Proofpoint Analysis: 52% of Banks in Singapore Fail to Proactively Block Fraudulent Emails from Reaching Customers

Out of the 129 banks surveyed, 1 in 5 lack any form of email authentication protocol

SINGAPORE – 10 August 2023 – Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research identifying that a little over half of Singapore’s local and foreign member banks are lagging behind on basic cybersecurity measures, subjecting customers, staff and stakeholders to a higher risk of email-based impersonation attacks.

These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of 129 local and foreign member banks in Singapore. DMARC is an email validation protocol designed to protect domain names from being misused by cyber criminals. It authenticates the sender's identity before allowing a message to reach its intended destination. DMARC has three levels of protection – monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.

Proofpoint’s research reveals that more than half of the listed local and foreign member banks in Singapore have yet to implement the recommended and strictest level of DMARC protection, which prevents cyber criminals from spoofing organisations’ identities and reduces the risk of email fraud. While 8 in 10 of these organisations have adopted the email authentication protocol, only 48% are properly implementing it to the recommended and highest level by blocking suspicious emails. Worryingly, a fifth (20%) of these organisations do not have any DMARC record at all, leaving them vulnerable to cyber criminals.

This is especially concerning as the Singapore Cyber Landscape 2022 report released just last month revealed that the banking and financial services sector experiences the highest number of spoofing incidents. In fact, it accounts for over 80% of all phishing attempts and has consistently ranked among the top three sectors targeted by cyber attackers since 2016.

“Banking and financial institutions are at significant risk from cyber criminals due to the large volume of sensitive and financial data they possess,” said Philip Sow, Head of Systems Engineering, South East Asia and South Korea at Proofpoint. “As spoofing and other email-based attacks continue to be a prevalent method employed by cyber criminals, it is critical for organisations to prioritise the implementation of email authentication protocols such as DMARC to reduce organisations’ attack surface and risk of attack by impersonation.”

Business email compromise (BEC) attacks should also be on organisations’ radar when it comes to email security, especially since 72% of Singaporean organisations on average reported an attempted BEC attack last year according to Proofpoint’s 2023 State of the Phish report. BEC phishing involves assuming the identity of business contacts to send fraudulent emails that aim to trick victims into believing they have received legitimate emails from reputable organisations.

“DMARC is essential in fortifying defences against email fraud and safeguarding customers, staff and stakeholders from malicious attacks. Banking and financial institutions operating in Singapore must proactively stay ahead of the changing threat landscape as scams and attacks become commonplace, ensuring they are well-prepared to defend against the latest email threats,” concluded Sow.

Below are some cyber best practices for customers, staff and stakeholders:

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating customers, partners or colleagues. 

  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked. 

  • Follow best practices when it comes to password hygiene, including using strong passwords, never re-using them across multiple accounts and using multi-factor authentication where available.

This analysis was conducted in June 2023 using data from The Association of Banks in Singapore’s register of local and foreign member banks.

What is DMARC?

DMARC is an open email authentication protocol designed to protect domain names from being misused by cyber criminals. It authenticates the sender's identity before allowing the message to reach its intended recipient. Organisations using a DMARC protocol can implement three levels of policy for unqualified emails attempting to spoof their domains:

  1. Monitor (allows unqualified emails to go to the recipient's inbox or other folders).
  2. Quarantine (directs unqualified emails to go to the junk or spam folder).
  3. Reject (highest level of protection – blocks unqualified emails from getting to the recipient).

The full findings of Proofpoint’s DMARC analysis of Singapore’s listed banks:

  • 52% of companies currently do not enforce the recommended strictest level of DMARC, while 20% of companies do not have any DMARC record and are wide open to email fraud and domain spoofing attacks.
  • 80% of companies have some form of DMARC adoption in place, though these policy levels differ as follows:
    • 48% have DMARC – Reject in place, the strictest recommended level which blocks unqualified emails from getting to the recipient.
    • 11% have DMARC – Quarantine, which directs unqualified emails to go to the recipient's junk or spam folder.
    • 21% have DMARC – Monitor, which does not change how inboxes receive emails but allows senders to collect information about their email sources.
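The three policy levels and the breakdown above can be reproduced for any list of domains by reading the `p=` tag of the TXT record published at `_dmarc.<domain>`. The following is an added example, not Proofpoint's tooling or methodology: it assumes the TXT strings have already been fetched, maps `p=none` to the "Monitor" level, and uses constructed `.example` domains and hypothetical function names.

```python
from collections import Counter

# DMARC "p=" tag values (RFC 7489) mapped to the level names used on this page.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}


def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def classify_dmarc(txt_records):
    """Classify the TXT strings found at _dmarc.<domain> (may be empty)."""
    parsed = [parse_tags(r) for r in txt_records]
    # A DMARC record must begin with the version tag v=DMARC1.
    dmarc = [tags for tags in parsed if tags and tags[0] == ("v", "DMARC1")]
    if not dmarc:
        return "no record"
    if len(dmarc) > 1:
        # Receivers apply no DMARC policy when several records are published.
        return "invalid"
    # Simplification: a missing or unknown p= value is reported as invalid.
    policy = dict(dmarc[0]).get("p", "").lower()
    return LEVELS.get(policy, "invalid")


def tally(domains):
    """domains: mapping of domain -> list of TXT strings at _dmarc.<domain>."""
    return Counter(classify_dmarc(records) for records in domains.values())


# Constructed sample data, not taken from the survey.
SAMPLE = {
    "bank-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example"],
    "bank-b.example": ["v=DMARC1; p=quarantine"],
    "bank-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@bank-c.example"],
    "bank-d.example": [],                       # nothing published
    "bank-e.example": ["v=spf1 -all"],          # SPF text, not a DMARC record
    "bank-f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicate
}

if __name__ == "__main__":
    for level, count in tally(SAMPLE).most_common():
        print(f"{level}: {count}")
```

Only the `reject` bucket corresponds to the "recommended and strictest level" counted in the findings; a domain with duplicate or malformed records is unprotected in practice even though a record exists.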

 

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 75 per cent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.