Sydney, Australia – 30 April 2024 – Proofpoint, Inc., a leading cybersecurity and compliance company, has found that 59% of ASX 200 companies are subjecting customers, partners, and employees to higher risks of email fraud.

These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the ASX 200. DMARC is an email validation protocol designed to protect domain names from being misused by cyber criminals, authenticating the sender’s identity before allowing a message to reach its intended destination. DMARC has three levels of protection^[1] – monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.

Proofpoint’s research reveals that 59% of ASX 200 listed companies have not implemented the recommended and strictest level of DMARC protection, which prevents cyber criminals from spoofing organisation’s identities and reduces the risk of email fraud. While 92% of ASX 200 companies have adopted a DMARC protocol, only 41% of companies are properly implementing DMARC to the recommended and highest level by blocking suspicious emails. Alarmingly, 8% of the ASX 200 do not have any DMARC record at all and are wide open to email fraud and domain spoofing attacks.

This is despite both Google and Yahoo implementing increased restrictions from February this year that will require DMARC email authentication to be able to send messages from their platforms. These security requirements will apply especially to accounts that send large volumes of emails per day, which will need to have the DMARC authentication protocol deployed, amongst other measures. Failure to comply will significantly impact the deliverability of legitimate messages to customers with Gmail and Yahoo accounts.

Proofpoint’s analysis revealed the lack of protection against email fraud was commonplace across all sectors including banking, healthcare, mining and minerals, real estate, telecommunications, and utilities. Cyber criminals often target listed Australian companies using email-based attacks designed to trick victims into thinking they received an email from an organisation’s leader such as the CEO or CFO asking them to transfer funds (known as wire fraud), release sensitive or personally identifiable information, or hand over their credentials. New technologies like ChatGPT are also making it easier for threat actors around the world to create communications that are clear and coherent.

“As the recent report by the ACCC highlights, scammers are launching successful phishing and business email compromise campaigns by impersonating known organisations so it’s surprising to see a significant number of Australia’s biggest companies are still failing to implement basic email security measures,” said Adrian Covich, Senior Director, Technical Sales, Asia Pacific and Japan, Proofpoint.
“We know that a major cyber attack on any company in the ASX 200 can reverberate far and wide, impacting countless stakeholders, including the everyday Australians. The Australian cyber security landscape has become increasingly complex with new threat actors, AI-based technology and lax internal cyber security behaviours. If we are to avoid a repeat of the high profile attacks we’ve seen on Australian companies in recent years, an overwhelming majority of the ASX 200 need to ensure they improve their cyber security defences, particularly when it comes to securing the email channel.” concluded Covich.

The analysis arrives on the heels of Proofpoint’s recent State of the Phish 2024 report, which found that 56% of Australian organisations experienced at least one successful phishing attack in the last year, and reported a 25% increase in reports of reputational damage. The report also found that 72% of working Australian adults admitted to taking risky actions, such as reusing or sharing a password or clicking on links from unknown senders, however a staggering 98% of them did so knowing the inherent risks involved.

This challenges the traditional belief that the main reason people take risky actions is due to a lack of cybersecurity knowledge and places further emphasis on the importance of robust security compliance procedures.

The full findings of Proofpoint’s DMARC analysis of the ASX 200 show:

• 59% of the ASX 200 currently do not enforce the recommended strictest level of DMARC.
• 8% of the ASX 200 do not have any DMARC record and are wide open to email fraud and domain spoofing attacks.
• 92% of the ASX 200 implement some form of DMARC, yet the DMARC policy levels employed vary as follows:
  • 41% use DMARC – Reject (the highest level of protection)
  • 21% use DMARC – Quarantine
  • 30% use DMARC – Monitor

Below are some cyber best practices for employees and other stakeholders:

• Check the validity of all email communication and be aware of potentially fraudulent emails impersonating well-known organisations.
• Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.
• Follow best practices when it comes to password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts.

This analysis was conducted in April 2024 using data from the ASX 200.

Learn more about DMARC visit: https://www.proofpoint.com/au/threat-reference/dmarc

—END

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

Connect with Proofpoint: X | LinkedIn | Facebook | YouTube

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.