Two-thirds of ASX 200 companies are subjecting customers, partners, and employees to higher risks of email fraud, according to new analysis by Proofpoint.

The new analysis by Proofpoint of Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption reveals that 67% of ASX 200 listed companies have not implemented the recommended and strictest level of DMARC protection, which prevents cyber criminals from spoofing organisations identities and reduces the risk of email fraud. 

While 81% of ASX 200 companies have adopted the email authentication protocol, only 33% of companies are properly implementing it to the recommended and highest level by blocking suspicious emails. Alarmingly, 19% of the ASX 200 do not have any DMARC record and are wide open to email fraud and domain spoofing attacks.

"The past year has shown the ASX 200, as some of Australia's most recognisable brands, are and have been obvious targets for email-borne attacks," says Steve Moros, senior director, advanced technology group, Asia Pacific and Japan, Proofpoint. 

"All Australians trust their data to these brands, whether it is their credit card information, contact details, addresses, private health records or other sensitive information, and these companies have a responsibility to keep that information safe and secure."

Proofpoint's analysis shows Australia's ASX 200 is lagging behind its global counterparts in DMARC adoption at 81% against a backdrop of increased incidents of email-based cyber attacks. In the United States, the Fortune 1,000 index shows an 88% DMARC adoption rate, whilst in the United Kingdom, the FTSE 100 adoption rate is at 89% and in France, the CAC 40 at 85%.

The analysis arrives on the heels of Proofpoint's recent State of the Phish 2023 report, which found that nine in 10 Australian organisations (90%) experienced at least one successful email-based phishing attack in 2022, with almost half (48%) reporting direct financial losses a 60% increase year over year.

Proofpoint's analysis revealed the lack of protection against email fraud was commonplace across all sectors including banking, healthcare, mining and minerals, real estate, telecommunications, and utilities. Cyber attackers often target companies using email-based attacks designed to trick victims into thinking they received an email from a senior executive such as the CEO or CFO asking them to transfer funds (known as wire fraud), release sensitive or personally identifiable information, or hand over their credentials. New technologies like ChatGPT are also making it easier for threat actors around the world to craft legitimate-looking communications aimed at duping unsuspecting employees.

"We know that a major cyber breach on any company in the ASX 200 can reverberate far and wide, impacting countless stakeholders, including everyday Australians," says Moros.

"The combination of lax security behaviours, awareness gaps and a labour market thats seen a lot of movement in recent years has culminated in creating substantial security risks for Australian organisations and their employees."

Proofpoint's recent research shows that only two-thirds (67%) of Australian organisations with a security awareness program train their entire workforce. 

"What's worse is only 37% conduct phishing simulations, meaning a critical component to building an effective security awareness program is being missed," Moros says. 

"Equipping employees with the knowledge and tools necessary to protect themselves and important company information remains paramount and must be a high priority."