GCC Banks Strengthen Their Defenses Against Email Fraud

According to Proofpoint’s latest research, the majority of financial institutions listed in the GCC are proactively implementing measures to block fraudulent emails from reaching customers. Proofpoint analysed the level of adoption of DMARC (Domain-based Message Authentication, Reporting and Conformance) by banks across the UAE, KSA, Oman, Qatar, Bahrain, and Kuwait to evaluate their email fraud prevention preparedness.

DMARC is an email validation protocol designed to protect domain names from misuse by cybercriminals. It authenticates the sender’s identity before allowing the message to reach its intended destination. ‘Reject’ is the strictest and recommended level of DMARC protection, a setting and policy that proactively blocks fraudulent emails from reaching their intended target.

Key findings from the DMARC analysis of the top banks in the GCC include:

  • In 2024, 96% of GCC banks have published a DMARC record (Domain-based Message Authentication, Reporting & Conformance), indicating almost all are preparing for the upcoming email authentication requirements. This means just 4% are taking no steps to protect against misuse of their domain in email fraud.
  • This is up from 2023 when 94% of GCC banks had published a DMARC record.
  • Almost three-quarters (71%) of GCC banks have implemented the strictest and recommended level of DMARC protection (‘reject’). This means 29% are still not proactively protecting customers against email impersonation and fraud.
  • This is an improvement on 2023, when only 67% had implemented DMARC at reject level.
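
As an added illustration (not part of the original article and not Proofpoint's methodology), the Python example below classifies the TXT records published at `_dmarc.<domain>` into the protection levels the findings distinguish, using the record syntax from RFC 7489. The domains and records are constructed samples, and the label names and the `parse_dmarc`, `classify` and `summarize` helpers are hypothetical.

```python
import re

def parse_dmarc(txt):
    """Parse one TXT string into a dict of DMARC tags; None if it is not DMARC."""
    parts = [p.strip() for p in txt.strip().split(";") if p.strip()]
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0]):
        return None  # RFC 7489: v=DMARC1 must be the first tag
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Map the TXT records found at _dmarc.<domain> to a protection level."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(records) != 1:
        return "no-usable-record"  # none published, or several (receivers apply none)
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid-policy"  # label chosen for this example
    pct = tags.get("pct", "100")
    if policy == "reject" and pct.isdigit() and int(pct) < 100:
        return "reject-partial"  # only a share of failing mail is rejected
    return policy

SAMPLE = {  # constructed records for illustration, not real banks' DNS data
    "bank-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example"],
    "bank-b.example": ["v=DMARC1; p=quarantine; pct=50"],
    "bank-c.example": ["v=DMARC1; p=none"],
    "bank-d.example": ["v=spf1 -all"],  # SPF only, no DMARC record
    "bank-e.example": ["v=DMARC1; p=reject; pct=25"],
    "bank-f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicates
}

def summarize(domains):
    """Return per-domain levels plus counts of published and full-reject domains."""
    levels = {d: classify(r) for d, r in domains.items()}
    published = sum(1 for v in levels.values() if v != "no-usable-record")
    at_reject = sum(1 for v in levels.values() if v == "reject")
    return levels, published, at_reject

if __name__ == "__main__":
    levels, published, at_reject = summarize(SAMPLE)
    for domain, level in levels.items():
        print(f"{domain:16} {level}")
    print(f"published: {published}/{len(levels)}, full reject: {at_reject}/{len(levels)}")
```

A domain with `p=reject; pct=25` or with two DMARC records counts as "published" in a naive check but does not give customers full reject-level protection, which is why the example reports those cases separately.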

The improvement in DMARC performance among GCC banks is critical as financial institutions are a prime target for cybercriminals due to the vast amounts of sensitive personal and financial data they store. With rapid digitalization of the GCC banking sector, including increased usage of mobile banking by customers, it has become essential for banks to prioritize cybersecurity measures to safeguard against potential cyber threats.

“Email authentication protocols such as DMARC are critical for GCC banks to minimize impersonation risk and therefore protect customers, staff and stakeholders from malicious email attacks. Proofpoint’s research shows that the GCC banking sector is on the right track when it comes to email fraud preparedness by deploying simple yet effective email authentication best practices,” says Emile Abou Saleh, Regional Director, Middle East, Turkey and Africa for Proofpoint. “With the new email authentication requirements from Google, Yahoo! and Apple, we recommend that organizations across all sectors follow suit to minimize impersonation risk and protect customers, suppliers and staff from email fraud.”

Cybercriminals regularly use domain spoofing to pose as well-known organizations and companies by sending an email from a supposedly legitimate sender address. These emails are designed to trick people into clicking on links or sharing personal details, which can be used to steal money or identities. It can be almost impossible for an ordinary Internet user to identify a fake sender from a real one. While user awareness and education play an important role in hardening your human-centric security layer, technical controls such as DMARC protect your organization against email-based attacks and fraud.