We audited all 50 state chambers of commerce — the primary business advocacy organization in each state — to measure email authentication, transport security, and domain hygiene. Chambers send trusted bulk mail to thousands of member businesses; these scores show how well each organization protects its members from domain spoofing and business email compromise.
Using data from audit.emailmenow.com, we evaluated each state chamber’s primary domain across email, website, and network security — including SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.
Cybersecurity Scores of All 50 State Chambers
Overall compliance scores from audit.emailmenow.com, measured June 5, 2026. Re-run any domain at the link to verify.
| Rank | State Chamber | Domain | Overall Score | Website Score | Performance Level |
|---|---|---|---|---|---|
| 1 | Colorado Association of Commerce & Industry | cochamber.com | 70% | 45% | Good |
| 1 | Kentucky Chamber of Commerce | kychamber.com | 70% | 45% | Good |
| 1 | Pennsylvania Chamber of Business & Industry | pachamber.org | 70% | 45% | Good |
| 4 | Michigan Chamber of Commerce | michamber.com | 68% | 45% | Above Average |
| 5 | Alaska Chamber | alaskachamber.com | 66% | 45% | Above Average |
| 6 | Arizona Chamber of Commerce & Industry | azchamber.com | 64% | 45% | Above Average |
| 6 | Chamber of Commerce Hawaii | cochawaii.org | 64% | 45% | Above Average |
| 6 | Illinois Chamber of Commerce | ilchamber.org | 64% | 45% | Above Average |
| 6 | Maryland Chamber of Commerce | mdchamber.org | 64% | 45% | Above Average |
| 6 | New Jersey Chamber of Commerce | njchamber.com | 64% | 45% | Above Average |
| 6 | Ohio Chamber of Commerce | ohiochamber.com | 64% | 45% | Above Average |
| 6 | Tennessee Chamber of Commerce & Industry | tnchamber.org | 64% | 45% | Above Average |
| 6 | Association of Washington Business | awb.org | 64% | 45% | Above Average |
| 14 | Wisconsin Manufacturers & Commerce | wmc.org | 62% | 45% | Above Average |
| 15 | Kansas Chamber of Commerce | kansaschamber.org | 61% | 70% | Above Average |
| 16 | Florida Chamber of Commerce | flchamber.com | 60% | 45% | Above Average |
| 17 | Mississippi Economic Council | msec.org | 58% | 45% | Average |
| 18 | Indiana Chamber of Commerce | indianachamber.com | 54% | 45% | Average |
| 18 | Louisiana Association of Business and Industry | labi.org | 54% | 45% | Average |
| 18 | Missouri Chamber of Commerce and Industry | mochamber.com | 54% | 45% | Average |
| 18 | Las Vegas Metro Chamber of Commerce | lvchamber.com | 54% | 45% | Average |
| 18 | North Carolina Chamber of Commerce | ncchamber.com | 54% | 45% | Average |
| 18 | State Chamber of Oklahoma | okstatechamber.com | 54% | 45% | Average |
| 18 | South Dakota Chamber of Commerce & Industry | sdchamber.org | 54% | 45% | Average |
| 18 | West Virginia Chamber of Commerce | wvchamber.com | 54% | 45% | Average |
| 26 | California Chamber of Commerce | calchamber.com | 50% | 45% | Average |
| 26 | Connecticut Business & Industry Association | cbia.com | 50% | 45% | Average |
| 28 | Iowa Association of Business & Industry | iowachamber.com | 48% | 45% | Below Average |
| 28 | Maine State Chamber of Commerce | mainechamber.org | 48% | 45% | Below Average |
| 28 | Nebraska Chamber of Commerce & Industry | nebraskachamber.com | 48% | 45% | Below Average |
| 28 | North Dakota Chamber of Commerce | ndchamber.com | 48% | 45% | Below Average |
| 28 | South Carolina Chamber of Commerce | scchamber.com | 48% | 45% | Below Average |
| 33 | Arkansas State Chamber of Commerce | arkansasstatechamber.com | 44% | 45% | Below Average |
| 33 | Montana Chamber of Commerce | montanachamber.com | 44% | 45% | Below Average |
| 33 | The Business Council of New York State | bcnys.org | 44% | 45% | Below Average |
| 36 | Associated Industries of Massachusetts | aimnet.org | 40% | 45% | Below Average |
| 37 | Business Council of Alabama | bcao.org | 38% | 45% | Weak |
| 37 | Business and Industry Association of New Hampshire | nhbia.org | 38% | 45% | Weak |
| 37 | Salt Lake Chamber | slchamber.com | 38% | 45% | Weak |
| 37 | Virginia Chamber of Commerce | vachamber.com | 38% | 45% | Weak |
| 37 | Wyoming Business Alliance | wyomingbusinessalliance.com | 38% | 45% | Weak |
| 42 | Minnesota Chamber of Commerce | mnchamber.com | 36% | 45% | Weak |
| 43 | Delaware State Chamber of Commerce | dschamber.com | 34% | 45% | Weak |
| 43 | Georgia Chamber of Commerce | gachamber.com | 34% | 45% | Weak |
| 43 | Greater Providence Chamber of Commerce | provchamber.com | 34% | 45% | Weak |
| 46 | Idaho Association of Commerce & Industry | idahochamber.org | 30% | 45% | Weak |
| 46 | Association of Commerce and Industry of New Mexico | newmexico.biz | 30% | 45% | Weak |
| 46 | Oregon Business & Industry | obior.org | 30% | 45% | Weak |
| 46 | Texas Association of Business | txbusiness.org | 30% | 45% | Weak |
| 46 | Vermont Chamber of Commerce | vtchamber.org | 30% | 45% | Weak |
Website Security Scores
Scores ranged from 70% to 45%; 0 of 50 reached the 100% ideal and 49 scored below 60%.
