What is social engineering and how can you prevent it?

Executive summary: Email phishing has evolved and criminals now use social engineering to impersonate executives, suppliers, and even government agencies, persuading recipients to approve payments or disclose credentials. Because human judgment sits at the heart of these attacks, technical controls that eliminate spoofed messages before they reach the inbox are essential. DMARC provides that control by validating sender identity at Internet scale. 

Key Takeaways

  • The human element is present in roughly 60% of confirmed data breaches, with phishing and Business Email Compromise (BEC) leading the pack.
  • A DMARC policy set to p=reject prevents exact-domain spoofing, improves email deliverability, and reduces incident-response noise.
  • Red Sift OnDMARC guides organizations from no policy to full enforcement in a matter of weeks, earning the top G2 DMARC rating in Europe for 2025.

Social engineering: Precision over volume

Phishing no longer relies on clumsy misspellings or obvious malware attachments. Attackers study finance calendars, harvest executive signatures, and use large-language models to draft messages that read like internal memos. When the email header claims to come from payments@your-domain.com, most users will trust it. 

Verizon’s 2025 Data Breach Investigations Report confirms that social engineering, not software flaws, fuels the majority of breaches, underscoring the need to remove impostor mail at the boundary rather than hope every employee spots the ruse.

Choose authentication by implementing DMARC

Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) validate pieces of an email, yet neither alone tells a receiving server what to do with a failure. Domain-based Message Authentication, Reporting, and Conformance (DMARC) ties those checks to your public DNS. When alignment fails, the server follows your published rule—none, quarantine, or reject. Progressing to a policy of p=reject stops exact-domain spoofs outright, stripping credibility from phishing campaigns and forcing criminals to use look-alike domains that savvy filters detect more easily.

Adoption is climbing fast. Red Sift research found DMARC adoption has increased by 67% since January 2024, though the majority of domains still have no policy, leaving a wide attack surface. Security-minded organizations that move early gain both protection and competitive trust.

Overcome the hurdles with Red Sift OnDMARC

Implementing DMARC can stall when teams encounter SPF lookup limits, knowing which SaaS vendor to choose, or common fears of blocking legitimate mail. Red Sift OnDMARC addresses each challenge head on:

  • Automated SPF flattening reduces DNS lookups to stay within the 10-query limit.
  • Real-time dashboards visualize every source using your domain and show pass-fail status. Giving you and your organization full visibility.
  • Fast and optimized threat management, backed by the industries first LLM-powered triage capability Red Sift Radar.
  • Our dedicated and award-winning customer success team ensures you are guided through implementation step-by-step, meaning you don’t have to lose sleep over email blocking.

Most customers complete the journey inside two fiscal quarters, freeing security teams for projects that add new value instead of chasing spoofed mail. 

Why should I care? What’s the business impact?

Blocking domain spoofing directly lowers the likelihood of wire-fraud losses, credential compromise, and related legal exposure. Marketing teams benefit as well: authenticated mail enjoys higher inbox placement, boosting open rates and click-through. 

Additionally, DMARC enforcement aligns with PCI DSS guidance, the latest SEC incident-disclosure rules, and emerging NIST recommendations, helping organizations prove due-diligence in audits. Many Red Sift clients recover implementation costs within twelve months through reduced incident hours and preserved customer trust. A true ROI for your cybersecurity strategy.Remember, social engineering attacks will keep adapting, but domain spoofing is a solvable problem today.

Check your domain settings with Red Sift Investigate to see how your DMARC policy stacks up to get started.

PUBLISHED BY

Jack Lilley

1 Aug. 2025

SHARE ARTICLE:

Recent Posts

VIEW ALL
Email

What is social engineering and how can you prevent it?

Jack Lilley

Executive summary: Email phishing has evolved and criminals now use social engineering to impersonate executives, suppliers, and even government agencies, persuading recipients to approve payments or disclose credentials. Because human judgment sits at the heart of these attacks, technical controls that eliminate spoofed messages before they reach the inbox are essential. DMARC provides that…

Read more
Cybersecurity

Attackers are abusing Microsoft 365: Here’s how to stay protected

Jack Lilley

Executive summary: Varonis has surfaced an active phishing campaign that spoofs internal users by abusing Microsoft 365’s Direct Send feature. Because Direct Send doesn’t require authentication and is treated as “internal,” these messages often bypass the checks you rely on for outside mail. Microsoft now offers an opt-in switch, RejectDirectSend, to block the pathway,…

Read more
BEC

SVGs with JavaScript are bypassing traditional email security: Learn how to stay…

Jack Lilley

Executive summary: Hackers are hiding JavaScript inside SVG attachments that pass as harmless images, and slipping past Secure Email Gateways (SEGs). To stay secure, organizations need to enforce a DMARC policy of p=reject, easily implemented with Red Sift OnDMARC, to stop compromised SVGs before they reach the end user. Key takeaways: Scalable Vector Graphics…

Read more
DMARC

More than 50% of US banks remain vulnerable to phishing attacks

Stuart Rogers

Executive summary: Over half of major U.S. banks remain exposed to phishing attacks because of weak or absent DMARC enforcement, despite rising cybercrime losses and increasingly sophisticated email threats. Operational challenges, regulatory gaps, and underestimation of risk hinder stronger protections, putting customer trust and financial stability in jeopardy. Key takeaways Email remains the primary…

Read more