Which finance brands can be spoofed in email?
Banks, payment processors, and fintech platforms are the most-impersonated category in phishing. Regulators (FFIEC, FCA, EBA) lean on email authentication as table stakes for consumer protection, and yet plenty of well-known names still publish DMARC at p=none. The pattern matters: a payment processor that can be spoofed lets attackers send fake 'your account is locked' emails that go straight to the inbox.
| Tier | Brands | Criteria |
|---|---|---|
| Spoofable | 0 (0%) | No DMARC, or DMARC at p=none. Anyone can send from these domains. |
| Partial protection | 7 (28%) | DMARC at p=quarantine, or p=reject with pct<100. Spoofed mail may slip through. |
| Not practically spoofable | 18 (72%) | DMARC p=reject pct=100 + SPF -all or DKIM. Spoofed mail rejected at SMTP. |

| Brand | Domain | Verdict |
|---|---|---|
| Bank of America | bankofamerica.com | Maybe |
| Binance | binance.com | Maybe |
| Goldman Sachs | goldmansachs.com | Maybe |
| Morgan Stanley | morganstanley.com | Maybe |
| Robinhood | robinhood.com | Maybe |
| Visa | visa.com | Maybe |
| Wells Fargo | wellsfargo.com | Maybe |
| American Express | americanexpress.com | Protected |
| Barclays | barclays.com | Protected |
| Capital One | capitalone.com | Protected |
| Charles Schwab | schwab.com | Protected |
| Citi | citi.com | Protected |
| Coinbase | coinbase.com | Protected |
| Fidelity | fidelity.com | Protected |
| HSBC | hsbc.com | Protected |
| JPMorgan Chase | jpmorganchase.com | Protected |
| Klarna | klarna.com | Protected |
| Kraken | kraken.com | Protected |
| Lloyds Bank | lloydsbank.com | Protected |
| Mastercard | mastercard.com | Protected |
| PayPal | paypal.com | Protected |
| Plaid | plaid.com | Protected |
| Square (Block) | block.xyz | Protected |
| Stripe | stripe.com | Protected |
| Vanguard | vanguard.com | Protected |
What does "spoofable" actually mean?
A domain is spoofable when a third party can send mail FROM addresses at that domain (e.g. [email protected]) and have it land in inboxes. The mechanism that prevents this is DMARC enforcement combined with SPF and DKIM. Without all three, receivers have no policy to apply against unauthorised senders.
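
The three tiers used on this page can be expressed as a small classifier over a domain's published DMARC and SPF records. This is an added example, not the scoring code behind this page; the function names, the `dkim_signs` flag and the sample records are assumptions, and the case the page does not define (p=reject at pct=100 with neither SPF -all nor DKIM) is treated here as partial.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a lowercase dict."""
    tags = {}
    for part in (record or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def classify(dmarc_txt, spf_txt=None, dkim_signs=False):
    """Map published records to the page's three tiers.

    dmarc_txt:  TXT value at _dmarc.<domain>, or None if nothing is published.
    spf_txt:    the domain's 'v=spf1 ...' TXT value, or None.
    dkim_signs: supplied by the caller (assumption); DKIM cannot be
                discovered from DNS without knowing a selector.
    """
    tags = parse_tags(dmarc_txt)
    if tags.get("v") != "dmarc1":
        return "spoofable"                      # no usable DMARC record
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        return "spoofable"                      # p=none or an invalid policy
    try:
        pct = int(tags.get("pct", "100"))       # pct defaults to 100 when absent
    except ValueError:
        pct = 0                                 # conservative choice for a malformed pct
    if policy == "quarantine" or pct < 100:
        return "partial"
    spf_terms = (spf_txt or "").lower().split()
    spf_hard_fail = spf_terms[:1] == ["v=spf1"] and "-all" in spf_terms
    if spf_hard_fail or dkim_signs:
        return "not practically spoofable"
    return "partial"                            # assumption: undefined on the page


if __name__ == "__main__":
    # Constructed sample records for placeholder domains, not real lookups.
    samples = {
        "a.example": (None, "v=spf1 -all", False),
        "b.example": ("v=DMARC1; p=none; rua=mailto:r@b.example", "v=spf1 ~all", True),
        "c.example": ("v=DMARC1; p=reject; pct=50", "v=spf1 mx -all", True),
        "d.example": ("v=DMARC1; p=reject", "v=spf1 mx -all", False),
    }
    for domain, args in samples.items():
        print(domain, "->", classify(*args))
```
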