Category Archives: Fraud and Phishing

First Verified Mark Certificate Issued

Recently, JPMorgan Chase became the first company to adopt the VMC standard, and companies gained another tool to prevent email fraud. 

What is VMC?

Verified Mark Certificate (VMC) is a method to watermark outbound messages to declare the email comes from an official, legitimate source.  With a certificate like this, senders get better email deliverability because email recipients will see a valid VMC as a certificate of trust emails.

Entrust Datacard, a U.S.-based provider of trusted identity and secure issuance technology solutions, recently issued the first VMC certificate to JP Morgan Chase. Entrust developed the new vendor-neutral VMC solution in collaboration with the AuthIndicators Working Group, a committee of companies responsible for creating the Brand Indicators for Message Identification (BIMI) standard.  While the VMC and BIMI standards still in the early stages of definition and adoption, this announcement indicates a big push to get BIMI into inboxes.

What is BIMI?

The BIMI protocol helps to improve email authentication and brand assurance by allowing a sender to publish a logo icon through DNS.  Inbox providers then use this logo to highlight DMARC compliant emails from the sender, thereby providing a reassurance to users that this email is free from phishing and spoofing attacks.  The logos themselves will also make it easier for customers to recognize their preferred companies in inboxes and increase brand awareness by prominently displaying trusted logos. 

How do VMC and BIMI work together?

The goal of VMC is to prove a BIMI image is authentic, not a scammer utilizing a fake image of a trusted source like the sender, Microsoft, Amazon, or JP Morgan, for example.  Validating that a BIMI-displayed logo is legitimate will make phishing and spoofing practices more difficult to accomplish. While BIMI allows companies to display logos in supported inboxes, VMC authenticates the logos are valid and owned by the actual sender of the email.

The recent exciting news that JPMorgan Chase was granted the first VMC is a promising sign that BIMI should be standardized soon. BIMI, which leverages DMARC, continues the technological trend of making it difficult for online fraudsters and phishing attacks to trick unsuspecting victims.

How MxToolbox Helps

To achieve the BIMI standard, Domain-based Message Authentication, Reporting, and Conformance (DMARC), along with SPF and DKIM, must first be implemented. MxToolbox’s team of email delivery experts and tools can help you implement and understand DMARC to help your business attain email deliverability.

First, MxToolbox provides a free DMARC lookup tool to analyze your DMARC record and make recommendations for getting your email DMARC compliant.

In addition, MxToolbox’s BIMI Lookup tool is a free diagnostic tool that will look for a BIMI record for the supplied domain name and run a series of diagnostic checks against the record to ensure compliance with standards and accessibility of the BIMI icon to inbox providers.  As the VMC standard is defined, MxToolbox will extend our tools to checking and validating VMC certificates.

Finally, MxToolbox is here to guide your company through the DMARC process and help optimize your email deliverability.  We offer several solutions to help you get your email DMARC compliant and monitor the on-going DMARC compliance of your email:

  • Delivery Center is our base package that allows you to monitor the SPF, DKIM and DMARC compliance of your email while giving you insight into emerging email threats.
  • Delivery Center Plus gives you all the great reporting of Delivery Center combined with deeper reporting on Phishing and Fraud using your domain.
  • Delivery Center Managed Services gives you access to our Email Experts who manage your DMARC compliance and free you to focus on your business.

BIMI Lookup Tool

MxToolbox is excited to announce the unveiling of another free tool for your use: the new BIMI Lookup tool. This innovative tool enables you to test your Brand Indicator for Message Identification (BIMI) records, ensuring that your BIMI record is correct and adheres to the current standards.  A missing or incorrectly formatted BIMI record means your customers may not see your domain’s logo in their inboxes. 

What’s BIMI and Why’s It Such a Big Deal?

BIMI is an industry-wide standards effort to display brand logos next to the brand’s email messages in their customer’s inboxes as indicators of trust to help message recipients recognize and avoid fraudulent emails delivered to their inboxes. This new standard, which is currently in beta testing, is important to email senders and their customers alike. Businesses get a prime opportunity to add trust to the emails they send and increase the visibility and ROI of their email programs, while recipients also benefit from senders deploying DMARC and other BIMI authentication standards to reduce the success of phishing attacks.

