In Singapore, about half of banks’ implementations of the email security protocol were not set to the strictest security: study

In an analysis of Domain-based Message Authentication, Reporting and Conformance (DMARC) by 129 local and foreign member banks in Singapore, one cybersecurity firm has noticed that have more than half had yet to implement the recommended and strictest level of DMARC protection.

DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender’s identity before allowing a message to reach its intended destination. The protocol has three levels of protection: Monitor, Quarantine and Reject — with the last level being the most secure for preventing suspicious emails from reaching the inbox.  

Of the 129 banks analyzed, 80% had adopted DMARC, with 48% properly implementing it at the highest level of security. The remaining 20% did not have any DMARC record at all, in spite of the country’s banking and financial services sector experiencing record numbers of spoofing incidents in recent years. June and September 2022 saw the highest number of phishing attempts. More than half saw China-based banks spoofed. Several of them had little to no presence in the Singapore retail banking scene and were unknown to most retail banking customers in the country! The other two sectors most spoofed in the country were that of the Government (LTA, SingPass and IRAS) and Logistics, with SingPost accounting for more than 80% of logistics-related phishing attempts.

As spoofing and other email-based attacks continue to be a prevalent method employed by cybercriminals, organizations need to prioritize the implementation of email authentication protocols to reduce attack surfaces and spoofing risks, according to Philip Sow, Head of Systems Engineering (SEA and South Korea), Proofpoint Inc.: “Business email compromise attacks should also be on organizations’ radar when it comes to email security. BEC phishing involves assuming the identity of business contacts to send fraudulent emails that aim to trick victims into believing they have received legitimate emails from reputable organizations,” Sow said.