--- title: "A Guide to Preventing Phishing in 2024: Insights from CSC's 2023 Report | DMARC Report" description: "A Guide to Preventing Phishing in 2024: Insights from CSC" image: "https://dmarcreport.com/og/blog/preventing-phishing-2024-insights-from-cscs-2023-report.png" canonical: "https://dmarcreport.com/blog/preventing-phishing-2024-insights-from-cscs-2023-report/" --- Quick Answer \_According to the FBI's 2022 Internet Crime Report (IC3), 300,497 US-based victims reported phishing incidents in a single year, and Business Email Compromise (BEC) caused more than $2.7 billion in direct losses. DMARC Report A Guide to Preventing Phishing in 2024: Insights from CSC’s 2023 Report Related: [Free DMARC Checker](/tools/dmarc-checker/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fpreventing-phishing-2024-insights-from-cscs-2023-report%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=A%20Guide%20to%20Preventing%20Phishing%20in%202024%3A%20Insights%20from%20CSC's%202023%20Report&url=undefined%2Fblog%2Fpreventing-phishing-2024-insights-from-cscs-2023-report%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fpreventing-phishing-2024-insights-from-cscs-2023-report%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fpreventing-phishing-2024-insights-from-cscs-2023-report%2F&title=A%20Guide%20to%20Preventing%20Phishing%20in%202024%3A%20Insights%20from%20CSC's%202023%20Report "Share on Reddit") [ ](mailto:?subject=A%20Guide%20to%20Preventing%20Phishing%20in%202024%3A%20Insights%20from%20CSC's%202023%20Report&body=Check out this article: undefined%2Fblog%2Fpreventing-phishing-2024-insights-from-cscs-2023-report%2F "Share via Email") ![A Guide to Preventing Phishing in 2024: Insights from CSC's 2023 Report](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg) ![Dmarc record generator 2 150x150](https://media.mailhop.org/dmarcreport/images/2024/02/dmarc-record-generator-2-150x150.jpg) > Domain spoofing is trivially easy without DMARC enforcement, says Brad Slavin, General Manager of DuoCircle. Anyone can send email that looks like it comes from your domain. DMARC with p=reject is the only way to tell receiving servers to block unauthorized senders completely. \_According to the [FBI’s 2022 Internet Crime Report (IC3)](https://www.ic3.gov/Media/PDF/AnnualReport/2022IC3Report.pdf), 300,497 US-based victims reported phishing incidents in a single year, and Business Email Compromise (BEC) caused more than $2.7 billion in direct losses. DMARC Report A Guide to Preventing Phishing in 2024: Insights from CSC’s 2023 Report ```

00:00 ``` / ``` 2:02 ``` RSS Feed ``` Share Link Embed ``` /\*! This file is auto-generated \*/ ’ title=“Embed Code” class=“input-embed input-embed-10885” readonly/> ``` ``` Year after year, cyberattacks become **more rampant and aggressive**, and 2023 was no different. You’d be surprised to know that last year, the [global average cost of a data breach was USD 4.45 million, which was a whopping 15% increase over 3 years](https://www.ibm.com/reports/data-breach). As a business owner, you would agree with us when we say that these attacks cost more than just financial loss and inconvenience. It is also about compromised **sensitive information**, tarnished reputations, lost customers, and potentially long-term financial damage. And the worst part? The situation is \*\*only going to deteriorate as the digital landscape evolves, year after year. _Moreover, to think that your organization can dodge these attacks might set you up for an unpleasant surprise_. As we enter 2024, the best thing you can do to [mitigate the risk of cyberattacks](https://dmarcreport.com/blog/unlocking-the-power-of-dmarc-shielding-you-and-your-customers-from-phishing-attacks/) like phishing is to learn from the mistakes made in 2023 and **leverage those strategies in 2024**. ## Common Domain-Based Attacks in 2023 2023 was a year that changed the course of the cybersecurity industry with the **intervention of Artificial Intelligence**. As [AI-powered attacks](https://dmarcreport.com/blog/artificial-intelligence-and-the-serious-threat-of-sophisticated-email-attacks-and-automated-advertising-bots/) became more adverse in the last year, they pushed organizations to prioritize domain security to prevent attacks such as [supply chain attacks](https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-breach-cyberlink-in-supply-chain-attack/), ransomware, and phishing attacks, among others. As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025\. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025\. