Proofpoint has released new research identifying that 53% of banking institutions incorporated in the United Kingdom are lagging behind on basic cybersecurity measures, subjecting customers, staff and stakeholders to a higher risk of email-based impersonation attacks.

These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the 150 banks incorporated in the UK. DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender's identity before allowing a message to reach its intended destination. DMARC has three levels of protection monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.  

Proofpoint's research reveals that 70% of the banking institutions incorporated in the UK have taken the initial steps to protecting customers from email fraud by publishing a basic DMARC record. However, 30% have no DMARC protection in place at all and are therefore subject to cybercriminals impersonating their domains to target customers with email fraud. 

Worryingly, only 47% of the UK banks incorporated in the UK have implemented the strictest and recommended level of DMARC (reject) and are therefore taking appropriate measures to proactively block spoofed emails from reaching recipients inboxes, decreasing the risk of email fraud. 27 banks (18%) only have a monitoring policy in place for spoofed emails, thereby still allowing potentially malicious spoofed emails into the recipients inbox.

"Banking institutions are a prime target for cybercriminals due to the vast amounts of sensitive personal and financial data they store," says Matt Cooke, Cybersecurity Strategist at Proofpoint.

"With continuous digitalisation in the banking sector and increased usage of mobile apps by customers, it is crucial for these institutions to prioritise cybersecurity measures to safeguard against potential cyber threats. It is imperative for firms to remain vigilant and stay ahead of the evolving threat landscape to protect their customers data and money."

The lack of protection against email fraud is unfortunately commonplace, exposing countless parties to impostor emails, also referred to as business email compromise (BEC). BECs are a form of social engineering designed to trick victims into thinking they have received a legitimate email from an organisation or institution. According to Proofpoint's 2023 State of the Phish report, 86% of UK organisations reported an attempted BEC attack last year.

"Email authentication protocols such as DMARC are essential in fortifying defences against email fraud and safeguarding customers, staff and stakeholders from malicious attacks," Cooke says. 

"While individuals play a crucial role in defending against email fraud, their actions also present one of the biggest vulnerabilities for organisations. DMARC remains the only technology capable of not just defending against but eliminating domain spoofing and the risk of impersonation. 

"By achieving full DMARC compliance, organisations can prevent malicious emails from reaching the inboxes, thereby eliminating the risk of human interference."

Best practices for customers, staff, and other stakeholders:

• Check the validity of all email communication and be aware of potentially fraudulent emails impersonating financial organisations. 
• Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn't clicked. 
• Follow best practices when it comes to password hygiene, including using strong passwords, never re-using them across multiple accounts and using multi-factor authentication where available.

This analysis was conducted in May 2023 using data from the list of 150 banks incorporated in the UK.