Majority of Australia's Banks Leave Customers Vulnerable to Email Fraud


Nearly three in five banks do not enforce the strongest email authentication protections as impersonation threats continue to grow

SYDNEY, Australia – 1 July 2026 - Proofpoint, Inc., a leading cybersecurity and compliance company, today warned that the majority of Australia's banks are failing to implement the recommended and most secure email authentication protocol, which may leave customers, employees, and partners vulnerable to increasingly AI-driven email fraud and domain impersonation attacks.

These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of 78 financial institutions on Australian Prudential Regulation Authority (APRA)'s ADI register. DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals by authenticating sender identities before messages reach their intended destination. It offers three levels of protection – monitor, quarantine, and reject – with 'reject' being the most secure, as it helps block suspicious emails from reaching an inbox.

According to the Australian Signals Directorate's Annual Cyber Threat Report 2024–25, online banking fraud is among the top 3 self-reported cybercrime types affecting individuals. The emergence of powerful frontier AI models is creating a new, complex threat landscape for Australian banks. These tools can automate sophisticated social engineering attacks and generate convincing lures at an unprecedented scale. AI is also expanding the attack surface, enabling threats to spread at machine speed and affect connected workflows. Proofpoint's 2026 AI and Human Risks Landscape Report found that email remains the primary entry point for cyber threats in Australia, identified by 53% of organisations as their most common threat vector.

Australian banks falling short on email security

Proofpoint's 2026 DMARC analysis found that nearly 3 in 5 (59%) of Australia's banks are not implementing the strictest recommended DMARC policy. It is even more concerning that 18% have no DMARC record at all, meaning their email domains are more susceptible to being spoofed by cybercriminals.

"Banks must remember that even the most advanced AI-driven attack often relies on a single person making a mistake," said Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan, Proofpoint. "While AI can often accelerate the attacker's playbook, these threats are still ultimately designed to manipulate people. For hard-working Australians who trust their financial institutions to protect their savings and personal data, especially with today's cost-of-living pressures, getting this right is essential. To stay ahead of the evolving threat landscape, Australian banks must adopt stronger protections for their customers, such as enforcing the strictest recommended Reject level of DMARC and ensuring they adopt a human-centric approach to cybersecurity. This will help reduce the risk of their customers falling victim to scams resulting from domain impersonation."

The rapid advancement of frontier AI models like Mythos represents a significant wake-up call for the financial sector. AI is compressing the window between a vulnerability being found and being weaponised. When adversaries can automate multistep attacks overnight, every unaddressed control could be a potential point of exposure. For Australian banks, this makes existing gaps, such as the fact that nearly 60% haven't implemented DMARC at the strictest level, considerably more consequential. Reducing the attack surface through critical controls such as DMARC is now a fundamental step for organisations to improve cyber posture and protect their employees, customers and associated data.

The full findings of Proofpoint's 2026 DMARC analysis of Australia's banks show:

  • 41% use DMARC – Reject (the highest level of protection, actively blocking fraudulent emails)
  • 18% use DMARC – Quarantine
  • 23% use DMARC – Monitor
  • 18% have no DMARC record at all, which may increase exposure to email fraud and domain spoofing attacks
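As an added illustration of how the four buckets above are derived (this is not part of the press release and not Proofpoint's own tooling), the following parser reads a domain's `_dmarc` TXT record and classifies it as reject, quarantine, monitor (`p=none`) or no record. The sample records and domain names are constructed; treating a `pct` value below 100 as not fully enforced and a malformed record as equivalent to no record are this example's own choices.

```python
# Classify DMARC posture from _dmarc TXT records (constructed example).
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc_tags(txt_record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify_dmarc(txt_record):
    """Return 'reject', 'quarantine', 'monitor' or 'no record'.

    A missing, malformed or non-DMARC record gives receivers nothing to
    enforce, so it is bucketed with 'no record'.
    """
    if txt_record is None:
        return "no record"
    tags = parse_dmarc_tags(txt_record)
    # The version tag value is case-sensitive ("DMARC1"); the policy value is not.
    if tags.get("v") != "DMARC1":
        return "no record"
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return "no record"
    # pct<100 applies quarantine/reject to only a sample of failing mail;
    # this example counts that as not fully enforced (assumption).
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy == "none" or pct < 100:
        return "monitor"
    return policy

def summarise(records):
    """Tally classifications across a set of domains, as in a sector survey."""
    counts = {"reject": 0, "quarantine": 0, "monitor": 0, "no record": 0}
    for record in records.values():
        counts[classify_dmarc(record)] += 1
    return counts

# Constructed records for hypothetical domains; None means no TXT record found.
SAMPLE_RECORDS = {
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example",
    "bank-b.example": "v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s",
    "bank-c.example": "v=DMARC1; p=none; rua=mailto:reports@bank-c.example",
    "bank-d.example": None,
    "bank-e.example": "v=DMARC1; p=reject; pct=25",
    "bank-f.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:16} {classify_dmarc(record)}")
    print(summarise(SAMPLE_RECORDS))
```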

Proofpoint published its first DMARC analysis of Australia's banking sector in 2023 and found that only 22% of institutions had implemented a Reject policy. While adoption has increased to 41% in 2026, progress has been slower than expected given DMARC is a widely recognised industry-standard email security control that organisations should prioritise.

Best Practices for Enhanced Email Security for customers, staff, and other stakeholders:

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating trusted brands, colleagues, suppliers, and stakeholders.
  • Be cautious of any communication attempts that request login credentials or threaten to suspend service or an account if a link isn't clicked.
  • Adopt phishing-resistant multifactor authentication, such as passkeys.

Methodology

This analysis was conducted in May 2026 using data from The Australian Prudential Regulation Authority (APRA).


About Proofpoint, Inc.

Proofpoint, Inc. is a global leader in human- and agent-centric cybersecurity, securing how people, data and AI agents connect across email, cloud and collaboration tools. Proofpoint is a trusted partner to over 80 of the Fortune 100, over 14,000 large enterprises, and millions of smaller organisations in stopping threats, preventing data loss, and building resilience across people and AI workflows. Proofpoint's collaboration and data security platform helps organisations of all sizes protect and empower their people while embracing AI securely and confidently. Learn more at www.proofpoint.com.


Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.