Category Archives: Fraud and Phishing

BIMI Monitoring has arrived

MxToolbox is happy to announce additional support for BIMI in the form of BIMI record monitoring.  Now, you can be confident that all your important email deliverability records are properly configured and constantly monitored by our experts.

What is BIMI?

BIMI is an email delivery standard that works with other standards (SPF, DKIM and DMARC) to publish an image or logo on an end-user’s email box when an email comes from you. BIMI helps your email recipients feel confident that an email is legitimately from you and helps to protect your brand from use in fraud and phishing.

How does BIMI work?

First, you need to have SPF, DKIM and DMARC properly setup.  Next, you publish a BIMI DNS record that defines your preferred logo image.  Then, when you send email to a user on a BIMI-Supported inbox provider, like Yahoo! and, in Summer 2020, Google, the inbox provider you have a chance of displaying your logo.

Inbox providers will check for DMARC compliance on every email.  If the email passes DMARC tests, then this inbox provider will check for a BIMI record.  If a valid BIMI record is found, then the inbox provider will display your logo next to the email.  As these checks happen on each email, you need to be sure that your email is both passing DMARC and that your BIMI record is accessible every time you send email.  With a BIMI logo next to every email you send, your customers will be reassured that each email is a legitimate communication from you and have your brand top of mind.

MxToolbox BIMI Monitoring

MxToolbox is expanding our support for BIMI by announcing the inclusion of BIMI record configuration monitoring as part of MxToolbox Delivery Center.  You can already test your BIMI record with our Supertool, but now we offer integrated alerts when BIMI is non-accessible or misconfigured.

Since BIMI is dependent on SPF, DKIM and DMARC, MxToolbox highly recommends that you adopt tools, like Delivery Center, to help you setup and maintain these technologies while also monitoring your your day-to-day DMARC compliance.  MxToolbox Delivery Center leverages our email expertise to improve your email deliverability and allows you to focus on running your business.  Adding BIMI to a tool like Delivery Center will help improve your email delivery and improve the visibility of your brand.

ARC Protocol – Getting your email delivered

Recently, RFC 8617 established the Authenticated Received Chain (ARC) Protocol, a new and powerful email authentication and security standard that allows legitimate forwarded emails to be delivered without any issues.   ARC has been in testing for several years with Google and another inbox provider to transform the theoretical solution into a full-fledged standard.

What is ARC?

ARC allows mail handlers (email servers) to preserve a “chain of custody” that shows where the respective message originated and all subsequent handling entities via authentication data when forwarding emails. To get more specifics about the ARC protocol, click here.

Before ARC, a forwarded email would no longer pass DKIM alignment because there was no standard for preserving the original and subsequent DKIM signatures.  An unaligned message might then fail DMARC and be rejected by the final inbox provider and never reach your customer’s inbox.

The ARC protocol establishes a standard for preserving DKIM alignment when a message is forwarded.  This helps these messages look less suspicious to the receiving inbox providers by ensuring emails that are forwarded pass authentication and avoid being labeled as spoofed messages. 

Why is ARC important?

ARC becoming a standard applied to all inbox providers is highly important for your email deliverability. With ARC, if your business forwards email and has implemented DKIM, your email chain of custody will no longer break, resulting in higher delivery rates.  While SPF alignment breaks under most message forwarding instances, DKIM breaks when emails pass through forwarding services that modify content involving a DKIM signature. Even if the email fails SPF and DKIM validations, the inbox provider can choose to validate the ARC standard.

It is imperative that your business email implement DKIM as soon as possible to improve email deliverability and leverage the benefits of ARC.

ARC Enables more DMARC Adoption

The creation of the ARC standard shows continued support for the DKIM, SPF and DMARC standards that are the basics for email deliverability.  ARC allows messages that have been forwarded via mailing lists, list servers, and email gateways to pass DKIM authentication and not break during delivery.  DKIM is integral to achieving DMARC compliance, so the ARC standard also allows more senders to pass strict DMARC policies.  Strict DMARC block non-DMARC compliant email to improve your company’s overall email deliverability by reducing the threat of fraud and phishing using your domain.

What do I need to do to take advantage of ARC?

