, leaving their customers, partners, and employees open to higher risks of email fraud.

In a recent analysis of SGX top 200 companies, Proofpoint research found that while 41% have implemented some form of email authentication protocol, only 5% of those companies have adopted the recommended strictest level of Domain-based Message Authentication, Reporting and Conformance (DMARC) protection that blocks suspicious emails.

Alex Lei, Senior Vice President, Asia Pacific and Japan at Proofpoint said, “Implementing DMARC email authentication protocols is akin to having your passport checked at an airport – ensuring your identity matches who you say you are and that you have the necessary travel visas required. In a similar way, DMARC allows organisations to ensure that only legitimate senders are using their trusted domains to message employees, customers, and business partners to prevent email fraud and domain spoofing.”

Proofpoint’s research also shows Singapore is lagging its global counterparts in DMARC adoption. The United States’ Fortune 1,000 index shows an 82% DMARC adoption rate, the United Kingdom’s FTSE 100, and FTSE 250 sit at 72% adoption. Closer to home, Australia’s ASX 200 shows 69% DMARC adoption.

Lei continues, “The importance of putting in place strict email authentication policies cannot be understated, especially since our hybrid way of working in Singapore has placed a huge emphasis on communication via email. Without a DMARC policy, companies are basically leaving the doors to their sensitive information wide open for hackers and cyber criminals to exploit and are also putting anyone they work with – from employees, to clients, and partners – at risk.”

In fact, nearly six in ten of the SGX top 200 companies have no DMARC protocol in place at all, with the majority of these being Real Estate Investment Trusts (REITs). This lack of protection against email fraud means exposing countless parties to imposter emails and business email compromise (BEC), since these attacks are designed to trick victims into thinking they received an email from an organisation leader like the CEO or CFO asking them to transfer funds (known as wire fraud), release sensitive or personally identifiable information, or hand over their credentials.

According to the 2021 Annual Crime Brief released from the Singapore Police Force, there has been an increase in the amount of scams and cybercrimes reported in 2021 compared to 2020, accounting for 58.2% of the total cases reported.

“Trust is notoriously hard to earn but incredibly easy to lose. Therefore, we believe in helping organisations build trust with the companies and people they work with, by ensuring only authorised information gets sent through. After all, why would any organisation want to work with a company that doesn’t take cyber security seriously?” concluded Lei.

What is DMARC?

DMARC is an open email authentication protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender's identity before allowing the message to reach its intended recipient. Organisations using a DMARC protocol can implement three levels of policy for unqualified emails attempting to spoof their domains:

  1. Monitor (allows unqualified emails to go to the recipient's inbox or other folders).
  2. Quarantine (directs unqualified emails to go to the junk or spam folder).
  3. Reject, the highest level of protection (blocks unqualified emails from getting to the recipient).

The full findings of Proofpoint's DMARC analysis of the SGX200 shows:

  • 95% of companies currently do not enforce the recommended strictest level of DMARC
  • 41% of companies have some form of DMARC adoption in place, though these policy levels differ:
    • 5% have DMARC – Reject in place, the strictest recommended level which blocks unqualified emails from getting to the recipient
    • 10% have DMARC – Quarantine which directs unqualified emails to go to the recipient's junk or spam folder
    • 26% have DMARC – Monitor, which does not change the way inboxes receive emails, but instead lets senders collect information about their email sources
  • 59% of companies do not have any DMARC record and are wide open to email fraud and domain spoofing attacks

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including more than half of the Fortune 1000, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube

Proofpoint is a trademark or registered trademark of Proofpoint, Inc. in the U.S. and other countries. All other trademarks contained herein are the property of their owners.