A new report from cybersecurity firm Proofpoint reveals that 88% of top organisations in Asia Pacific are failing to implement the highest level of email authentication, leaving their customers and stakeholders at risk of email fraud. As phishing attacks surged by nearly 60% in 2024, businesses across the region remain highly vulnerable to domain spoofing and impersonation scams.
The findings are based on an analysis of Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption among Asia Pacific companies listed on the Forbes Global 2000. DMARC is an email validation protocol that prevents cybercriminals from faking an organisation’s domain to send fraudulent emails. Despite its effectiveness in blocking phishing attempts, only 12% of the region’s largest businesses have enforced DMARC at the highest level.
“Email remains the most common and critical threat vector across industries. It’s encouraging that many leading companies in Asia Pacific have taken proactive steps to protect their customers from email fraud,” said George Lee, Senior Vice President of Asia Pacific and Japan at Proofpoint. “However, the rising frequency, sophistication, and cost of cyberattacks make it especially concerning that many remain highly vulnerable, exposing them to significant risks from malicious email-based threats such as phishing. Prioritising robust cybersecurity measures is essential to safeguard against these threats and protect customers’ valuable data.”
Australia leads in email security, while Japan, South Korea, and China lag behind
The report shows stark differences in DMARC adoption across Asia Pacific. Australia leads the region, with 71% of its top companies enforcing DMARC at the highest level (reject), meaning suspicious emails are blocked outright. In contrast, less than 20% of large businesses in Japan, South Korea, China, and Thailand have implemented the same level of protection.
Key findings from the report include:
Australia has the highest adoption rate, with 71% of its top companies setting DMARC to reject, and all major organisations analysed having a DMARC record in place. Singapore follows with 46.2% of businesses enforcing DMARC at the strictest level, though 23.1% lack any protection, leaving them exposed to phishing and email fraud. In India, 50% of leading firms have implemented the strongest DMARC settings, while 30.9% use a lower quarantine setting and 11.8% have no record.
In contrast, Japan has one of the lowest adoption rates, with only 7.4% of its major organisations enforcing DMARC at the reject level. A majority (65.6%) are still in monitoring mode, which collects data but does not actively prevent email fraud. South Korea fares even worse, with just 1.8% implementing DMARC at the quarantine level, none at the reject level, and 51.8% lacking any DMARC record. In Thailand, 17.6% of organisations enforce the reject policy, 17.6% use quarantine, and 52.9% remain at the monitoring stage.
China has one of the weakest security postures, with just 4.2% of its top companies using the strictest DMARC setting, while a staggering 71.8% have no email authentication in place at all. This leaves businesses and their customers highly vulnerable to phishing scams and impersonation attacks.
Push for stronger security measures amid compliance requirements
Several global email providers, including Google, Yahoo, and Apple, have taken steps to enforce stronger email authentication. In October 2023, they announced new requirements for bulk email senders, including the use of DMARC, to curb spam and phishing attempts.
Additionally, organisations handling payment data must comply with the latest Payment Card Industry Data Security Standard (PCI DSS v4.0.1), which mandates DMARC implementation by 31 March 2025. Non-compliance could result in financial penalties and increased security risks.
Proofpoint recommends that organisations take immediate action to strengthen their email security. Businesses should implement DMARC by setting it to reject, which prevents domain spoofing and ensures fraudulent emails do not reach inboxes. Companies should seek expert guidance to avoid mistakenly blocking legitimate emails.
Equally important is educating employees about phishing attempts, particularly those impersonating colleagues, suppliers, or customers. Training staff to identify suspicious emails can reduce the risk of falling victim to cyber threats. Additionally, businesses should enforce strong password policies, requiring employees to use complex passwords, update them regularly, and avoid reusing them across accounts.
As cyber threats continue to grow, businesses in Asia Pacific must prioritise email security to protect their reputation and customers from rising phishing attacks.
