Majority of Australia’s Higher Education Institutions and Private Schools are Increasing the Risk of Exposure to Email Fraud
Nearly three-quarters of private schools and more than 3 in 5 universities lack industry‑recommended email authentication controls, such as DMARC at ‘reject’ level
SYDNEY, Australia – 23 February 2026 – Proofpoint, Inc., a leading cybersecurity and compliance company, today warned that a significant majority of Australia's top universities and private schools are potentially increasing exposure to email‑based impersonation attacks, which are a known precursor to many data breaches. New research reveals that nearly three-quarters (73%) of schools and over three in five (66%) of universities currently lack industry-recommended email authentication controls, such as DMARC at ‘reject’ level.
These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the top 131 Australian higher education institutions and the top 100 Australian private schools. DMARC is an email validation protocol designed to help reduce domain spoofing by validating whether messages appear to originate from authorised sources before delivery. It offers three levels of protection – monitor, quarantine, and reject – with ‘reject’ being the most secure, as it helps prevent suspicious emails from reaching an inbox.
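The three levels map onto the `p=` tag of the TXT record a domain publishes at `_dmarc.<domain>`: `p=none` is monitor, `p=quarantine` is quarantine and `p=reject` is reject. The sketch below is an added example, not Proofpoint's tooling or methodology: it classifies already-fetched TXT strings into those buckets and tallies percentages. The domain names and records are constructed, the DNS lookup is left out, and counting unusable or duplicate records as "no record" is an assumption.

```python
from collections import Counter

# DMARC p= values mapped to the level names used in the release.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_tags(record):
    """Split 'v=DMARC1; p=reject' into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def classify(txt_records):
    """Classify the TXT strings published at _dmarc.<domain>."""
    parsed = [parse_tags(r) for r in txt_records]
    # A DMARC record must start with the exact version tag v=DMARC1.
    dmarc = [dict(p) for p in parsed if p and p[0] == ("v", "DMARC1")]
    if len(dmarc) != 1:
        # Nothing published, or several records: receivers apply no policy.
        return "no record"
    tags = dmarc[0]
    policy = tags.get("p", "").lower()
    if policy in LEVELS:
        return LEVELS[policy]
    # RFC 7489 section 6.6.3: an invalid p= falls back to p=none when a
    # report address is present (simplified here to a mailto: prefix check).
    has_rua = tags.get("rua", "").lower().startswith("mailto:")
    return "monitor" if has_rua else "no record"

def tally(domains):
    """Percentage of domains at each level, rounded to whole numbers."""
    counts = Counter(classify(records) for records in domains.values())
    return {level: round(100 * n / len(domains)) for level, n in counts.items()}

# Constructed sample data (hypothetical domains, not from the analysis).
SAMPLE = {
    "uni-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@uni-a.example"],
    "uni-b.example": ["v=DMARC1; p=quarantine; pct=50"],
    "school-c.example": ["v=spf1 -all", "v=DMARC1; p=none"],
    "school-d.example": [],
    "school-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    print(tally(SAMPLE))
```

A domain that publishes two DMARC records, like `school-e.example` here, ends up with no enforced policy even though one of the records says `p=reject`.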
The findings come amid a spate of cyberattacks on the education sector, including a publicly reported breach affecting more than 1,500 Victorian government schools and publicly reported incidents at Western Sydney University and the University of Western Australia, raising concerns about the sector’s growing vulnerability.
Private schools falling short on email security
Proofpoint’s DMARC analysis of 100 top Australian private schools found that nearly three-quarters of schools (73%) are not employing the strictest recommended DMARC policies, potentially exposing confidential information and increasing their exposure to similar types of email‑based threats. Additionally, 6% of private schools surveyed have no DMARC record at all.
“We are seeing a steady rise in cyber-attacks targeting Australia’s education sector, and many institutions are struggling to keep pace with the speed, volume and sophistication of today’s threats,” said Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan at Proofpoint.
“Educational institutions are highly attractive targets for cyber criminals because they hold vast amounts of personally identifiable information, spanning students, staff, and alumni. In addition, many educational institutions have significantly lower budgets, technical capabilities and resources to help combat the threats targeting them, which further emphasises why critical layers of defence such as DMARC are an important layer of defence that can help reduce the volume of potential attacks.
“Email is the number one threat vector targeting people. Educational institutions need to adopt proven platforms to protect their brand, employees and students from impersonation and account compromise. Implementing DMARC is a critical step in reducing their attack surface,” concluded Moros.
Higher education institutions not improving fast enough
A similar pattern is found in higher education. While 93% of the top 100 Australian universities have some form of DMARC protection in place, approximately three in five (66%) still aren’t enforcing the industry-recommended ‘reject’ policy, leaving large numbers of students and staff more exposed to email-based phishing and impersonation attacks.
In 2024, Proofpoint conducted its first DMARC analysis of Higher Education Institutions, warning that it was one of Australia’s most vulnerable sectors to threat actors. The initial analysis revealed that more than four in five (82%) were still falling short of the industry-recommended ‘reject’ policy. In 2026, there has been a marginal improvement in security: 'Reject' policies have increased 16% and the number of universities with 'no DMARC record' at all has dropped 24% to 7%. However, despite this progress, a substantial portion continues to rely on intermediate 'quarantine' or 'monitor' policies, increasing the sector’s exposure to sophisticated email attacks.
The full findings of Proofpoint's 2026 DMARC analysis of Australia’s Private Schools show:
- 27% have DMARC – Reject in place.
- 30% have DMARC – Quarantine.
- 37% have DMARC – Monitor.
- 6% of schools do not have any DMARC record at all, placing them at significantly increased risk of email fraud and domain spoofing attacks.
The full findings of Proofpoint's 2026 DMARC analysis of Australia’s top universities show:
- 34% use DMARC – Reject (the highest level of protection).
- 26% use DMARC – Quarantine.
- 34% use DMARC – Monitor.
- 7% have no DMARC record at all.
Best Practices for Enhanced Email Security for students, staff, and other stakeholders:
- Check the validity of all email communication and be aware of potentially fraudulent emails impersonating trusted brands, colleagues, suppliers, and stakeholders.
- Be cautious of any communication attempts that request login credentials or threaten to suspend service or an account if a link isn’t clicked.
- Adopt phishing-resistant multifactor authentication, such as passkeys.
The analysis of Australian higher education institutions was conducted in January 2026 using data from the Australian Department of Education. The analysis of top Australian private schools was also conducted in January 2026, using data from Schools 360.
###
About Proofpoint, Inc.
Proofpoint, Inc. is a global leader in human- and agent-centric cybersecurity, securing how people, data and AI agents connect across email, cloud and collaboration tools. Proofpoint is a trusted partner to over 80 of the Fortune 100, over 10,000 large enterprises, and millions of smaller organisations in stopping threats, preventing data loss, and building resilience across people and AI workflows. Proofpoint’s collaboration and data security platform helps organisations of all sizes protect and empower their people while embracing AI securely and confidently. Learn more at www.proofpoint.com.
Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.