Editor's Note: This article is Part 2 in a three-part series based on findings from the Q4 2018 Email Fraud & Identity Deception Trends report. Click here to read Part 1.
First there's the good news: 51% percent of Fortune 500 companies have adopted DMARC, the open email-authentication standard designed to prevent fraudsters from impersonating brands in email scams, according to the Email Fraud & Identity Deception Trends report from Agari.
The bad news? Just 13% have set up the DMARC enforcement policies needed to activate that protection. What's more, out of the 283 million registered public domains the study examined from July through October, only a tiny fraction have done the same.
And it shows. Email-based brand impersonations are up 11x since 2014. Every day, consumers and businesses are hit with 6.4 billion fraudulent emails that appear to come from brands they know and trust.
The objective of these malicious messages: to fool recipients into revealing sensitive information or making payments that secretly go to the con artists' bank accounts. Last year, consumers lost $172 billion through these and other forms of online fraud.
The Q4 Trends report from Agari is the largest analysis of DMARC adoption ever conducted. And it may offer the best look yet at corporate vulnerabilities to brand impersonation attacks.
The prognosis? While the data points to signs of progress, the rapidly escalating volume of email scams threatens serious damage to revenue growth, shareholder value, and long-term brand equity for the organizations these phishing campaigns impersonate.
From Trust—to Dust?
So what makes email-based brand impersonation so dangerous? For one thing, email remains every business's most important channel for communicating with customers and prospects.
In fact, despite the growth of newfangled options like texting, social media, and trendy messaging platforms, email is 40x more effective at acquiring new customers than these other channels. It generates $40 for every $1 spent—by far the highest of any digital medium. And 72% of consumers say they prefer email as their primary mode of communication with brands.
Unfortunately, fraudsters have noticed. While brand impersonation on mobile and social media platforms seems to generate more buzz these days, 80% of attacks come through email. One out of every 10 emails is now a scam, and in a recent survey, 25% of consumers said they’d opened phishing emails.
The damage done from these email-based brand impersonations extends far beyond victims who suffer direct, and often devastating, financial losses.
Even when a customer hasn't been personally defrauded, publicity about scams bearing your brand identity can mean they'll be hesitant to open the next legitimate email you do send. Email deliverability can nosedive, as can open rates. Social media buzz and Google searches mean the black-eye dealt to your brand may last a while—or even forever. DMARC is designed to help change all that.
DMARC & Identity Deception
Formally known as Domain-based Message Authentication, Reporting and Conformance, DMARC gives organizations unprecedented visibility into legitimate and fraudulent email being sent using their domain names.
By authenticating outbound emails claiming to come from your organization, DMARC stops billions of email-based brand impersonation attacks by enabling senders and receivers to exchange data that can help them detect and block scams.
In fact, when policies are set properly, DMARC helps ensure only authorized senders can use an organization's domain name in emails, and has been shown to drive phishing rates impersonating brands down to near zero.
How? By giving brands the ability to help email receiver systems recognize when an email isn't coming from a specific brand's approved domains, and giving them instructions regarding what to do with these unauthenticated email messages.
DMARC policy settings include "p=none," instructing the email receiver system to allow the email to be delivered anyway; and two enforcement settings, "p=quarantine" and "p=reject," which block the email from ever reaching its target.
.govs Ahead of the Fortune 500
It’s worth noting that the United States federal government now leads all industry verticals in DMARC adoption, with an 84% DMARC adoption rate. October 16 was the deadline to meet the Department of Homeland Security's Binding Operational Directive (BOD) 18-01, which mandates all executive branch domains must adopt DMARC and implement a reject policy.
More than 76% of agencies covered by the directive have implemented a reject policy, with remaining agencies expected to follow suit in coming weeks, putting them well ahead of most private sector organizations.
In its examination of more than 280 million domains, Agari identified an increase in DMARC adoption from 3.5 million domains in July to 5.3 million domains in October—a 51% jump, mostly from .com websites. While that's progress, it still means that just a little more than 2% of domains have DMARC records at all. Far fewer have set quarantine or reject policies.
Indeed, for all its gains, 87% of the Fortune 500 remains vulnerable to brand impersonation fraud—even as scams are surging.
But there's still reason for hope.
DMARC adoption is accelerating. And as you'll see in Part 3 of this series, Brand Indicators for Message Identification (BIMI) is an industry-wide standards effort that uses brand logos as an indicator that an email has been authenticated through the DMARC standard, offering an assurance to recipients that the message really did come from the brand.
Based on data captured in the Q4 report, BIMI is showing tremendous promise, and we expect adoption to gain traction in the months ahead.
To learn more about email-based brand impersonation scams and other advanced email threats, download a FREE copy of Q4 2018 Email Fraud & Identity Deception Trends from Agari.