Australian banks not proactively blocking fraudulent emails
Cybersecurity and compliance company Proofpoint has released new research identifying that almost 4 out of 5 Australian-owned authorised deposit-taking institutions and foreign subsidiary banks are lagging behind on basic cybersecurity measures, subjecting customers, staff and stakeholders to a higher risk of email-based impersonation attacks.
These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of 85 Australian-owned authorised deposit-taking institutions and foreign subsidiary banks.
DMARC is an email validation protocol designed to protect domain names from being misused by cyber criminals. It authenticates the sender's identity before allowing a message to reach its intended destination.
DMARC has three levels of protection monitor, quarantine and reject with reject being the most secure for preventing suspicious emails from reaching the inbox.
Proofpoint's research reveals that 78% of the Australia-owned deposit-taking institutions and foreign subsidiary banks have not implemented the recommended and strictest level of DMARC protection, which prevents cyber criminals from spoofing organisations identities and reduces the risk of email fraud.
Whilst 66% of these organisations have adopted the email authentication protocol, only 22% of them are properly implementing it to the recommended and highest level by blocking suspicious emails. Worryingly, over one-third (34%) of these organisations do not have any DMARC record at all, leaving them vulnerable to cyber criminals impersonating their domains to target customers with email fraud.
"Due to the extensive amount of sensitive personal and financial data that they store, banking and financial institutions are a prime target for cyber criminals," says Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan, Proofpoint.
"With email-based phishing attacks remaining one of the most common techniques used by cyber criminals, organisations should focus on implementing the highest level of protection that can provide outcome-based protection."
According to Proofpoint's 2023 State of the Phish Report, on average, 9 in 10 (90%) of Australian organisations reported an attempted business email compromise (BEC) attack in 2022, higher than the global average (75%). BEC phishing attempts involve threat actors posing as legitimate business contacts, such as a senior executive (CFO or CEO), colleague or supplier to send fraudulent emails to customers or employees.
"The banking and financial services sector is constantly undergoing rapid digital transformation due to the increased use of mobile applications by employees and customers, making it imperative for these institutions to adopt stricter DMARC protection to stay ahead of the evolving threat landscape," says Moros.
"Recent events have demonstrated that the risk is too high for organisations to rely solely on in-house approaches. Email authentication protocols such as DMARC are essential in fortifying defences against email fraud and safeguarding customers, staff, and other stakeholders in the supply chain from malicious attacks," he says.
"By achieving full DMARC compliance, organisations can remain confident that they are doing their best to protect the life savings entrusted to them by millions of Australians around the country."
Below are some cyber best practices for customers, staff, and stakeholders:
Check the validity of all email communication and be aware of potentially fraudulent emails impersonating customers, partners or colleagues.
Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn't clicked.
Follow best practices when it comes to password hygiene, including using strong passwords, never re-using them across multiple accounts and using multi-factor authentication where available.
This analysis was conducted in June 2023 using data from APRAs register of authorised deposit-taking institutions, including Australian-owned authorised deposit-taking institutions and foreign subsidiary banks.