TL;DR: Phishing has evolved from AOL credential theft in the mid-1990s to mass spoofing, malware delivery, and financially motivated campaigns that now target organisations at scale, according to DigiCert. The core failure remains trust in email identity, which means DMARC, training, and verified sender controls must be treated as governance, not hygiene.
At a glance
What this is: This is an overview of how phishing changed from early credential theft to modern spoofing and why email authentication is now a governance issue.
Why it matters: It matters because phishing still exploits identity trust, so IAM, PAM, and human access programmes need controls that reduce spoofing, not just user error.
By the numbers:
- From May 2004 to May 2005, 1.2 million victims in the United States had financial losses totaling $929 million from phishing.
- About 50% of all email traffic in 2020 was spam.
👉 Read DigiCert's blog post on how phishing and anti-spoofing strategies evolved
Context
Phishing is a trust problem before it is a content problem. The attacker’s goal is to impersonate a legitimate sender, convince a recipient to act, and turn that action into credential theft, fraud, or broader compromise. In identity terms, the attack works when humans are asked to authenticate trust from a message rather than from a controlled access boundary.
DigiCert’s timeline shows that phishing moved from stealing AOL usernames and passwords to spoofed eBay and PayPal emails, then to mass campaigns shaped by current events and workplace patterns. That evolution matters to IAM practitioners because email remains a primary identity entry point, and the controls around it now influence both human identity security and downstream NHI exposure. The starting point is a familiar one: most organisations still govern trust after a message is delivered rather than before it reaches the inbox.
The practical lesson is that phishing defence is no longer just awareness training. It is sender authentication, mailbox trust reduction, and identity-aware policy enforcement across email, federated access, and privileged workflows.
Key questions
Q: How should security teams reduce phishing risk without relying only on users?
A: They should combine user training with authenticated sender controls, mailbox policy enforcement, and access verification for sensitive actions. Training helps users spot obvious lures, but technical controls reduce the number of believable lures that reach them. The strongest programmes treat email trust as part of identity governance, not as a standalone awareness issue.
Q: Why does phishing remain effective even when employees are trained?
A: Phishing remains effective because attackers exploit urgency, familiarity, and normal business processes, which can overwhelm training in the moment. Users are being asked to judge authenticity from context alone. When the sender is not verified, the organisation is still depending on human suspicion instead of controlled trust signals.
Q: What do organisations get wrong about DMARC and phishing prevention?
A: Many teams treat DMARC as a deliverability project rather than an identity control. That misses its real value, which is to reduce sender spoofing and make unauthorised domain use visible. DMARC works best when it is part of a broader policy that also governs how users act on messages.
Q: How do email security controls affect human and non-human identity risk?
A: Email controls affect both because phishing often starts with human trust and ends with credential use in systems, APIs, or admin workflows. If a human account is compromised, attackers may reach shared credentials or service access next. That makes sender verification and privileged workflow design relevant to the full identity stack.
Technical breakdown
How email spoofing turns into identity compromise
Phishing succeeds by separating appearance from authentication. A forged message can mimic a brand, a business process, or a helpdesk request while bypassing the recipient’s instinctive trust checks. In practice, the attacker leverages human identity behaviour, then uses the resulting click, reply, or credential entry to move into accounts, payment systems, or internal services. That is why phishing should be treated as an identity attack path, not only a message-level nuisance. The more believable the sender context, the less likely the user is to challenge the request before acting.
Practical implication: reduce trust in unauthenticated email and require authenticated sender controls before users can act on sensitive requests.
Why DMARC changes the sender trust model
DMARC is an email authentication, policy, and reporting protocol built on SPF and DKIM. It tells receiving systems how to handle messages that claim to come from a domain but fail SPF or DKIM alignment with the visible From address. Its value is not just blocking spoofing. It also creates visibility into who is sending on behalf of a brand and where policy gaps still exist. For identity teams, that matters because phishing frequently depends on domain impersonation to create false legitimacy. If spoofed mail is still reaching users, the organisation has not yet closed the trust gap around its own identity surface.
Practical implication: enforce DMARC with reporting and escalation so spoofed domain use becomes measurable, not invisible.
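To make the alignment and policy logic concrete, here is an added example (not DigiCert’s or NHIMG’s code) of how a receiving mail system evaluates DMARC for a single message: it looks up the `_dmarc` record, falls back to the organizational domain for subdomains, checks SPF and DKIM alignment in relaxed or strict mode, and derives the disposition from `p=` or `sp=`. The DNS records, domains and `pct=` handling are assumptions for illustration; a production receiver would use real DNS and the Public Suffix List for organizational domains.

```python
# Added example (not DigiCert's or NHIMG's code): how a receiving mail system
# evaluates DMARC for one message. The DNS records and domains are constructed.
from typing import Optional

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-rua@example.com",
    "_dmarc.partner.test": "v=DMARC1; p=none; rua=mailto:dmarc@partner.test",
}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dictionary with RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p= when absent
    return tags


def organizational_domain(domain: str) -> str:
    """Last two labels; real receivers use the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup_policy(from_domain: str, dns: dict = DNS_TXT) -> Optional[dict]:
    """Query _dmarc.<From domain>, then fall back to the organizational domain."""
    for candidate in (from_domain, organizational_domain(from_domain)):
        record = dns.get(f"_dmarc.{candidate.lower()}")
        if record:
            tags = parse_dmarc_record(record)
            tags["_policy_domain"] = candidate.lower()
            return tags
    return None


def is_aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Alignment: the authenticated domain must equal the visible From domain
    (strict, 's') or share its organizational domain (relaxed, 'r')."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_domain: str, spf_pass_domain: Optional[str],
                   dkim_pass_domain: Optional[str], dns: dict = DNS_TXT) -> dict:
    """spf_pass_domain: the MAIL FROM domain if SPF returned pass, else None.
    dkim_pass_domain: the d= of a DKIM signature that verified, else None.
    Returns the DMARC result and the disposition the published policy requests."""
    tags = lookup_policy(from_domain, dns)
    if tags is None:
        return {"result": "none", "disposition": "none", "reason": "no DMARC record"}
    spf_aligned = is_aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_aligned = is_aligned(from_domain, dkim_pass_domain, tags["adkim"])
    passed = spf_aligned or dkim_aligned
    # sp= applies when the From domain is a subdomain of the domain whose
    # record was used. pct= sampling is omitted in this example.
    is_subdomain = from_domain.lower() != tags["_policy_domain"]
    policy = tags["sp"] if is_subdomain else tags["p"]
    return {
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
    }


if __name__ == "__main__":
    # Legitimate bounce subdomain with relaxed SPF alignment: DMARC passes.
    print(evaluate_dmarc("example.com", "bounce.example.com", None))
    # Spoofed From with the sender's own SPF/DKIM domain: policy says reject.
    print(evaluate_dmarc("example.com", "mail.other.test", "other.test"))
    # Unlisted subdomain falls back to the org record; sp=quarantine applies.
    print(evaluate_dmarc("news.example.com", None, None))
```

The third case is the one identity teams most often miss: a subdomain with no record of its own inherits the organizational record, and a weaker `sp=` silently lowers the bar for anyone spoofing that subdomain.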
Why training alone does not solve modern phishing
Awareness training helps users recognise suspicious messages, but it cannot compensate for weak sender validation or inconsistent mail handling. Modern phishing campaigns exploit current events, remote work habits, and normal business workflows, which means the attacker is often targeting behaviour that training cannot reliably suppress under pressure. In identity governance terms, training is a compensating control, not the primary control. The primary control is whether the organisation can prove that a message, sender domain, and follow-on access request are legitimate before a human decision is required.
Practical implication: pair training with technical sender verification and risk-based access controls so human judgment is not the only defence.
Threat narrative
Attacker objective: The attacker’s objective is to convert message trust into credential access, financial gain, or a foothold for wider compromise.
- Entry occurs when the attacker sends spoofed or malicious email that appears to come from a trusted brand or internal process, creating a believable initial touchpoint.
- Credential access or abuse follows when the recipient clicks a link, enters credentials, or responds to the message, handing the attacker account access or sensitive data.
- Impact emerges through financial loss, account compromise, or further fraud, with phishing at scale creating broad organisational exposure and user trust erosion.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- Emerald Whale breach — exposed Git config files led to 15K secrets stolen and 10K repo compromises.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Email trust is now an identity governance problem, not a mailbox problem. The article’s history shows that phishing has always depended on a misplaced assumption that users can reliably distinguish real from fake sender context. That assumption fails as soon as attackers can mimic brands, workflows, and urgency at scale. Practitioners should treat sender authentication and downstream access controls as part of the same governance boundary.
DMARC addresses spoofing, but it does not close the full trust chain. Email authentication reduces one attack path, yet the article also shows that phishing evolved because attackers moved with user behaviour and business context. That means identity governance must extend beyond blocked messages to the access decisions that follow them. The practical conclusion is that email trust controls and session-level verification need to be aligned.
Phishing pressure exposes weak links across human identity and NHI governance. A stolen human credential often becomes the start of a wider chain that reaches shared accounts, service integrations, or admin workflows. That is why phishing cannot be isolated to awareness programmes alone. The governance response must connect mail authentication, privileged access, and non-human access paths into one risk model.
Identity trust debt accumulates when organisations rely on user suspicion instead of verified sender signals. The concept is simple: every message that looks legitimate but is not authenticated increases the burden on humans to detect fraud. Over time, that creates an unmanageable trust deficit. Practitioners should read phishing trends as evidence that controls are lagging behind attacker realism.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- In the same research, 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, which shows how quickly identity trust issues spread beyond the inbox.
- The 52 NHI breaches Report is the next resource to use when you want breach patterns, root causes, and identity-specific failure modes beyond phishing.
What this signals
Phishing programmes now sit inside a broader identity trust problem. As more access decisions depend on messages, links, and external workflows, security teams need to ask where the organisation still accepts identity claims without verification. The practical signal is simple: if sender authentication and access verification are managed separately, attackers can still bridge them.
Sender trust debt: every spoofable domain, unmanaged third-party mail path, and approval flow that starts in email increases the burden on human judgment. That is a governance gap, not just a detection problem. Teams should map which business processes still treat inbox trust as sufficient proof of identity and close those paths first.
The pattern also reaches NHI governance because a phishing-led human compromise frequently becomes the bridge to tokens, service accounts, and delegated access. If your IAM programme does not connect mail security, privileged access, and non-human credentials, it is leaving the attacker’s easiest escalation path intact. The signal to watch is whether email-triggered events can still create access without independent verification.
For practitioners
- Enforce authenticated sender policy: Require DMARC alignment for domains that send to employees or customers, and escalate failures instead of treating them as deliverability noise.
- Separate awareness from access decisions: Use phishing training to reduce click risk, but back it with conditional access, step-up verification, and tighter approval paths for sensitive actions.
- Review privileged workflows for email dependency: Identify admin resets, payment approvals, and support escalations that still rely on email as the trust anchor, then replace them with verified channels.
- Audit third-party sender surfaces: Check which vendors, SaaS tools, and outsourced services can send on your behalf and remove unauthorised mail paths before they become spoofing cover.
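The first and last items above (escalate DMARC failures; audit who can send on your behalf) both come from the same data source: the DMARC aggregate (RUA) reports that receivers send to the `rua=` address. This added example (not DigiCert’s or NHIMG’s code) parses a constructed RUA report and produces two lists: failing sources that need an owner rather than a deliverability ticket, and DKIM-aligned third parties whose SPF domain is not yours. The report, IP addresses and domain names are constructed for illustration.

```python
# Added example (not DigiCert's or NHIMG's code): summarising a DMARC aggregate
# (RUA) report so spoofing attempts and unvetted third-party senders become
# visible. The report XML is constructed; IPs come from documentation ranges.
import xml.etree.ElementTree as ET  # for reports from untrusted mailboxes, parse with defusedxml

SAMPLE_RUA_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>saas-vendor.test</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulk-sender.test</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_rua(xml_text: str) -> dict:
    """Flatten one aggregate report into per-source rows plus totals.
    policy_evaluated/dkim and /spf already reflect alignment, so a row passes
    DMARC when either of them is 'pass'."""
    root = ET.fromstring(xml_text)
    sources = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        sources.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dmarc_pass": "pass" in (ev.findtext("dkim"), ev.findtext("spf")),
            "disposition": ev.findtext("disposition"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    total = sum(s["count"] for s in sources)
    failed = sum(s["count"] for s in sources if not s["dmarc_pass"])
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": total,
        "failed": failed,
        "sources": sources,
    }


def escalation_candidates(summary: dict) -> list:
    """Sources that failed DMARC, largest first. Each is either spoofing or an
    unvetted mail path using the domain, and needs an owner assigned."""
    failing = [(s["source_ip"], s["count"], s["spf_domain"])
               for s in summary["sources"] if not s["dmarc_pass"]]
    return sorted(failing, key=lambda t: -t[1])


def third_party_senders(summary: dict, own_domain: str) -> list:
    """Senders that pass DMARC via DKIM while using their own SPF domain: the
    audit list of vendors currently authorised to send as the domain."""
    return sorted({s["spf_domain"] for s in summary["sources"]
                   if s["dmarc_pass"] and s["spf_domain"]
                   and not s["spf_domain"].endswith(own_domain)})


if __name__ == "__main__":
    report = summarize_rua(SAMPLE_RUA_REPORT)
    print(f"{report['domain']} p={report['policy']}: {report['failed']}/{report['total']} messages failed")
    print("escalate:", escalation_candidates(report))
    print("third parties sending as us:", third_party_senders(report, "example.com"))
```

Running this over a day’s reports from each receiver gives the measurable view the article asks for: failures are attributed to a source and a claimed SPF domain, and the vendor list can be reconciled against procurement records rather than discovered after a spoofing incident.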
Key takeaways
- Phishing has evolved from simple credential theft into a broad identity trust attack that now affects both users and downstream access paths.
- The scale is material, with public data in the article citing $929 million in U.S. losses in one year and $2 billion in annual organisational losses.
- DMARC, verified sender policy, and access controls for sensitive workflows are the controls that reduce dependence on human judgment alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AT-1 | User awareness is central because phishing exploits human decision-making. |
| NIST CSF 2.0 | PR.AC-4 | Phishing often becomes access abuse after credentials are captured. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | Phishing weakens implicit trust in messages and access requests. |
Train users on phishing patterns, then pair that training with controls that reduce spoofed email reaching inboxes.
Key terms
- Phishing: Phishing is a deceptive message-based attack that tries to make a person reveal credentials, transfer money, or approve an action. It usually works by imitating a trusted brand or process, then using urgency or familiarity to bypass normal caution and create an identity compromise path.
- DMARC: DMARC is an email authentication and policy framework that helps receiving systems decide whether a message claiming to come from a domain is legitimate. It reduces spoofing, provides reporting on sender use, and gives organisations a way to make email trust more measurable and enforceable.
- Sender spoofing: Sender spoofing is the practice of forging an email so that it appears to come from a trusted domain, person, or service when it does not. In identity security terms, it exploits the gap between message appearance and authenticated origin, which is why it remains a core phishing enabler.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: From the 90s to Today - How Phishing, and the Strategies to Combat it, Have Evolved Over Time. Read the original.
Published by the NHIMG editorial team on 2026-02-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org