Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Phishing scams and email trust: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Phishing remains a high-volume identity attack, with spam email accounting for just over 50% of global traffic in 2020 and PhishLabs reporting a 47% rise in phishing attempts from 2020 to 2021, according to DigiCert. The real lesson is that user caution helps, but domain authentication, browser trust signals, and access scoping now carry most of the defensive load.

NHIMG editorial — based on content published by DigiCert: 10 tips to avoid phishing scams

By the numbers:

Questions worth separating out

Q: How should organisations reduce phishing risk without relying only on user training?

A: Use layered controls that validate sender identity and reduce the chance of successful impersonation.

Q: Why do phishing emails still work even when users know the warning signs?

A: They work because attackers do not need perfect deception, only enough realism to defeat attention in the moment.

Q: When should organisations prioritise DMARC over more user-awareness training?

A: Prioritise DMARC when spoofed mail, brand impersonation, or executive lookalike abuse is a recurring risk.

Practitioner guidance

  • Enforce domain authentication for outbound mail Deploy DMARC with aligned SPF and DKIM so receiving systems can reject or quarantine spoofed messages that claim your domain.
  • Reduce user exposure to warning fatigue Tune browser and email security settings so certificate errors, secure transport failures, and suspicious sender indicators are visible and actionable.
  • Limit the value of a stolen credential Use standard user accounts for everyday work and reserve administrative access for explicit tasks.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step advice on identifying fraudulent links, browser warnings, and suspicious sender patterns in day-to-day mail use
  • Practical guidance on DMARC enablement for organisations that want to reduce spoofing and brand impersonation
  • Explainer content on Verified Mark Certificates and how authenticated branding appears in inboxes
  • User-facing reporting steps for forwarding suspicious mail to anti-phishing channels and the APWG

👉 Read DigiCert's 10 tips for avoiding phishing scams and enabling DMARC →

Phishing scams and email trust: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Phishing is still an identity control failure, not just a user behaviour problem. The article correctly frames phishing as trust exploitation, but the deeper issue is that organisations still lean too heavily on end-user discernment. When spoofed email, browser warnings, and lookalike sessions are the main battleground, identity assurance has already slipped upstream. The practitioner conclusion is that phishing defence has to be treated as a control architecture problem, not a training reminder.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when phishing leads to account compromise?

A: Accountability is shared, but security leadership owns the control environment that made impersonation succeed. Email authentication, browser trust configuration, access scoping, and incident reporting are governance responsibilities, not just end-user habits. If phishing can repeatedly turn into compromise, the control model is failing at the organisational level.

👉 Read our full editorial: Phishing scams expose the limits of user-focused email defenses



   
ReplyQuote
Share: