TL;DR:
Red Sift's analysis of the top 50 US insurance brokers reveals that 26 firms (52%) have no effective DMARC protection, leaving them vulnerable to email spoofing and phishing attacks. Only 24 brokers (48%) have reached enforcement level - the standard required to actually block fraudulent emails. With $2.9 billion lost to BEC scams in 2023, insurance brokers handling sensitive client data and financial transactions need to prioritize email authentication. For the 17 firms stuck at quarantine, the move to enforcement typically takes just 6-8 weeks.
New analysis reveals that more than half of the top 50 insurance brokers in the United States have failed to implement basic email authentication protections, leaving their clients and partners exposed to phishing attacks and business email compromise (BEC).
According to Red Sift's latest DMARC compliance analysis, 26 of the 50 largest US insurance brokers (52%) have no DMARC protection in place whatsoever. Meanwhile, only 24 firms (48%) have reached enforcement - the level required to actually block fraudulent emails from reaching inboxes.
The current state: a 52% vulnerability gap
The data reveals three distinct groups across the top 50 insurance brokers:
- 26 firms (52%) completely unprotected: No DMARC policy (16 firms) or monitoring-only policies (10 firms) that take no action against spoofed emails
- 17 firms (34%) at quarantine: Policies implemented but not progressing to full enforcement
- 24 firms (48%) at enforcement: Active rejection of unauthorized emails
Why insurance brokers are prime targets
Insurance brokers handle confidential client data, facilitate substantial financial transactions, and maintain high-frequency communication about policies, claims, and renewals. Without DMARC at enforcement, attackers can send emails that appear to come from legitimate broker domains - emails that bypass standard security filters and land in client inboxes looking completely authentic.
The result: policy fraud, claims interception, credential theft, and supply chain attacks that exploit the trusted relationship between brokers and their clients.
If you're not sure of your DMARC status, check for free now with Red Sift Investigate.
The path forward: four steps to protection
1. Audit your email infrastructure
Identify every system sending email on your behalf: email platforms, CRMs, marketing automation, third-party services.
2. Implement DMARC monitoring
Start with a 'none' policy to gather intelligence without impacting delivery. Use reports to identify legitimate sources and unauthorized attempts.
3. Progress through quarantine
Test your configuration under real conditions while maintaining business continuity.
4. Reach enforcement
Move to 'reject' policies that actively block spoofed emails. Most organizations complete this journey in 6-8 weeks with proper support.
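The three groups in the breakdown above and the none, quarantine, reject progression in these four steps can be checked mechanically from a domain's published record. The Python below is an added example, not Red Sift's or OnDMARC's code: it parses a constructed _dmarc TXT record into the report's buckets and also flags two tags the steps do not mention, pct and sp, which quietly weaken a reject policy; no DNS is queried and the sample domains are made up.

```python
from collections import Counter
# Added example (not Red Sift's code); constructed samples replace a real DNS lookup.
# None stands for "no TXT record at _dmarc.<domain>".
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "quarantine.example": "v=DMARC1; p=quarantine; rua=mailto:r@quarantine.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:r@enforced.example",
    "partial.example": "v=DMARC1; p=reject; pct=10",    # reject applied to only 10% of mail
    "weak-sub.example": "v=DMARC1; p=reject; sp=none",  # subdomains left unprotected
    "broken.example": "p=reject",                       # no v= tag: receivers ignore it
}

def parse_dmarc(record):
    """Return the record's tags as a dict, or None when it is not a usable DMARC
    record (RFC 7489: the first tag must be v=DMARC1 and p= is required)."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    tags = {}
    for part in parts:
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1" or "p" not in tags:
        return None
    return tags

def classify(record):
    """Map one TXT record (or None) to the report's buckets. 'effective' follows the
    report's grouping (quarantine or reject count, none does not) but is withdrawn
    when pct<100 or sp=none quietly weakens the published policy."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return {"bucket": "no DMARC", "effective": False, "notes": ["no valid record"]}
    policy = tags["p"].lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    sub = tags.get("sp", policy).lower()  # subdomain policy defaults to p=
    notes = []
    if pct < 100:
        notes.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if sub == "none" and policy != "none":
        notes.append("sp=none: subdomains are not protected")
    # an unrecognised p= value gives receivers no usable policy, so it lands in "no DMARC"
    bucket = {"none": "monitoring-only", "quarantine": "quarantine", "reject": "enforcement"}.get(policy, "no DMARC")
    effective = policy in ("quarantine", "reject") and pct == 100 and sub != "none"
    return {"bucket": bucket, "effective": effective, "notes": notes}

def survey(records):
    """Tally domains per bucket, as the report does for its top-50 list."""
    return dict(Counter(classify(r)["bucket"] for r in records.values()))
```

Replace SAMPLE_RECORDS with the TXT answers from a resolver to run the same tally over your own domains.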
For firms already at quarantine
If you're among the 17 brokers at quarantine, you've completed the heavy lifting. The final push to enforcement typically takes weeks, not months. Resolve remaining deliverability issues and make the transition before an incident forces your hand.
The business case is clear
DMARC isn't just security infrastructure - it's a competitive differentiator. As enterprise clients and regulators increasingly expect email authentication, brokers without enforcement risk losing business to competitors who can demonstrate stronger security postures. The 24 firms at enforcement have already proven it's achievable.
What happens without action
The FBI's Internet Crime Complaint Center reported $2.9 billion in BEC losses in 2023 alone. For insurance brokers, a single successful impersonation attack can destroy decades of client relationships and erode trust across an entire portfolio.
The question isn't whether to implement DMARC - it's how much damage your firm will sustain before you do.
Red Sift provides DMARC implementation and management solutions designed for financial services firms. Our Red Sift OnDMARC application typically achieves enforcement in 6-8 weeks, with ongoing monitoring and Dynamic SPF technology to prevent configuration drift.