BEC explodes as attackers exploit email’s identity crisis

850,000 domains worldwide now have DMARC records, a 5x increase since 2016, according to Valimail.

However, less than 17% of global DMARC records are at enforcement — meaning fake emails that appear to come from those domains are still arriving in recipients’ inboxes.

Among large companies, only one in five enterprise DMARC records is at enforcement, a significant factor in the wild success of business email compromise (BEC) attacks, which has produced more than $26 billion in losses in the past three years.

“The identity crisis of email has never been more apparent,” said Alexander García-Tobar, CEO of Valimail.

“Phishing is implicated in more than 90% of all cyberattacks, and the vast majority of phishing emails leverage impersonation. This is only possible due to email’s lack of robust sender identity validation.

“The sharp rise in DMARC records worldwide is promising, but the low rate of enforcement indicates there is a long way to go in establishing real trust in one of the world’s most common forms of communication.”

According to the research findings, less than half of large U.S. tech companies’ DMARC records are at enforcement, and in most industry categories, fewer than 10% of enterprise domains are protected from impersonation.

The U.S. government, which traditionally lags behind the private sector when it comes to security readiness, has achieved an impressive 93% of DMARC records at enforcement. This is up slightly from 91% since Valimail’s last research report, an indication that the government sector is proactively tackling the problem with email identity.

This research was compiled by analyzing tens of millions of publicly accessible records as well as aggregate data from billions of authentication requests.