| Rank | State Chamber | Domain | Website Score | Rating |
|---|---|---|---|---|
| 1 | Kansas Chamber of Commerce | kansaschamber.org | 70% | Good |
| 2 | Colorado Association of Commerce & Industry | cochamber.com | 45% | Below Average |
| 2 | Kentucky Chamber of Commerce | kychamber.com | 45% | Below Average |
| 2 | Pennsylvania Chamber of Business & Industry | pachamber.org | 45% | Below Average |
| 2 | Michigan Chamber of Commerce | michamber.com | 45% | Below Average |
| 2 | Alaska Chamber | alaskachamber.com | 45% | Below Average |
| 2 | Arizona Chamber of Commerce & Industry | azchamber.com | 45% | Below Average |
| 2 | Chamber of Commerce Hawaii | cochawaii.org | 45% | Below Average |
| 2 | Illinois Chamber of Commerce | ilchamber.org | 45% | Below Average |
| 2 | Maryland Chamber of Commerce | mdchamber.org | 45% | Below Average |
| 2 | New Jersey Chamber of Commerce | njchamber.com | 45% | Below Average |
| 2 | Ohio Chamber of Commerce | ohiochamber.com | 45% | Below Average |
| 2 | Tennessee Chamber of Commerce & Industry | tnchamber.org | 45% | Below Average |
| 2 | Association of Washington Business | awb.org | 45% | Below Average |
| 2 | Wisconsin Manufacturers & Commerce | wmc.org | 45% | Below Average |
| 2 | Florida Chamber of Commerce | flchamber.com | 45% | Below Average |
| 2 | Mississippi Economic Council | msec.org | 45% | Below Average |
| 2 | Indiana Chamber of Commerce | indianachamber.com | 45% | Below Average |
| 2 | Louisiana Association of Business and Industry | labi.org | 45% | Below Average |
| 2 | Missouri Chamber of Commerce and Industry | mochamber.com | 45% | Below Average |
| 2 | Las Vegas Metro Chamber of Commerce | lvchamber.com | 45% | Below Average |
| 2 | North Carolina Chamber of Commerce | ncchamber.com | 45% | Below Average |
| 2 | State Chamber of Oklahoma | okstatechamber.com | 45% | Below Average |
| 2 | South Dakota Chamber of Commerce & Industry | sdchamber.org | 45% | Below Average |
| 2 | West Virginia Chamber of Commerce | wvchamber.com | 45% | Below Average |
| 2 | California Chamber of Commerce | calchamber.com | 45% | Below Average |
| 2 | Connecticut Business & Industry Association | cbia.com | 45% | Below Average |
| 2 | Iowa Association of Business & Industry | iowachamber.com | 45% | Below Average |
| 2 | Maine State Chamber of Commerce | mainechamber.org | 45% | Below Average |
| 2 | Nebraska Chamber of Commerce & Industry | nebraskachamber.com | 45% | Below Average |
| 2 | North Dakota Chamber of Commerce | ndchamber.com | 45% | Below Average |
| 2 | South Carolina Chamber of Commerce | scchamber.com | 45% | Below Average |
| 2 | Arkansas State Chamber of Commerce | arkansasstatechamber.com | 45% | Below Average |
| 2 | Montana Chamber of Commerce | montanachamber.com | 45% | Below Average |
| 2 | The Business Council of New York State | bcnys.org | 45% | Below Average |
| 2 | Associated Industries of Massachusetts | aimnet.org | 45% | Below Average |
| 2 | Business Council of Alabama | bcao.org | 45% | Below Average |
| 2 | Business and Industry Association of New Hampshire | nhbia.org | 45% | Below Average |
| 2 | Salt Lake Chamber | slchamber.com | 45% | Below Average |
| 2 | Virginia Chamber of Commerce | vachamber.com | 45% | Below Average |
| 2 | Wyoming Business Alliance | wyomingbusinessalliance.com | 45% | Below Average |
| 2 | Minnesota Chamber of Commerce | mnchamber.com | 45% | Below Average |
| 2 | Delaware State Chamber of Commerce | dschamber.com | 45% | Below Average |
| 2 | Georgia Chamber of Commerce | gachamber.com | 45% | Below Average |
| 2 | Greater Providence Chamber of Commerce | provchamber.com | 45% | Below Average |
| 2 | Idaho Association of Commerce & Industry | idahochamber.org | 45% | Below Average |
| 2 | Association of Commerce and Industry of New Mexico | newmexico.biz | 45% | Below Average |
