DMARC for Financial Services

How are you protecting your assets from email fraud?

With the transition to online banking, virtual financial services and cryptocurrency, it’s no surprise that the financial services sector is a top target for cybercriminals.

When domains are not secured with a DMARC enforcement policy, criminals can pose as a bank or investment firm and send phishing emails to customers with the goal of gaining access to accounts, stealing personal information, redirecting payments, and installing ransomware.

When a financial institution's domains are exploited for phishing, there are not only financial losses from misdirected funds and clean-up costs; the media attention and tarnished brand reputation also erode your customers' trust. DMARC allows domain owners to view who is sending email on their behalf, confirm the legitimate sources and disqualify the rest.

It was a pleasure working with Ash Morin on this project. His expertise in DMARC compliance and overall email security was evident throughout. My team and I gained valuable insights and learned a great deal over the course of this successful collaboration—a true value add for our organization.

Ruben Corrales, United Business Bank, SVP and Information Technology Director

Our dmarcian Deployment Manager was extremely helpful with any issues we had along the way, as well as a wealth of knowledge to work around or fix them. He always returned mails promptly and made sure we were satisfied with the responses. He was a huge help to me during the project rollout, so thank you once again.

Lee Carruth, Fenergo, System Administrator

Cyber threats are 300 times as likely to target the broader financial services industry as companies in other sectors.

Boston Consulting Group

Customer Success Story

European Fintech company

Overview
A global financial software provider delivering enterprise-level solutions detected phishing attempts that impersonated the company’s CEO. Following the attempts, the client recognised the need to take decisive action to protect its domain and brand reputation.

Situation
Email is a critical communication channel for the company; they send thousands of high-value emails each month across multiple email services, including Microsoft 365, Amazon SES and many others. The goal was to implement DMARC across their entire email ecosystem and achieve a p=reject policy on all domains.

Challenge
When the client first engaged with dmarcian’s Professional Services, the situation reflected common realities:

  • The primary domain had DMARC set to p=none; many subdomains had no DMARC policy at all.
  • Reports of spoofed emails mimicking support and billing addresses were increasing.
  • Multiple third-party vendors (e.g., CRMs, payment processors, marketing platforms) were sending emails without properly configured SPF or DKIM.
  • Minimal visibility into email flows and authentication.
  • No structured process in place to review DMARC reports or evaluate source alignment.
  • Concerns about shadow IT and unmanaged senders added further risk.

Result
At the conclusion of the deployment project, we helped the client achieve a DMARC enforcement policy of p=reject for all active domains. Spoofing complaints stopped appearing; the client adopted a formal, company-wide email security review process; they had complete control over email flow and senders; and IT Security, DevOps, and Marketing Departments became fully aligned.

Takeaways
From initial discovery through DMARC reporting, dmarcian’s deployment specialist guided the fintech company through each step of the journey, revealing technical hurdles, strategic decisions and practical outcomes that transformed their email security posture.

  • Fintech organisations are high-value targets for spoofing. DMARC is crucial for email trust.
  • Cross-functional collaboration is essential—align IT, security and marketing teams as early as possible.
  • Visibility tools reduce complexity to make DMARC reports useful, not overwhelming.
  • Enforcement is achievable even in complex environments. A p=reject policy is attainable with effective project management.
  • DMARC isn’t just about policy; it’s a framework for trust and control.

DMARC Status of Top 100 Global Banks

According to IBM, “financially-motivated cyber criminals make up the greatest portion of active cyber threat actors targeting financial entities, and the allure of financial companies to a cybercriminal is clear: potentially significant and rapid payouts—in the millions—for a successful attack.” And for four years running, the finance and insurance industries have experienced the highest number of attacks.

With financial institutions continuing to be a top target for phishing exploits, we examined the DMARC status of the world’s top 100 banks based on assets as reported.

dmarcian is here to help financial institutions deploy DMARC authentication to fight business email compromise, phishing and spoofing with our DMARC Management Platform, educational resources, and expert support.

Coinbase
Alliant Insurance Services
The Savings Bank Mutual Life Insurance Company of Massachusetts
Exchange Bank
IMC
Frankenmuth Mutual Insurance
True Accord
Ascensus
Huntington National Bank
Connexus Credit Union
NASA Federal Credit Union

Get your domains into compliance.