The first steps to leveraging ARC involve the adoption of basic email deliverability standards – SPF, DKIM and DMARC.  If you have not already read it, MxToolbox has a great guide to setting up these protocols.  Once you have SPF, DKIM and DMARC setup, inbox providers that have adopted ARC will automatically process your email appropriately.

MxToolbox Delivery Center provides everything you need to manage the on-going maintenance of email delivery.  Learn more about Delivery Center and how we can help you with email deliverability!

First Verified Mark Certificate Issued

Recently, JPMorgan Chase became the first company to adopt the VMC standard, and companies gained another tool to prevent email fraud. 

What is VMC?

Verified Mark Certificate (VMC) is a method to watermark outbound messages to declare the email comes from an official, legitimate source.  With a certificate like this, senders get better email deliverability because email recipients will see a valid VMC as a certificate of trust emails.

Entrust Datacard, a U.S.-based provider of trusted identity and secure issuance technology solutions, recently issued the first VMC certificate to JP Morgan Chase. Entrust developed the new vendor-neutral VMC solution in collaboration with the AuthIndicators Working Group, a committee of companies responsible for creating the Brand Indicators for Message Identification (BIMI) standard.  While the VMC and BIMI standards still in the early stages of definition and adoption, this announcement indicates a big push to get BIMI into inboxes.

What is BIMI?

The BIMI protocol helps to improve email authentication and brand assurance by allowing a sender to publish a logo icon through DNS.  Inbox providers then use this logo to highlight DMARC compliant emails from the sender, thereby providing a reassurance to users that this email is free from phishing and spoofing attacks.  The logos themselves will also make it easier for customers to recognize their preferred companies in inboxes and increase brand awareness by prominently displaying trusted logos. 

How do VMC and BIMI work together?

The goal of VMC is to prove a BIMI image is authentic, not a scammer utilizing a fake image of a trusted source like the sender, Microsoft, Amazon, or JP Morgan, for example.  Validating that a BIMI-displayed logo is legitimate will make phishing and spoofing practices more difficult to accomplish. While BIMI allows companies to display logos in supported inboxes, VMC authenticates the logos are valid and owned by the actual sender of the email.

The recent exciting news that JPMorgan Chase was granted the first VMC is a promising sign that BIMI should be standardized soon. BIMI, which leverages DMARC, continues the technological trend of making it difficult for online fraudsters and phishing attacks to trick unsuspecting victims.

How MxToolbox Helps

To achieve the BIMI standard, Domain-based Message Authentication, Reporting, and Conformance (DMARC), along with SPF and DKIM, must first be implemented. MxToolbox’s team of email delivery experts and tools can help you implement and understand DMARC to help your business attain email deliverability.

First, MxToolbox provides a free DMARC lookup tool to analyze your DMARC record and make recommendations for getting your email DMARC compliant.

In addition, MxToolbox’s BIMI Lookup tool is a free diagnostic tool that will look for a BIMI record for the supplied domain name and run a series of diagnostic checks against the record to ensure compliance with standards and accessibility of the BIMI icon to inbox providers.  As the VMC standard is defined, MxToolbox will extend our tools to checking and validating VMC certificates.

Finally, MxToolbox is here to guide your company through the DMARC process and help optimize your email deliverability.  We offer several solutions to help you get your email DMARC compliant and monitor the on-going DMARC compliance of your email:

  • Delivery Center is our base package that allows you to monitor the SPF, DKIM and DMARC compliance of your email while giving you insight into emerging email threats.
  • Delivery Center Plus gives you all the great reporting of Delivery Center combined with deeper reporting on Phishing and Fraud using your domain.
  • Delivery Center Managed Services gives you access to our Email Experts who manage your DMARC compliance and free you to focus on your business.

BIMI Lookup Tool

MxToolbox is excited to announce the unveiling of another free tool for your use: the new BIMI Lookup tool. This innovative tool enables you to test your Brand Indicator for Message Identification (BIMI) records, ensuring that your BIMI record is correct and adheres to the current standards.  A missing or incorrectly formatted BIMI record means your customers may not see your domain’s logo in their inboxes. 

What’s BIMI and Why’s It Such a Big Deal?

