Email authenticity and account takeover: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator

TL;DR: Account takeover fraud cost e-commerce businesses and retail banks $11.4 billion in 2022, up 90% year over year, according to DigiCert’s source article citing Javelin Strategy & Research. Visible sender trust cues matter because recipients make trust decisions in seconds, and authentication signals that stay hidden in headers make phishing and impersonation harder for them to spot.

NHIMG editorial — based on content published by DigiCert: Helping Users Avoid Account Takeover

Questions worth separating out

Q: How should organisations reduce account takeover risk in email channels?

A: Start by enforcing DMARC, then add visible trust signals such as BIMI and certificate-backed sender validation where mailbox providers support them.

Q: Why do DMARC and BIMI need to work together?

A: DMARC validates the message path, but BIMI helps users see that validation in the inbox.

Q: What breaks when email authentication is invisible to users?

A: Users are left to judge trust from appearance alone, which makes them more likely to open malicious messages from lookalike domains or fake brands.

Practitioner guidance

  • Enforce DMARC at reject or quarantine: move beyond monitoring-only DMARC policies and require handling that blocks unauthenticated lookalike mail before it reaches users.
  • Deploy BIMI only after authentication is stable: use BIMI after SPF, DKIM, and DMARC alignment are consistently operating, so the visual indicator reflects a verified sender rather than a cosmetic badge.
  • Validate certificate and trademark ownership: make sure the organisation can prove both domain ownership and trademark rights before pursuing Verified Mark Certificates, because the certificate depends on that proof chain.
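The first two points above describe an ordering check a sending domain can run on itself: DMARC must be at an enforcing policy before a BIMI record is worth publishing. The Python below is an added illustration written for this post, not DigiCert's code; the TXT record strings are constructed samples rather than live DNS answers, and the BIMI tag names (`l=` logo, `a=` evidence/VMC) follow the public BIMI draft.

```python
"""Offline readiness check: is DMARC enforcing strongly enough for BIMI?"""

# Constructed sample records (not real DNS data).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
BIMI_RECORD = "v=BIMI1; l=https://example.com/brand.svg; a=https://example.com/vmc.pem"


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' TXT record (DMARC or BIMI) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(record: str) -> tuple[bool, list[str]]:
    """Return (ready, reasons). BIMI expects p=quarantine or p=reject,
    pct=100 (no partial rollout) and a subdomain policy that is not 'none',
    so lookalike subdomains cannot ride on the parent's logo."""
    tags = parse_tags(record)
    reasons = []
    if tags.get("v") != "DMARC1":
        reasons.append("not a DMARC1 record")
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        reasons.append(f"policy p={policy or 'missing'} is monitoring-only")
    pct = tags.get("pct", "100")
    if pct != "100":
        reasons.append(f"pct={pct} leaves part of the mail stream unenforced")
    if tags.get("sp", policy) == "none":
        reasons.append("sp=none leaves subdomains open to spoofing")
    return (not reasons, reasons)


def bimi_ready(dmarc_record: str, bimi_record: str) -> dict:
    """Combine the DMARC check with the published BIMI record. Logo display
    is provider-specific; some mailbox providers also require the a= (VMC) tag."""
    ok, reasons = dmarc_enforcing(dmarc_record)
    bimi = parse_tags(bimi_record)
    logo = bimi.get("v") == "BIMI1" and bimi.get("l", "").startswith("https://")
    vmc = bimi.get("a", "").startswith("https://")
    return {"dmarc_enforcing": ok, "dmarc_issues": reasons,
            "logo_declared": logo, "vmc_declared": vmc,
            "display_eligible": ok and logo}


if __name__ == "__main__":
    print(bimi_ready(MONITOR_ONLY, BIMI_RECORD))  # not eligible: p=none
    print(bimi_ready(ENFORCED, BIMI_RECORD))      # eligible, VMC declared
```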

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Header-level examples showing how authentication results appear in real email flows
  • Walkthrough of how DMARC, BIMI, and VMCs combine to produce visible sender trust
  • Practical explanation of how mailbox providers decide whether to display a brand logo
  • Discussion of why trademark validation raises the bar for impersonation

👉 Read DigiCert's analysis of BIMI, VMCs, and account takeover risk →
