Phishing, spoofing and DMARC: what IAM teams still miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7738
Topic starter  

TL;DR: Phishing has evolved from AOL credential theft in the mid-1990s to mass spoofing, malware delivery, and financially motivated campaigns that now target organisations at scale, according to DigiCert. The core failure remains trust in email identity, which means DMARC, training, and verified sender controls must be treated as governance, not hygiene.

NHIMG editorial — based on content published by DigiCert: "From the 90s to Today - How Phishing, and the Strategies to Combat it, Have Evolved Over Time"

By the numbers:

Questions worth separating out

Q: How should security teams reduce phishing risk without relying only on users?

A: They should combine user training with authenticated sender controls, mailbox policy enforcement, and access verification for sensitive actions.

Q: Why does phishing remain effective even when employees are trained?

A: Phishing remains effective because attackers exploit urgency, familiarity, and normal business processes, which can overwhelm training in the moment.

Q: What do organisations get wrong about DMARC and phishing prevention?

A: Many teams treat DMARC as a deliverability project rather than an identity control.

Practitioner guidance

  • Enforce authenticated sender policy: require DMARC alignment for domains that send to employees or customers, and escalate failures instead of treating them as deliverability noise.
  • Separate awareness from access decisions: use phishing training to reduce click risk, but back it with conditional access, step-up verification, and tighter approval paths for sensitive actions.
  • Review privileged workflows for email dependency: identify admin resets, payment approvals, and support escalations that still rely on email as the trust anchor, then replace them with verified channels.
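Putting the first bullet into practice: an added example (not code from the DigiCert post or from NHIMG) that triages a constructed DMARC aggregate report for the fictional domain example.com, separating real alignment failures from forwarding noise and recording whether the published policy actually blocked anything.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (RUA) report for the fictional domain example.com:
# record 1 passes both aligned checks, record 2 is a spoof that fails both,
# record 3 is forwarded mail where SPF breaks but the aligned DKIM signature holds.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.5</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def triage_dmarc_report(xml_text):
    """Return (published policy, sources that failed DMARC) for one RUA report.
    The dkim/spf values under policy_evaluated are already the aligned DMARC results,
    so a record fails only when both are 'fail'; SPF breaking alone (forwarding) passes."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    failures = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            continue
        disposition = evaluated.findtext("disposition")
        failures.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": disposition,
            # With p=none the receiver only reports; nothing was blocked, so escalate.
            "blocked": disposition in ("quarantine", "reject"),
        })
    return policy, failures
```

Feeding real RUA reports through this gives the "escalate failures" list the bullet asks for: unblocked failures against your own header_from domain are spoofing attempts, not deliverability noise.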

What's in the full article

DigiCert's full blog post covers the historical detail this post intentionally leaves at the strategy level:

  • The early AOL-era phishing patterns and how they shaped later credential theft techniques
  • The evolution from brand spoofing to pandemic-era lure themes and spam volume
  • The practical DMARC discussion and why authenticated sender policy matters for email trust
  • The article's own list of tips for reducing user exposure to phishing links and attachments

👉 Read DigiCert's blog post on how phishing and anti-spoofing strategies evolved →