| 2 | Oregon Business & Industry | obior.org | 45% | Below Average |
| 2 | Texas Association of Business | txbusiness.org | 45% | Below Average |
| 2 | Vermont Chamber of Commerce | vtchamber.org | 45% | Below Average |
What the Results Reveal
- Scores span 70% down to 30% — 3 of 50 state chambers reach a Good (70%+) posture.
- 34 of 50 scored below 60%, meaning member businesses in most states receive mail from chambers with significant email authentication gaps.
- Any chamber can offer members a free instant domain check at audit.emailmenow.com — a zero-cost cybersecurity benefit for the membership.
Attack exposure in this audit
Domains scoring near 45% combine weak identity enforcement, missing inbound transport protections, and sub-60% website hardening. Without naming specific organizations, entities in that tier are disproportionately exposed to:
- Business email compromise (BEC) — spoofed messages appearing to come from executives or accounts payable, used to redirect wires and ACH payments.
- Brand impersonation phishing — fake billing, HR, and vendor notices that pass visual inspection because DMARC and SPF are not fully enforced.
- Credential harvesting — login pages linked from forged
@company.commail aimed at employees, contractors, and customers. - Invoice and procurement fraud — altered payment instructions sent to finance teams and partners who trust the corporate domain.
- Account-recovery abuse — password-reset and MFA prompts triggered from impersonated sender addresses.
- Inbound mail downgrade attacks — absence of enforced MTA-STS allows opportunistic TLS stripping on messages destined for the organization.
- Clickjacking and session risks — missing HSTS, CSP, and frame protections on the public site increase browser-side attack surface for visitors and logged-in users.
- Supply-chain targeting — partners who whitelist the domain for deliverability become secondary victims when spoofed mail originates unchecked.
- Header gaps at scale — 49 of 50 domains scored below 60% on website security in this audit. Clickjacking and session risks are not confined to the bottom tier; many names share a 45% website score — the same floor shared by 48 other domains in this audit.
These are not theoretical edge cases. State breach portals and FBI IC3 reporting consistently tie weak email authentication and header gaps to measurable financial loss at large enterprises.
Real attacks, told as stories
The stories below are made up, but they are based on real crimes that police and cybersecurity teams see every year. No state chamber of commerce is named. Each story shows how weak domain settings can hurt real people — customers, partners, and staff in this sector.
Story 1: Maria and the payment that was not real

Maria works in accounts payable at Midwest Parts, a supplier that has sold to a big national brand for ten years.
On a Tuesday morning, she gets an email that looks normal:
From: accounts-payable@bigbrand.com
Subject: New bank info for March invoices
The logo looks right. The tone sounds like past emails. A PDF lists a new routing number.
Maria does not know that bigbrand.com has weak email security. A stranger sent the message from their own server and pretended to be the big brand. That is called brand impersonation.
She approves a $284,000 wire. The money goes to the attacker, not the real company.
The next day, the same fake sender emails two more partners Maria knows from trade shows. One ignores it. One also changes bank details. That is supply-chain targeting — hurting partners by faking the main organization’s name.
Attack vectors in this story: brand impersonation · invoice and procurement fraud · supply-chain targeting · business email compromise (BEC)
Simple fix: Strict DMARC (p=reject), SPF (-all), and a rule that every bank change needs a phone call to a known contact — not just email.