BIMI is an industry-wide standards effort to display brand logos next to the brand’s email messages in their customer’s inboxes as indicators of trust to help message recipients recognize and avoid fraudulent emails delivered to their inboxes. This new standard, which is currently in beta testing, is important to email senders and their customers alike. Businesses get a prime opportunity to add trust to the emails they send and increase the visibility and ROI of their email programs, while recipients also benefit from senders deploying DMARC and other BIMI authentication standards to reduce the success of phishing attacks.

BIMI builds off of DMARC, with some outlets calling it DMARC 2.0, and will only display if you have deployed DMARC. Several Oath brands (Yahoo!, AOL, etc.) are currently beta testing the BIMI standard with their mailbox users. Gmail will also be rolling out their own beta test of the BIMI protocol in 2020. With Gmail’s current 1.2 billion worldwide users able to see a company’s logo displayed within a year’s time, adopting the BIMI standard will be highly beneficial to your business email practices. As DMARC and BIMI work in tandem to improve message delivery, it becomes imperative your brand utilizes these pioneering email technologies and standards.

How MxToolbox’s BIMI Lookup Tool Works

The new BIMI Lookup tool allows you to check for any errors included in your BIMI record published content, syntax check content, DMARC record format, or image format content. By entering your company’s domain name and clicking the “BIMI Lookup” button, this diagnostic tool will parse the BIMI record for the supplied domain, display its BIMI record, and run a series of diagnostic checks against that specific record. The provided results will help you recognize any current issues in your BIMI record’s setup that may prevent your logo from being displayed in Yahoo!, AOL, and Gmail (early 2020) inboxes.

To learn more about BIMI and how it’ll benefit your business, please click here.

Ultimate Combo

MxToolbox’s free BIMI Lookup tool is a great way to ensure your BIMI record is setup correctly and displays your logo as intended. BIMI provides your business an opportunity to grow your brand and protect your customers. Implementing this standard and monitoring it with our new tool are positive steps in improving your business email delivery. Don’t let your messages be sent to the Junk folder anymore.

How to Create a BIMI Record

Brand Indicators for Message Identification (BIMI) is a standardized way for companies to use their logo as a visible indicator to help email recipients recognize and avoid fraudulent messages. BIMI builds on the DMARC email authentication protocol to develop trust with current and potential customers. For a closer look at the new BIMI standard, please click here.

Creating a BIMI Record

The following steps outline how to create a BIMI record for your domain:

1. Create Image in SVG Format

First, you’ll need to obtain a copy of your logo and convert it to SVG format. For those steps, please click here.

2. Visit DNS Hosting Provider and Select Create Record

Now that you’re ready to create a BIMI record for your domain, visit your DNS hosting provider. After logging in, locate the prompt to create a new record.

3. Add Host Value

In this field, you’ll likely input the value _bimi and the hosting provider will append the domain/subdomain following that provided value. (ex: default._bimi.example.com)

4. Select TXT DNS Record Type

Based on provider, you’ll likely see a dropdown list of DNS record types. Because a BIMI record is a kind of TXT DNS record, be sure to select the “TXT” option.

5. Add “Value” Information

There are two required tag-value pairs that MUST be present on every BIMI record: v and l.

  • The only tag-value pair for v (version) is v=BIMI1
  • Confirm l (location) tag is present and followed by a full URL of your logo using HTTPS (l is lowercase L)

6. Publish BIMI Record

Click “Save Record Set” button to generate your new BIMI record.

7. Test BIMI Record for Errors

The last step you will want to perform is to Run a BIMI Record Check to verify the record you just created has the correct values and syntax. This tool will also render how your logo will appear in email clients.

Note: Creating your BIMI record and publishing it to the DNS per the above steps doesn’t automatically display your logo in all customer inboxes. Currently, several Oath brands (Yahoo!, AOL, etc.) are testing the BIMI standard in beta with their mailbox users, and the inbox providers that participated in developing the protocol and are likely to add BIMI support soon. Gmail will also be rolling out their own beta test of the BIMI standard in 2020. By having your BIMI record and associated logo published in the DNS, your brand will easily be recognized and trusted by current and future customers. For details on all BIMI technical specifications, please click here.

Summation

Creating a BIMI record for your company’s logo to be visible in customers’ inboxes is a simple way to enhance your brand. Not only are current and prospective clients confident that your emails are legitimate, they also gain a level of trust by seeing your approved logo in their inbox. Each time a customer receives a message from your domain using the BIMI standard, at least three potential unique brand impressions are made—message list, email address in message, and within message itself. The quicker your business decides to adopt BIMI (when available via your outbound email provider), the more recognized your brand will be.

