Executive summary: Over half of major U.S. banks remain exposed to phishing attacks because of weak or absent DMARC enforcement, despite rising cybercrime losses and increasingly sophisticated email threats. Operational challenges, regulatory gaps, and underestimation of risk hinder stronger protections, putting customer trust and financial stability in jeopardy.
Key takeaways
- Less than half of major U.S. banks enforce strong DMARC policies (p=reject), leaving their domains open to spoofing and phishing attacks, while nearly a third passively monitor without blocking malicious emails.
- Financial institutions are the top targets for phishing, accounting for over 50% of all phishing attacks globally, with attacks growing in volume and sophistication due to generative AI and increased third-party risks.
- Operational hurdles, regulatory ambiguity, and risk aversion are the main reasons banks delay DMARC enforcement, despite its proven effectiveness in preventing email-based fraud and protecting customer trust.
Email remains the primary tool for the financial industry, and bad actors know it. In 2024, the FBI’s Internet Crime Complaint Center (IC3) tallied $16.6 billion in cyber-enabled losses, a 33% increase from the year before. Business Email Compromise (BEC)—where attackers impersonate trusted institutions via email—produced 21,489 complaints and $2.9 billion in damages, making it the second-costliest cybercrime tracked by the Bureau.
Early 2025 numbers suggest the trajectory is worsening: From the Verizon Data Breach Investigations Report 2025, of 22,000+ incidents and 12,195 confirmed breaches analyzed, credential abuse and social-engineering pretexting were top access vectors. Third-party involvement doubled to 30% of breaches, underscoring supply chain risk for banks.
Phishing continues to surge. The Anti-Phishing Working Group recorded 989,123 attacks in Q4 2024, the highest quarterly volume ever. Generative AI has only sharpened the threat: polished, typo-free messages generated by large language models erase the telltale signs consumers were trained to spot.
Why this matters to banks
Beyond direct fraud, the fallout of a breach is punishing. IBM’s 2024 Cost of a Data Breach study pegs the average incident in financial services at $6 million, well above the cross-industry average. Add to that regulatory fines, lost trading days, and reputational damage, and it becomes clear: every spoofed email is a material risk to earnings and customer trust.
Sector anxiety, by the numbers
To assess how prepared the sector is, Red Sift analysts examined DMARC (Domain-based Message Authentication, Reporting & Conformance) data from the 510 largest U.S. commercial banks. The findings are sobering:
- 210 banks (41.2%) enforce p=reject, meaning fraudulent messages are blocked outright.
- 96 (18.8%) sit at p=quarantine, parking dubious mail in spam.
- 144 (28.2%) collect reports at p=none but still deliver possible spoofs.
- 60 (11.8%) publish no DMARC record at all.
Bottom line: fewer than half of the largest U.S. banks are actively protecting their domains, and nearly a third are still passively monitoring, letting spoofed messages reach inboxes.
What’s stopping enforcement? It’s not the tech.
The reality isn’t a lack of DMARC knowledge; it’s operational complexity and risk aversion. Banks juggle hundreds of legitimate third-party senders—from marketing platforms to mortgage systems—and fear that a misconfigured policy might block critical services like payroll, loan documents, or customer statements.
Compounding this is a lack of visibility. Many security teams operate without a consolidated view of email-sending activity. With limited resources, they default to p=none, hoping attackers don’t notice their domain is easy to spoof.
They also face regulatory ambiguity: while bodies like NIST and the FFIEC recommend DMARC and other authentication standards, no formal U.S. banking regulation mandates full enforcement. In contrast, U.S. federal agencies have been required to implement p=reject since 2017 under DHS’s Binding Operational Directive 18-01. Without similar sector mandates, many banks have deprioritized enforcement.
Lastly, many underestimate the threat. Despite the rise of sophisticated, AI-powered phishing, some security leaders believe SPF and DKIM are sufficient or assume customers will recognize fakes—ignoring the surge in impersonation attacks against brands like Bank of America, which saw an explosion in spoofed texts and calls in 2024 and 2025.
How banks can accelerate their journey to p=reject
U.S. commercial banks are prime targets for phishing and BEC attacks, making domain protection not optional, but essential. Implementing DMARC with enforcement at p=reject stops unauthorized use of your domain, cutting off impersonation attempts before they ever reach your customers.
But the path can be challenging. Without the right tooling, analyzing DMARC reports and identifying legitimate senders is time-consuming. That’s why solutions like Red Sift OnDMARC are crucial. OnDMARC automates the parsing of authentication data, offers clear guidance for safe policy enforcement, and helps institutions fix issues before they disrupt operations. With native support for SPF, DKIM, TLS reporting, and MTA-STS, the platform eliminates guesswork and accelerates secure adoption.
Check your DMARC status in 30 seconds
Not sure what your current DMARC record is? Check for free now.
Final word: security, trust, and compliance
The email threat landscape is evolving rapidly. With phishing, spoofing, and BEC attacks growing more sophisticated, banks can no longer afford to delay enforcement. With the right DMARC partner, institutions can:
- Block spoofed emails at the source
- Protect customers and partners
- Preserve brand trust
- Meet rising regulatory expectations
- Reduce the risk of costly, reputation-shattering breaches
For help evaluating your current DMARC status—or choosing a partner to help you get to enforcement—start with this guide. Because in today’s threat environment, a “p=none” policy is a welcome mat for attackers.
