The Proofpoint 2024 State of the Phish study reveals a troubling reality for organisations in the Asia Pacific region: a staggering 88% of top companies are still exposing their customers and stakeholders to significant risks of email fraud. With phishing attacks surging nearly 60% year-over-year in 2024, the urgency for robust email authentication measures has never been greater.
Insufficient email authentication across the region
The research indicates that only 12% of the analysed firms have implemented the most stringent level of email authentication, known as DMARC (Domain-based Message Authentication, Reporting and Conformance). DMARC serves as a critical line of defence against domain spoofing, a common tactic used by cybercriminals in phishing schemes. Despite Australia's commendable adoption rate of 71% for DMARC policies at the "reject" level, countries like Japan, South Korea, China, and Thailand lag significantly behind, with less than 20% actively protecting their customers.
“Email remains the most common and critical threat vector across industries. While it’s encouraging that many leading companies in Asia Pacific have taken proactive steps, the rising frequency and sophistication of cyberattacks leave many organisations vulnerable.” George Lee, senior vice president APJ, Proofpoint
Regional insights on DMARC adoption
Source: Proofpoint, 2025
Proofpoint's analysis reveals stark contrasts in DMARC adoption across key Asia Pacific markets:
Australia: 71% of top companies utilise DMARC at recommended levels, with all studied firms maintaining a DMARC record.
Singapore: 46.2% have DMARC set to reject, yet 23.1% lack any DMARC record, leaving them open to fraud.
India: 50% of major firms have implemented the highest DMARC level, but 11.8% have no protections in place.
Japan: A mere 7.4% enforce DMARC at the reject level, with 65.6% only monitoring.
South Korea: Only 1.8% implement DMARC at the quarantine level, with half lacking any record.
Thailand: 17.6% adopt a reject policy, while half remain at the monitor level.
China: Alarmingly, only 4.2% enforce the strict DMARC policy, and 71.8% have no protection whatsoever.
The need for stronger email authentication is underscored by new compliance mandates, including those from major email providers like Google and Apple, which require DMARC for bulk senders. Furthermore, the Payment Card Industry Data Security Standard (PCI-DSS) mandates DMARC implementation by March 31, 2025, to protect consumer payment information.
Proofpoint recommends that organisations adopt DMARC at the reject level, educate employees on recognising phishing attempts, and enforce robust password management protocols to mitigate risks.
Security leaders in Asia must prioritise implementing robust measures to protect their organisations and customers from the growing menace of email fraud. Failure to do so not only jeopardises customer trust but also exposes businesses to significant operational and reputational risks.