MxToolbox is here to Help!

MxToolbox Delivery Center is the most effective email deliverability solution for your business. With MxToolbox you get our decades of experience helping businesses just like yours manage your online reputation and improve your email delivery.

MxToolbox Delivery Center Features:

  • Insight into your SPF, DKIM and DMARC (and BIMI!) configuration to ensure your sending email properly
  • DMARC Compliance checks for all of your reported email
  • Adaptive Blacklist Monitoring of all your email senders
  • Recommendations for improving DMARC compliance and DMARC policies
  • Event-based reminders for emergent issues and on-going maintenance

DMARC is a necessity for your business!  Improve your Email Delivery!

Google Joins BIMI Working Group

If you haven’t heard the exciting news, as announced in late July, Google is joining the AuthIndicators Working Group, agreeing to pilot the Brand Indicators Message Identification (BIMI) standard. Google will beta the concept in Gmail soon, so now is the time to start getting prepared by adopting DMARC and soon BIMI.

What Does this mean to me?

Google’s decision to join the BIMI working group is a strong indicator that the BIMI standard will successfully make it out of draft stage and will likely be adopted as DMARC 2.0. For those new to BIMI, BIMI is a new authentication standard that will allow domain owners to display their company logos inside of email platforms like Gmail, Yahoo! Mail, and potentially Outlook.com/Office 365 inboxes.

The intention of BIMI is to add an additional trust layer to the validity of email senders to help thwart email phishing attacks, as domains who are DMARC and BIMI authenticated will have their logos displayed front and center in those inboxes. Beyond the boost to the fight against email phishing, domain owners should be excited by BIMI, as this will allow them to get their logos directly in email inboxes; a long sought after real estate for marketers.

What Is BIMI?

BIMI is an industry-wide standards effort to use brand logos as indicators to help email recipients recognize and avoid fraudulent messages. Essentially, it allows email inboxes like Google’s Gmail to securely display approved logos beside DMARC authenticated messages, signaling to users that the received emails are legitimate and safe to open.

The BIMI standard also allows domain owners control over which logos email recipients see. For example, an insurance company could use BIMI to display its logo next to authenticated messages sent from its domain or an alternative logo at its choosing. This gives the insurance company complete control over which images are displayed, providing brand exposure, as well as protection against spoofing.

Using BIMI requires DMARC authentication is to be implemented on the respective domain. In fact, the BIMI standard is considered an extension of the DMARC protocol, i.e. DMARC 2.0 to some. At the current time, BIMI is still in draft stage and is being beta tested in Verizon Media (Yahoo! Mail, AOL, etc.) and will be in beta in Gmail in the near future.  However, MxToolbox is here to help you get ahead with our own BIMI Lookup tool.  

For further reading about BIMI please click here

What Is the BIMI Working Group?

The AuthIndicators Working Group is responsible for developing the BIMI standards. Currently, the Working Group’s public members include Agari, Comcast, LinkedIn, Return Path, Valimail, Verizon Media, and now Google. With a shared goal of reducing email fraud, the Working Group committee of companies is aiming to help create a safer inbox experience for all email users. 

The Future of Email Delivery

With the DMARC protocol slowly becoming such a vital aspect of email delivery over the years, BIMI in combination with DMARC will only improve on the DMARC standard. Improving protection in the fight against email phishing and opening up a new and exciting avenue for brand advertising/awareness for domain owners, brands, and marketers may finally be boost needed to spark rapid DMARC adoption. With BIMI still in beta, this is a great opportunity to adopt DMARC if you haven’t yet or have been too afraid to. 

Learn more about BIMI here

Get started with DMARC here

MxToolbox BIMI Lookup

 

What is Business Email Compromise (BEC)?

 

Email fraud targeting companies is a rampant and global problem.  According to the Federal Bureau of Investigation (FBI), cybercriminals stole $12.5 billion worldwide from businesses between October 2013 and May 2018 by compromising their official email accounts and using them to initiate fraudulent wire transfers.1 The Internet Crime Complaint Center (IC3) and the FBI are asking individuals to be aware of scams targeting businesses that work with foreign suppliers.

