TL;DR: Phishing remains a high-volume identity attack, with spam email accounting for just over 50% of global email traffic in 2020 and PhishLabs reporting a 47% rise in phishing attempts from 2020 to 2021, according to DigiCert. The real lesson is that user caution helps, but domain authentication, browser trust signals, and access scoping now carry most of the defensive load.
At a glance
What this is: This is a phishing-scam guide that pairs user-level tips with domain authentication and browser trust controls to reduce credential theft and impersonation risk.
Why it matters: It matters because phishing still targets human identity, and the same trust failures also create downstream NHI, access, and certificate governance problems for IAM teams.
By the numbers:
- In 2020, spam emails averaged just over 50% of all global email traffic.
- PhishLabs identified a 47% increase in phishing attempts from 2020 to 2021.
👉 Read DigiCert's 10 tips for avoiding phishing scams and enabling DMARC
Context
Phishing is a social engineering problem that abuses trust in email, web pages, and direct messages to steal credentials or other sensitive information. For IAM teams, that means the attack is not only about user vigilance, but about whether authentication signals, certificate warnings, and access boundaries give people any reliable way to distinguish legitimate sessions from impersonation.
The article’s core point is that individual caution is necessary but insufficient. Organisations need controls such as DMARC, trusted certificate handling, browser protections, and least-privilege access patterns so a single deceptive message does not become account compromise, brand abuse, or broader identity exposure.
Key questions
Q: How should organisations reduce phishing risk without relying only on user training?
A: Use layered controls that validate sender identity and reduce the chance of successful impersonation. DMARC, aligned SPF and DKIM, browser protections, and least-privilege access reduce the number of decisions a user must make under pressure. Training still matters, but it should support technical controls rather than substitute for them.
Q: Why do phishing emails still work even when users know the warning signs?
A: They work because attackers do not need perfect deception, only enough realism to defeat attention in the moment. Familiar brands, urgent language, and lookalike interfaces exploit routine behaviour and trust shortcuts. The issue is not ignorance alone, but the mismatch between human judgment and the speed of modern social engineering.
Q: When should organisations prioritise DMARC over more user-awareness training?
A: Prioritise DMARC when spoofed mail, brand impersonation, or executive lookalike abuse is a recurring risk. Awareness training helps people notice suspicious messages, but DMARC changes whether spoofed mail reaches the inbox in the first place. That makes it a higher-leverage control when email is the main attack path.
Q: Who is accountable when phishing leads to account compromise?
A: Accountability is shared, but security leadership owns the control environment that made impersonation succeed. Email authentication, browser trust configuration, access scoping, and incident reporting are governance responsibilities, not just end-user habits. If phishing can repeatedly turn into compromise, the control model is failing at the organisational level.
Technical breakdown
How phishing exploits trust in web sessions and email
Phishing works by making a fraudulent message or page look enough like the real thing that a user behaves as if the session is legitimate. Attackers rely on familiar brands, urgent language, and lookalike links to capture credentials, payment data, or personal information. The technical weakness is not just deception. It is the gap between what the user thinks is authenticated and what the browser, mail system, or domain infrastructure can actually prove. That is why phishing remains effective even when users know the basic scam patterns.
Practical implication: treat user awareness as a last line of defence, not the primary control.
Why certificate and browser warnings still matter
Browser warnings, HTTPS indicators, and certificate validation are often ignored because users experience them as noise. But those signals are among the few runtime trust checks that can interrupt a phishing flow before credentials are entered. When organisations train people to bypass warnings reflexively, they weaken the only visible control many users see during a malicious session. Secure browsing is therefore an identity control as much as a web control, because it helps confirm whether the counterparty is actually who it claims to be.
Practical implication: harden browser trust settings and train users to stop on certificate anomalies.
How DMARC and verified sender identity reduce spoofing
DMARC improves email trust by checking whether a message claiming to come from a domain is actually authorised to do so. Combined with aligned SPF and DKIM, it gives receiving systems a policy basis for rejecting or quarantining spoofed mail. The article’s mention of Verified Mark Certificates adds a human-recognition layer, allowing authenticated organisations to display branded indicators in supported inboxes. This does not stop all phishing, but it narrows the space in which spoofing can masquerade as legitimate business communication.
Practical implication: enforce DMARC at the policy level and use sender authentication to reduce brand impersonation.
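As an added illustration of the DMARC evaluation described above (it also covers the "Enforce domain authentication for outbound mail" item under For practitioners), the following Python is example code written for this post, not DigiCert's or any mail vendor's implementation. It assumes a constructed DNS stand-in (DNS_TXT) holding a record for the made-up domain example.com, and it simplifies the organisational-domain lookup to the last two labels, where a real receiver would consult the Public Suffix List.

```python
"""Evaluate DMARC for one message from the SPF and DKIM results an MTA already has.

Steps mirror RFC 7489: find the policy record, check identifier alignment
against the visible From domain, then derive a disposition from p= / sp=.
"""
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups; example.com is a made-up sender domain.
DNS_TXT = {
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc-reports@example.com"
    ),
}


@dataclass
class AuthResults:
    """What the receiver knows before DMARC runs."""
    from_domain: str   # domain of the RFC5322.From header, the one the user sees
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated for
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the DKIM signature (empty if unsigned)


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict; {} if not a valid record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return {}
    tags.setdefault("adkim", "r")     # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (assumption for this
    example; real receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookup_policy(from_domain: str, dns=DNS_TXT):
    """Exact From-domain record first, then the organisational domain's record.
    Returns (policy_tags, is_subdomain)."""
    from_domain = from_domain.lower()
    policy = parse_dmarc_record(dns.get(f"_dmarc.{from_domain}", ""))
    if policy:
        return policy, False
    org = org_domain(from_domain)
    policy = parse_dmarc_record(dns.get(f"_dmarc.{org}", ""))
    return policy, bool(policy) and org != from_domain


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(results: AuthResults, dns=DNS_TXT) -> dict:
    """Return the DMARC result and the disposition the receiver should apply."""
    policy, is_subdomain = lookup_policy(results.from_domain, dns)
    if not policy:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record published"}
    spf_ok = results.spf_result == "pass" and aligned(results.from_domain, results.spf_domain, policy["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(results.from_domain, results.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none",
                "reason": "aligned " + ("SPF" if spf_ok else "DKIM") + " identifier"}
    disposition = policy["sp"] if is_subdomain else policy["p"]
    return {"dmarc": "fail", "disposition": disposition,
            "reason": "no authenticated identifier aligned with the From domain"}


if __name__ == "__main__":
    spoof = AuthResults("example.com", "pass", "bulk-sender.example.net", "pass", "bulk-sender.example.net")
    print(evaluate_dmarc(spoof))  # SPF and DKIM both pass, but neither aligns with the From domain: reject
```

Two behaviours are worth noticing. A message can pass SPF and DKIM outright and still fail DMARC, because the identifiers that passed belong to a different organisation than the From domain the recipient sees; that is exactly the spoofing case the section above describes. And mail From a subdomain with no record of its own falls back to the organisational record's sp= policy, so a domain left at p=none (monitoring only) offers the receiver no basis to quarantine or reject, which is why enforcement rather than monitoring is the practical goal.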
NHI Mgmt Group analysis
Phishing is still an identity control failure, not just a user behaviour problem. The article correctly frames phishing as trust exploitation, but the deeper issue is that organisations still lean too heavily on end-user discernment. When spoofed email, browser warnings, and lookalike sessions are the main battleground, identity assurance has already slipped upstream. The practitioner conclusion is that phishing defence has to be treated as a control architecture problem, not a training reminder.
DMARC is a governance control for sender identity, not a branding feature. The article treats Verified Mark Certificates as a trust signal, but the important point is that sender authentication creates enforceable rules around who can speak for a domain. That matters because spoofed mail often succeeds before any security team sees an incident. The practitioner conclusion is that domain-level identity proofs belong in the core email security stack, not the marketing layer.
Trust boundary erosion: Phishing succeeds when users are trained to ignore the very signals meant to distinguish legitimate sessions from counterfeit ones. That assumption was designed for low-volume warning environments, not for today’s constant stream of branded deception. The implication is that organisations must rethink how trust is conveyed in the browser and inbox, because human judgement alone cannot carry the decision load.
Least privilege still matters because phishing usually needs a second step after compromise. The article’s advice to use standard user accounts reflects an identity principle that remains sound: reduce the blast radius of any captured credential. That is especially relevant where email compromise becomes lateral movement into corporate systems, SaaS accounts, or privileged workflows. The practitioner conclusion is to make stolen credentials less useful by constraining their reach from the start.
Named concept: phishing trust debt. The more often people are asked to override warnings, inspect links manually, or guess whether a sender is real, the more trust debt the organisation accumulates. That debt is paid when a convincing message lands at the right time and the wrong account. The practitioner conclusion is to reduce the number of human trust decisions required per message.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
- For teams extending phishing defence into NHI and access governance, the Ultimate Guide to NHIs and The NHI Market help frame the broader identity security tooling landscape.
What this signals
Phishing defence is converging with identity governance. As more attack paths move from inbox deception to account compromise, the programme question is no longer whether users can spot scams, but whether domain authentication, session trust, and access scoping reduce the downstream blast radius. For practitioners, that means phishing controls should be reviewed alongside IAM, not only in awareness training.
Phishing trust debt: every time users are trained to override warnings, the organisation accumulates a hidden governance liability. That liability becomes visible when a convincing message succeeds at scale, because the inbox has been conditioned to tolerate uncertainty. Teams should treat warning fatigue as an operational metric, not a soft usability concern.
For IAM and security leaders, the practical signal is whether email authentication and browser trust settings are enforced consistently across the enterprise, including subsidiaries and third-party mail flows. If spoofed mail still reaches users with convincing fidelity, the control model is failing before the user ever sees the message.
For practitioners
- Enforce domain authentication for outbound mail: Deploy DMARC with aligned SPF and DKIM so receiving systems can reject or quarantine spoofed messages that claim your domain. Move policy toward enforcement, not monitoring only, and review mailbox vendors and business units that still bypass the control.
- Reduce user exposure to warning fatigue: Tune browser and email security settings so certificate errors, secure transport failures, and suspicious sender indicators are visible and actionable. Pair that with short, repeatable user guidance on when to stop and verify rather than click through.
- Limit the value of a stolen credential: Use standard user accounts for everyday work and reserve administrative access for explicit tasks. That reduces the damage if a phishing campaign captures a password or session token and keeps the compromise from immediately becoming elevated access.
- Report and triage phishing centrally: Create a simple reporting path for suspicious mail and ensure security teams can rapidly inspect sender identity, URLs, and domain lookalikes. Include operational links to the Anti-Phishing Working Group and internal abuse handling so reports are actionable.
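To show what "rapidly inspect sender identity, URLs, and domain lookalikes" can look like inside a central reporting workflow, here is an added Python example written for this post; it is not code from DigiCert or from NHI Mgmt Group's own tooling. The protected brand domains (example.com, example-bank.com) and the reported sender domains are constructed, and the confusable table covers only a handful of common substitutions (an assumption, not a full Unicode confusables list). The registrable-domain split uses the last two labels, the same simplification a real tool would replace with the Public Suffix List.

```python
"""Triage reported sender domains against a list of protected brand domains.

Flags exact matches, confusable-character lookalikes, near-miss spellings and
brand names embedded in unrelated domains, so a reviewer sees the likely
impersonation target next to each report.
"""
import unicodedata

# Constructed brand list for this example; not real protected domains.
PROTECTED = ("example.com", "example-bank.com")

# Small confusable table (assumption): multi-character pairs first so "rn" -> "m"
# is folded before single characters are.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so accented lookalikes can be compared."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA; compare as given


def skeleton(text: str) -> str:
    """Reduce a label to a comparison form: lowercase, strip accents, fold confusables."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(sender_domain: str, protected=PROTECTED) -> dict:
    """Classify one reported domain as protected, lookalike or unrelated."""
    uni = to_unicode(sender_domain).lower().rstrip(".")
    registrable = ".".join(uni.split(".")[-2:])  # last two labels (assumption; real tools use the PSL)
    if registrable in protected:
        return {"domain": sender_domain, "verdict": "protected", "brand": registrable,
                "reason": "registrable domain is a protected brand"}
    label_sk = skeleton(registrable.split(".")[0])
    flat = skeleton(uni).replace(".", "").replace("-", "")  # whole name with separators removed
    for brand in protected:
        brand_sk = skeleton(brand.split(".")[0])
        if label_sk == brand_sk:
            return {"domain": sender_domain, "verdict": "lookalike", "brand": brand,
                    "reason": "confusable characters resolve to the brand name"}
        distance = levenshtein(label_sk, brand_sk)
        if distance <= 2 and len(brand_sk) >= 5:  # short brand names would over-flag at this threshold
            return {"domain": sender_domain, "verdict": "lookalike", "brand": brand,
                    "reason": f"edit distance {distance} from the brand name"}
        if brand_sk.replace("-", "") in flat:
            return {"domain": sender_domain, "verdict": "lookalike", "brand": brand,
                    "reason": "brand name embedded in an unrelated domain"}
    return {"domain": sender_domain, "verdict": "unrelated", "brand": None,
            "reason": "no protected brand matched"}


def triage_batch(domains):
    """Run triage over a list of reported sender domains."""
    return [triage(d) for d in domains]


if __name__ == "__main__":
    # Constructed sample of reported sender domains; the last-but-one is "ex\u00e4mple.com"
    # (accented a) in its punycode form, as it would appear in a raw header.
    REPORTED = ["mail.example.com", "examp1e.com", "exarnple.com", "exmaple.com",
                "example.com.login-portal.net", "ex\u00e4mple.com".encode("idna").decode("ascii"),
                "unrelated-vendor.net"]
    for row in triage_batch(REPORTED):
        print(f"{row['verdict']:10} {row['domain']:32} {row['reason']}")
```

The point of the skeleton step is that a reviewer reading raw headers sees "xn--" labels, digit-for-letter swaps and "rn" for "m", none of which a simple string comparison catches; folding them first is what makes the comparison useful in triage, while the verdict and reason fields give the analyst something to act on rather than a bare score.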
Key takeaways
- Phishing persists because it attacks trust in identity signals, not just user awareness.
- Email authentication, browser warnings, and least-privilege access reduce the impact of a successful phish more effectively than training alone.
- Organisations that still treat phishing as a user problem are underinvesting in the controls that actually limit impersonation and account compromise.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Phishing succeeds through identity and access confusion at the point of authentication. |
| NIST SP 800-63 | | Email and session trust intersect with digital identity assurance for human users. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Phishing often creates access pathways that zero trust should constrain. |
Strengthen identity proofing and access controls so impersonation is less likely to become compromise.
Key terms
- Phishing: Phishing is a social engineering attack that impersonates a trusted person or service to trick users into revealing data or credentials. It works by abusing trust signals in email, web pages, or messages, then using the stolen information for fraud, theft, or account takeover.
- DMARC: Domain-based Message Authentication, Reporting and Conformance is an email authentication policy that helps receiving systems judge whether a message claiming to come from a domain is authorised. It reduces spoofing by combining authentication results with a domain owner’s stated enforcement policy.
- Verified Mark Certificate: A Verified Mark Certificate is a certificate that lets an organisation display validated brand markers in supported email clients. It adds a recognisable trust signal for recipients, but only after the message has already passed authentication checks such as DMARC alignment.
- Certificate warning: A certificate warning is a browser or client alert that the site’s trust properties do not match expected security requirements. In phishing defence, these warnings matter because they can interrupt a fake session before credentials are submitted, if users are trained not to dismiss them reflexively.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: 10 tips to avoid phishing scams. Read the original.
Published by the NHIMG editorial team on 2026-02-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org