From July through October 2018, attackers overwhelmingly used display name deception to launch business email compromise attacks, stealing money and credentials from their victims while damaging trust in the brands and domains they impersonated. Among Agari’s findings:

  • 54% of attacks leveraged impersonated brands, particularly Microsoft and Amazon, in the sender display name to convince victims the email was legitimate.
  • Raw DMARC policy adoption rose by 51%, according to the most comprehensive DMARC snapshot to date—but not all DMARC adoption was benevolent.
  • The US federal government sector led DMARC policy adoption, with a 76% DMARC reject rate.

Download your copy of the Q4 2018 Email Fraud and DMARC Adoption Trends report now to learn which brands and identities were targeted most and how DMARC authentication helps businesses protect their brands and domains.

About this Report 

This report contains metrics from data collected and analyzed by the following sources:

Inbound Threat Data:

For inbound threat protection, Agari uses machine learning—combined with knowledge of an organization’s email environment— to model good or authentic traffic. Each message received by Agari is scored and plotted in terms of email senders’ and recipients’ identity characteristics, expected behavior, and personal, organizational, and industry-level relationships. For the attack categorization analysis, we leveraged anonymous aggregate scoring data that automatically breaks out identity deception-based attacks that bypass upstream SEGs into distinct threat categories, such as Display Name Deception, Compromised Account, and more.

Global Domain Snapshots:

For broader insight into DMARC policies beyond what we observed in email traffic targeting Agari’s customer base, we obtained and analyzed two large snapshots, representing virtually all the publicly accessible domains in DNS over the course of Q3.


Over the course of this period, our base domain list increased by 38 million, mostly in newly detected country code top-level domain (CCTLDs.) These snapshots will form the basis for trend tracking in subsequent reports.

Agari Threat Center:

The Agari Threat Center continually aggregates anonymized DMARC reporting data that we track over our customer domains in several industry sectors. Over the period of this report, over 576 trillion emails were visible to the Agari Threat Center, traversing over 14,200 top level and subdomains. Visit to explore authentication results across various verticals and time frames. To maintain complete confidentiality, the Threat Center database does not store company-specific information of any kind. Threat Center data is primarily representative of business-to-consumer (B2C) email for the countries and industries in which we have significant market penetration.

In order to compare and contrast the global DMARC insights provided by our domain snapshots with the data tracked by Agari, we grouped public data into corresponding vertical categories represented in the Agari Threat Center. Note that for other analyses, such as the Fortune 500, US federal government, and large industry sections, we obtained the domain names from public sources and determined DMARC authentication status using Agari lookup tools.

About Agari Cyber Intelligence Division

The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spearphishing investigation. ACID supports Agari’s unique mission of protecting communications so that humanity prevails over evil. ACID uncovers identity deception tactics, criminal group dynamics, and relevant trends in advanced email attacks. Created by Agari in 2018, ACID helps to impact the cyber threat ecosystem and mitigate cybercrime activity by working with law enforcement and other trusted partners.

Learn more at

Close button
Mail Letter

Would you like the confidence to trust your inbox?