SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Australian banks criticised for weak email scam defences

Tue, 26th Nov 2024

Proofpoint has released research indicating that a significant number of Australian banks expose their customers to a greater risk of email fraud than their US counterparts do.

The analysis highlights that 66% of Australia's banks have yet to adopt the strictest level of Domain-based Message Authentication, Reporting and Conformance (DMARC) protection, which is crucial in preventing cybercriminals from spoofing organisations' sending domains. The strictest DMARC policy, 'Reject' (p=reject), instructs receiving mail servers to refuse messages that fail authentication for the bank's domain, so spoofed emails are not delivered to a recipient's inbox.

According to Proofpoint, while three quarters of banks have published some form of DMARC record, only 34% apply it at the strictest level, where failing emails are blocked outright; the remaining roughly 41% publish a record at the weaker 'none' (monitor only) or 'quarantine' level. Alarmingly, 25% of Australian banks lack any DMARC record, leaving their domains open to impersonation.
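The three tiers the survey counts (no record, a record at 'none' or 'quarantine', and 'reject') are read straight from the TXT record a domain publishes at `_dmarc.<domain>`. The following Python is an added example, not Proofpoint's tooling or anything from the article, showing how such a classification is done and the edge cases a naive check misses: two DMARC records (receivers then ignore DMARC entirely), a `pct=` tag below 100 that waters down a reject policy, and an `sp=none` that leaves subdomains unprotected. The domain names and records are constructed placeholders.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record(s).

Added example, not code from the article or from Proofpoint.
Domains and records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcPosture:
    level: str                        # no_record | invalid | none | quarantine | reject
    policy: Optional[str] = None      # value of the p= tag
    subdomain_policy: Optional[str] = None
    pct: int = 100                    # share of failing mail the policy applies to
    note: str = ""


def parse_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; pct=100' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(txt_records: list) -> DmarcPosture:
    """txt_records: every TXT string found at _dmarc.<domain> (empty list if none)."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return DmarcPosture("no_record", note="no v=DMARC1 record published")
    if len(dmarc) > 1:
        # RFC 7489 section 6.6.3: more than one record means policy discovery
        # fails and receivers apply no DMARC policy at all.
        return DmarcPosture("invalid", note="multiple DMARC records; receivers ignore DMARC")
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return DmarcPosture("invalid", note="missing or unknown p= tag")
    # sp= overrides the policy for subdomains; it defaults to p=.
    sp = tags.get("sp", policy).lower()
    if sp not in VALID_POLICIES:
        sp = policy
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100
    notes = []
    if policy != "none" and pct < 100:
        notes.append(f"only {pct}% of failing mail gets {policy}; the rest is treated as none")
    if sp == "none" and policy != "none":
        notes.append("subdomains fall back to none and can still be spoofed")
    return DmarcPosture(policy, policy, sp, pct, "; ".join(notes))


# Constructed sample zone: placeholder names, not real bank records.
SAMPLE_ZONE = {
    "bank-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example"],
    "bank-b.example": ["v=DMARC1; p=quarantine; pct=50"],
    "bank-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@bank-c.example"],
    "bank-d.example": [],                                  # no _dmarc TXT record
    "bank-e.example": ["v=DMARC1; p=reject; sp=none"],     # subdomains unprotected
    "bank-f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records
}


def survey(zone: dict) -> dict:
    """Count domains per posture level, the way the survey percentages are built."""
    counts = {}
    for records in zone.values():
        level = classify_dmarc(records).level
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, records in SAMPLE_ZONE.items():
        print(domain, classify_dmarc(records))
    print(survey(SAMPLE_ZONE))
```

To run this against a real domain, feed `classify_dmarc` the TXT strings returned for `_dmarc.<domain>` (for example from `dig +short TXT _dmarc.<domain>`, with the surrounding quotes stripped). Note that 'reject' on the organisational domain is only the start: a `pct` below 100 or `sp=none` leaves gaps that a headline "has p=reject" check would miss.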

These findings emerge as the Australian Government has rolled out new legislation that provides for fines of up to AUD $50 million for businesses, including banks, that fail to adequately manage scams. This Scam Prevention Framework requires businesses to report scams and empowers victims to seek compensation if the new mandatory standards are not met.

Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan at Proofpoint, commented, "Cyber criminals are increasingly posing as trusted banks to trick Australians into handing over sensitive information or transferring funds via email phishing attacks. The Australian government has passed landmark legislation to ensure banks take more accountability for protecting Australians. Yet, this analysis alone highlights there are still gaps that the banks in Australia can address to prevent Australian consumers from being scammed."

When compared internationally, the study found that Australian banks lag behind their US counterparts in implementing stringent security measures. In the United States, 58% of banks enforce the highest DMARC protection level, with only 3% lacking a DMARC record altogether, a stark contrast to the 25% in Australia.

Moros further noted the impact on Australians, saying, "At the end of the day, hard-working Australians are primary targets of these scams. They put their trust in financial institutions to ensure their credit card information, contact details, addresses, data, and of course, their money is safe. They can't afford to have their life savings compromised by cyber criminals, especially given the rising cost of living and higher inflation pressures we are facing today. To stay ahead of the evolving threat landscape, Australian banks must adopt stronger protections for their customers, such as enforcing the strictest recommended Reject level of DMARC. This will help prevent their customers from falling victim to scams resulting from domain impersonation."

Proofpoint's data, drawn from the Australian Prudential Regulation Authority's register of authorised deposit-taking institutions, analysed 85 banks which include Australian-owned and foreign subsidiary banks operating in the country.

The recommendations for customers emerging from this analysis include checking the authenticity of emails that claim to come from a bank, caution toward any communication requesting sensitive information, and adherence to strong password practices. These measures are suggested to reduce the risk of falling victim to domain spoofing and email fraud.