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition. Before we talk about the ways to reduce the risk of these attacks, let us take a look at some of the most common [domain-based attacks](https://www.verdict.co.uk/dns-attacks-are-increasing/?cf-view) that loom over 2023 . ![Dmarc record generator](https://media.mailhop.org/dmarcreport/images/2024/02/dmarc-record-generator-10.jpg) ## Domain Hijacking in the Age of AI [Domain hijacking](https://www.cryptotimes.io/balancer-domain-hijacked-238k-worth-of-crypto-stolen/) is a technique that threat actors employ to \*\*change the registration of a domain name without the domain owner’s knowledge. Now that more businesses are recognizing the relevance of AI and purchasing their own [.AI (dot AI) domain names](https://www.namecheap.com/blog/what-is-ai-domain-dp/), it serves as a lucrative opportunity for attackers to claim these domains before legitimate owners can secure them. According to [CSC’s latest report](https://www.cscdbs.com/assets/pdfs/2023-Domain-Security-Report.pdf), _84% of AI domains_ meant for top companies are actually in the hands of others. _You can only imagine the gravity of the situation when industries like banking, IT software, and services are the worst hit_! ## Malicious Domain Registration In 2023, cyberattackers resorted to a classic technique - [employing homoglyphs to dupe the uninformed user](https://www.feroot.com/education-center/what-is-a-homoglyph-attack/) with the aim of divulging sensitive information and implementing their nefarious intentions. But how do they even pull this off? The basic premise of this strategy is to \*\*trick the untrained eye into clicking suspicious links to execute a phishing attack. _By using homoglyphs - characters that look similar but are different - attackers create domain names that are visually indistinguishable from the genuine ones_. For example, a lowercase ‘l’ might be **replaced with the numeral** ‘1’ or a ‘0’ (zero) with an ‘O’ (uppercase letter o). You would be surprised to know that there are **more than 79**% of these [homoglyph (fake) domains](https://cyberscoop.com/homoglyph-zero-day-verisign-soluble/) owned by third parties other than the Global 2000 brands . ## Subdomain Hijacking _Creating subdomains has now become a common practice among organizations that have various verticals_. But what happens when these subdomains are \*\*unused and forgotten about? They become \*\*bait for the uninformed user. These subdomains fall into the hands of cybercriminals who use them for malicious activities like phishing or [malware distribution](https://www.indiatvnews.com/technology/news/microsoft-takes-action-against-malware-distribution-through-app-installer-2023-12-31-909745), all under the garb of a **reputable brand**. But why did subdomain hijacking suddenly become a thing of concern in 2023, you ask? According to [CSC’s 2023 Domain Security Report](https://www.cscdbs.com/assets/pdfs/2023-Domain-Security-Report.pdf), out of the 6 million domain records that were examined, around 440,000 were at [risk for subdomain hijacking](https://www.pcworld.com/article/430729/forgotten-subdomains-boost-risk-of-account-hijacking-other-attacks.html), especially those connected to **cloud services**. ## Security Trends that Shaped the 2023 Cybersecurity Landscape The year 2023 witnessed many [cybersecurity](https://dmarcreport.com/blog/how-to-educate-or-train-employees-on-cybersecurity/) trends come and go. This made navigating the \*\*realm of cybersecurity more complex than ever. So, what is it that you should take away from 2023 that you should keep in mind moving forward? Here are some of the key trends that you should know about: ![Dmarc office 365](https://media.mailhop.org/dmarcreport/images/2024/02/dmarc-office-365-7662.jpg) ## Increase in Registry Locks, Yet High Risk for Global 2000 In 2023, more companies in the Global 2000 adopted [registry locks](https://www.nameshield.com/en/cybersecurity/registry-lock/), with the \*\*numbers rising from 17% in 2020 to 23% in the last year. _A registry lock is basically a tool that enables end-to-end domain name transaction security to prevent any unauthorized entity from making any changes to your domain_. This trend garnered some limelight last year; however, there are still many domains that remain vulnerable, partly because **not all global registries offer this service**. ## Inconsistent Implementation of Key DNS Security Measures The adoption of crucial [DNS security](https://www.fortinet.com/resources/cyberglossary/dns-security#:~:text=DNS%20Security%20Definition&text=Domain%20Name%20System%20%28DNS%29%20security,is%20operating%20efficiently%20and%20reliably.) measures was not as straightforward as it should have been in 2023\. While more companies employed [domain name system security extensions (DNSSEC)](https://www.warmupinbox.com/post/dnssec), growing from 3% in 2020 to 8% last year, there was an unprecedented drop in [DNS redundancy](https://nordvpn.com/cybersecurity/glossary/dns-redundancy/#:~:text=DNS%20redundancy%20refers%20to%20having,of%20service%20%28DDoS%29%20attack.) as it went down by 1% to 19%. Moreover, the use of [Certification Authority Authorization (CAA) records](https://www.thesslstore.com/blog/what-is-caa-record-certificate-authority-authorization/) saw a **notable increase**, moving from 3.8% to 8.4%. ## Rapid Adoption of DMARC With cyberattacks like phishing getting more frequent and sophisticated, organizations were left with