A Q&A with Vincent D’Angelo, Senior Director with CSC Digital Brand Services
We recently sat down with Vincent D’Angelo, Senior Director at CSC Digital Brand Services, to understand why phishing has evolved into an infrastructure problem—not simply an email issue.
Vincent explains how attacker-controlled or compromised domains, DNS weaknesses, and brand impersonation now sit at the center of cyber attacks and outlines the steps organizations and insurers can take to strengthen their cyber defenses.
Why Is Phishing More Than Just an Email Problem?
Phishing has long been recognized as the entry point for many cyber incidents, yet the cybersecurity and cyber insurance industries frame it primarily as an “email” issue. In reality, phishing is fundamentally an infrastructure problem—specifically, a DNS, domain, and brand impersonation problem. Email security remains essential, but it does not address the root cause of most attacks. When you analyze how phishing campaigns operate, it becomes clear that the majority rely on attacker-controlled or compromised domains. This makes the DNS layer a critical foundation for successful cyberattacks. Industry data varies on how frequently incidents begin with phishing:
- ENISA reports phishing as the initial intrusion method in 60% of cases
- CISA reports that more than 90% of successful cyberattacks start with a phishing email
The ranges differ, but the conclusion is consistent: phishing continues to drive a significant portion of cyber events, including ransomware, wire transfer fraud, credential compromise, data breaches, business email compromise, and many others. In fact, the Verizon Data Breach Investigations Report shares that phishing is the top action in social engineering related incidents at 57%.
How Should Insurers and Organizations Think About Domain Security and Brand Impersonation?
The critical question is not merely how often phishing occurs, but how often it relies on domains, DNS infrastructure, and brand impersonation to deceive victims. Attackers use these malicious hyperlinks and spoofed digital identities to:
- Redirect users to fake login portals
- Trigger malware downloads
- Bypass email security filters
- Impersonate trusted brands, vendors, and government entities
The KnowBe4 2025 Phishing Threat Trends Report found that 55% of phishing emails contained a malicious hyperlink. In addition, SANS reported that 69% of phishing emails attempt to take you to a website to gather information.
Notably, there are other social engineering vectors, such as smishing, malicious attachments that may eventually funnel users to external links, or voice-based phishing (vishing) attack paths that bypass email entirely. The CrowdStrike 2025 Global Threat Report highlights a 442% surge in vishing attacks from the first to the second half of 2024, underscoring how social engineering continues to diversify even as domain-centric methods remain foundational. The Interisle 2025 Phishing Landscape Report further illustrates the role of domain infrastructure in phishing attacks, showing that:
- 77% of phishing domains are intentionally registered by criminals
- 23% originate from compromised legitimate domains
This reflects a deliberately constructed malicious web infrastructure. Brand impersonation is central to this ecosystem. Lookalike domains, sometimes altered by a single character or weak DNS governance, allow attackers to hijack brands and user trust. Ultimately, it’s rarely the email alone that convinces the victim. It’s also the path and the destination: the realistic domain, the credible DNS footprint, the authoritative-looking brand façade. Without these, most phishing attacks wouldn’t be as impactful.
How Significant Are Cyber Insurance Losses from Domain-Enabled Phishing?
According to the NetDiligence Cyber Claims Study, insured cyber losses totaled $4.764 billion between 2020 and 2024 across 10,402 claims. If we assume:
- 60% of cyber claims originate with phishing (using the ENISA stat above), and
- 55% of phishing attacks involve malicious hyperlinks (using the KnowBe4 stat above)
Then the estimated losses linked to DNS, domain-enabled, and brand-impersonation attacks can be calculated as: $4.764B × 60% × 55% ≈ $1.57B. This estimate highlights that approximately 33% of insured losses over that period can be tied to domain-driven attack vectors. The scale of these losses has direct implications for underwriting strategy, risk modeling, and overall portfolio performance.
These findings also align closely with a recent LinkedIn poll I conducted, which asked: “What percentage of cyber insurance losses do you believe start with domain and DNS-based attacks?” Among 48 respondents—primarily cyber risk and cyber insurance professionals—the results were:

An overwhelming majority of respondents believe that most cyber losses stem from domain or DNS-based attack vectors. In other words, expert perception mirrors the anecdotal evidence shared above.
What Do You Think? — What Percentage of Cyber Losses Are Related to Domain-Security Risks?
FBI IC3 data reflects the same trend. In 2024, the IC3 reported $16 billion in cybercrime losses across more than 800,000 incidents. Applying the same proportional logic, $5.28 billion annually can be tied to domain-driven, DNS-enabled, and brand-impersonation attacks. The conservative estimates above represent only a portion of the financial damage to corporations and consumer user experience, as many incidents, especially ransomware attacks, go unreported.
However, this is more than a cybersecurity problem. As with phishing, fake domains, copycat websites, and brand impersonation schemes provide the core infrastructure that also fuels fraudulent advertising, revenue diversion, and counterfeit-goods sales. The OECD estimates the worldwide trade in counterfeit goods at approximately $467 billion, underscoring the scale of harm enabled by domain-based abuse and brand impersonation.
How Does AI Change Things?
AI is making phishing attacks more convincing, more personalized, and easier to scale. A Harvard Kennedy School 2024 study found that LLM-generated phishing emails generated a 54% click-through rate, compared with 12% for human-written messages, making them nearly five times more effective.
With global cybercrime losses projected to surpass $12.2 trillion annually by 2031 (Cybersecurity Ventures), the DNS layer is not simply part of the problem; it is a root cause and one of the most significant points for intervention. As organizations increasingly rely on AI vendors and share sensitive data with them, these providers must be held to strong security and compliance standards. The attack surface, especially the supply chain, is expanding, and AI-enabled attacks only amplify these risks.
While today’s defenses are largely built to protect human users from scams, the near future will see AI agents and machine-to-machine systems becoming equally vulnerable to brand abuse, domain manipulation, and DNS exploitation. As I explore in The Invisible AI Root, securing domain names and the DNS layer is becoming a foundational requirement for the next era of cybersecurity.
How Can Underwriting Controls Help Close the DNS and Domain Security Gap?
Historically, underwriting has focused on security controls such as multifactor authentication (MFA), endpoint detection and response (EDR), network segmentation, backup resilience, patching, phishing-awareness training, and email security appliances. To counter escalating phishing losses, insurers also encouraged adoption of DMARC, DKIM, and SPF, which significantly improved the industry’s ability to mitigate email spoofing, authenticate email, and filter fraudulent messages. This success demonstrated that domain-layer controls can meaningfully reduce loss frequency.
However, as email spoofing became more difficult, adversaries increasingly turned to brand impersonation, lookalike domains, domain spoofing, and hijacked DNS infrastructure—areas traditional cyber insurance underwriting does not typically address. As a result, phishing has shifted into the broader domain ecosystem, where weaknesses remain widespread.
Recent CSC domain security research underscores this growing exposure:
- 1 in 5 DNS records is vulnerable to subdomain hijacking (dangling DNS)
- 80% of domains resembling Global 2000 brands are owned by third parties, and 42% are configured to send email
- 68% of Global 2000 companies still lack foundational domain security measures such as DNSSEC, DMARC, and domain registry locks
- 107 Global 2000 companies scored zero on domain security assessments, revealing widespread gaps in protecting digital assets
Because billions in insured losses flow through attacker-controlled or compromised domains, domain security controls must be treated as loss-mitigating preventive controls, not optional ones. Modern underwriting can incorporate highly predictive, externally verifiable indicators, including:
- DNS hygiene (misconfigurations, exposed or stale records)
- Brand impersonation exposure (volume and weaponization of lookalike domain registrations)
- Domain security posture (registry locks, DNSSEC, CAA, DMARC enforcement)
- Domain portfolio governance (enterprise-class domain registrar management vs. consumer-grade registrar domain management)
These controls align with cyber risk mitigation, require no intrusive questionnaires, and allow insurers to assess and reduce phishing-driven losses at their root: the domain and DNS layer.
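As an added illustration (not part of the interview and not CSC's tooling), the sketch below scores a domain on three of the externally verifiable indicators listed above: DMARC enforcement, CAA presence, and dangling CNAME records. The record set, the `.test` names, and the `RESOLVES` stand-in for live DNS lookups are all constructed assumptions.

```python
# Constructed sample zone data (owner, type, value); not real DNS answers.
RECORDS = [
    ("_dmarc.example.test", "TXT", "v=DMARC1; p=none; rua=mailto:dmarc@example.test"),
    ("example.test", "TXT", "v=spf1 -all"),
    ("shop.example.test", "CNAME", "old-store.hosting.test"),
    ("www.example.test", "CNAME", "example.test"),
    ("_dmarc.secure.test", "TXT", "v=DMARC1; p=reject"),
    ("secure.test", "CAA", '0 issue "ca.test"'),
    ("www.secure.test", "CNAME", "secure.test"),
]
# Constructed stand-in for "this name still resolves"; a live check would query DNS.
RESOLVES = {"example.test", "secure.test"}


def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC record, or None if txt is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(domain, records):
    """Policy published at _dmarc.<domain>, or None when no DMARC record exists."""
    for owner, rtype, value in records:
        if owner == f"_dmarc.{domain}" and rtype == "TXT":
            tags = parse_dmarc(value)
            if tags is not None:
                return tags.get("p", "").lower()
    return None


def assess(domain, records=RECORDS, resolves=RESOLVES):
    """Report the externally visible controls for one domain."""
    policy = dmarc_policy(domain, records)
    dangling = [owner for owner, rtype, target in records
                if rtype == "CNAME"
                and (owner == domain or owner.endswith("." + domain))
                and target.rstrip(".").lower() not in resolves]
    return {
        # Enforcement here means p=quarantine or p=reject; p=none only monitors.
        "dmarc_enforced": policy in ("quarantine", "reject"),
        "caa_present": any(o == domain and t == "CAA" for o, t, _ in records),
        # A CNAME whose target no longer resolves is a dangling-DNS candidate.
        "dangling_cnames": sorted(dangling),
    }
```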
What Are Some High-Value Next Steps and Underwriter Controls for Improving Domain Security?
Source: CSC: Domain Security Checklist
1. Adopt a defense-in-depth approach for domain management and security:
Build a layered domain security posture, starting with an enterprise-class domain registrar
- Eliminate third-party risk by assessing your domain registrars’ security, technology, and processes, and by being Internet Corporation for Assigned Names and Numbers (ICANN) and registry-accredited
- Secure vital domain names, domain name system (DNS), and digital certificates with advanced security protocols, including:
  - Implementing two-factor authentication
  - Regulating permissions—both normal and elevated—and watching for any changes, as well as adding an authorized contact policy with 24x7x365 support
  - Monitoring DNS activity and deploying distributed denial-of-service (DDoS) protection
  - Using security measures like domain registry locks, DNS security extensions (DNSSEC), domain-based message authentication reporting and conformance (DMARC), certificate authority authorization (CAA) records, and redundancy on DNS hosting
- Manage legacy DNS records to protect against subdomain hijacking attacks
2. Continuously monitor and protect the domain space and key digital channels (marketplaces, apps, social media, and email) for brand abuse, infringements, phishing, and fraud:
- Identify domain and DNS spoofing tactics, such as homoglyphs (fuzzy matches and international domain names), cousin domains, keyword match, and homophones
- Register domains that could be high-value targets related to your brands (i.e., homoglyphs, or country domains) to mitigate the risk of bad actors using them
- Identify trademark and copyright abuse on web content, online marketplaces, social media, and apps (including emerging AI ecosystems)
3. Use global enforcement, including takedowns and internet blocking:
- Use phishing monitoring and a fraud-blocking network of browsers, partners, internet service providers (ISPs), and security vendors (SIEM, SOAR, EDR, firewalls, email) to block malicious activity
- Use a range of technical and legal approaches for enforcement, selecting the most appropriate approach per case
- Use a combination of actions to enforce the penalty against IP infringements and fraud, including:
  - Primary enforcement: Marketplace delistings, social media page suspensions, mobile app delistings, cease and desist letters, fraudulent content removal, and complete threat vector mitigation
  - Secondary enforcement: Registrar-level domain suspensions, invalid WHOIS domain suspensions, and fraud alerting
  - Tertiary enforcement: Uniform Domain Name Dispute-Resolution Policy (UDRP) and Uniform Rapid Suspension (URS) procedures, domain acquisitions, in-depth investigations, and test purchasing
Mark Greisiger, President of NetDiligence®, on How an Actionable Incident Response Plan Minimizes Loss in DNS-Driven Attacks
“When these domain-enabled cyberattacks succeed, rapid response becomes critical to limiting damage. The speed and clarity of your initial response directly impacts total losses, making an accessible incident response plan essential. That’s why we built Breach Plan Connect®: a mobile-accessible platform that lets you build your first incident response plan or migrate an existing plan into our system. By streamlining coordination and guiding those critical first hours, organizations can reduce operational chaos and minimize both financial and regulatory consequences of domain-enabled attacks.”
4. Confirm vendor business practices aren’t contributing to fraud and brand abuse
The following are often common issues with consumer-grade domain registrars:
- Operating domain marketplaces that drop catch, auction, and sell domain names containing trademarks to the highest bidder
- Domain name spinning and advocating the registration of domain names containing trademarks
- Monetizing domain names containing trademarks with pay-per-click sites
- Frequently occurring breaches resulting in DNS attacks, phishing, and business email compromise
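For the monitoring described in step 2 of the checklist above, the following added sketch (not from the interview or from CSC) triages observed domain registrations against a brand label, covering homoglyph, single-character, and keyword matches only. The brand `examplebank`, the `.test` names, the small confusables table, and the category names are assumptions of this example.

```python
import unicodedata

# Small constructed confusables table; a production monitor would use the full
# Unicode confusables data. Multi-character entries are applied first.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"}
OWNED = {"examplebank.test"}  # hypothetical portfolio of legitimately held names


def skeleton(label):
    """Fold a label to the ASCII shape a reader would perceive."""
    label = unicodedata.normalize("NFKC", label).lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        label = label.replace(src, CONFUSABLES[src])
    return label


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand, owned=OWNED):
    """Label an observed registration relative to brand, or None if unrelated."""
    domain = domain.lower()
    if domain in owned:
        return None
    label = domain.split(".")[0]  # assumes input is a registrable domain
    if label == brand:
        return "tld-variant"       # same label under another TLD
    folded = skeleton(label)
    if folded == brand:
        return "homoglyph"         # visually identical after folding
    if edit_distance(label, brand) == 1:
        return "fuzzy"             # altered by a single character
    if brand in folded:
        return "keyword"           # brand embedded in a longer label
    return None
```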
Want to Learn More?
To learn more about how CSC helps organizations strengthen domain, DNS, and digital brand defenses, visit their website for detailed resources and service offerings.
Cyber insurance professionals can also explore CSC’s vendor listing inside the eRiskHub® portal—a comprehensive cyber risk management platform powered by NetDiligence and leveraged by insurers, brokers, and policyholders worldwide to prevent and respond to cyber incidents.
If you’re an insurer or broker, make sure your team is registered to access the eRiskHub and discover CSC and other pre-vetted vendors under your portal’s “preferred providers.”