What Is Business Email Compromise?

The FBI officially defines business email compromise (BEC) as “a sophisticated scam targeting businesses working with foreign suppliers and businesses that regularly perform wire transfer payments.” Formerly known as the man-in-the-email scams, these schemes compromise official business email accounts to conduct unauthorized fund transfers.  And, there has been a significant increase of computer intrusions linked to BEC scams in recent years.

How Do BEC Attacks Work?

The most common cons involve fraudsters impersonating high level executives, sending phishing emails from seemingly legitimate sources, and requesting wire transfers to alternate, fraudulent accounts.  BEC scams often begin with an online fraudster compromising a business executive’s email account or any publicly listed email they can get their hands on. This is usually done using keylogger malware or phishing methods—where attackers create a domain similar to the target company—or spoofing email that tricks the target victim into providing account details. Upon monitoring the compromised email account, the cybercriminal will try to determine who initiates wires and who requests them. The scammers often perform a fair amount of research, looking for a company that has had a change in leadership in the C-suite of the finance function, companies where executives are traveling, or by leading an investor conference call. The perpetrators recognize and use these as opportunities to execute the scheme.

There are five distinct versions of BEC scams:

  • Bogus Invoice Scheme/Supplier Swindle: Cybercriminal compromises employee email ► Compromised account used to send notifications to customers ► Payments transferred to cybercriminal’s account ► Cybercriminal receives money
  • CEO Fraud: Cybercriminal poses as company executive and emails finance employee ► Finance sends funds to cybercriminal’s account ► Cybercriminal receives money
  • Account Compromise: Compromised employee account used to request money ► Recipients transfer payments to cybercriminal’s account ► Cybercriminal receives money
  • Attorney Impersonation: Cybercriminal poses as lawyer and emails finance employee ► Finance sends funds to cybercriminal’s account ► Cybercriminal receives money
  • Data Theft: Cybercriminal compromises employee email ► Compromised account used to request PII of other employees/executives ► PII sent to cybercriminal’s account ► Cybercriminal receives PII, uses it for further compromise attacks

DMARC – Defending Against BEC Scams

To combat BEC scams from affecting your business, DMARC is your friend. Your inbound email servers should be configured to filter email that fails DMARC compliance, especially when it comes to email that purports to being from your own domain.

The DMARC protocol was designed to improve email quality: What should happen to messages that fail authentication and compliance test (SPF and DKIM)?  Should you Quarantine, reject, or approve?  How do you tell the purported sender that their email is failing compliance checks?  With DMARC implemented and correctly configured on your inbound servers, your company will have an advantage in reducing BEC attacks. Even with malware filtering, blacklist filtering and enhanced training/policies, DMARC reduces the threat of BEC attacks to your teams.

But what about your Customers, Suppliers and Partners?

DMARC really shines when it is configured correctly for outbound email as well as used to filter inbound email.  Outbound email leveraging DMARC, DKIM and SPF protocols protects your brand from being used in spam, phishing and malware attacks.  The key is to work with your internal and external email senders to properly configure SPF and DKIM.  Once your legitimate sent email is DMARC compliant, you can instruct recipient organizations to automatically reject non-compliant email.  Inbox Providers love DMARC because they can more easily screen for spam, malware and scam emails.  Senders love it because Inbox Providers are more likely to prioritize DMARC compliant email.

Aside from achieving DMARC compliance, businesses are advised to stay vigilant and educate staff on how to prevent being victimized by BEC scams and other similar attacks. Cybercriminals don’t discriminate on company size.  In fact, it is often easier to scam more small-to-medium companies than a single large organization. Additionally, online fraudsters don’t need to be highly technical as they have access to tools and services that cater to all levels of technical expertise in the cybercriminal underground. Because email is such a vital aspect of business communications, a single compromised account is all it takes to financially damage your company. Here are some tips on how to stay protected and secure:

  • Carefully scrutinize all emails. Be wary of irregular emails that are sent from C-suite executives, as they are used to trick employees into acting with urgency. Review emails that request transfer of funds to determine if the requests are irregular.
  • Educate and train staff. While employees are a company’s biggest asset, they’re also usually its weakest link when it comes to security. Commit to training them according to the company’s best practices. Remind all that adhering to company policies is one thing, but developing good security habits is another.
  • Confirm any changes in vendor payment location by using a secondary sign-off by company personnel.
  • Stay updated on your customers’ habits, including the details and reasons behind payments.
  • Verify requests for transfer of funds when using phone verification as part of two-factor authentication (use known numbers).
  • If you suspect that you have been targeted by a BEC email, immediately report the incident to law enforcement or file a complaint with the IC3.