BIMI builds off of DMARC, with some outlets calling it DMARC 2.0, and will only display if you have deployed DMARC. Several Oath brands (Yahoo!, AOL, etc.) are currently beta testing the BIMI standard with their mailbox users. Gmail will also be rolling out their own beta test of the BIMI protocol in 2020. With Gmail’s current 1.2 billion worldwide users able to see a company’s logo displayed within a year’s time, adopting the BIMI standard will be highly beneficial to your business email practices. As DMARC and BIMI work in tandem to improve message delivery, it becomes imperative your brand utilizes these pioneering email technologies and standards.

How MxToolbox’s BIMI Lookup Tool Works

The new BIMI Lookup tool allows you to check for any errors included in your BIMI record published content, syntax check content, DMARC record format, or image format content. By entering your company’s domain name and clicking the “BIMI Lookup” button, this diagnostic tool will parse the BIMI record for the supplied domain, display its BIMI record, and run a series of diagnostic checks against that specific record. The provided results will help you recognize any current issues in your BIMI record’s setup that may prevent your logo from being displayed in Yahoo!, AOL, and Gmail (early 2020) inboxes.

To learn more about BIMI and how it’ll benefit your business, please click here.

Ultimate Combo

MxToolbox’s free BIMI Lookup tool is a great way to ensure your BIMI record is setup correctly and displays your logo as intended. BIMI provides your business an opportunity to grow your brand and protect your customers. Implementing this standard and monitoring it with our new tool are positive steps in improving your business email delivery. Don’t let your messages be sent to the Junk folder anymore.

How to Create a BIMI Record

Brand Indicators for Message Identification (BIMI) is a standardized way for companies to use their logo as a visible indicator to help email recipients recognize and avoid fraudulent messages. BIMI builds on the DMARC email authentication protocol to develop trust with current and potential customers. For a closer look at the new BIMI standard, please click here.

Creating a BIMI Record

The following steps outline how to create a BIMI record for your domain:

1. Create Image in SVG Format

First, you’ll need to obtain a copy of your logo and convert it to SVG format. For those steps, please click here.

2. Visit DNS Hosting Provider and Select Create Record

Now that you’re ready to create a BIMI record for your domain, visit your DNS hosting provider. After logging in, locate the prompt to create a new record.

3. Add Host Value

In this field, you’ll likely input the value _bimi and the hosting provider will append the domain/subdomain following that provided value. (ex: default._bimi.example.com)

4. Select TXT DNS Record Type

Based on provider, you’ll likely see a dropdown list of DNS record types. Because a BIMI record is a kind of TXT DNS record, be sure to select the “TXT” option.

5. Add “Value” Information

There are two required tag-value pairs that MUST be present on every BIMI record: v and l.

  • The only tag-value pair for v (version) is v=BIMI1
  • Confirm l (location) tag is present and followed by a full URL of your logo using HTTPS (l is lowercase L)

6. Publish BIMI Record

Click “Save Record Set” button to generate your new BIMI record.

7. Test BIMI Record for Errors

The last step you will want to perform is to Run a BIMI Record Check to verify the record you just created has the correct values and syntax. This tool will also render how your logo will appear in email clients.

Note: Creating your BIMI record and publishing it to the DNS per the above steps doesn’t automatically display your logo in all customer inboxes. Currently, several Oath brands (Yahoo!, AOL, etc.) are testing the BIMI standard in beta with their mailbox users, and the inbox providers that participated in developing the protocol and are likely to add BIMI support soon. Gmail will also be rolling out their own beta test of the BIMI standard in 2020. By having your BIMI record and associated logo published in the DNS, your brand will easily be recognized and trusted by current and future customers. For details on all BIMI technical specifications, please click here.

Summation

Creating a BIMI record for your company’s logo to be visible in customers’ inboxes is a simple way to enhance your brand. Not only are current and prospective clients confident that your emails are legitimate, they also gain a level of trust by seeing your approved logo in their inbox. Each time a customer receives a message from your domain using the BIMI standard, at least three potential unique brand impressions are made—message list, email address in message, and within message itself. The quicker your business decides to adopt BIMI (when available via your outbound email provider), the more recognized your brand will be.

