Proofpoint: 78% of Australia’s Banks Are Not Proactively Blocking Fraudulent Emails


Sydney, Australia – 1 August 2023Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research identifying that almost 4 out of 5 Australian-owned authorised deposit-taking institutions and foreign subsidiary banks are lagging behind on basic cybersecurity measures, subjecting customers, staff and stakeholders to a higher risk of email-based impersonation attacks.

These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of 85 Australian-owned authorised deposit-taking institutions and foreign subsidiary banks. DMARC1 is an email validation protocol designed to protect domain names from being misused by cyber criminals. It authenticates the sender's identity before allowing a message to reach its intended destination. DMARC has three levels of protection – monitor, quarantine and reject2 with reject being the most secure for preventing suspicious emails from reaching the inbox.  

Proofpoint’s research reveals that 78% of the Australia-owned deposit-taking institutions and foreign subsidiary banks have not implemented the recommended and strictest level of DMARC protection, which prevents cyber criminals from spoofing organisations’ identities and reduces the risk of email fraud. Whilst 66% of these organisations have adopted the email authentication protocol, only 22% of them are properly implementing it to the recommended and highest level by blocking suspicious emails. Worryingly, over one-third (34%) of these organisations do not have any DMARC record at all, leaving them vulnerable to cyber criminals impersonating their domains to target customers with email fraud.

“Due to the extensive amount of sensitive personal and financial data that they store, banking and financial institutions are a prime target for cyber criminals,” said Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan, Proofpoint. “With email-based phishing attacks remaining one of the most common techniques used by cyber criminals, it is irresponsible for organisations to not have the highest level of protection.”

According to Proofpoint’s 2023 State of the Phish Report, on average, 9 in 10 (90%) of Australian organisations reported an attempted business email compromise (BEC) attack in 2022, higher than the global average (75%). BEC phishing attempts involve threat actors posing as legitimate business contacts, such as a senior executive (CFO or CEO), colleague or supplier to send fraudulent emails to customers or employees.

“The banking and financial services sector is constantly undergoing rapid digital transformation due to the increased use of mobile applications by employees and customers, making it imperative for these institutions to adopt stricter DMARC protection to stay ahead of the evolving threat landscape. Email authentication protocols such as DMARC are essential in fortifying defences against email fraud and safeguarding customers, staff, and other stakeholders in the supply chain from malicious attacks. By achieving full DMARC compliance, organisations can remain confident that they are doing their best to protect the life savings entrusted to them by millions of Australians around the country,” concluded Moros.

Below are some cyber best practices for customers, staff and stakeholders:

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating customers, partners or colleagues. 
  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked. 
  • Follow best practices when it comes to password hygiene, including using strong passwords, never re-using them across multiple accounts and using multi-factor authentication where available.

This analysis was conducted in June 2023 using data from APRA’s register of authorised deposit-taking institutions, including Australian-owned authorised deposit-taking institutions and foreign subsidiary banks.


About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 75 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.


1 What is DMARC?

2 Monitor (allows unqualified emails to go to the recipient's inbox or other folders), Quarantine (directs unqualified emails to go to the junk or spam folder) and Reject, the highest level of protection, (blocks unqualified emails from getting to the recipient).