Story 2: Jordan clicks “reset password”

Jordan is a facilities manager at a large tech company. On Wednesday at 2 p.m., his phone buzzes:
From: it-security@bigbrand.com
Subject: Reset your password in 2 hours or lose access
Jordan is busy. The email looks like IT mail he has seen before. He clicks the link.
The page looks like his company login. It is not. It is a copy on a similar-looking website (bigbrand-secure.com). He types his username and password. The attacker saves them.
This is account-recovery abuse and credential harvesting. The criminal used a fake “reset your account” message because people trust mail from @company.com.
That night, the attacker signs into Jordan’s mailbox and reads old threads about a possible acquisition. On Thursday, they email the CFO’s assistant:
From: cfo@bigbrand.com
Subject: Urgent — confidential wire for escrow
That is BEC — business email compromise. The assistant almost approves it. A bookkeeper asks, “Did you talk to the CFO on the phone?” The wire stops. Jordan still has to change every password he reused.
Attack vectors in this story: account-recovery abuse · credential harvesting · business email compromise (BEC)
Simple fix: DMARC p=reject, train staff that IT will never rush a reset by email alone, and require a callback before any wire.
Story 3: The contract email no one knew could be copied

Priya is a lawyer at the same big brand. She emails a draft contract to an inbox at @bigbrand.com. The send button works. Her screen says Delivered.
What Priya cannot see: on part of the internet path, the mail server connection was downgraded from locked (TLS) to unlocked. Without MTA-STS set to mode=enforce, the recipient’s mail system still accepts the message. An attacker on that path can copy attachment text in plain form.
This is an inbound mail downgrade attack. Most people worry about fake outgoing email. MTA-STS protects incoming mail — mail sent to your organization.
Priya’s IT team sees green checkmarks in their dashboard. Nothing looks wrong. Weeks later, a competitor seems to know bid details early. The leak might have started on the wire, not in someone’s inbox.
Attack vector in this story: inbound mail downgrade (no MTA-STS)
Simple fix: Publish MTA-STS in enforce mode and turn on TLS-RPT reports so IT gets alerted when encryption fails.
Story 4: Alex applies for a job online

Alex is a college senior. He is already logged into his school portal in one browser tab. In another tab, he opens a job post: “Big Brand — analyst role, fast track.”
The site asks him to “confirm your profile” on what looks like the real company careers page. He clicks.
He does not know the page is a trap. The real login screen is hidden inside an invisible frame on a scam site. That trick is called clickjacking. The company’s website scored 45% on security headers — a floor shared by 49 of 50 domains in this audit, missing strong HSTS, CSP, and frame blocking.
Alex thinks he is on the real site. He is really interacting with a layer the attacker controls. If he had been logged into the company’s vendor portal in another tab, the same trick could hijack that session.
No phishing email was needed. The attack lived on the website, not in the inbox.
Attack vectors in this story: clickjacking · session risks (missing HSTS/CSP)
Simple fix: Add HSTS, Content-Security-Policy, and frame-ancestors / X-Frame-Options so login pages cannot be embedded on random sites.
How the stories connect
All four stories can hit one organization with a weak audit score (near 45%):
| Story | Who got hurt | Main gap |
|---|---|---|
| Maria (partner) | Outside partners | Fake mail from your domain |
| Jordan (employee) | Inside staff | Fake password-reset mail |
| Priya (professional) | Confidential data in transit | Incoming mail not forced to stay encrypted |
| Alex (visitor) | Website visitors | Login page can be framed by attackers |
Together, that is not one bug — it is a pattern. Fixing it means better DNS (DMARC, MTA-STS), better website headers, and better office rules (call back before you wire).
Why This Matters for Chamber Members Nationwide
A spoofed chamber alert reaches an entire local business community at once. Dues invoices, event payment links, and advocacy updates all carry implicit trust — which makes enforced DMARC the single highest-impact control a chamber can deploy for member protection.
See also — industry hub
Recommendations
- Enforce DMARC (
p=reject), strict SPF, and DKIM signing. - Add MTA-STS and website security headers.
- Share audit.emailmenow.com/?industry=chambers-of-commerce with members as a free self-check.
Check any chamber’s posture. Run a free Instant Cybersecurity Audit at audit.emailmenow.com/?industry=chambers-of-commerce.
Contact EmailMeNow IT Consulting for help with email security hardening and member-benefit content.
Source & methodology: Overall compliance scores from the free scan at audit.emailmenow.com, measured June 5, 2026 — each domain checked for email authentication (SPF, DKIM, DMARC), transport security (MTA-STS/TLS), website security headers, and network security. Re-run any domain at the link to verify.