The world is now beset by 6.4 billion fake emails per day, according to the Q2 2018 Email Fraud Landscape, a study by Valimail.
And the main source is not Russia or Nigeria — it is the United States. No other country even comes close.
The UK, which only hit the top 10 this quarter, is second. France is now third. France, Canada and Germany have moved down. Vietnam is now in the top 10.
This has fueled mass hijacking of brands. “Impersonation has moved to a new field: Fake emails as a vector for system compromise,” Valimail notes.
It also contributes to an ever-growing use of email by attackers. Ninety-one percent of all cyber attacks now begin with a phishing email, the study notes.
In addition to the financial loss, this is causing collateral damage to email marketing as people are afraid to open emails.
Existing security systems can help — up to a point. Take DMARC (Domain-based Message Authentication, Reporting and Conformance — the standard email authentication tool).
Among the emails studied by Valimail in the first half of 2018, 96.2% passed DMARC. Another 1.5% failed DMARC, although they originated from known and legitimate senders.
But 2.3% failed DMARC and deserved to fail because they are “potentially malicious” — a seemingly small percentage, but not in light of the overall volume.
Last year, Valimail found that 5% of emails were deemed suspicious and that 20% of all messages sent in October were fraudulent. But don’t be deceived: The lower rate is “not necessarily a sign of continuing progress but rather a temporary anomaly,” the study states.
Happily, DMARC support now covers 5 billion inboxes worldwide, compared with 4.8 billion last year and 2.7 billion in 2015.
The U.S. federal government leads all other sectors in DMARC usage and enforcement, followed by U.S. tech companies and the Fortune 500.
But there is more to DMARC than simple implementation. “Publishing a DMARC record is one thing, but configuring it correctly and completely is another,” the study states.
The enforcement failure rate ranges from 75% to 80% for all the sectors studied.
As for erosion of brand trust, there is a remedy in the works: BIMI, or Brand Indicators for Message Identification, an authentication standard that allows brand logos to appear in the subject line. The logo appears only if the email has been authenticated.
Developed by a group that includes Agari, Valimail, Comcast, Google, Microsoft and Oath, BIMI is now being offered in trials by Yahoo Mail.
For this study, Valimail analyzed billions of email message authentication requests, and over 3 million publicly accessible DMARC records.