---
title: "Penetration Tests are Indicating Worse Cybersecurity Postures Across Globe; Phishing Attacks are Topping the List | DMARC Report"
description: "The effectiveness of data protection measures and the utility of available patches have worsened in recent years."
image: "https://dmarcreport.com/og/blog/penetration-tests-indicating-worse-cybersecurity-postures-phishing-attacks-topping-list.png"
canonical: "https://dmarcreport.com/blog/penetration-tests-indicating-worse-cybersecurity-postures-phishing-attacks-topping-list/"
---


![Penetration Tests are Indicating Worse Cybersecurity Postures Across Globe; Phishing Attacks are Topping the List](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) 

The effectiveness of [data protection](https://www.imperva.com/learn/data-security/data-protection/) measures and the utility of available patches have worsened in recent years. [The Cymulate Cybersecurity Effectiveness Report 2022](https://cymulate.com/resources/cybersecurity-effectiveness-report/) highlights that the overall **data exfiltration risk score** has become poor, with cloud service-related evaluations standing at an average score of 70, while network protocols have a moderate risk score of 43.

> Domain spoofing is trivially easy without DMARC enforcement, says Brad Slavin, General Manager of DuoCircle. Anyone can send email that looks like it comes from your domain. DMARC with p=reject is the only way to tell receiving servers to block unauthorized senders completely.

According to the [FBI’s 2022 Internet Crime Report (IC3)](https://www.ic3.gov/Media/PDF/AnnualReport/2022IC3Report.pdf), 300,497 US-based victims reported phishing incidents in a single year, and Business Email Compromise (BEC) caused more than $2.7 billion in direct losses. Phishing attacks are responsible for almost [90% of data exfiltration or breaches](https://www.cisa.gov/stopransomware/general-information). There’s no doubt that companies are investing in **cybersecurity protocols and applications**; however, they are lagging in securing the basic loopholes, and attackers are sidestepping modern technical protections.

## Popular Clouds are More Susceptible

Earlier, threat actors used file-sharing services like Dropbox and Box, but now their [malicious attachments](https://www.bleepingcomputer.com/news/security/just-five-file-types-make-up-85-percent-of-all-spam-malicious-attachments/) don’t pass filters and other security technologies. That’s why they have shifted to using more **generic cloud infrastructure**, like Amazon and Azure. This shift poses a challenge for businesses because it’s not easy to block data from trusted service providers, which are the driving force behind many large cloud services and websites.

As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.

_These metrics are applied to numerous attempts aimed at extracting data categorized as ‘controlled’ from the organization_. This upsurge signifies that organizations are facing greater difficulty in preventing the unauthorized removal of **business-confidential**, personally identifiable, and other controlled data from their systems.

![Dmarc alignment](https://media.mailhop.org/dmarcreport/images/2024/01/dmarc-alignment-7451.jpg) 

## Phishing Instances are Getting Out of Hand Now!

Since the fourth quarter of 2022, there’s been a [1,265% increase](https://www.cnbc.com/2023/11/28/ai-like-chatgpt-is-creating-huge-increase-in-malicious-phishing-email.html) in **malicious phishing emails** and a 967% rise in credential phishing.

Phishing is a type of [social engineering attack](https://www.arkoselabs.com/explained/what-is-a-social-engineering-attack/) where a cybercriminal poses as someone you know and trust to manipulate you into giving up sensitive details, transferring money, taking an action they desire, **downloading a malware-infected file**, etc.

Nowadays, with the help of readily available phishing kits and [generative AI](https://dmarcreport.com/blog/artificial-intelligence-and-the-serious-threat-of-sophisticated-email-attacks-and-automated-advertising-bots/)-based tools like ChatGPT, it has become easier to create phishing emails and instant messages that are free of the mistakes usually treated as **red flags or warning signs**. This means that phishing emails no longer have poor grammar, irregular sentence formation, an unprofessional tone, etc.

Unlike scams like ‘[The Nigerian Prince](https://hackernoon.com/the-nigerian-prince-email-and-the-history-of-social-engineering-techniques),’ where the emails were written in broken and unreadable English, these days scammers are producing content that is as **sophisticatedly drafted** as the work of the highly paid professional writers on your team!

What’s worse is that even [The Nigerian Prince scam is back](https://www.duocircle.com/phishing-protection/nigerian-prince-scam-now-being-driven-by-ai) in action, and it’s also being driven by AI.

In fact, as per [Recorded Future](https://www.recordedfuture.com/i-chatbot), numerous cybercriminals have started sharing malware, social engineering tutorials, **money-making schemes**, etc., on the dark web, and ChatGPT drives all of these.

## Phishing Penetration Testing Can Save You

Phishing risk tests, phishing simulations, or **phishing assessments** are cybersecurity measures where ethical hackers or pen testers simulate a phishing attack to evaluate how good you and your team are at identifying and responding to such attacks.

![Dmarc record generator](https://media.mailhop.org/dmarcreport/images/2024/01/dmarc-record-generator-9.jpg) 

White hat hackers mimic real-world [phishing tactics](https://www.linkedin.com/pulse/phishing-tactics-old-new-sophisticated-andy-longhurst) to manipulate targeted employees into sharing sensitive files and information like passwords, financial details, operational strategies, or transferring money. The message is made to appear to be coming from a colleague, senior employee, CXO, **third-party service provider**, bank, etc.

_Conducting phishing tests assists organizations in pinpointing vulnerabilities, gauging the efficacy of training programs, ensuring compliance, and mitigating risks_. This practice aids businesses in enhancing their cybersecurity measures, **safeguarding assets**, and upholding their reputation through the prevention of [data breaches](https://portswigger.net/daily-swig/dbir-2022-ransomware-surge-increases-global-data-breach-woes).

## How is Phishing Penetration Done?

A simulated phishing penetration test is done in two stages:

## Stage 1: Baseline Phishing Penetration Testing

This is done by simulating an **ethical phishing email** that is sent to all the employees of an organization without notifying them in advance. Then, the number of employees who clicked on the [malicious link](https://www.clearnetwork.com/malicious-urls/), shared sensitive details, or took any other action is recorded and reported.

This creates a **baseline for cybersecurity** for the organization and reflects whether employees need awareness training or not.

## Stage 2: Advanced Phishing Penetration Testing

A pen tester evaluates the efficacy of security programs by:

- Checking firewall rules and proxy servers.
- Evaluating how many devices and software are unpatched despite the patch being available.
- Assessing the [patch management policy](https://www.softwaresecured.com/post/basics-of-patch-management-policies).
- Testing the quality and efficacy of **antivirus and antimalware** installed across devices.
- _Evaluating the number of employees and devices vulnerable to phishing attacks_.

## How Can Organizations Control the Instances of Exploitation of Email-Sending Domains?

Threat actors often exploit a reputed organization’s **email-sending domain** to send phishing and [spoofing emails](https://timesofindia.indiatimes.com/city/pune/attempt-to-dupe-firm-via-email-spoofing/articleshow/60823132.cms). Since these domains have a good reputation, the email delivery rate is higher, which means the probability of the recipient engaging with a fraudulent email is also higher.

So, what eventually happens is that the recipient ends up being a victim by either sharing confidential details or transferring money. Since your official domain is involved in the attack, you become liable to lawsuits and other consequences due to your inability to protect your domain.

Now, on the brighter side, you still have the option to protect your domain from getting exploited by deploying [SPF](https://dmarcreport.com/what-is-spf/), [DKIM](https://dmarcreport.com/what-is-dkim/), and [DMARC](https://dmarcreport.com/). These three [email authentication protocols](https://dmarcreport.com/what-is-dmarc/) instruct recipients’ servers to either mark **potentially fraudulent emails** sent from your domain as spam or reject them outright.
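The following is an added example, not code from DMARCReport, showing how the policy published in a domain's DMARC record decides whether receivers deliver, spam-folder, or reject mail that fails authentication. The domains and TXT records are constructed placeholders, and `parse_dmarc` and `assess` are hypothetical helper names.

```python
# Added example: classify what a DMARC TXT record asks receiving servers to do.
# Domains and records below are constructed placeholders, not real DNS data.
SAMPLE_RECORDS = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "broken.example": "v=DMARC1; rua=mailto:dmarc@broken.example",  # no p= tag
    "spf-only.example": "v=spf1 include:_spf.example.net -all",  # SPF is not DMARC
}

# Receiver action requested by each policy value for mail that fails DMARC.
ACTIONS = {"none": "deliver, report only", "quarantine": "mark as spam", "reject": "reject"}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and read v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def assess(txt):
    """Summarise enforcement: status, requested action, and gaps to close."""
    tags = parse_dmarc(txt)
    if tags is None:
        return {"status": "unprotected", "action": None,
                "findings": ["no DMARC record published"]}
    policy = tags.get("p", "").lower()
    if policy not in ACTIONS:
        return {"status": "unprotected", "action": None,
                "findings": ["record has no valid p= tag, nothing to enforce"]}
    findings = []
    # pct defaults to 100; an unparsable value is ignored in favour of the default.
    raw_pct = tags.get("pct", "100")
    pct = int(raw_pct) if raw_pct.isdigit() and int(raw_pct) <= 100 else 100
    # sp sets the policy for subdomains and inherits p when absent.
    sub = tags.get("sp", policy).lower()
    if policy == "none":
        findings.append("p=none only requests reports; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends failing mail to spam instead of blocking it")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if policy != "none" and sub != "reject" and sub != policy:
        findings.append(f"sp={sub}: subdomains get a weaker policy than the main domain")
    if policy == "none":
        status = "monitoring"
    elif policy == "reject" and pct == 100 and sub == "reject":
        status = "enforced"
    else:
        status = "partial"
    return {"status": status, "action": ACTIONS[policy], "findings": findings}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess(record)
        print(f"{domain}: {result['status']} ({result['action']})")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Only the first record asks receivers to block unauthenticated mail outright; the others leave spoofed messages deliverable to the inbox or spam folder.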

We at **DMARCReport** assist in [DMARC reporting and monitoring](https://dmarcreport.com/blog/alternatives-to-fraudmarcs-cost-effective-dmarc-reporting/), which allows you to catch insights on your domain’s email activities. _Evaluating these insights helps adjust policies and other settings to ensure our clients are safe from getting their reputations, finances, and operations compromised by bad actors_.

Please feel free to [book a demo](https://dmarcreport.com/book-a-demo/) today to learn more about how we can help you and your **online business reputation**.

## Sources

- [CISA Binding Operational Directive 18-01](https://www.cisa.gov/news-events/directives/bod-18-01)
- [Microsoft Outlook DMARC Enforcement May 2025](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) (2025)
- [PCI DSS v4.0 - DMARC Requirement](https://www.pcisecuritystandards.org/) (2025)


[ Vasile Diaconu ](/authors/vasile-diaconu/) 

Operations Lead

Operations Lead at DuoCircle. Runs project management, developer coordination, and technical support execution for DMARC Report.

