Email Security Blog

DMARC Adoption Rising, but 87% of Fortune 500 Still Vulnerable to Email-based Brand Impersonation

Fareed Bukhari November 13, 2018 Brand Protection

Editor’s Note: This article is Part 2 in a three-part series based on findings from the Q4 2018 Email Fraud & Identity Deception Trends report. Part 1 is available on this blog.

First there’s the good news: 51 percent of Fortune 500 companies have adopted DMARC, the open email-authentication standard designed to prevent fraudsters from impersonating brands in email scams, according to the Q4 2018 Email Fraud & Identity Deception Trends report from Agari.

The bad news? Just 13% have set up the DMARC enforcement policies needed to activate that protection. What’s more, out of the 283 million registered public domains the study examined from July through October, only a tiny fraction have done the same.  

And it shows. Email-based brand impersonations are up 11x since 2014. Every day, consumers and businesses are hit with 6.4 billion fraudulent emails that appear to come from brands they know and trust.

The objective of these malicious messages: to fool recipients into revealing sensitive information or making payments that secretly go to the con artists’ bank accounts. Last year, consumers lost $172 billion through these and other forms of online fraud.

The Q4 Trends report from Agari is the largest analysis of DMARC adoption ever conducted. And it may offer the best look yet at corporate vulnerabilities to brand impersonation attacks.  

The prognosis? While the data points to signs of progress, the rapidly escalating volume of email scams threatens serious damage to revenue growth, shareholder value, and long-term brand equity for the organizations these phishing campaigns impersonate.

From Trust—to Dust?

So what makes email-based brand impersonation so dangerous? For one thing, email remains every business’s most important channel for communicating with customers and prospects.  

In fact, despite the growth of newfangled options like texting, social media, and trendy messaging platforms, email is 40x more effective at acquiring new customers than these other channels. It generates $40 for every $1 spent—by far the highest of any digital medium. And 72% of consumers say they prefer email as their primary mode of communication with brands.

Unfortunately, fraudsters have noticed. While brand impersonation on mobile and social media platforms seems to generate more buzz these days, 80% of attacks come through email. One out of every 10 emails is now a scam, and in a recent survey, 25% of consumers said they’d opened phishing emails.  

The damage done from these email-based brand impersonations extends far beyond victims who suffer direct, and often devastating, financial losses.

Even when a customer hasn’t been personally defrauded, publicity about scams bearing your brand identity can mean they’ll be hesitant to open the next legitimate email you do send. Email deliverability can nosedive, as can open rates. Social media buzz and Google searches mean the black-eye dealt to your brand may last a while—or even forever. DMARC is designed to help change all that.

DMARC & Identity Deception

Formally known as Domain-based Message Authentication, Reporting and Conformance, DMARC gives organizations unprecedented visibility into legitimate and fraudulent email being sent using their domain names.

DMARC does not authenticate email by itself. It builds on the two existing standards, SPF and DKIM, and adds two things: an alignment requirement, so that the domain SPF or DKIM validated must match the domain the recipient actually sees in the From: header, and a reporting channel, so that receivers send domain owners aggregate data about who is sending mail in their name. That exchange of data is what lets senders and receivers detect and block scams at scale.

In fact, when policies are set properly, DMARC helps ensure only authorized senders can use an organization’s domain name in emails, and has been shown to drive phishing that spoofs the brand’s exact domain down to near zero. One caveat practitioners should keep in mind: DMARC protects the domain itself. Lookalike domains and display-name tricks (a friendly name that says “Example Bank” over an unrelated address) are outside its scope and need other controls.

How? By letting the domain owner publish a policy, in DNS, that tells receiving systems how to recognize a message that uses the brand’s domain but was not sent by an authorized sender (that is, neither SPF nor DKIM passed with a domain aligned to the From: domain), and what to do with such unauthenticated messages.

DMARC policy settings include “p=none,” a monitoring-only setting that tells the receiver to deliver the message as it normally would while still sending reports back to the domain owner; and two enforcement settings, “p=quarantine,” which tells the receiver to treat the message as suspicious (in practice, usually routing it to the spam folder), and “p=reject,” which tells the receiver to refuse the message outright. Only the enforcement settings keep a spoofed message from reaching its target, which is why the 13% enforcement figure matters more than the 51% adoption figure.
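To make the policy mechanics concrete, here is an added example (not Agari’s code and not a production validator) of the decision a receiving mail system makes once it has its SPF and DKIM results in hand: parse the domain owner’s DMARC record, test identifier alignment, and return either “pass” or the policy to apply. The records, domain names and message results are constructed for illustration; the organizational-domain logic is a deliberate simplification (real receivers use the Public Suffix List), and the pct= sampling tag is ignored.

```python
"""
Added example (not Agari's code, not a production validator): a minimal DMARC
policy evaluator showing what a receiving mail system does with a message once
SPF and DKIM have been checked. All records and message results below are
constructed for illustration.
"""
from dataclasses import dataclass

# Constructed records, as they would appear in the _dmarc.example.com TXT entry:
# a monitoring-only record and an enforcement record with strict alignment.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCE_RECORD = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary (RFC 7489 section 6.3)."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError(f"not a usable DMARC record: {txt!r}")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption: the last two labels form the organizational domain.
    Real receivers consult the Public Suffix List so that example.co.uk works."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match; 'r' (relaxed, the
    default) accepts any domain sharing the From domain's organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322.From header, what the recipient sees
    spf_result: str    # receiver's SPF result: "pass", "fail", "none", ...
    spf_domain: str    # domain SPF was evaluated against (RFC5321.MailFrom / HELO)
    dkim_result: str   # result of the best DKIM signature: "pass", "fail", "none"
    dkim_domain: str   # d= tag of that signature, "" when there is no signature


def dmarc_disposition(record: str, r: AuthResults) -> str:
    """Return "pass" when the message authenticates under DMARC, otherwise the
    policy the receiver should apply: "none", "quarantine" or "reject".
    Assumption: `record` was published at the From domain's organizational
    domain, so the sp= tag applies when the From domain is a subdomain.
    The pct= sampling tag is ignored here (treated as pct=100)."""
    tags = parse_dmarc_record(record)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = r.from_domain.lower() != organizational_domain(r.from_domain)
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags["p"]


# Constructed scenarios.
# 1. Spoof: the attacker's own envelope domain passes SPF and there is no DKIM
#    signature, but the brand's domain is in the visible From header.
SPOOF = AuthResults("example.com", "pass", "attacker-mail.example.net", "none", "")
# 2. Legitimate mail relayed by a third party but signed with the brand's DKIM key.
LEGIT = AuthResults("example.com", "fail", "bulk-sender.example.org", "pass", "example.com")
# 3. A subdomain sender signed with the organizational domain's key.
SUBDOMAIN = AuthResults("newsletter.example.com", "none", "", "pass", "example.com")


if __name__ == "__main__":
    for name, rec in (("monitor", MONITOR_RECORD), ("enforce", ENFORCE_RECORD)):
        for label, msg in (("spoof", SPOOF), ("legit", LEGIT), ("subdomain", SUBDOMAIN)):
            print(f"{name:8s} {label:10s} -> {dmarc_disposition(rec, msg)}")
```

Running it shows the two sides of the adoption-versus-enforcement gap: under the p=none record the spoofed message comes back as “none” and is delivered, while under the enforcement record it is rejected. The third scenario is the caveat worth seeing before flipping to p=reject: with strict DKIM alignment (adkim=s), a subdomain signing with the organizational domain’s key no longer aligns, so the brand’s own newsletter would be rejected under sp=reject. Monitoring with p=none and reading the aggregate reports first is how domain owners find those senders before enforcing.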

.govs Ahead of the Fortune 500

It’s worth noting that the United States federal government now leads all industry verticals in DMARC adoption, with an 84% DMARC adoption rate. October 16 was the deadline to meet the Department of Homeland Security’s Binding Operational Directive (BOD) 18-01, which mandates that all executive branch domains adopt DMARC and move to a reject policy.

More than 76% of agencies covered by the directive have implemented a reject policy, with remaining agencies expected to follow suit in coming weeks, putting them well ahead of most private sector organizations.

In its examination of more than 280 million domains, Agari identified an increase in DMARC adoption from 3.5 million domains in July to 5.3 million domains in October—a 51% jump, mostly from .com websites. While that’s progress, it still means that only about 2% of domains have DMARC records at all. Far fewer have set quarantine or reject policies.

Indeed, for all its gains, 87% of the Fortune 500 remains vulnerable to brand impersonation fraud—even as scams are surging.

But there’s still reason for hope.

DMARC adoption is accelerating. And as you’ll see in Part 3 of this series, Brand Indicators for Message Identification (BIMI) is an industry-wide standards effort that displays a brand’s logo next to messages that have passed DMARC authentication, offering an assurance to recipients that the message really did come from the brand. Because BIMI requires the sending domain to be at DMARC enforcement (quarantine or reject), it also gives brands a visible incentive to move beyond p=none.

Based on data captured in the Q4 report, BIMI is showing tremendous promise, and we expect adoption to gain traction in the months ahead.

To learn more about email-based brand impersonation scams and other advanced email threats, download a FREE copy of Q4 2018 Email Fraud & Identity Deception Trends from Agari.