MxToolbox is here to Help!

MxToolbox Delivery Center is the most effective email deliverability solution for your business. With MxToolbox you get our decades of experience helping businesses just like yours manage your online reputation and improve your email delivery.

MxToolbox Delivery Center Features:

  • Insight into your SPF, DKIM and DMARC (and BIMI!) configuration to ensure your sending email properly
  • DMARC Compliance checks for all of your reported email
  • Adaptive Blacklist Monitoring of all your email senders
  • Recommendations for improving DMARC compliance and DMARC policies
  • Event-based reminders for emergent issues and on-going maintenance

DMARC is a necessity for your business!  Improve your Email Delivery!

Google Joins BIMI Working Group

If you haven’t heard the exciting news, as announced in late July, Google is joining the AuthIndicators Working Group, agreeing to pilot the Brand Indicators Message Identification (BIMI) standard. Google will beta the concept in Gmail soon, so now is the time to start getting prepared by adopting DMARC and soon BIMI.

What Does this mean to me?

Google’s decision to join the BIMI working group is a strong indicator that the BIMI standard will successfully make it out of draft stage and will likely be adopted as DMARC 2.0. For those new to BIMI, BIMI is a new authentication standard that will allow domain owners to display their company logos inside of email platforms like Gmail, Yahoo! Mail, and potentially Outlook.com/Office 365 inboxes.

The intention of BIMI is to add an additional trust layer to the validity of email senders to help thwart email phishing attacks, as domains who are DMARC and BIMI authenticated will have their logos displayed front and center in those inboxes. Beyond the boost to the fight against email phishing, domain owners should be excited by BIMI, as this will allow them to get their logos directly in email inboxes; a long sought after real estate for marketers.

What Is BIMI?

BIMI is an industry-wide standards effort to use brand logos as indicators to help email recipients recognize and avoid fraudulent messages. Essentially, it allows email inboxes like Google’s Gmail to securely display approved logos beside DMARC authenticated messages, signaling to users that the received emails are legitimate and safe to open.

The BIMI standard also allows domain owners control over which logos email recipients see. For example, an insurance company could use BIMI to display its logo next to authenticated messages sent from its domain or an alternative logo at its choosing. This gives the insurance company complete control over which images are displayed, providing brand exposure, as well as protection against spoofing.

Using BIMI requires DMARC authentication is to be implemented on the respective domain. In fact, the BIMI standard is considered an extension of the DMARC protocol, i.e. DMARC 2.0 to some. At the current time, BIMI is still in draft stage and is being beta tested in Verizon Media (Yahoo! Mail, AOL, etc.) and will be in beta in Gmail in the near future.  However, MxToolbox is here to help you get ahead with our own BIMI Lookup tool.  

For further reading about BIMI please click here

What Is the BIMI Working Group?

The AuthIndicators Working Group is responsible for developing the BIMI standards. Currently, the Working Group’s public members include Agari, Comcast, LinkedIn, Return Path, Valimail, Verizon Media, and now Google. With a shared goal of reducing email fraud, the Working Group committee of companies is aiming to help create a safer inbox experience for all email users. 

The Future of Email Delivery

With the DMARC protocol slowly becoming such a vital aspect of email delivery over the years, BIMI in combination with DMARC will only improve on the DMARC standard. Improving protection in the fight against email phishing and opening up a new and exciting avenue for brand advertising/awareness for domain owners, brands, and marketers may finally be boost needed to spark rapid DMARC adoption. With BIMI still in beta, this is a great opportunity to adopt DMARC if you haven’t yet or have been too afraid to. 

Learn more about BIMI here

Get started with DMARC here

MxToolbox BIMI Lookup

 

What is Business Email Compromise (BEC)?

 

Email fraud targeting companies is a rampant and global problem.  According to the Federal Bureau of Investigation (FBI), cybercriminals stole $12.5 billion worldwide from businesses between October 2013 and May 2018 by compromising their official email accounts and using them to initiate fraudulent wire transfers.1 The Internet Crime Complaint Center (IC3) and the FBI are asking individuals to be aware of scams targeting businesses that work with foreign suppliers.

