New Analysis Finds Many Fintechs Remain Vulnerable to Email Spoofing Attacks

LONDON - Forty-one percent of leading fintechs remain vulnerable to email spoofing attacks, “exposing customers to heightened risks of phishing, payment fraud, and account takeover,” according to new research from the cybersecurity firm Red Sift.

“Despite industry awareness and repeated regulatory guidance, only 26% of the top fintechs have implemented the highest level of domain protection—DMARC enforcement at p=reject—to block impersonation before malicious emails reach inboxes,” Red Sift said in releasing its findings. “Phishing continues to drive a large share of cyber breaches and fraud across financial services.”

Citing Verizon’s 2025 Data Breach Investigations Report, the company noted social engineering and phishing remain among the top causes of security incidents. 

Red Sift said its research builds on prior findings highlighting that more than half of U.S. commercial banks remain exposed to spoofing attempts. 

Increasing Use of AI

“Attackers are increasingly leveraging AI to enhance phishing campaigns: writing more convincing lures, localizing language, and personalizing at scale,” the company said. 

“Recent reporting from Microsoft and other industry sources shows AI is improving both the quality and success rate of phishing attacks, while brand impersonation continues to rise. The human element, long seen as the weakest link, is now being systematically targeted through these sophisticated, AI-assisted schemes.”

The Key Findings

According to Red Sift, key findings from its fintech study, which is based on an analysis of 269 leading fintechs, include:

  • DMARC at enforcement (any level): 159 (59.1%) 
  • p=reject (full enforcement): 70 (26.0%) 
  • p=quarantine (partial enforcement): 89 (33.1%)
  • Unprotected domains: 110 (40.9%)
  • p=none: 66 (24.5%)
  • No DMARC record: 44 (16.4%) 

Open to Spoofing

“Organizations that lack DMARC protection leave their domains open to spoofing—allowing anyone to send fake ‘verify a charge,’ ‘update your bank info,’ or ‘reset your password’ emails that appear to come from a trusted source,” Red Sift said. “This exposure directly contributes to account takeovers, payment diversion, and data loss.”
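The buckets in the findings above (p=reject, p=quarantine, p=none, no record) are exactly what a defender checks when auditing their own domains, and the “open to spoofing” point comes down to the last two buckets. The following is an added example, not Red Sift’s methodology or code: it parses DMARC TXT records the way RFC 7489 tells receivers to read them and tallies a set of domains into the same four categories. The domain names and records are constructed for illustration; the only assumption beyond the article is that a record that is missing or malformed offers no protection, since receivers ignore it.

```python
"""Classify DMARC records into the enforcement buckets used in the survey.

Added example; the sample domains and records below are constructed,
not real fintech domains.
"""
from collections import Counter
from typing import Dict, List, Optional


def parse_dmarc(record: Optional[str]) -> Dict[str, str]:
    """Parse a DMARC TXT record into a tag -> value dict.

    Returns {} when the record is absent or invalid. Per RFC 7489 the record
    is ';'-separated tag=value pairs, 'v=DMARC1' must be the first tag and
    'p' is required. Receivers ignore records that break those rules, so an
    invalid record protects nothing and is bucketed with "no record".
    """
    if not record:
        return {}
    tags: Dict[str, str] = {}
    first_key = None
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        key, value = key.strip().lower(), value.strip()
        if first_key is None:
            first_key = key
        tags[key] = value
    if first_key != "v" or tags["v"].upper() != "DMARC1" or "p" not in tags:
        return {}
    return tags


def classify(record: Optional[str]) -> str:
    """Map a record to 'reject', 'quarantine', 'none' or 'no_record'."""
    tags = parse_dmarc(record)
    if not tags:
        return "no_record"
    policy = tags["p"].lower()
    # Any value other than reject/quarantine (including p=none and typos)
    # results in no enforcement at the receiver, so it lands in 'none'.
    return policy if policy in ("reject", "quarantine") else "none"


def applies_to_all(record: Optional[str]) -> bool:
    """True when the policy covers 100% of failing mail (pct absent or 100).

    A pct below 100 is a staged rollout: the domain counts as 'enforced'
    in the survey's sense but still lets a share of spoofed mail through.
    """
    tags = parse_dmarc(record)
    if not tags:
        return False
    try:
        return int(tags.get("pct", "100")) >= 100
    except ValueError:
        return False


def tally(records: Dict[str, Optional[str]]) -> Counter:
    """Count domains per bucket for a {domain: record-or-None} mapping."""
    return Counter(classify(r) for r in records.values())


def summarize(records: Dict[str, Optional[str]]) -> dict:
    """Roll the tally up into the headline numbers the survey reports."""
    counts = tally(records)
    total = len(records)
    enforced = counts["reject"] + counts["quarantine"]
    partial: List[str] = [
        d for d, r in records.items()
        if classify(r) in ("reject", "quarantine") and not applies_to_all(r)
    ]
    return {
        "total": total,
        "enforced": enforced,
        "unprotected": counts["none"] + counts["no_record"],
        "enforced_pct": round(100.0 * enforced / total, 1) if total else 0.0,
        "partial_rollout": partial,
    }


def lookup_record(domain: str) -> Optional[str]:
    """Fetch the live _dmarc TXT record (needs dnspython and network access)."""
    import dns.resolver  # third-party; imported lazily so the rest runs offline
    try:
        answer = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except dns.resolver.NXDOMAIN:
        return None
    for rdata in answer:
        return b"".join(rdata.strings).decode("utf-8", "replace")
    return None


# Constructed sample records (not real domains); None = no TXT record at all.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "payco.example": "v=DMARC1; p=reject; rua=mailto:dmarc@payco.example",
    "lendly.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:r@lendly.example",
    "walletz.example": "v=DMARC1; p=none; rua=mailto:r@walletz.example",
    "cardio.example": "v=DMARC1; p=reject",
    "nodmarc.example": None,
    "broken.example": "p=reject",  # missing v=DMARC1, so receivers ignore it
}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:18} {classify(rec):10} all-mail={applies_to_all(rec)}")
    print(summarize(SAMPLE_RECORDS))
```

Two things the tally shows that the headline percentages hide: a syntactically broken record (here `broken.example`) is worth nothing even though a TXT record exists, and a `p=quarantine` with `pct=50` is counted as enforced while half of failing mail still reaches inboxes. Replace `SAMPLE_RECORDS` with the output of `lookup_record` over your own domains to run the same audit.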
