Email a Pervasive Threat With 20% Fraudulent
One in five emails were from unauthorized senders — meaning those emails were almost certainly fraudulent, according to research from San Francisco-based Email Authentication as a Service provider ValiMail.
The research also indicated that large financial services companies with revenues of at least $1 billion scored well in comparison to other sectors. Only tech unicorns had a higher rate of email fraud protection through Domain-based Message Authentication, Reporting and Conformance (DMARC) standards.
ValiMail noted that, despite this encouraging sign, there is still massive room for improvement: more than 10% of the top U.S. financial institutions have deployed DMARC at enforcement; nearly 20% have published DMARC records that are not set to enforcement (i.e., they will not reject or quarantine unauthenticated emails). Setting a policy to either reject or quarantine would triple the fraud protection rate in this category alone. The cybersecurity firm also found 68% of top FinServ companies have no DMARC record at all, leaving their domains open to spoofing in phishing campaigns by bad actors.
In addition, the findings, based on a review of nearly three billion emails that ValiMail processed for customers in October, revealed:
- Email fraud is a pervasive threat. One in five messages sent come from unauthorized senders, indicating massive amounts of fraudulent activity.
- Virtually all domains lack adequate protection. Just 0.5% of the top million domains have protected themselves from impersonation through email authentication, leaving almost all vulnerable.
- Incorrectly deployed Domain-based Message Authentication, Reporting and Conformance standards prevent email protection. Over three-fourths of domains that have deployed DMARC records remain unprotected from fraud, either through misconfiguration or by setting a permissive DMARC policy.
- The difficulty of fully implementing and maintaining DMARC leads to inadequate protection. Only 15 to 25% of companies that attempt DMARC succeed at achieving protection from fraud, depending on category.
- DMARC is accessible to most domains. More than 76% of the world’s email inboxes support DMARC and will enforce domain owners’ authentication policies, if those policies exist.
- Implementing email authentication would save the average company $8.1 million per year in cybercrime costs — $16.2 billion annually across the Fortune 2000.
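What "published but not set to enforcement" and "misconfiguration" look like at the record level, as an added example (not ValiMail's code or methodology): a Python classifier for the TXT strings published at `_dmarc.<domain>`. The category names, the treatment of `pct` below 100 as partial enforcement, and the sample domains and records are assumptions of this example.

```python
from collections import Counter

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict; tag names are lowercased."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Return no-record, misconfigured, permissive, partial or enforced."""
    # Only TXT strings that begin with v=DMARC1 are DMARC records.
    dmarc = [r for r in txt_records if r.replace(" ", "").startswith("v=DMARC1")]
    if not dmarc:
        return "no-record"
    if len(dmarc) > 1:
        return "misconfigured"  # RFC 7489: with multiple records DMARC is not applied
    try:
        tags = parse_tags(dmarc[0])
    except ValueError:
        return "misconfigured"
    policy = tags.get("p", "").lower()
    # A missing ';' after v=DMARC1 swallows the next tag into the version value.
    if tags.get("v") != "DMARC1" or policy not in VALID_POLICIES:
        return "misconfigured"
    if policy == "none":
        return "permissive"  # monitoring only: nothing is rejected or quarantined
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        return "misconfigured"  # assumption: an invalid pct is flagged for review
    return "enforced" if int(pct) == 100 else "partial"

# Constructed sample data: hypothetical domains and records.
SAMPLES = {
    "bank-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example"],
    "bank-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@bank-b.example"],
    "bank-c.example": ["v=DMARC1; p=quarantine; pct=25"],
    "bank-d.example": ["v=DMARC1 p=reject"],                    # missing ';'
    "bank-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records
    "bank-f.example": ["v=DMARC1; p=rejct"],                    # misspelled policy
    "bank-g.example": ["v=spf1 -all"],                          # SPF only, no DMARC
}

def summarize(samples):
    """Tally how many domains fall into each protection category."""
    return Counter(classify(records) for records in samples.values())

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:16} {classify(records)}")
    print(dict(summarize(SAMPLES)))
```
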
“Email has been weaponized by hackers as the leading way to infiltrate networks, and the vast majority of businesses are leaving themselves vulnerable by either incorrectly configuring their authentication systems or forgoing protection entirely,” Alexander García-Tobar, CEO and co-founder of ValiMail, said. “Businesses are asking their employees to complete an impossible task: identifying who is real and who is an impersonator, by closely examining every message in their inboxes. The only sustainable solution is for companies to take control of their email security at the technology level and stop placing the onus on employees to prevent phishing attacks.”