Phishing containment and DMARC hardening for an industrial SME
Sector
Manufacturing · SME · 80-150 employees · operations in two countries · mid-three-figure annual revenue.
Initial situation
After a CEO fraud attempt was stopped by an alert response from the administrative staff, management wanted to understand what had failed in the technical controls and how much real exposure the organisation carried. The corporate domain lacked strong email authentication policies, and employees had never received specific social engineering training.
Approach
We started with a full technical review of the domain: SPF, DKIM and DMARC configuration, external reputation lists, presence of typosquatting variants and legacy MX records. We rolled out DMARC progressively, starting in monitoring mode, moving to quarantine for two weeks and closing with a reject policy. In parallel, we designed a three-wave phishing simulation and a short training module written in the actual language used by the organisation.
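As an added example of the record review and staged rollout described above (this is illustrative code, not the consultancy's own tooling), the following Python classifies a domain's SPF and DMARC TXT records into a rollout stage (monitoring, quarantine, reject) and flags the gaps a reviewer checks before tightening: no aggregate reporting address, partial `pct=` enforcement, an unprotected `sp=` subdomain policy, relaxed alignment, a permissive SPF `all` qualifier and the 10-DNS-lookup SPF limit. All domains and records are constructed samples so the script runs offline; in a real review the strings come from DNS TXT lookups at the domain itself (SPF) and at `_dmarc.<domain>` (DMARC).

```python
"""Classify SPF/DMARC records by hardening stage and list weaknesses (added example)."""
from __future__ import annotations

# Constructed sample record pairs (SPF, DMARC), one per rollout stage plus two weak variants.
SAMPLE_RECORDS = {
    "monitor": ("v=spf1 include:_spf.mailprovider.test ~all",
                "v=DMARC1; p=none; rua=mailto:dmarc-rua@example-sme.test"),
    "quarantine": ("v=spf1 include:_spf.mailprovider.test -all",
                   "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-rua@example-sme.test; adkim=s; aspf=s"),
    "reject": ("v=spf1 include:_spf.mailprovider.test -all",
               "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example-sme.test; adkim=s; aspf=s"),
    "reject-subdomain-gap": ("v=spf1 include:_spf.mailprovider.test -all",
                             "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc-rua@example-sme.test"),
    "no-dmarc": ("v=spf1 +all", ""),
}

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 caps these at 10).
_SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict[str, str]:
    """Split DMARC 'tag=value; tag=value' syntax into a dict with lowercase keys."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _is_lookup_term(term: str) -> bool:
    """True if an SPF term triggers a DNS lookup (qualifier and argument stripped)."""
    name = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
    return name in _SPF_LOOKUP_TERMS


def spf_lookup_count(record: str) -> int:
    """Number of lookup-costing terms in an SPF record (top level only, no recursion)."""
    return sum(1 for term in record.split()[1:] if _is_lookup_term(term))


def assess_spf(record: str) -> list[str]:
    """Return human-readable findings for an SPF record."""
    if not record:
        return ["no SPF record"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF record does not start with v=spf1"]
    findings: list[str] = []
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"SPF ends in '{last}': any sender passes")
    elif last == "~all":
        findings.append("SPF ends in ~all (softfail); acceptable under DMARC, -all is stricter")
    lookups = spf_lookup_count(record)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms at top level: over the 10-lookup limit, SPF will permerror")
    return findings


def assess_dmarc(record: str) -> tuple[str, list[str]]:
    """Return (rollout stage, findings) for a DMARC record."""
    if not record:
        return "none", ["no DMARC record: domain can be spoofed and nobody is told"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["DMARC record must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"unknown or missing p= tag: {policy!r}"]
    stage = "monitoring" if policy == "none" else policy
    findings: list[str] = []
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to identify legitimate senders before tightening")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append(f"pct={tags['pct']!r} is not a number")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail receives the {policy} policy")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains stay unprotected while the organisational domain enforces")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag} is relaxed: any subdomain of the aligned identifier passes alignment")
    return stage, findings


def assess(spf: str, dmarc: str) -> dict:
    """Combined stage + findings for one domain's record pair."""
    stage, dmarc_findings = assess_dmarc(dmarc)
    return {"stage": stage, "findings": assess_spf(spf) + dmarc_findings}


def next_step(stage: str) -> str:
    """The action that follows each stage in a progressive rollout."""
    return {
        "none": "publish p=none with a rua= address and collect reports",
        "monitoring": "move to p=quarantine once reports show only legitimate senders",
        "quarantine": "move to p=reject after a clean quarantine period",
        "reject": "rollout complete; keep reading aggregate reports",
    }.get(stage, "fix the record before changing policy")


if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLE_RECORDS.items():
        result = assess(spf, dmarc)
        print(f"{name}: stage={result['stage']} -> {next_step(result['stage'])}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run it and the "reject" sample reports no findings, while "reject-subdomain-gap" shows why a `p=reject` record can still leave exposure: `pct=50` enforces on half the failing mail and `sp=none` leaves every subdomain open for impersonation. The lookup counter is deliberately top-level only; a real review follows each `include:` recursively, since nested includes count towards the same limit.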
Result
The click rate in the simulations dropped from an initial 31% to 4% by the third wave. Six months after project closure, the organisation had recorded no successful phishing incidents and no completed fraud attempts.
Lesson
A well-deployed DMARC policy removes most of the external impersonation; training removes most of what remains.
Time and effort
8-12 weeks · 40-60 consulting hours · technical report + three simulation waves + two training sessions.
Tags
Phishing · DMARC · Employee training · Social engineering · Email security · SME