Identity deception attacks continue to grow, but the type of attack seems to be changing. During Q3 2019, phishing campaigns impersonating brands dropped by 6% compared with the previous quarter. Attacks impersonating individuals, however, increased by 10%. The drop in brand impersonation may be partly related to increased industry adoption of DMARC, which is up 49% over the last year.
However, although DMARC is increasingly being implemented, it is not yet being used effectively. Only the "p=reject" enforcement option will protect against email-based brand impersonation scams. Germany and the U.S. are the two countries with the highest use of DMARC. Germany has a higher number of implementations than the U.S., but a lower percentage of DMARC records set to the p=reject enforcement level. This could improve over the next few years, since the recommended DMARC implementation plan is to start with p=none and work up to p=reject. For many companies, DMARC implementation may still be in its early stages.
In the meantime, however, the latest Agari Email Fraud & Identity Deception Trends report (PDF) notes that more than 80% of Fortune 500 companies have no DMARC protection. Although only 38% have no DMARC at all (down from 59% in the same quarter last year), 44% of those with DMARC have yet to set an enforcement level. "Currently," says Agari, "only 13% of the Fortune 500 has a DMARC record set to the p=reject enforcement policy."
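The categories the report counts (no DMARC at all, a record with no enforcement level, p=reject) can be read directly from the TXT record published at `_dmarc.<domain>`. The Python below is an added example, not code from Agari or from this article; it follows the record rules of RFC 7489, checks only that a `rua` tag is present rather than validating its URI, and the domains and records in `SAMPLES` are constructed.

```python
# Added example: classify DMARC TXT records by enforcement level (RFC 7489).
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The first tag must be v=DMARC1 (the value is case-sensitive).
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:  # skip fragments that are not tag=value
            tags[name.strip().lower()] = value.strip()
    return tags

def enforcement_level(txt_records):
    """Classify the TXT answers for _dmarc.<domain> by enforcement level."""
    found = [t for t in map(parse_dmarc, txt_records) if t is not None]
    # No record, or more than one, means receivers apply no DMARC policy.
    if len(found) != 1:
        return "no-dmarc"
    tags = found[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # A bad or missing p tag counts as p=none only if reports are requested.
        return "monitor-only" if tags.get("rua") else "no-dmarc"
    if policy == "none":
        return "monitor-only"
    # pct below 100 applies the policy to only a sample of failing mail.
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdecimal() and int(pct) <= 100 else 100
    return policy if pct == 100 else "partial-" + policy

SAMPLES = {  # constructed records for hypothetical domains
    "a.example": [],
    "b.example": ["v=spf1 -all", "v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=DMARC1; p=quarantine; pct=25"],
    "d.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@d.example"],
    "e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

def summarize(samples):
    """Map each domain to its enforcement level."""
    return {domain: enforcement_level(txts) for domain, txts in samples.items()}

if __name__ == "__main__":
    for domain, level in summarize(SAMPLES).items():
        print(f"{domain}: {level}")
```

Only `d.example` reaches the p=reject level; `e.example` publishes two records, which receivers treat the same as publishing none.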
DMARC is a bit like vaccination. Just because ten people have been vaccinated, that doesn't prevent you from being infected by an eleventh unvaccinated person. A 95% vaccination rate is required before health officials will consider a country safe from a particular disease. The same principle applies to phishing ..