Years after they were first used to catch out unwary users, simple phishing scams sent via email are both common and effective. On the face of it this is surprising. Businesses installed email-filtering gateways a decade ago, some even investing in message-authentication technologies such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC).
While this has made some difference in filtering out spam and unwanted messages, phishing email has evolved to counter these techniques. The plain truth is that users have to open email, some of it will have been targeted well enough to allay suspicion, and getting around the defenses that have been thrown up is still more than possible.