Proofpoint has revealed only 8% of SGX 200 companies have adopted the highest recommended level of Domain-based Message Authentication, Reporting, and Conformance (DMARC) protection to effectively block suspicious emails.
While this is an overall improvement over what was reported during the same period in 2022 (5% of SGX 200 companies), the lack of DMARC protection among Singapore’s top companies is a cause for concern.
According to Proofpoint’s analysis, over half (52%) of the top 200 companies listed on the Singapore Exchange (SGX) have yet to implement any necessary email authentication protocols, which leaves their customers, partners, and employees at an increased risk of being targeted by email fraud, domain spoofing, as well as business email compromise (BEC).
This lack of email authentication protocols could explain why Proofpoint’s recently released State of the Phish 2023 report found that 72% of Singaporean organisations experienced at least one successful email-based phishing attack in 2022, with nearly half (46%) reporting direct financial losses as a result.
“Safeguarding sensitive data is paramount in today’s digital world. As email remains the primary communication channel for organisations in this era of hybrid work, it is critical that organisations adopt strict DMARC protocols to prevent financial loss, reputational damage, and erosion of customer trust,” said Philip Sow, Manager, Systems Engineering, South East Asia and Korea at Proofpoint. “To put it simply, DMARC acts as the ultimate stoplight for email traffic by enabling organisations to identify and block potentially harmful emails before they reach the inbox. Implementing DMARC will make all the difference between keeping your company, clients, and partners safe from supply chain attacks and email fraud or leaving them vulnerable to such threats.”
While Singapore (48%) fares better than the regional average of 40% in terms of having some level of DMARC protocol, the country ranks fourth out of 10 countries analysed across the region, lagging Australia (82%), Malaysia (58%), and Indonesia (51%).
“DMARC protection is an ongoing process, not a one-time solution, that requires continuous monitoring and adjustment. By collaborating with a reliable security partner, an organisation can keep its DMARC policies up to date and ensure they are protecting against the latest email threats,” concluded Sow.
What is DMARC?
DMARC is an open email authentication protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender’s identity before allowing the message to reach its intended recipient. Organisations using a DMARC protocol can implement three levels of policy for unqualified emails attempting to spoof their domains:
- Monitor (allows unqualified emails to go to the recipient’s inbox or other folders).
- Quarantine (directs unqualified emails to go to the junk or spam folder).
- Reject (highest level of protection: blocks unqualified emails from getting to the recipient).
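In a published record, these levels are the `p=` tag of the TXT record at `_dmarc.<domain>`, with `p=none` corresponding to Monitor. The sketch below is an added example, not Proofpoint's tooling or method: it classifies already-fetched TXT records into the levels above, and the `.example` domains and their records are constructed sample data.

```python
from collections import Counter

# The page's policy names, keyed by the DMARC "p=" tag values (RFC 7489).
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Classify the TXT records found at _dmarc.<domain> into a policy level."""
    # Only records whose first tag is exactly v=DMARC1 count as DMARC records.
    dmarc = [r for r in txt_records
             if r.split(";")[0].replace(" ", "") == "v=DMARC1"]
    if len(dmarc) != 1:
        # Zero records, or several: receivers apply no DMARC policy either way.
        return "no record"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in LEVELS:
        # RFC 7489: an invalid or missing p= with a rua= present is handled
        # as p=none. Simplification: the rua URI syntax is not validated here.
        return "monitor" if "rua" in tags else "no record"
    return LEVELS[policy]

def tally(domains):
    """Count policy levels across a {domain: [TXT records]} mapping."""
    return Counter(classify(records) for records in domains.values())

# Constructed sample data; the .example names are placeholders, not survey data.
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=quarantine; pct=100"],
    "c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@c.example"],
    "d.example": ["v=spf1 -all"],                              # SPF only
    "e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],   # duplicates
    "f.example": ["v=DMARC1; p=rejct; rua=mailto:dmarc@f.example"],  # typo
}

if __name__ == "__main__":
    for level, count in tally(SAMPLE).most_common():
        print(f"{level:>10}: {count}")
```

Two publishing mistakes show up in the sample: duplicate records (`e.example`) leave the domain with no policy applied, and a misspelled `p=` value (`f.example`) silently falls back to Monitor even though Reject was intended.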
The full findings of Proofpoint’s DMARC analysis of the SGX 200 show:
- 92% of companies currently do not enforce the recommended strictest level of DMARC, while 52% of companies do not have any DMARC record and are wide open to email fraud and domain spoofing attacks.
- 48% of companies have some form of DMARC adoption in place, though these policy levels differ:
  - 8% have DMARC – Reject in place, the strictest recommended level which blocks unqualified emails from getting to the recipient.
  - 17% have DMARC – Quarantine which directs unqualified emails to go to the recipient’s junk or spam folder.
  - 23% have DMARC – Monitor which does not change the way inboxes receive emails, but instead lets senders collect information about their email sources.