What Is Business Email Compromise?

The FBI officially defines business email compromise (BEC) as “a sophisticated scam targeting businesses working with foreign suppliers and businesses that regularly perform wire transfer payments.” Formerly known as the man-in-the-email scams, these schemes compromise official business email accounts to conduct unauthorized fund transfers.  And, there has been a significant increase of computer intrusions linked to BEC scams in recent years.

How Do BEC Attacks Work?

The most common cons involve fraudsters impersonating high level executives, sending phishing emails from seemingly legitimate sources, and requesting wire transfers to alternate, fraudulent accounts.  BEC scams often begin with an online fraudster compromising a business executive’s email account or any publicly listed email they can get their hands on. This is usually done using keylogger malware or phishing methods—where attackers create a domain similar to the target company—or spoofing email that tricks the target victim into providing account details. Upon monitoring the compromised email account, the cybercriminal will try to determine who initiates wires and who requests them. The scammers often perform a fair amount of research, looking for a company that has had a change in leadership in the C-suite of the finance function, companies where executives are traveling, or by leading an investor conference call. The perpetrators recognize and use these as opportunities to execute the scheme.

There are five distinct versions of BEC scams:

  • Bogus Invoice Scheme/Supplier Swindle: Cybercriminal compromises employee email ► Compromised account used to send notifications to customers ► Payments transferred to cybercriminal’s account ► Cybercriminal receives money
  • CEO Fraud: Cybercriminal poses as company executive and emails finance employee ► Finance sends funds to cybercriminal’s account ► Cybercriminal receives money
  • Account Compromise: Compromised employee account used to request money ► Recipients transfer payments to cybercriminal’s account ► Cybercriminal receives money
  • Attorney Impersonation: Cybercriminal poses as lawyer and emails finance employee ► Finance sends funds to cybercriminal’s account ► Cybercriminal receives money
  • Data Theft: Cybercriminal compromises employee email ► Compromised account used to request PII of other employees/executives ► PII sent to cybercriminal’s account ► Cybercriminal receives PII, uses it for further compromise attacks

DMARC – Defending Against BEC Scams

To combat BEC scams from affecting your business, DMARC is your friend. Your inbound email servers should be configured to filter email that fails DMARC compliance, especially when it comes to email that purports to being from your own domain.

The DMARC protocol was designed to improve email quality: What should happen to messages that fail authentication and compliance test (SPF and DKIM)?  Should you Quarantine, reject, or approve?  How do you tell the purported sender that their email is failing compliance checks?  With DMARC implemented and correctly configured on your inbound servers, your company will have an advantage in reducing BEC attacks. Even with malware filtering, blacklist filtering and enhanced training/policies, DMARC reduces the threat of BEC attacks to your teams.

But what about your Customers, Suppliers and Partners?

DMARC really shines when it is configured correctly for outbound email as well as used to filter inbound email.  Outbound email leveraging DMARC, DKIM and SPF protocols protects your brand from being used in spam, phishing and malware attacks.  The key is to work with your internal and external email senders to properly configure SPF and DKIM.  Once your legitimate sent email is DMARC compliant, you can instruct recipient organizations to automatically reject non-compliant email.  Inbox Providers love DMARC because they can more easily screen for spam, malware and scam emails.  Senders love it because Inbox Providers are more likely to prioritize DMARC compliant email.

Aside from achieving DMARC compliance, businesses are advised to stay vigilant and educate staff on how to prevent being victimized by BEC scams and other similar attacks. Cybercriminals don’t discriminate on company size.  In fact, it is often easier to scam more small-to-medium companies than a single large organization. Additionally, online fraudsters don’t need to be highly technical as they have access to tools and services that cater to all levels of technical expertise in the cybercriminal underground. Because email is such a vital aspect of business communications, a single compromised account is all it takes to financially damage your company. Here are some tips on how to stay protected and secure:

  • Carefully scrutinize all emails. Be wary of irregular emails that are sent from C-suite executives, as they are used to trick employees into acting with urgency. Review emails that request transfer of funds to determine if the requests are irregular.
  • Educate and train staff. While employees are a company’s biggest asset, they’re also usually its weakest link when it comes to security. Commit to training them according to the company’s best practices. Remind all that adhering to company policies is one thing, but developing good security habits is another.
  • Confirm any changes in vendor payment location by using a secondary sign-off by company personnel.
  • Stay updated on your customers’ habits, including the details and reasons behind payments.
  • Verify requests for transfer of funds when using phone verification as part of two-factor authentication (use known numbers).
  • If you suspect that you have been targeted by a BEC email, immediately report the incident to law enforcement or file a complaint with the IC3.

