Proofpoint Analysis: 67% of ASX 200 Companies at Risk of Email Fraud


Sydney, Australia – 22 June 2023 – Proofpoint, Inc., a leading cybersecurity and compliance company, has found that two-thirds of ASX 200 companies are subjecting customers, partners, and employees to higher risks of email fraud.

The new analysis by Proofpoint of Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption reveals that 67% of ASX 200 listed companies have not implemented the recommended and strictest level of DMARC protection, which prevents cyber criminals from spoofing organisations’ identities and reduces the risk of email fraud. While 81% of ASX 200 companies have adopted the email authentication protocol, only 33% of companies are properly implementing it to the recommended and highest level by blocking suspicious emails. Alarmingly, 19% of the ASX 200 do not have any DMARC record and are wide open to email fraud and domain spoofing attacks.

“The past year has shown the ASX 200, as some of Australia’s most recognisable brands, are and have been obvious targets for email-borne attacks,” said Steve Moros, senior director, advanced technology group, Asia Pacific and Japan, Proofpoint. “All Australians trust their data to these brands, whether it is their credit card information, contact details, addresses, private health records or other sensitive information, and these companies have a responsibility to keep that information safe and secure.”

Proofpoint’s analysis shows Australia’s ASX 200 is lagging behind its global counterparts in DMARC adoption at 81% against a backdrop of increased incidents of email-based cyber attacks. In the United States, the Fortune 1,000 index shows an 88% DMARC adoption rate, whilst in the United Kingdom, the FTSE 100 adoption rate is at 89% and in France, the CAC 40 at 85%.

The analysis arrives on the heels of Proofpoint’s recent State of the Phish 2023 report, which found that nine in 10 Australian organisations (90%) experienced at least one successful email-based phishing attack in 2022, with almost half (48%) reporting direct financial losses – a 60% increase year over year.

Proofpoint’s analysis revealed the lack of protection against email fraud was commonplace across all sectors including banking, healthcare, mining and minerals, real estate, telecommunications, and utilities. Cyber attackers often target companies using email-based attacks designed to trick victims into thinking they received an email from a senior executive such as the CEO or CFO asking them to transfer funds (known as wire fraud), release sensitive or personally identifiable information, or hand over their credentials. New technologies like ChatGPT are also making it easier for threat actors around the world to craft legitimate-looking communications aimed at duping unsuspecting employees.

“We know that a major cyber breach on any company in the ASX 200 can reverberate far and wide, impacting countless stakeholders, including everyday Australians. The combination of lax security behaviours, awareness gaps and a labour market that’s seen a lot of movement in recent years has culminated in creating substantial security risks for Australian organisations and their employees.

“Proofpoint’s recent research shows that only two-thirds (67%) of Australian organisations with a security awareness program train their entire workforce. What’s worse is only 37% conduct phishing simulations—meaning a critical component to building an effective security awareness program is being missed. Equipping employees with the knowledge and tools necessary to protect themselves and important company information remains paramount and must be a high priority,” concluded Moros.

What is DMARC?

DMARC is an open email authentication protocol designed to protect domain names from being misused by cyber criminals. It authenticates the sender's identity before allowing the message to reach its intended recipient. Organisations using DMARC can set one of three policy levels for unqualified emails attempting to spoof their domains:

  1. Monitor (allows unqualified emails to go to the recipient's inbox or other folders).
  2. Quarantine (directs unqualified emails to go to the junk or spam folder).
  3. Reject (highest level of protection; blocks unqualified emails from getting to the recipient).

The full findings of Proofpoint's DMARC analysis of the ASX 200 show:

  • 67% of the ASX 200 currently do not enforce the recommended strictest Reject level of DMARC.
  • 19% of the ASX 200 do not have any DMARC record and are wide open to email fraud and domain spoofing attacks.
  • 81% of the ASX 200 implement some form of DMARC, yet the DMARC policy levels employed vary as follows:
    • 33% use DMARC – Reject (the highest level of protection).
    • 14% use DMARC – Quarantine.
    • 34% use DMARC – Monitor.
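How the three policy levels and the breakdown above map onto published records, as an added example (not Proofpoint's methodology or code): a DMARC policy is a DNS TXT record at `_dmarc.<domain>` whose `p=` tag is `none`, `quarantine` or `reject`, corresponding to Monitor, Quarantine and Reject. The domains and records below are constructed, and counting a missing or unrecognised `p=` as no record is a simplification.

```python
from collections import Counter

# DMARC "p=" values mapped to the level names this page uses.
LEVELS = {"none": "Monitor", "quarantine": "Quarantine", "reject": "Reject"}
NO_RECORD = "No DMARC record"

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def is_dmarc(record):
    """A DMARC record must begin with the version tag v=DMARC1."""
    name, _, value = record.split(";")[0].partition("=")
    return name.strip().lower() == "v" and value.strip() == "DMARC1"

def classify(txt_records):
    """Classify the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if is_dmarc(r)]
    # Zero records, or more than one, means receivers apply no DMARC policy.
    if len(dmarc) != 1:
        return NO_RECORD
    policy = parse_tags(dmarc[0]).get("p", "").lower()
    # Simplification: a missing or unrecognised p= is counted as no record.
    return LEVELS.get(policy, NO_RECORD)

def tally(domains):
    """Count domains per level, in the shape of the breakdown above."""
    return Counter(classify(records) for records in domains.values())

# Constructed sample data (reserved example names, not real lookups).
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=quarantine"],
    "c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@c.example"],
    "d.example": [],                                  # nothing published
    "e.example": ["v=spf1 -all"],                     # SPF text, not DMARC
    "f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicate
    "g.example": ["v=DMARC1 ; P = Reject"],           # odd spacing and case
}

if __name__ == "__main__":
    for level, count in tally(SAMPLE).items():
        print(f"{level}: {count}")
```

A domain that publishes two DMARC records ends up with no policy applied at all, which is why the duplicate case is counted alongside the domains with no record.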

Below are some cyber best practices for employees and other stakeholders:

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating customers, partners or colleagues.  
  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.
  • Follow best practices when it comes to password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts.

This analysis was conducted in May 2023 using data from the ASX 200.


About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 75 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at


Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.