More than three quarters of ASX 200 companies are failing to properly block fraudulent emails

Financial Loss

Australian organisations lag global counterparts in basic email protection

Sydney, Australia – 8 March 2022 – Proofpoint, Inc a leading cyber security and compliance company, has found that more than three quarters of ASX 200 companies are subjecting their customers, partners, and employees to higher risks of email fraud.

The new research revealed today found that 78% of ASX 200 listed companies have not implemented the recommended and strictest level of Domain-based Message Authentication, Reporting and Conformance (DMARC) protection, which prevents cybercriminals from spoofing organisation’s identities and reduces the risk of email fraud. While 69% of ASX 200 companies have adopted a DMARC protocol, only 22% are properly implementing DMARC to the highest level by blocking suspicious emails.

Steve Moros, Senior Director, Advanced Technology Group, APJ at Proofpoint said, “Email continues to be the number one threat vector for cybercriminals, and as some of the most recognisable brands in Australia, ASX 200 companies are and have been obvious targets for email-borne attacks.

“All organisations with or without a hybrid working model rely heavily on the email ecosystem to conduct business between suppliers and vendors, employees, customers, and partners, so the risk of compromise and brand damage is high. Yet Proofpoint research shows Australian organisations are underperforming when it comes to adopting people-centric cybersecurity solutions necessary to prevent adverse outcomes and reduce the risk of human (employee) activated attacks.”

Email-based attacks dominated the threat landscape in 2021 as Australia becomes a key target

Proofpoint’s analysis shows Australia is lagging its global counterparts in DMARC adoption, against a backdrop of increased incidents of email-based cyberattacks. The United States’ Fortune 1,000 index shows an 82% DMARC adoption rate, the United Kingdom’s FTSE 100, and FTSE 250 sit at 72% adoption, and France’s CAC 40 at 75%.

At the same time, Proofpoint’s recent State of the Phish Report found Australian organisations are experiencing greater adverse outcomes from successful email-based cyberattacks compared to other countries including the US, UK and Japan. The report highlighted 90% of Australian survey respondents said their organisation faced spear phishing, business email compromise (BEC) and email-based ransomware attacks in 2021. In addition, 92% of Australian organisations experienced a successful phishing attack, the highest of any country surveyed and a 53% increase from 2020.

According to Proofpoint’s analysis of ASX 200 companies, the lack of protection against email fraud is commonplace across all sectors, exposing countless parties to imposter emails. These BEC attacks are designed to trick victims into thinking they received an email from an organisation leader like the CEO or CFO asking them to transfer funds (known as wire fraud), release sensitive or personally identifiable information, or hand over their credentials.

A 2021 report released by the Australian Cyber Security Centre (ACSC) identified BEC as an increasing threat to Australian businesses, with the average loss per successful BEC amounting to $50,600 – over one and a half times higher than the previous financial year.

“Business email compromise is one of the most common and disruptive types of attacks facing those organisations without proper protocols in place to secure their email communication channels. In fact, a 2021 Proofpoint survey of 100 Australian CISOs revealed BEC topped the list of attacks they felt most at risk from over the next 12 months.

“A major cyber breach on the ASX 200 would reverberate far and wide and have the potential to financially impact many stakeholders and organisations. This year marks ten years since the DMARC protocol was created however it is concerning to see that some of Australia’s most prominent organisations are yet to leverage best-practice technology to protect themselves.

“As the number of successful email attacks continue to rise in Australia, equipping employees with the knowledge and tools necessary to protect themselves and critical organisational information remains paramount and must be a high priority. In addition to employee awareness training, cybersecurity standards create a definitive and clear baseline for security that organisations can rely on to protect themselves. The ACSC already mandates stringent email authentication standards including DMARC, for all public sector organisations. It’s time all private companies also follow suit and reduce their attack surface area,” concluded Moros.

What is DMARC?

DMARC is an open email authentication protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender's identity before allowing the message to reach its intended recipient. Organisations using a DMARC protocol can implement three levels of policy for unqualified emails attempting to spoof their domains:

  1. Monitor (allows unqualified emails to go to the recipient's inbox or other folders).
  2. Quarantine (directs unqualified emails to go to the junk or spam folder).
  3. Reject, the highest level of protection (blocks unqualified emails from getting to the recipient).

The full findings of Proofpoint's DMARC analysis of the ASX 200 shows:

  • 69% of companies currently publish a DMARC record, however.
  • only 22% of companies with DMARC have implemented a reject policy and are proactively blocking fraudulent emails.
  • 47% of companies with DMARC are using monitor and quarantine policies.
  • 31% of companies do not have a DMARC record at all and are wide open to email fraud and domain spoofing attacks.

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including more than half of the Fortune 1000, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube


Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.