Conclusion

Unfortunately, cybercriminals are a major threat to your business email. By devising malicious social engineering and computer intrusion schemes to fool employees into wiring money, cybercriminals create a serious risk for business whether large or small. This emerging global risk of business email compromise (BEC) has victimized thousands of companies around the world.

Fortunately, there are technologies, like DMARC, that help secure your company’s email  and fight against BEC and other phishing scams. By implementing DMARC and educating employees, the prevalence of online fraudsters and their BEC cons will be minimized. At MxToolbox, our knowledgeable team has over a dozen years helping companies improve their email delivery and protecting companies from email-based threats.  Our latest product, MxToolbox Delivery Center, leverages DMARC to protect your brand from fraud and phishing and improve your email deliverability.

1Information Security Media Group, Corp. https://www.bankinfosecurity.com/fbi-alert-reported-ceo-fraud-losses-hit-125-billion-a-11206

Delivery Center Events

At MxToolbox we strive to create features that improve your insight and control over email deliverability. Today, we are pleased to announce a new Events warning system in all versions of MxToolbox Delivery Center.  The new Events tab and associated emails provide ongoing updates regarding specific delivery activity.  Emails will alert Delivery Center customers to any current email delivery problems. Think of Events as an early warning system that helps your business avoid serious issues with email deliverability and online reputation.

Events will alert you to the following potential issues:

  • Large Outbound email volume changes (increase or decrease)
  • Email delivery DNS record issues (SPF/DKIM/DMARC)
  • Email authentication problems
  • Potential phishing campaigns posing as your business

Delivery Center provides keen insight into your company’s overall email delivery status and performance.  Any activity that has negative email delivery consequences will be detected by Delivery Center and you will be immediately alerted, allowing you to act quickly before issues become major problems.

Alerts can be configured to alert only within the Delivery Center application, and/or via email . This helps you receive vital intelligence, no matter where you are, which could save you from a business email nightmare down the road.

Currently, there are three alert types:

  • DMARC Record Configuration Problem – A critical alert that means you are missing DMARC delivery information.
  • Verified Volume Changed – Large changes in email volume can indicate a new campaign, issue with a sender or phishing/fraud being committed using your domain name.
  • Adaptive Blacklist Alert – Warning that your sending IP addresses have been  Blacklisted.
events1

Example 1 – one Active Event (Verified Volume Changed) and two Inactive Events (Adaptive Blacklist—Last 7 Days, DMARC Record) are noted, with a “Critical” designation for DMARC. 

events2

Example 2 – Message categories provides a helpful summary of each event’s current standing.

events3

Example 3 – The Date field indicates when the situation was last reported.

events4

Example 4 – There are two option: select either the “Notify in Delivery Center” option or the “Notify by Email” choice.

MxToolbox Delivery Center continuously scans for delivery issues and updates you when your email delivery might be compromised. With Delivery Center, your company stays ahead of bigger issues.

If you are an existing Delivery Center user, be sure to try this new feature!

If you’re not already a Delivery Center subscriber, you can learn more about how Delivery Center will help your business email deliverability.

Stay tuned! More events are coming!

What is Whale Phishing?

The number and type of malicious online attacks seems to be increasing daily.  Whaling/Whale Phishing is another in a long line of scams, this time leveraging and targeting senior executives.  The term “whaling” was coined because of the magnitude of the targets and attacks relative to those of typical phishing ploys.

What Is Whaling Phishing?

A whaling attack, also referred to as whaling phishing, is a specific form of phishing attack that explicitly targets high-profile employees—CEOs, CFOs, or other executives (known as whales)—in order to steal sensitive information from a company.  Executives/Whales can be either the target recipient or the spoofed origin of the phishing emails.  Whales are carefully chosen due to their overall authority and access to secure company information. The goal of a whaling attack is to con the executive or employee into exposing corporate credentials, customer information or sending money via wire transfer.

