Proofpoint: 86% of Singapore’s Top Companies Vulnerable to Email Fraud
Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research that found only 14% of SGX 100 companies in Singapore have implemented the recommended and strictest level of email authentication, which prevents threat actors from spoofing organisations’ identities and reduces the risk of email fraud.
These findings are based on an analysis of the top 100 companies listed on the Singapore Exchange (SGX). Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email validation protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender’s identity before allowing a message to reach its intended destination. DMARC has three levels of protection – monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.
“We’ve observed a slight improvement in the cybersecurity posture of the top listed companies in Singapore, with 14% of them now having implemented the recommended the highest level of DMARC implementation as compared to just 8% last year,” said Philip Sow, Head of Systems Engineering, Southeast Asia and South Korea at Proofpoint. “While this is encouraging, 86% of the SGX 100 are still leaving their staff, customers, and suppliers vulnerable to email fraud and domain spoofing attacks. To protect their stakeholders and their reputations, companies must stay ahead of the ever-evolving threat landscape by ensuring their security measures are up to date.”
Proofpoint’s research revealed that whilst 71% of the SGX 100 have adopted a DMARC protocol, only 14% are properly implementing DMARC to the recommended and highest level by blocking suspicious emails. Worryingly, this means that 29% of Singapore’s largest companies have not implemented DMARC at all. With Google and Yahoo! having made email authentication on their platforms mandatory from February this year, this could even mean that organisations that don’t have DMARC authentication could see their emails routed directly to customers’ spam folders or rejected altogether.
The full findings of Proofpoint’s DMARC analysis of the SGX 100 show:
-
86% of the SGX 100 currently do not enforce the recommended strictest level of DMARC implementation (reject), while 29% of the SGX 100 do not have any DMARC record at all and are wide open to email fraud and domain spoofing attacks.
-
71% of the SGX 100 have some form of DMARC adoption in place, though these policy levels differ as follows:
-
14% have DMARC – Reject in place, the strictest recommended level which blocks unqualified emails from getting to the recipient.
-
26% have DMARC – Quarantine, which directs unqualified emails to go to the recipient’s junk or spam folder.
-
31% have DMARC – Monitor, which does not change how inboxes receive emails but allows senders to collect information about their email sources.
-
Below are some best practices Proofpoint recommends:
-
Check the validity of all email communication and be aware of potentially fraudulent emails impersonating colleagues, suppliers, and stakeholders.
-
Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.
-
Follow best practices when it comes to password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts.
This analysis was conducted in April 2024 using data from Singapore Exchange (SGX).
To learn more about DMARC, visit here.