Email Security Blog

DMARC Report: 85% of Fortune 500 Leave Their Customers Vulnerable to Impersonation Scams

Michael Paiko March 12, 2020 DMARC

Despite increased adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC), the vast majority of Fortune 500 companies remain at risk of email-based brand impersonation, according to our new Q1 2020 Email Fraud & Identity Deception Trends report.

According or the report, global DMARC adoption rates surged 83% in 2019, to more than 11.6 million email domains with recognizable DMARC policies. But that represents just a tiny fraction of a total universe of more than 366 million domains surveyed by the Agari Cyber Intelligence Division (ACID) in the largest quarterly study of DMARC adoption trends worldwide.

And despite measured progress over the past year, 85% of the Fortune 500 remain vulnerable to cybercriminals seeking to highjack their domains—and their brand identities—for use in email scams targeting their customers and other consumers and businesses.

Just ask DHL, American Express, Microsoft or any number of other organizations impersonated in a growing number of phishing, BEC and other email attacks that led to more than $3.5 billion in business and consumer losses in 2019, according to the FBI’s 2019 Internet Crimes (IC3) report.

Essential to Brand Protection

Email figures into more than 80% of all brand impersonation scams, which have surged 11X since 2014. This matters because for more than 72% of consumers and 86% of business professionals, email is the preferred communications channel for interacting with the brands with which they do business.

With an ROI of $38 for every $1 invested, email marketing and communications are by far the most important digital channels for revenue generation in a brand’s arsenal—and cybercriminal organizations know that. As it stands now, 22.9 new phishing attacks impersonate trusted businesses every minute. Nearly one in five emails is now suspicious.

Get impersonated, and your brand will be blamed for it—and it could cost you plenty. The negative publicity can get your own, legitimate email campaigns blacklisted by receiver systems. Even if they don’t, deliverability rates can still take a nosedive. The impact on your bottom line can be brutal.

DMARC is a standard email authentication protocol that prevents hackers from using your domains to launch email scams by giving you control over who is allowed to send emails on your behalf. It also enables ISPs (Google, Yahoo!, Microsoft, etc.) to recognize when an email isn’t coming from one of your company’s approved domains, and tells the ISP what to do with those unauthorized email messages.

But just because you assign a DMARC record to your domains doesn’t mean you’re truly protected. DMARC must be implemented at its highest enforcement level, p=reject, to prevent your domains from being used to stage outbound phishing attacks impersonating your brand.

Adoption Trends and the Fortune 500

By the end of 2019, our data shows that only 15% of Fortune 500 companies have a DMARC record set to p=reject—up just 5% year-over-year. By comparison, 18% of the UK’s FTSE 100 companies have fully implemented DMARC. (If it’s any consolation, just 10% of Australia’s ASX 100 have done the same.)

But this begs another question. If DMARC adoption rose more than 80% worldwide last year, what’s keeping the world’s most powerful companies—the ones most likely to be impersonated due to the enormous brand equity they’ve fostered with customers—in the slow lane?

The truth is, implementing DMARC can be daunting for large companies with thousands of domains spanning numerous various business units, outside agencies, and other email distribution partners.

But organizations using email authentication solutions such as Agari Brand Protection™, emails sent by fraudsters seeking to impersonate their businesses rapidly drop to near zero. What’s more, Forrester Research has found that large organizations using Agari Brand Protection have seen their email conversion rates climb an average 10%, leading to an average $4 million boost in revenues thanks to increased email engagement.

To learn more about DMARC and best practices for preventing phishing-based brand impersonation, download a free copy of the Q1 2020 Email Fraud & Identity Deception Trends report.

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

February 7, 2020 Ramon Peypoch

DMARC and Lookalike Domains: How to Protect Your Customers from Getting Duped

Hint: DMARC Alone Won't Cut It Think the prospect of cybercriminals using your domains to…

Agari Blog Image

January 3, 2020 Armen Najarian

DMARC for Transportation: How to Stop Email-based Brand Impersonation Attacks

Can an email authentication protocol known as DMARC protect freight and package carriers from brand…

DMARC for Email Security

December 11, 2019 Ramon Peypoch

Beyond DMARC: What It Really Takes to Ensure Email Security

As important as Domain-based Message Authentication, Reporting & Conformance (DMARC) is to the fight against…

Agari Blog Image

September 26, 2019 Doug Jones

How to Prevent Phishing Attacks that Target Your Customers with DMARC and Office 365

Editor's Note: This post originally appeared on the Microsoft Security blog and has been republished…

Agari Blog Image

September 16, 2019 Jacob Rideout

5 Big Myths about DMARC, Debunked

With email attacks contributing to billions of lost dollars each year, a growing number of…

mobile image