Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Phishing, spoofing and DMARC: what IAM teams still miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Phishing has evolved from AOL credential theft in the mid-1990s to mass spoofing, malware delivery, and financially motivated campaigns that now target organisations at scale, according to DigiCert. The core failure remains trust in email identity, which means DMARC, training, and verified sender controls must be treated as governance, not hygiene.

NHIMG editorial — based on content published by DigiCert: From the 90s to Today - How Phishing, and the Strategies to Combat it, Have Evolved Over Time

By the numbers:

Questions worth separating out

Q: How should security teams reduce phishing risk without relying only on users?

A: They should combine user training with authenticated sender controls, mailbox policy enforcement, and access verification for sensitive actions.

Q: Why does phishing remain effective even when employees are trained?

A: Phishing remains effective because attackers exploit urgency, familiarity, and normal business processes, which can overwhelm training in the moment.

Q: What do organisations get wrong about DMARC and phishing prevention?

A: Many teams treat DMARC as a deliverability project rather than an identity control.

Practitioner guidance

  • Enforce authenticated sender policy Require DMARC alignment for domains that send to employees or customers, and escalate failures instead of treating them as deliverability noise.
  • Separate awareness from access decisions Use phishing training to reduce click risk, but back it with conditional access, step-up verification, and tighter approval paths for sensitive actions.
  • Review privileged workflows for email dependency Identify admin resets, payment approvals, and support escalations that still rely on email as the trust anchor, then replace them with verified channels.

What's in the full article

DigiCert's full blog post covers the historical detail this post intentionally leaves at the strategy level:

  • The early AOL-era phishing patterns and how they shaped later credential theft techniques
  • The evolution from brand spoofing to pandemic-era lure themes and spam volume
  • The practical DMARC discussion and why authenticated sender policy matters for email trust
  • The article's own list of tips for reducing user exposure to phishing links and attachments

👉 Read DigiCert's blog post on how phishing and anti-spoofing strategies evolved →

Phishing, spoofing and DMARC: what IAM teams still miss?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Email trust is now an identity governance problem, not a mailbox problem. The article’s history shows that phishing has always depended on a misplaced assumption that users can reliably distinguish real from fake sender context. That assumption fails as soon as attackers can mimic brands, workflows, and urgency at scale. Practitioners should treat sender authentication and downstream access controls as part of the same governance boundary.

A few things that frame the scale:

A question worth separating out:

Q: How do email security controls affect human and non-human identity risk?

A: Email controls affect both because phishing often starts with human trust and ends with credential use in systems, APIs, or admin workflows. If a human account is compromised, attackers may reach shared credentials or service access next. That makes sender verification and privileged workflow design relevant to the full identity stack.

👉 Read our full editorial: Phishing evolution shows why email trust still fails in IAM



   
ReplyQuote
Share: