Over Half of UK Banks Are Exposing Customers to Email Fraud


Security experts have warned that a majority of the UK’s leading lenders are failing to protect their customers from email fraud, through patchy implementation of DMARC.

The Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol helps prevent email-based fraud and impersonation attempts by authenticating sender identity before a message is delivered.

A DMARC policy can be set at one of three levels: monitor (p=none), quarantine (p=quarantine) and reject (p=reject). Only “reject” ensures that messages failing authentication are refused and never reach the user. “Quarantine” directs them to the spam folder, while “monitor” lets them straight through to the inbox.


Proofpoint analyzed the DMARC implementation strategies of 150 UK banks and worryingly found 30% have no protection in place at all. A fifth (18%) have the weakest DMARC policy (“monitor”), providing virtually no protection to customers.

Less than half (47%) of the total number of banks assessed for the study had implemented a DMARC “reject” policy.
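The policy levels described above, and the kind of survey tally Proofpoint reports, can be reproduced with a small checker. The following is an added example, not Proofpoint's tooling or part of the original article: it parses DMARC TXT records into their tags, classifies each domain as missing, invalid, monitor (none), quarantine or reject, and flags the settings that quietly weaken a nominally strong policy (a `pct=` below 100, a weaker `sp=` for subdomains, no `rua=` reporting address). The domain names and records are constructed for illustration and are not the banks or records in the study.

```python
"""Classify DMARC policy records by the protection level they actually give."""
from typing import Optional

# Constructed sample records for four hypothetical domains (not real banks and
# not the records Proofpoint assessed); the last one publishes no DMARC record.
SAMPLE_RECORDS = {
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example",
    "bank-b.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "bank-c.example": "v=DMARC1; p=none; rua=mailto:reports@bank-c.example",
    "bank-d.example": None,
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record: Optional[str]) -> dict:
    """Return the effective policy level plus any caveats that weaken it."""
    if record is None:
        return {"level": "missing", "caveats": ["no DMARC record published"]}
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"level": "invalid",
                "caveats": ["not a valid DMARC1 record with a p= tag"]}
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        return {"level": "invalid", "caveats": [f"unknown p= value '{policy}'"]}

    caveats = []
    # pct= below 100 applies the policy to only that share of failing mail.
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        caveats.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # sp= overrides p= for subdomains; a weaker sp= leaves subdomains exposed.
    sp = tags.get("sp", policy).lower()
    if sp in POLICY_RANK and POLICY_RANK[sp] < POLICY_RANK[policy]:
        caveats.append(f"sp={sp}: subdomains get a weaker policy than the main domain")
    # Without rua= the domain owner receives no aggregate reports at all.
    if "rua" not in tags:
        caveats.append("no rua= address: aggregate reports are not collected")
    return {"level": policy, "caveats": caveats}


def summarize(records: dict) -> dict:
    """Count domains per effective level, the way the article's survey does."""
    counts = {"missing": 0, "invalid": 0, "none": 0, "quarantine": 0, "reject": 0}
    for rec in records.values():
        counts[classify_dmarc(rec)["level"]] += 1
    return counts


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(domain, classify_dmarc(rec))
    print(summarize(SAMPLE_RECORDS))
```

In practice the record for a domain is the TXT value at `_dmarc.<domain>`; feeding real lookups into `classify_dmarc` turns this into the same kind of assessment the article describes, and the caveats show why a domain counted as “quarantine” or “reject” may still leave customers exposed.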

“Banking institutions are a prime target for cyber-criminals due to the vast amounts of sensitive personal and financial data they store,” warned Proofpoint cybersecurity strategist, Matt Cooke.

“With continuous digitalization in the banking sector and increased usage of mobile apps by customers, it is crucial for these institutions to prioritize cybersecurity measures to safeguard against potential cyber-threats. It is imperative for firms to remain vigilant and stay ahead of the evolving threat landscape to protect their customers’ data and money.”

DMARC is important not just in mitigating the phishing threat for customers, staff and other stakeholders, but also in tackling the growing menace of business email compromise (BEC), Proofpoint claimed.

BEC scammers often use phishing tactics to hijack the email account of a CEO, supplier or finance team member, in order to monitor email flows, and/or to impersonate an individual to request a big-money corporate fund transfer.
