Brand Protection

    Brand Impersonations Surge but DMARC Protections Lag

    Web- and email-based spoofing attacks are on the rise, but most organizations aren’t using DMARC or other brand monitoring tools to protect themselves. 


    Key Points

    • More than nine in 10 organizations have experienced a web- or email-based spoofing attack in the last year, according to Mimecast’s State of Email Security 2022 report. 
    • Yet, fewer than three in 10 are “completely” prepared to respond to such an attack.
    • Though the number of domain names protected by a DMARC policy continues to rise, the growth in organizations using DMARC is flat.


    Mimecast’s State of Email Security 2022 (SOES) report shows that organizations around the world are facing more frequent and sophisticated web- and email-based spoofing attacks. The research shows security teams making some progress in addressing these exploits, which mimic real domain names to launch phishing attacks and malicious websites. But their brand protection and cyber resilience strategies fall short when it comes to Domain-based Message Authentication, Reporting and Conformance (DMARC), an email authentication standard that helps owners of a given internet domain identify unauthorized email senders and pass only valid emails to recipients.

    A Treacherous State of Affairs

    There’s significant evidence that the landscape of cyber threats is only getting more treacherous. Consider the following statistics from the SOES research, which surveyed 1,400 security and IT professionals in 12 countries across five continents:

    • Over the last 12 months, the volume of email threats rose for 72% of organizations. Among these organizations, 88% were impacted by a ransomware attack, with nearly three in four describing the harm as significant.
    • More than 90% of organizations have seen a web- or email-based spoofing attack in the last 12 months. These types of attacks are on the rise for about 46% of organizations, compared to just 19% who say they are declining. 

    Additional research paints a similar picture: Nearly half of cyberattacks now involve some form of brand spoofing,[1] and organizations can expect to face nearly 1,100 spoofed domain exploits each year.[2] Simply put, brand exploitation is a bigger issue than many organizations realize, heightening cyber risk in hybrid and remote work environments. That’s because brand exploitation attacks using look-alike email and web addresses to harvest data, drop malware or steal money are typically more sophisticated than run-of-the-mill phishing campaigns, which employees are less likely to fall for.[3]

    5 Weak Spots in Brand Protection

    The good news is that the SOES research shows that most organizations are taking steps to address the threats that web- and email-based attacks pose. The bad news is that those steps often aren’t big enough. In five key areas, organizations are still falling short:

    • Cyber resilience strategy. Brand protection is one component of an overarching cyber resilience strategy that enables organizations to adapt to a changing threat landscape and minimize the impact of cyberattacks when they happen. Nearly all organizations (96%) currently have a cyber resilience strategy or plan to roll one out within the next 12 months. However, the share of organizations saying they have a strategy in place right now (36%) has actually declined since 2018 (46%). This suggests that strategies in place aren’t evolving as quickly as the threats they are intended to protect against.
    • Cyber resilience spending. The SOES survey shows organizations allocating nearly 14% of overall IT spending to cyber resilience. However, respondents say the figure should be closer to 17%. Not only does this shortfall impact overall cyber resilience; it also contributes to a lack of staff and technology to adequately address web- or email-based spoofing attacks, and it limits investment in training employees to keep from falling victim to attacks.
    • Response preparedness. Most organizations are “mostly” or “somewhat” prepared to respond to a spoofing attack. In fact, only 4% say they are “not at all” prepared. Unfortunately, only 29% say they are “completely” prepared to respond.
    • Use of detection and protection technology. More than three in four organizations have technology in place to detect and protect against web- or email-based spoofing, with 39% using a third-party service and 37% using a home-grown solution. Another 14% are rolling out such a service. These figures are encouraging, but in the context of the previous point – with fewer than 30% of organizations completely prepared to respond to spoofing attacks – they suggest that many of the services in place don’t seem to be up to the task.
    • DMARC use. One critical tool for preventing spoofing attacks is DMARC, which builds on other email authentication mechanisms (Sender Policy Framework, or SPF, and DomainKeys Identified Mail, or DKIM) by letting domain owners publish protection policies. The number of domains globally with a DMARC policy in place grew 84% in 2021 and approached 5 million by the end of the year,[4] and only 5% of organizations in the SOES research have no plans to roll out DMARC, which is a significant drop from 17% in 2016. On the other hand, the current share of organizations already using DMARC (27%) is hardly changed from 2016 (24%). This reflects the cost and complexity of implementing the DMARC protocol and establishing a DMARC policy, especially in light of limited resources.

    DMARC, Brand Monitoring and Training Can Fill the Gaps

    The SOES research shows that many organizations have a long way to go to protect their brands from spoof attacks. Fortunately, the findings also suggest that there are some simple steps they can take to be better prepared and protected.

    • Step 1: Deploy DMARC. DMARC is essential for brand protection because, in addition to authenticating email, it identifies who’s using a brand’s domain (legitimately or otherwise) and it enables organizations to set a policy to report, quarantine or reject suspicious messages. Getting to the most mature DMARC policy, rejection, requires ongoing monitoring and analysis of DMARC reporting. This is a heavy lift for many organizations – especially those that routinely handle sensitive data – which points to the value of third-party services over home-grown solutions that may be difficult to adapt to rapidly changing threats.
    • Step 2: Implement brand monitoring. Using DMARC and brand monitoring uncovers anyone abusing your domain for web cloning as well as email phishing. Any brand with an online presence is at risk, but they are unlikely to identify spoofed websites – let alone get them taken down – if they don’t know they exist.
    • Step 3: Increase training. While 87% of organizations in the SOES research offer cybersecurity training at least once a quarter, only 23% conduct training on an ongoing basis. Additional training can go a long way to preventing employees from making security mistakes, since 76% of organizations say there is at least some risk associated with errors ranging from poor password management to the use of online collaboration tools.

    The Bottom Line

    Web- and email-based spoofing attacks are on the rise, and they show little sign of slowing down. While organizations are generally doing the right things to protect themselves amid an ever-changing threat landscape, the SOES research indicates that they should be doing more – especially regarding DMARC – and that they put themselves at risk if they don’t. Read on about today’s cybersecurity trends and solutions such as DMARC in Mimecast’s State of Email Security 2022 report.

    [1]Brand abuse attacks dominate list of fraud trends: report,” ZD Net

    [2]Average company faces 1000+ spoofed domain threats per year,” Security Magazine

    [3]The antidote to brand impersonation attacks is awareness,” Help Net Security

    [4]DMARC policies up 84% for 2021,”


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top