More than three quarters of top GCC banks leave customers vulnerable to email fraud

Proofpoint research shows that DMARC adoption among GCC banks decreased from 96% in 2024 to 77% in 2025, emphasizing gaps in email fraud defences
After GCC banks demonstrated improvements in their email security protocols in 2024, their adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) has fallen from 96% last year to 77% in 2025, leaving customers vulnerable to phishing and other fraudulent activity. This is according to the latest research by leading cybersecurity and compliance company Proofpoint, which evaluated the top banks across the UAE, KSA, Oman, Qatar, Bahrain, and Kuwait to assess their email fraud preparedness in 2025.
DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender’s identity before allowing a message to reach its intended destination. DMARC has three levels of protection – monitor, quarantine, and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.
Proofpoint’s study shows that almost a quarter (23%) of the top financial institutions in the GCC are taking no steps to protect against misuse of their domain in email fraud, which means that transactional emails, including password resets, appointment reminders, and more, are at risk. Furthermore, only 60% are implementing the strictest level of DMARC protection (reject) in 2025 compared to 71% in 2024, meaning 40% are not proactively protecting customers against email impersonation and fraud.
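The three levels correspond to the `p=` tag of the TXT record a domain publishes at `_dmarc.<domain>`, with `p=none` being the monitor level. As an added example, not part of Proofpoint's research or tooling, the Python below classifies already-fetched TXT records into the categories discussed above; the domains and records are constructed samples.

```python
from collections import Counter

# Value of the p= tag -> the level name used in the article.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict (first value wins)."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep and name.strip():
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt_records):
    """Map the TXT records found at _dmarc.<domain> to a protection level."""
    # Only records whose first tag is v=DMARC1 count as DMARC records.
    dmarc = [r for r in txt_records
             if "".join(r.split(";")[0].split()) == "v=DMARC1"]
    # No record, or more than one, means receivers apply no DMARC policy.
    if len(dmarc) != 1:
        return "no record"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in LEVELS:
        # RFC 7489: a missing or invalid p is treated as p=none only if rua is set.
        return "monitor" if tags.get("rua") else "no record"
    return LEVELS[policy]

def summarize(zone):
    """Count how many domains fall into each level."""
    return Counter(classify(records) for records in zone.values())

# Constructed sample data: domain -> TXT strings returned for _dmarc.<domain>.
SAMPLE = {
    "bank-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example"],
    "bank-b.example": ["v=DMARC1; p=quarantine; pct=100"],
    "bank-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@bank-c.example"],
    "bank-d.example": [],                                   # nothing published
    "bank-e.example": ["v=spf1 -all"],                      # SPF text, not DMARC
    "bank-f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicates
    "bank-g.example": ["v=DMARC1; p=rejct; rua=mailto:dmarc@bank-g.example"],  # typo
}

if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        print(f"{domain:16} {classify(records)}")
    print(dict(summarize(SAMPLE)))
```

A record with `pct` below 100 is counted here at its stated policy, although receivers then apply that policy to only part of the failing mail.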
Emile Abou Saleh, Vice President, Northern Europe, Middle East, Turkey and Africa at Proofpoint, said: “We are witnessing a worrying trend this year as the number of financial institutions in the GCC with a published DMARC record has decreased, potentially exposing vast amounts of sensitive personal and financial data to cybercriminals. This lack of protection against email fraud is disconcerting given that there has been consistent improvement in DMARC performance among GCC banks over the past two years. However, it is never too late for banks to re-visit security protocols and protect their email traffic against phishing and other fraudulent activity.”
In 2024, Proofpoint’s research showed that 96% of GCC banks had published a DMARC record, while 71% had implemented the strictest and recommended level of DMARC protection (‘reject’). This was higher than in 2023, when 94% of GCC banks had published a DMARC record.
Banks that implement DMARC are better equipped to protect their customers, employees, and brand from email fraud. By safeguarding email traffic, they can ensure that legitimate email is properly authenticated and that fraudulent activity appearing to come from domains under the bank’s control is blocked before it reaches customers.