TL;DR: Phishing remains a high-volume identity attack: according to DigiCert, spam email accounted for just over 50% of global traffic in 2020, and PhishLabs reported a 47% rise in phishing attempts from 2020 to 2021. The real lesson is that user caution helps, but domain authentication, browser trust signals, and access scoping now carry most of the defensive load.
NHIMG editorial — based on content published by DigiCert: 10 tips to avoid phishing scams
By the numbers:
- In 2020, spam emails averaged just over 50% of all global email traffic.
- PhishLabs identified a 47% increase in phishing attempts from 2020 to 2021.
Questions worth separating out
Q: How should organisations reduce phishing risk without relying only on user training?
A: Use layered controls that validate sender identity and reduce the chance of successful impersonation.
Q: Why do phishing emails still work even when users know the warning signs?
A: They work because attackers do not need perfect deception, only enough realism to defeat attention in the moment.
Q: When should organisations prioritise DMARC over more user-awareness training?
A: Prioritise DMARC when spoofed mail, brand impersonation, or executive lookalike abuse is a recurring risk.
Practitioner guidance
- Enforce domain authentication for outbound mail: deploy DMARC with aligned SPF and DKIM so receiving systems can reject or quarantine spoofed messages that claim your domain.
- Reduce user exposure to warning fatigue: tune browser and email security settings so certificate errors, secure transport failures, and suspicious sender indicators are visible and actionable.
- Limit the value of a stolen credential: use standard user accounts for everyday work and reserve administrative access for explicit tasks.
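The DMARC point above hinges on "alignment": SPF or DKIM passing is not enough on its own; the domain that passed must match the visible From: domain under the policy's strict or relaxed rules, and only then does the receiver decide between delivering, quarantining, or rejecting. The following script is an added example written for this post (not DigiCert's code or a receiver's actual implementation). It parses a DMARC TXT record, checks SPF and DKIM alignment against the header From domain, and returns the resulting disposition. All domains, records, and authentication results are constructed, and the organizational-domain check is a two-label simplification where a real receiver would consult the Public Suffix List.

```python
"""Apply a DMARC policy record to a message's authentication results.

Added example, not part of the original post. Every record, domain and
result below is constructed for illustration.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # RFC 7489 defaults: relaxed alignment for both, policy 'none' if omitted.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain as the last two labels.

    Simplification for the example: production receivers use the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """Constructed stand-in for what SPF and DKIM verification produced."""
    header_from: str   # domain in the visible From: header
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # MAIL FROM (envelope) domain that SPF evaluated
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the verified DKIM signature


def evaluate_dmarc(record: str, results: AuthResults) -> dict:
    """Return alignment outcome and the disposition the policy asks for."""
    policy = parse_dmarc_record(record)
    spf_ok = (results.spf_result == "pass"
              and aligned(results.header_from, results.spf_domain, policy["aspf"]))
    dkim_ok = (results.dkim_result == "pass"
               and aligned(results.header_from, results.dkim_domain, policy["adkim"]))
    passed = spf_ok or dkim_ok  # DMARC passes if either aligned mechanism passes
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy["p"],
    }


# Constructed policy: reject on failure, relaxed SPF alignment, strict DKIM alignment.
EXAMPLE_RECORD = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc-reports@example.com"

# Legitimate mail: bounce subdomain passes SPF (relaxed-aligned), DKIM d= is a
# subdomain so it fails strict alignment, but SPF alone is enough to pass.
LEGIT = AuthResults("example.com", "pass", "bounce.example.com", "pass", "mail.example.com")

# Spoofed mail: SPF passes for the sender's own infrastructure, which does not
# align with the claimed From: domain, and there is no DKIM signature.
SPOOFED = AuthResults("example.com", "pass", "unrelated-sender.net", "none", "")

if __name__ == "__main__":
    print("legit  ->", evaluate_dmarc(EXAMPLE_RECORD, LEGIT))
    print("spoofed->", evaluate_dmarc(EXAMPLE_RECORD, SPOOFED))
```

The spoofed case is the one the guidance above is about: the message is technically "SPF pass" for the infrastructure that sent it, yet DMARC still fails because that domain is not the one the user sees, so the receiver's disposition follows the published policy.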
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step advice on identifying fraudulent links, browser warnings, and suspicious sender patterns in day-to-day mail use
- Practical guidance on DMARC enablement for organisations that want to reduce spoofing and brand impersonation
- Explainer content on Verified Mark Certificates and how authenticated branding appears in inboxes
- User-facing reporting steps for forwarding suspicious mail to anti-phishing channels and the APWG