Conclusion

Unfortunately, cybercriminals are a major threat to your business email. By devising malicious social engineering and computer intrusion schemes to fool employees into wiring money, cybercriminals create a serious risk for business whether large or small. This emerging global risk of business email compromise (BEC) has victimized thousands of companies around the world.

Fortunately, there are technologies, like DMARC, that help secure your company’s email  and fight against BEC and other phishing scams. By implementing DMARC and educating employees, the prevalence of online fraudsters and their BEC cons will be minimized. At MxToolbox, our knowledgeable team has over a dozen years helping companies improve their email delivery and protecting companies from email-based threats.  Our latest product, MxToolbox Delivery Center, leverages DMARC to protect your brand from fraud and phishing and improve your email deliverability.

1Information Security Media Group, Corp. https://www.bankinfosecurity.com/fbi-alert-reported-ceo-fraud-losses-hit-125-billion-a-11206

Delivery Center Events

At MxToolbox we strive to create features that improve your insight and control over email deliverability. Today, we are pleased to announce a new Events warning system in all versions of MxToolbox Delivery Center.  The new Events tab and associated emails provide ongoing updates regarding specific delivery activity.  Emails will alert Delivery Center customers to any current email delivery problems. Think of Events as an early warning system that helps your business avoid serious issues with email deliverability and online reputation.

Events will alert you to the following potential issues:

  • Large Outbound email volume changes (increase or decrease)
  • Email delivery DNS record issues (SPF/DKIM/DMARC)
  • Email authentication problems
  • Potential phishing campaigns posing as your business

Delivery Center provides keen insight into your company’s overall email delivery status and performance.  Any activity that has negative email delivery consequences will be detected by Delivery Center and you will be immediately alerted, allowing you to act quickly before issues become major problems.

Alerts can be configured to alert only within the Delivery Center application, and/or via email . This helps you receive vital intelligence, no matter where you are, which could save you from a business email nightmare down the road.

Currently, there are three alert types:

  • DMARC Record Configuration Problem – A critical alert that means you are missing DMARC delivery information.
  • Verified Volume Changed – Large changes in email volume can indicate a new campaign, issue with a sender or phishing/fraud being committed using your domain name.
  • Adaptive Blacklist Alert – Warning that your sending IP addresses have been  Blacklisted.
events1

Example 1 – one Active Event (Verified Volume Changed) and two Inactive Events (Adaptive Blacklist—Last 7 Days, DMARC Record) are noted, with a “Critical” designation for DMARC. 

events2

Example 2 – Message categories provides a helpful summary of each event’s current standing.

events3

Example 3 – The Date field indicates when the situation was last reported.

events4

Example 4 – There are two option: select either the “Notify in Delivery Center” option or the “Notify by Email” choice.

MxToolbox Delivery Center continuously scans for delivery issues and updates you when your email delivery might be compromised. With Delivery Center, your company stays ahead of bigger issues.

If you are an existing Delivery Center user, be sure to try this new feature!

If you’re not already a Delivery Center subscriber, you can learn more about how Delivery Center will help your business email deliverability.

Stay tuned! More events are coming!

What is Whale Phishing?

The number and type of malicious online attacks seems to be increasing daily.  Whaling/Whale Phishing is another in a long line of scams, this time leveraging and targeting senior executives.  The term “whaling” was coined because of the magnitude of the targets and attacks relative to those of typical phishing ploys.

What Is Whaling Phishing?

A whaling attack, also referred to as whaling phishing, is a specific form of phishing attack that explicitly targets high-profile employees—CEOs, CFOs, or other executives (known as whales)—in order to steal sensitive information from a company.  Executives/Whales can be either the target recipient or the spoofed origin of the phishing emails.  Whales are carefully chosen due to their overall authority and access to secure company information. The goal of a whaling attack is to con the executive or employee into exposing corporate credentials, customer information or sending money via wire transfer.

