The Agari Cyber Intelligence Division analyzed trillions of emails and nearly 500 million Internet domains to uncover the scope and impact of this email fraud… and the trends that benchmark enterprise security teams’ ability to respond to email threats.
This report delivers data and key findings, including:
In a snapshot of more than 426 million Internet domains, we analyze adoption trends for Domain-based Message Authentication, Reporting, and Conformance (DMARC) from July through December 2020.
But don’t break out the champagne just yet. While this notable increase in the number of domains with an identifiable DMARC policy is encouraging, it still represents just a tiny fraction of the half-billion domains our researchers scanned worldwide.
Failure to implement DMARC with the p=reject enforcement leaves organizations at risk from cybercriminals seeking to pirate their brand and domains to target phishing attacks at their customers and other consumers and businesses. These domains may also be blacklisted by receiver systems, or experience reduced deliverability rates for the brand’s legitimate email messages, resulting in costly disruptions to their email-based marketing and revenue streams. But when implemented properly, DMARC has been shown to reduce domain spoofing to near zero while boosting email conversion rates as much as 10%, according to Forrester Research.
As part of this report, ACID examines the state of DMARC adoption by key geographies during the second half of 2020. In any given period, a rising number of new domains can cause changes to the total percentage of domains with DMARC policies, as well as those with DMARC policies at full enforcement.
Among the ten largest country-code domains, the United States racked up a 21% increase in the percentage of domains with DMARC policies set to the strictest possible enforcement level in just six months, helping it to outpace the Netherlands. But during the same period, Germany achieved a remarkable 38% increase in DMARC policies at full enforcement, the level needed to prevent domains from being used to send phishing attacks.
Among all countries, just three have at least 50% of domains with DMARC policies set to their strictest enforcement level—Germany, Colombia, and the British Virgin Islands.
This report captures DMARC adoption trends among some of the world’s most prominent companies through the second half of 2020—including Germany’s HDAX, which joins the Fortune 500, FTSE 100 and the ASX 100 in our index for the first time. It’s important to note that even when organizations have assigned DMARC records to their domains, they are not truly protected unless they are set to a level of enforcement. The sizable proportion of “no record” and “monitor only” policies highlights the fact that these organizations can still be impersonated in phishing campaigns that put their customers and other consumers and businesses at risk of serious financial harm.
From July through December 2020, the number of malicious emails spoofing corporate or government domains topped 5.8 billion (or 2.28% of all email). That’s 32 million fraudulent emails impersonating the domains of well-known brands every day of the week, at a rate of 1.3 million per minute.
That’s an increase of 20% from June 2020. Adding the 8% of DMARC-assigned domains with a p=quarantine policy, the share of Fortune 500 domains with DMARC policies set to at least some level of protection stands at 32%, a rise of 10% during the same period.
Maybe it got put on the back-burner because of everything else 2020 threw their way. Whatever the case, 76% of Fortune 500 companies lack the protection needed to prevent email threat actors from hijacking their domains and impersonating their brands in phishing attacks. That may help explain why Gartner ranks DMARC implementation [17] as a top priority for every organization in 2021.
The number of companies on the UK’s FTSE 100 with domains protected by DMARC set to p=reject grew to 25 during the second half of 2020—up from 20 at mid-year. While commendable, it still means that 75% of the FTSE 100 does not yet have protections in place to prevent threat actors from impersonating their brands in email attacks targeting customers, investors, and the general public.
Amid a push to increase the number of Australian government domains protected by DMARC [18], the private sector is still struggling with deployment, even as the total number of domains in use continues to rise. Today, just 14% of ASX 100 companies have DMARC policies set to full enforcement—leaving 85% at risk of email threat actors pirating their domains for use in phishing attacks.
A sustained onslaught of BEC and phishing campaigns was implicated in attacks that cost the German government [19] and businesses [20] tens of millions of euros in 2020—and even led to loss of life [21]. These dramatic wake-up calls were likely a factor in that country’s spike in domains with DMARC policies set at reject, noted earlier. But for the large companies within the HDAX stock index, deployment across a very large number of domains can be costly and time consuming. As a result, just 9% of the 110 companies in the index have domains with DMARC policies at full enforcement, and another 8% at quarantine. That leaves 91% of HDAX companies with domains at risk of abuse by fraudsters.
Data in our H1 2021 report includes DMARC adoption across key industry verticals and is based on public DNS records for primary corporate website domains of large companies with revenues above $1 billion USD. Every vertical has shown incremental improvements in the percentage of their DMARC-enabled domains at p=reject since our last report.
Putting a fine point on the need for DMARC protection: During the second half of 2020, organizations in technology, healthcare, and government were impersonated most in phishing attacks leveraging unprotected email domains. None of this is surprising, given the ongoing COVID-19 pandemic and the resulting 57% of corporate employees working from home. Ever the opportunists, fraudsters also sought to exploit unprotected domains for attacks related to US political crises—producing a noticeable spike in spoofed domains in the run-up to the November presidential elections that persisted through the first several days of 2021.
With real-time statistics from the domains of top banks, social networks, healthcare providers, major government agencies and thousands of other organizations, the Agari Email Threat Center is the largest set of detailed DMARC data in the world both in terms of email volume and domains. This data enables us to understand how enforcement rates across industries compare with those of Agari customers. To generate real-time threat intelligence, the Agari Email Threat Center analyzed more than 257.9 billion emails from more than 20,727 domains from July through December 2020.
Take the worst pandemic in modern history. Add fear, confusion, and unprotected email domains and mix. From phishing campaigns impersonating Vanderbilt University Medical Center to the Centers for Disease Control (CDC) to Health and Human Services (HHS) and other healthcare authorities, Agari customers in the sector had ample reason to beef up DMARC implementation efforts. As of December 2020, 84% of Agari healthcare customers’ domains are set at a p=reject enforcement level. That’s 6X the industry average of only 14% of domains protected with DMARC at its highest enforcement level.
Brand Indicators for Message Identification (BIMI) benefits the entire email ecosystem by providing businesses with a standardized method for publishing their brand logos next to their email messages within a recipient’s inbox, with built-in protections against brand spoofing. At a time when email’s role as the indispensable digital channel has never been more critical to marketers, the launch of Google’s high-profile BIMI pilot provided additional rocket fuel for this rapidly growing standard.
BIMI works only with email that has passed DMARC authentication under a policy the domain owner has set to enforcement, so that only authenticated messages are delivered. DMARC has been shown to boost deliverability rates. BIMI adds a verified logo indicating that the email is legitimate and comes from the brand’s authentic domain. Though it will take time for BIMI to gain additional mindshare and trust, early tests show it can boost open rates by as much as 10% [22].
During the second half of 2020, BIMI adoption grew 72% from just 5,282 in H1. One significant contributing factor: the July launch of Google’s BIMI pilot, which allowed a select group of organizations that authenticate their emails using DMARC to validate ownership of their corporate logos and securely use them in email messages. Once these authenticated emails pass Google’s anti-abuse checks, Gmail displays the logo in existing avatar slots within the Gmail interface. Google and other inbox providers are expected to expand their BIMI pilots to more brands in 2021.
As the financial and reputational damage from phishing, BEC, and other advanced email threats continues to mount, Agari has become the market leader in protecting brands and people from devastating phishing and socially-engineered attacks through solutions that include:
Leveraging applied data science and a diverse set of signals, Agari protects the workforce from inbound BEC scams, supply chain fraud, spear-phishing, and account-takeover-based attacks—reducing business risk and restoring trust to the inbox. Agari also prevents spoofing of outbound email from the enterprise to customers, increasing deliverability and preserving brand integrity and reputation. Learn more at www.agari.com.
ACID has established a classification system for cyber threats—a threat taxonomy—that breaks down common email-based attacks in terms of how they are carried out and what the perpetrators aim to achieve. This taxonomy helps readers understand the terms used in this report and what they mean to email security.
The metrics and data analyzed in this report are collected from the sources indicated below.
For inbound threat protection, Agari uses machine learning—combined with knowledge of an organization’s email environment—to model good, legitimate traffic. Each message received by Agari is scored and plotted in terms of email senders’ and recipients’ identity characteristics, expected behavior, and personal, organizational, and industry-level relationships. For the attack categorization analysis, we leveraged anonymous aggregate scoring data that automatically breaks out identity deception-based attacks that bypass upstream Secure Email Gateways (SEGs) into distinct threat categories, such as display name deception, compromised accounts, and more. See the section “Taxonomy of Advanced Email Attacks” on the preceding page.
This report presents results from a survey of large organizations in a cross-section of industries conducted by Agari in December 2020.
For broader insight into DMARC policies beyond what we observed in email traffic targeting Agari’s customer base, we analyzed 426 million domains, ultimately observing 10,744,092 domains with recognizable DMARC policies attached. This constantly updated list of domains serves as the basis for trend tracking in subsequent reports.
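The buckets this report counts (“no record”, “monitor only”, quarantine, reject) and the BIMI prerequisite of a DMARC policy at enforcement can both be derived from a domain’s DMARC TXT record. The following is an added illustration, not Agari’s scanning code: it parses constructed records (the DNS lookup itself is omitted), classifies each into the report’s buckets, applies the RFC 7489 fallback for an invalid p tag, and tests the BIMI eligibility rule as assumed from the BIMI draft (p and sp at quarantine or reject, pct=100).

```python
from collections import Counter
ENFORCING = ("quarantine", "reject")

def parse_dmarc(txt):
    """Split a DMARC TXT record into tag/value pairs; None if it is not a DMARC record."""
    if not txt or not txt.strip().upper().startswith("V=DMARC1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt):
    """Map a record (None when the domain publishes none) onto the report's four buckets."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no record"
    policy = tags.get("p", "").lower()
    if policy in ENFORCING:
        return policy
    if policy == "none" or "rua" in tags:
        # RFC 7489 6.6.3: a missing or invalid p with a rua tag is treated as p=none
        return "monitor only"
    return "no record"  # unusable record: receivers apply no policy at all

def bimi_eligible(txt):
    """Assumed BIMI precondition (BIMI draft): p and sp at enforcement, pct=100."""
    tags = parse_dmarc(txt)
    if tags is None:
        return False
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()  # sp defaults to the organizational policy p
    return p in ENFORCING and sp in ENFORCING and tags.get("pct", "100") == "100"

def summarize(records):
    """Count domains per bucket, the per-index figures the report presents."""
    return dict(Counter(classify(txt) for txt in records.values()))

# Constructed sample records, not data from the report.
SAMPLE = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:d@quarantine.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:d@monitor.example",
    "typo.example": "v=DMARC1; p=rejct; rua=mailto:d@typo.example",  # invalid p, rua present
    "subdomain.example": "v=DMARC1; p=reject; sp=none",
    "norecord.example": None,
}
```

Note that quarantine.example is counted as protected yet fails the BIMI check because pct=50, and subdomain.example fails because sp=none leaves subdomains unenforced.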