no choice but to take cybersecurity seriously. A big step towards \*\*fortifying defenses has been the rapid [DMARC adoption](https://dmarcreport.com/blog/why-you-should-take-dmarc-adoption-seriously/). Back in 2020, about 39% of companies were on board with [DMARC](https://dmarcreport.com/), but by 2023, that \*\*number shot up to a whopping 67% . Wondering what drove this sudden surge in the implementation? The [Anti-Phishing Working Group (APWG)](https://en.wikipedia.org/wiki/Anti-Phishing%5FWorking%5FGroup) reported that 2022 broke records with over [4.7 million phishing attacks](https://finance.yahoo.com/news/apwg-4q-report-phishing-attacks-004500379.html#:~:text=This%20is%20more%20than%20in,2020%2C%20and%20779%2C200%20in%202019.), so to keep up with the [ever-evolving threat landscape](https://cybermagazine.com/articles/the-rapidly-evolving-threat-landscape-of-2024), you need \*\*strong defenses like DMARC in your cybersecurity strategy. _Looks like the custodians of security are in the right direction, but there’s still a need to gain momentum_. As we head into 2024, it is crucial to recognize the dynamics of the current \*\*cybersecurity landscape and adopt measures to mitigate the blow of [cyberattacks like phishing and ransomware](https://economictimes.indiatimes.com/news/how-to/phishing-ransomware-beyond-here-are-seven-types-of-cyberattacks-you-should-know/articleshow/102276412.cms?from=mdr). Want to know more about how [DMARC implementation](https://dmarcreport.com/what-is-dmarc/) can help your organization **keep adversaries at bay**? [Get in touch ](https://dmarcreport.com/book-a-demo/)with one of our experts today! ## Sources - [CISA Binding Operational Directive 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) - [IBM Cost of a Data Breach Report 2024](https://www.ibm.com/reports/data-breach) (2024) - [Microsoft Outlook DMARC Enforcement May 2025](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) (2025) - [PCI DSS v4.0 - DMARC Requirement](https://www.pcisecuritystandards.org/) (2025) ## Topics [ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/) ![Vasile Diaconu](https://media.mailhop.org/dmarcreport/images/team/vasile-diaconu.jpg) [ Vasile Diaconu ](/authors/vasile-diaconu/) Operations Lead Operations Lead at DuoCircle. Runs project management, developer coordination, and technical support execution for DMARC Report. [LinkedIn Profile →](https://www.linkedin.com/in/vasile-diaconu/) ## Take control of your DMARC reports Turn raw XML into actionable dashboards. Start free - no credit card required. [Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) ## Related Articles [ Foundational 8m 10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[ Foundational 12m 10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[ Foundational 12m 10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[ Foundational 12m 10 Reasons SPF Filtering Is Critical For Email Security Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"A Guide to Preventing Phishing in 2024: Insights from CSC's 2023 Report","description":"A Guide to Preventing Phishing in 2024: Insights from CSC's 2023 Report from DMARC Report explains practical steps for email authentication, domain.","url":"https://dmarcreport.com/blog/preventing-phishing-2024-insights-from-cscs-2023-report/","datePublished":"2024-02-12T11:04:03.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2024-02-12T11:04:03.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/vasile-diaconu/#person","name":"Vasile Diaconu","url":"https://dmarcreport.com/authors/vasile-diaconu/","jobTitle":"Operations Lead","description":"Vasile Diaconu is the Operations Lead at DuoCircle, the company behind DMARC Report and AutoSPF. He coordinates between engineering, product, and technical support - running project management, interfacing with developers on customer-reported issues, and making sure work that comes in through the support channel actually gets closed out. Vasile sits at the intersection of customer feedback and engineering execution, giving him a direct view of which email authentication problems customers hit most often in production.","image":"https://media.mailhop.org/dmarcreport/images/team/vasile-diaconu.jpg","knowsAbout":["SaaS Operations","Technical Support Coordination","Customer Issue Resolution","Engineering Program Management","Deployment Operations"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/vasile-diaconu/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/preventing-phishing-2024-insights-from-cscs-2023-report/"},"articleSection":"foundational","keywords":"DMARC, email security","wordCount":1323,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-report-4236.jpg","caption":"A Guide to Preventing Phishing in 2024: Insights from CSC's 2023 Report","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"A Guide to Preventing Phishing in 2024: Insights from CSC's 2023 Report","item":"https://dmarcreport.com/blog/preventing-phishing-2024-insights-from-cscs-2023-report/"}]} ```