How Do Whaling Attacks Work?

Whaling attacks work on the trust of executives and employees.  When spammers impersonate an executive, an employee is unlikely to look deeper into the origin of the email and simply comply with the request.  When spammers target an executive as the victim, the goal is to get access to the power of that executive: credentials, authorization of funds, even confidential information that only the executive can access.

Whaling attack emails and websites are highly customized and personalized, and they often incorporate the target’s name, job title, or other relevant information collected from a variety of sources.  Due to this level of personalization and their highly targeted nature, whaling attacks are usually more difficult to detect than standard phishing attacks. Whaling phishing attacks rely on the same social engineering methods that traditional phishing uses, but in this highly targeted approach.  Attackers will send hyperlinks or attachments to infect their victims with malware or to solicit sensitive information. By targeting high-value victims, fraudsters might also persuade them to approve fraudulent wire transfers using business email compromise techniques. In some cases, the attacker impersonates the CEO or other corporate officers to convince employees to carry out damaging financial transfers.

Examples of Whaling Attacks

Perhaps the most notable whaling phishing attack occurred in 2016 when a high-ranking Snapchat employee received an email from a fraudster impersonating the company’s CEO. The employee was duped into giving the attacker confidential employee payroll information. The FBI subsequently investigated the attack.1

Another newsworthy whaling scam from 2016 involved a Seagate employee who unknowingly emailed the income tax data of several current and former company employees to an unauthorized third party. After reporting the phishing scam to the IRS and FBI, it was announced that thousands of peoples’ personal data was exposed in that whaling attack.2

How do you protect yourself?

Whaling phishing uses the same entry methods as traditional phishing methods: email, malware infected links and attachments, believable email addresses and well-replicated branding and logos.  To protect yourself from whaling, you need to be vigilant with every email and mindful of the financial or privacy implications of any response, even to your CEO.  We recommend improving both your information security awareness training and internal policies regarding financial and privacy data handling.  For example, add a corporate policy to require verbal authorizations in addition to the original email for financial or privacy transactions.   Many companies operate at break-neck speed, to protect your business, you often need to slow down and think through the implications of acting upon every emails.

As a corporate inbox provider, keeping up your incoming spam and malware filtering will help reduce the flow of potentially dangerous email, but it cannot prevent it.  Setting up your inbound email services so that they provide DMARC reports on email received to the original senders.  This information is invaluable to combating incoming spam and phishing attempts.  Also, ensure your that your inbound email services support senders restrictive DMARC policies (Quarantine or Reject) and process non-DMARC compliant email appropriately.  Rejecting email that is not DMARC compliant will greatly reduce the amount of spam and phishing attempts that arrive in your inboxes.

How do you protect your brand from being used in Whaling?

The trust your partners, vendors, and customers place in your email is directly related to the value of your email and the amount of spam, malware and phishing attacks that appear to come from your domain.  You cannot prevent fraudsters from creating spam and impersonating your domain, but, you can stop the spam and phishing from affecting your reputation.  To shutdown phishing that appears to come from your domain, you need to adopt DMARC for your outbound email and manage your DMARC compliance rate for outbound email.  Once your legitimate email is compatible, you can start instructing inbox providers to quarantine or reject non-compliant email.  At that point, the majority of non-compliant email should be spam and phishing attempts using your brand.  Managing your email is not a set it and forget it strategy, but an on-going process that requires regular monitoring and update.

MxToolbox’s Delivery Center

MxToolbox Delivery Center provides you with everything you need to setup, monitor and manage your DMARC compliance.  Email deliverability requires constant monitoring and tuning and MxToolbox has over 10 years experience working with companies large and small to improve email delivery.  Delivery Center gives you insight into Who is sending email on behalf of your domain, How Much of your email is DMARC compliant, Where email threats are coming from, How to improve your email configuration and When to make your DMARC policies more restrictive to prevent phishing using your domain.

https://www.scmagazineuk.com/snapchat-whaled-employee-payroll-released/article/1478171

2 https://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/

Why DMARC is Not Set It and Forget It

Email DNS (Domain Name Service) records have become the linchpin for improved email delivery. Without the four major components (discussed below), your company’s outbound messages are at high risk of being rejected by inbox providers.  Worse, without proper Email DNS configurations, your brand is at risk of falling victim to phishing or spoofing scams.

