An independent cybersecurity review across the largest U.S. banks — national money-center and super-regional institutions including JPMorgan Chase, Bank of America, and Wells Fargo — reveals a surprisingly wide range of results. These banks safeguard trillions in deposits and commercial relationships, yet several show the same email-authentication gaps found at much smaller regional institutions.
Using data from audit.emailmenow.com, we evaluated each bank’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
Cybersecurity Scores of Major U.S. Banks
Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.
| Rank | Bank | Domain | Overall Score | Performance Level |
|---|---|---|---|---|
| 1 | Fifth Third | 53.com | 74% | Strong |
| 1 | Citizens Financial | citizensbank.com | 74% | Strong |
| 3 | U.S. Bancorp | usbank.com | 70% | Strong |
| 3 | PNC Financial | pnc.com | 70% | Strong |
| 3 | Truist | truist.com | 70% | Strong |
| 3 | Regions Bank | regions.com | 70% | Strong |
| 3 | Huntington | huntington.com | 70% | Strong |
| 8 | BNY Mellon | bnymellon.com | 68% | Good |
| 9 | JPMorgan Chase | jpmorganchase.com | 67% | Good |
| 10 | KeyBank | key.com | 66% | Good |
| 11 | TD Bank | td.com | 64% | Good |
| 12 | Ally Financial | ally.com | 60% | Above Average |
| 13 | Capital One | capitalone.com | 58% | Average |
| 14 | Bank of America | bankofamerica.com | 56% | Average |
| 15 | Wells Fargo | wellsfargo.com | 54% | Average |
| 15 | Goldman Sachs | goldmansachs.com | 54% | Average |
| 15 | M&T Bank | mtb.com | 54% | Average |
| 18 | Citigroup | citi.com | 50% | Below Average |
What the Results Reveal
- Scores range from 74% (Fifth Third, Citizens) down to 50% (Citigroup) — five banks reach a strong (70%+) posture, but none hit the showcase tier (85%+) that some regional banks achieve.
- The biggest household names do not lead: JPMorgan Chase (67%), Bank of America (56%), Wells Fargo (54%), and Citigroup (50%) all trail several super-regionals on basic email authentication.
- The gap from top to bottom is 24 points — scale and brand recognition are no guarantee of strong email hygiene.
- Without an enforced DMARC policy, criminals can spoof a bank’s own domain to phish customers or to send fraudulent wire-update instructions to commercial clients.
Why This Matters for Banks
Banks are bound by the GLBA Safeguards Rule, FFIEC examination guidance, and federal/state prudential oversight. Email authentication (SPF, DKIM, and an enforced DMARC policy) is the single highest-impact control against the business email compromise (BEC) and wire fraud that target bank customers and commercial accounts.
Check any bank’s posture at audit.emailmenow.com/?industry=financial-advisors.
Recommendations
- Enforce DMARC (p=reject), strict SPF (-all), and DKIM signing.
- Add MTA-STS and website security headers.
- Adopt verified call-back procedures for any change to wiring instructions, and train customer-facing and commercial staff.
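To make the first recommendation concrete, here is an added example (not the audit.emailmenow.com scanner's code) that classifies a domain's DMARC and SPF TXT records the way an auditor would: enforced versus monitor-only DMARC, and strict versus soft or open SPF. The DNS records are constructed samples embedded inline, so nothing is looked up; in practice you would feed it the TXT records returned for `_dmarc.<domain>` and `<domain>`.

```python
# Constructed sample DNS TXT records (not real lookups of any bank domain).
SAMPLE_TXT = {
    "_dmarc.enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example; pct=100",
    "enforced.example": "v=spf1 include:_spf.example.net -all",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "monitor.example": "v=spf1 include:_spf.example.net ~all",
}


def parse_tags(record):
    """Split a 'k=v; k=v' record into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Classify the DMARC record found at _dmarc.<domain>."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return "missing"
    tags = parse_tags(record)
    policy = tags.get("p", "none").lower()  # receivers treat a missing p= as none
    try:
        pct = int(tags.get("pct", "100"))  # pct<100 means only a sample is enforced
    except ValueError:
        pct = 100
    if policy == "reject" and pct == 100:
        return "enforced"
    if policy in ("reject", "quarantine"):
        return "partial"
    return "monitor-only"  # p=none: reports only, spoofed mail is still delivered


def assess_spf(record):
    """Classify the SPF record by its terminating 'all' mechanism."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing"
    last = record.split()[-1].lower()
    if last == "-all":
        return "strict"  # hard fail for unlisted senders
    if last == "~all":
        return "soft"  # soft fail: most receivers still accept the message
    if last in ("?all", "+all"):
        return "weak"  # neutral or pass-all: no protection at all
    return "no-all"  # no terminating all (e.g. redirect= only); inspect manually


def audit_domain(domain, txt=SAMPLE_TXT):
    """Return the DMARC and SPF classification for one domain."""
    return {"dmarc": assess_dmarc(txt.get(f"_dmarc.{domain}")),
            "spf": assess_spf(txt.get(domain))}
```

Only the "enforced" DMARC result actually blocks a spoofed message; "partial" and "monitor-only" records still let spoofed mail reach the inbox, which is the gap the scores above penalise.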
Stop fraud before it starts. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=financial-advisors.
Contact EmailMeNow IT Consulting for help with GLBA-aligned email security hardening.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.