
Majority of Australian banks still lack strongest email protection, Proofpoint warns

Cyber security firm says almost 60 per cent of banks are not enforcing the strictest DMARC policy, increasing the risk of AI-powered phishing and domain impersonation attacks.

Thu, 02 Jul 2026

Most Australian banks have yet to implement the strongest level of email authentication despite growing threats from AI-enabled cybercrime, according to new research from Proofpoint.

The cyber security company analysed 78 financial institutions listed on the Australian Prudential Regulation Authority's authorised deposit-taking institution register and found that 59 per cent are not using the recommended ‘reject’ setting for Domain-based Message Authentication, Reporting and Conformance (DMARC), an email authentication protocol designed to prevent domain spoofing and phishing attacks.

According to the Australian Signals Directorate's 2024-25 Annual Cyber Threat Report, online banking fraud is among the three most commonly reported cybercrimes affecting individuals, while Proofpoint's own 2026 AI and Human Risks Landscape Report found email remains the leading attack vector for Australian organisations.

 
 

Proofpoint's analysis found that 41 per cent of banks had implemented the highest level of DMARC protection, while 18 per cent used a quarantine policy, 23 per cent operated in monitoring mode, and 18 per cent had no DMARC record at all.

“Banks must remember that even the most advanced AI-driven attack often relies on a single person making a mistake,” Steve Moros, senior director of the Advanced Technology Group for Asia Pacific and Japan at Proofpoint, said in a statement.

“While AI can often accelerate the attacker's playbook, these threats are still ultimately designed to manipulate people. To stay ahead of the evolving threat landscape, Australian banks must adopt stronger protections for their customers, such as enforcing the strictest recommended Reject level of DMARC and ensuring they adopt a human-centric approach to cyber security.”

Proofpoint noted that adoption of the strongest DMARC policy has improved since its first banking sector analysis in 2023, rising from 22 per cent to 41 per cent. However, the company believes progress has been slower than expected given DMARC is widely recognised as a foundational email security control.

The company also urged organisations to adopt phishing-resistant multifactor authentication, such as passkeys, and encouraged customers to remain vigilant for unsolicited emails requesting login credentials or containing urgent requests to click links.


David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.