SINGAPORE - Media OutReach Newswire - 21 February 2025 - Proofpoint, Inc.,
a leading cybersecurity and compliance company, today released new
research on a worrying gap among top organisations across the Asia
Pacific, with only 12% having implemented the recommended and most
stringent level of email authentication. In 2024, phishing attacks
surged significantly, increasing nearly 60% year-over-year. This
dramatic increase underscores the critical need for proper
implementation of email authentication, which prevents cyber criminals
from spoofing organisations' identities, thus reducing the risk of email
fraud.
These findings are based on an analysis of the Domain-based Message
Authentication, Reporting and Conformance (DMARC) records of Asia
Pacific companies listed on the Forbes Global 2000. DMARC, a widely
adopted email validation protocol, protects domain names
from being misused by malicious actors by authenticating the sender's
identity before an email reaches its intended destination. This
authentication system detects and prevents domain spoofing, a common
phishing technique. DMARC has three levels of protection – monitor,
quarantine, and reject, with reject being the most secure for preventing
suspicious emails from reaching users' inboxes.
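The three levels correspond to the p= tag of the TXT record a domain publishes at _dmarc.<domain>. The sketch below is an added example, not Proofpoint's methodology or code: it classifies records into those levels and tallies the share at each one. The domains and records are constructed, and the mapping of "monitor" to p=none follows RFC 7489.

```python
import re
from collections import Counter

# Level names follow the release; "monitor" is the p=none policy (RFC 7489).
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Return the tag dict of one TXT string, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    if not parts or re.fullmatch(r"v\s*=\s*DMARC1", parts[0]) is None:
        return None  # v=DMARC1 must be the first tag
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Classify the TXT records found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "no record"
    if len(records) > 1:
        return "invalid"  # receivers apply no DMARC policy when several exist
    return LEVELS.get(records[0].get("p", "").lower(), "invalid")

def survey(zone_data):
    """Percentage of domains at each level, rounded to one decimal place."""
    counts = Counter(classify(txts) for txts in zone_data.values())
    return {lvl: round(100 * n / len(zone_data), 1) for lvl, n in counts.items()}

# Constructed sample: TXT answers per constructed domain.
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:d@a.example"],
    "b.example": ["v=DMARC1; p=quarantine; pct=50"],
    "c.example": ["v=DMARC1; p=none"],
    "d.example": ["v=spf1 -all"],                 # SPF only, no DMARC record
    "e.example": [],                              # nothing published
    "f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # ambiguous
    "g.example": ['"v=DMARC1;p=REJECT;"'],        # quoted, no spaces, upper case
    "h.example": ["v=DMARC1; p=reject"],
}

if __name__ == "__main__":
    for level, pct in sorted(survey(SAMPLE).items()):
        print(f"{level:12s} {pct}%")
```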
“Email remains the most common and critical threat vector across
industries. It's encouraging that many leading companies in Asia Pacific
have taken proactive steps to protect their customers from email
fraud,”
said George Lee, Senior Vice President of Asia Pacific and Japan at Proofpoint.
“However, the rising frequency, sophistication, and cost of
cyberattacks make it especially concerning that many remain highly
vulnerable, exposing them to significant risks from malicious
email-based threats such as phishing. Prioritising robust cybersecurity
measures is essential to safeguard against these threats and protect
customers' valuable data.”
Proofpoint's research shows that DMARC adoption in the Asia Pacific
region is mostly lower than in the US and UK, placing organisations
and their customers at risk. While Australia leads in email
authentication (DMARC) enforcement, Japan, South Korea and Thailand lag,
leaving businesses exposed to escalating email fraud, including
business email compromise (BEC) and phishing.
Key findings of Proofpoint's DMARC analysis across key Asia Pacific markets include:
- Australia: 71% of the top Australian companies have
implemented DMARC at the recommended level (reject). All the top
Australian companies studied have a DMARC record.
- Singapore: 46.2% of companies analysed have DMARC set to
reject. Yet 23.1% do not have any DMARC record and are wide open to
email fraud and domain spoofing attacks.
- India: 50% of the top Indian organisations have implemented the
highest level of DMARC (reject), with 30.9% utilising quarantine and
11.8% having no DMARC record at all.
- Japan: Only 7.4% of top Japanese companies have a DMARC
policy of reject in place. 65.6% of companies are at the monitor level,
gathering data but offering no active protection.
- South Korea: Only 1.8% have implemented DMARC at the
quarantine level, with none at the reject level and 51.8% having no
DMARC record at all.
- Thailand: 17.6% have a reject policy in place to block
unqualified emails, while 17.6% of companies have implemented quarantine
and 52.9% are still at the monitor level.
- China: Only 4.2% of top Chinese companies have the strictest
level of DMARC in place. A startling 71.8% do not use any DMARC
protection at all.
Major Providers and Compliance Mandates Push for DMARC Adoption
Major email providers are making moves to force companies to catch up
and use email authentication. Some highly-publicised examples include
the October 2023 announcements from
Google, Yahoo and Apple around mandatory email authentication requirements (including
DMARC) for bulk senders sending emails to Gmail, Yahoo and iCloud accounts. This aims to significantly reduce
spam and fraudulent emails hitting their customers' inboxes.
In addition, organisations that store consumer payment information must
comply with the Payment Card Industry Data Security Standard (PCI-DSS)
or risk paying hefty fines for violations. The latest
PCI DSS (v4.0.1) will require companies to use DMARC to protect credit card data
by March 31, 2025.
Proofpoint recommends that organisations follow these best practices:
- Implement DMARC: Protect your domain from impersonation by
implementing DMARC and enforcing it at the reject level. Seek expert
assistance if needed to avoid blocking legitimate emails.
- Educate employees: Train staff on how to identify and avoid
potentially fraudulent or suspicious emails, such as those impersonating
colleagues, suppliers, or customers.
- Strengthen passwords: Establish and enforce best practices
for password management, including requiring strong passwords, regular
changes, and never re-using passwords across multiple accounts.
This analysis was conducted in December 2024 using data from companies listed on
Forbes Global 2000.
To learn more about DMARC, visit:
https://www.proofpoint.com/au/threat-reference/dmarc