TL;DR: Account takeover fraud cost e-commerce businesses and retail banks $11.4 billion in 2022, up 90% year over year, according to DigiCert’s source article citing Javelin Strategy & Research. Visible sender trust cues matter because recipients make trust decisions in seconds, and hidden authentication signals leave phishing and impersonation harder to spot.
NHIMG editorial — based on content published by DigiCert: Helping Users Avoid Account Takeover
Questions worth separating out
Q: How should organisations reduce account takeover risk in email channels?
A: Start by enforcing DMARC, then add visible trust signals such as BIMI and certificate-backed sender validation where mailbox providers support them.
Q: Why do DMARC and BIMI need to work together?
A: DMARC validates the message path, but BIMI helps users see that validation in the inbox.
Q: What breaks when email authentication is invisible to users?
A: Users are left to judge trust from appearance alone, which makes them more likely to open malicious messages from lookalike domains or fake brands.
Practitioner guidance
- Enforce DMARC at reject or quarantine Move beyond monitoring-only DMARC policies and require handling that blocks unauthenticated lookalike mail before it reaches users.
- Deploy BIMI only after authentication is stable Use BIMI after SPF, DKIM, and DMARC alignment are consistently operating, so the visual indicator reflects a verified sender rather than a cosmetic badge.
- Validate certificate and trademark ownership Make sure the organisation can prove both domain ownership and trademark rights before pursuing Verified Mark Certificates, because the certificate depends on that proof chain.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Header-level examples showing how authentication results appear in real email flows
- Walkthrough of how DMARC, BIMI, and VMCs combine to produce visible sender trust
- Practical explanation of how mailbox providers decide whether to display a brand logo
- Discussion of why trademark validation raises the bar for impersonation
👉 Read DigiCert's analysis of BIMI, VMCs, and account takeover risk →
Email authenticity and account takeover: are your controls keeping up?
Explore further
Visible email trust is now part of identity assurance, not a branding garnish. Mail authentication that stays hidden from users still leaves the final trust decision to human instinct, which attackers exploit with lookalike domains and urgency cues. DMARC is necessary, but it does not close the gap between protocol validation and human recognition. Practitioners should treat visible sender authentication as a control that sits alongside identity verification, not outside it.
A few things that frame the scale:
- 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities. That confidence gap matters because identity programmes often treat machine trust as easier to automate than human trust, even when the opposite is true.
- Another finding from the same research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which leaves delegated access and sender-adjacent trust chains under-monitored.
A question worth separating out:
Q: Who is accountable when email impersonation leads to account takeover?
A: Accountability sits with the organisation that owns the sender domain, the security team operating mail authentication, and the business owners responsible for customer communication. If brand trust is weak, those functions have to coordinate the controls and maintain them over time.
👉 Read our full editorial: Account takeover risk persists when email trust stays invisible