How Do Whaling Attacks Work?

Whaling attacks work on the trust of executives and employees.  When spammers impersonate an executive, an employee is unlikely to look deeper into the origin of the email and simply comply with the request.  When spammers target an executive as the victim, the goal is to get access to the power of that executive: credentials, authorization of funds, even confidential information that only the executive can access.

Whaling attack emails and websites are highly customized and personalized, and they often incorporate the target’s name, job title, or other relevant information collected from a variety of sources.  Due to this level of personalization and their highly targeted nature, whaling attacks are usually more difficult to detect than standard phishing attacks. Whaling phishing attacks rely on the same social engineering methods that traditional phishing uses, but in this highly targeted approach.  Attackers will send hyperlinks or attachments to infect their victims with malware or to solicit sensitive information. By targeting high-value victims, fraudsters might also persuade them to approve fraudulent wire transfers using business email compromise techniques. In some cases, the attacker impersonates the CEO or other corporate officers to convince employees to carry out damaging financial transfers.

Examples of Whaling Attacks

Perhaps the most notable whaling phishing attack occurred in 2016 when a high-ranking Snapchat employee received an email from a fraudster impersonating the company’s CEO. The employee was duped into giving the attacker confidential employee payroll information. The FBI subsequently investigated the attack.1

Another newsworthy whaling scam from 2016 involved a Seagate employee who unknowingly emailed the income tax data of several current and former company employees to an unauthorized third party. After reporting the phishing scam to the IRS and FBI, it was announced that thousands of peoples’ personal data was exposed in that whaling attack.2

How do you protect yourself?

Whaling phishing uses the same entry methods as traditional phishing methods: email, malware infected links and attachments, believable email addresses and well-replicated branding and logos.  To protect yourself from whaling, you need to be vigilant with every email and mindful of the financial or privacy implications of any response, even to your CEO.  We recommend improving both your information security awareness training and internal policies regarding financial and privacy data handling.  For example, add a corporate policy to require verbal authorizations in addition to the original email for financial or privacy transactions.   Many companies operate at break-neck speed, to protect your business, you often need to slow down and think through the implications of acting upon every emails.

As a corporate inbox provider, keeping up your incoming spam and malware filtering will help reduce the flow of potentially dangerous email, but it cannot prevent it.  Setting up your inbound email services so that they provide DMARC reports on email received to the original senders.  This information is invaluable to combating incoming spam and phishing attempts.  Also, ensure your that your inbound email services support senders restrictive DMARC policies (Quarantine or Reject) and process non-DMARC compliant email appropriately.  Rejecting email that is not DMARC compliant will greatly reduce the amount of spam and phishing attempts that arrive in your inboxes.

How do you protect your brand from being used in Whaling?

The trust your partners, vendors, and customers place in your email is directly related to the value of your email and the amount of spam, malware and phishing attacks that appear to come from your domain.  You cannot prevent fraudsters from creating spam and impersonating your domain, but, you can stop the spam and phishing from affecting your reputation.  To shutdown phishing that appears to come from your domain, you need to adopt DMARC for your outbound email and manage your DMARC compliance rate for outbound email.  Once your legitimate email is compatible, you can start instructing inbox providers to quarantine or reject non-compliant email.  At that point, the majority of non-compliant email should be spam and phishing attempts using your brand.  Managing your email is not a set it and forget it strategy, but an on-going process that requires regular monitoring and update.

MxToolbox’s Delivery Center

MxToolbox Delivery Center provides you with everything you need to setup, monitor and manage your DMARC compliance.  Email deliverability requires constant monitoring and tuning and MxToolbox has over 10 years experience working with companies large and small to improve email delivery.  Delivery Center gives you insight into Who is sending email on behalf of your domain, How Much of your email is DMARC compliant, Where email threats are coming from, How to improve your email configuration and When to make your DMARC policies more restrictive to prevent phishing using your domain.

https://www.scmagazineuk.com/snapchat-whaled-employee-payroll-released/article/1478171

2 https://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/