Singapore Banks Failing to Block Fraudulent Emails


New research has identified that a little over half of Singapore’s local and foreign member banks are lagging on basic cybersecurity measures, subjecting customers, staff and stakeholders to a higher risk of email-based impersonation attacks.

These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of 129 local and foreign member banks in Singapore. DMARC is an email validation protocol designed to protect domain names from being misused by cyber criminals. It authenticates the sender’s identity before allowing a message to reach its intended destination. DMARC has three levels of protection – monitor, quarantine and reject with reject being the most secure for preventing suspicious emails from reaching the inbox.

Proofpoint’s research reveals that more than half of the listed local and foreign member banks in Singapore have yet to implement the recommended and strictest level of DMARC protection, which prevents cyber criminals from spoofing organisations’ identities and reduces the risk of email fraud. While 8 in 10 of these organisations have adopted the email authentication protocol, only 48% are properly implementing it to the recommended and highest level by blocking suspicious emails. Worryingly, a fifth (20%) of these organisations do not have any DMARC record at all, leaving them vulnerable to cyber criminals.

This is especially concerning as the Singapore Cyber Landscape 2022 report released just last month revealed that the banking and financial services sector experiences the highest number of spoofing incidents. In fact, it accounts for over 80% of all phishing attempts and has consistently ranked among the top three sectors targeted by cyber attackers since 2016.

“Banking and financial institutions are at significant risk from cyber criminals due to the large volume of sensitive and financial data they possess,” said Philip Sow, Head of Systems Engineering, South East Asia and South Korea at Proofpoint. “As spoofing and other email-based attacks continue to be a prevalent method employed by cyber criminals, it is critical for organisations to prioritise the implementation of email authentication protocols such as DMARC to reduce organisations’ attack surface and risk of attack by impersonation.”

Business email compromise (BEC) attacks should also be on organisations’ radar when it comes to email security, especially since 72% of Singaporean organisations reported an attempted BEC attack last year according to  Proofpoint’s 2023 State of the Phish report. BEC phishing involves assuming the identity of business contacts to send fraudulent emails that aim to trick victims into believing they have received legitimate emails from reputable organisations.

“DMARC is essential in fortifying defences against email fraud and safeguarding customers, staff and stakeholders from malicious attacks. Banking and financial institutions operating in Singapore must proactively stay ahead of the changing threat landscape as scams and attacks become commonplace, ensuring they are well-prepared to defend against the latest email threats,” concluded Sow.

Below are some cyber best practices for customers, staff and stakeholders:

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating customers, partners or colleagues.
  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.
  • Follow best practices when it comes to password hygiene, including using strong passwords, never re-using them across multiple accounts and using multi-factor authentication where available.

This analysis was conducted in June 2023 using data from The Association of Banks in Singapore’s register of local and foreign member banks.

You can read the full report here


Comments are closed.

Visit Us On TwitterVisit Us On FacebookVisit Us On LinkedinVisit Us On Youtube