To get email delivery to it’s highest levels, you need:

  • MX (Mail Exchanger): Resource record specifying mail server responsible for accepting email on behalf of a domain.  Without an MX record, no email is coming to your domain and most, if not all, recipients will check for an MX record before accepting email from a domain.
  • SPF (Sender Policy Framework): Email authentication method designed to detect spoofing via authorized domain list.  With SPF, you designate what IP addresses and domains can and cannot send on behalf of your domain.  Recipient systems check this list and may reject email from unlisted sources.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Email validation system designed to enable inbox providers to provide feedback on email that is sent from your domain.  DMARC enables senders to detect and prevent email spoofing (forged sender addresses used in phishing and spam efforts).
  • DKIM (DomainKeys Identified Mail): Email authentication method designed to enable senders to sign their emails so that inbox providers can easily detect spoofing via digital signature.

DMARC works best when senders have adopted both SPF and DKIM and achieving DMARC compliance using SPF and DKIM is a vital step in ensuring your emails are delivered.

How do you become DMARC Compliant?

The importance of reaching DMARC compliance can’t be overstated.  Essentially, your company’s email reputation, and email deliverability, relies on this protocol.

Once DMARC has been implemented, it allows you to:

  • Monitor, detect, and fix real-world problems with your email delivery
  • See the email volumes you’re delivering to inbox providers (including which providers)
  • Identify threat emails purporting to come from your domain (i.e., spoofing/phishing using your domain)
  • Defend your reputation against spoofing attacks using your domain.

Essentially, DMARC gives you the information and tools necessary to improve your email deliverability, defend your brand from spoofing, and even reduce the amount of spam on the Internet.  Without DMARC, inbox providers will begin to see your email as riskier than your DMARC-compliant competitors and more of your email will end up being classified as Bulk, Junk or even denied.  What you need is a way to decipher all of the information that DMARC reports provide.  Tools like MxToolbox Delivery Center give you that.

Set It and Forget It?

It is fair to assume that once you configure DMARC correctly, you’re done with the process and email will flow freely and without incident.   Unfortunately, this is not the case.  Your business will change and so will your email configuration.  If you want your company’s email delivery rates to stay consistently high, then you must routinely monitor and adjust your DNS records as your business evolves. There are several routine scenarios that can cause issues if you ignore your settings.

Adding a Sender

Your company’s Marketing Department adds a new email vendor, Sales adopts a new CRM or Support trials a new online support tool.  Now, you must add each of these providers to your SPF records, verify them, and setup DKIM with them otherwise emails from these systems will be rejected.  Next comes a breaking in period where you need to monitor delivery rates of email sent from these platforms.  You might have to temporarily lower your DMARC policy to Quarantine or None to ensure that email from these sources is accepted.  You need a tool to continually monitor your DMARC compliance and email deliverability to ensure that your email is reaching your customers and business partners.

A Trusted Sender is Blacklisted

The primary safe guard for email delivery is still blacklisting IP addresses and domains that are frequently used in spam, phishing and malware attacks.  An inbox provider doesn’t even process email from a blacklisted IP.  Blacklisted email is typically not delivered, even to junk.  If you or one of your email providers is sending from a blacklisted IP address, your email delivery is in jeopardy.  Inbox providers that utilize DMARC for feedback will only report on SPF, DKIM and DMARC compliance of emails sent, they do not report on blacklisted IPs!  You need to monitor your sending IP addresses for blacklisting to ensure your email deliverability.

Providers get Compromised

Hacks are a regular problem for every business and your email service providers could be a target as a legitimate source of email.  In fact, MxToolbox has seen individual inboxes compromised at major inbox providers several times in the last years.  If a provider is hacked, then any email sent via that provider will automatically pass SPF, DKIM and DMARC checks.  How would you know if this happens?  Only by monitoring your email deliverability and examining the forensic reports sent back by the recipients via DMARC reporting.

Fraudulent Email Volumes Dwarf Legitimate Email

With low outbound email volumes or with valuable brands, the fraudulent email volume could greatly exceed the legitimate volume of email.  In cases like this, monitoring DMARC reporting is invaluable so that your team can see the spike in message volume and change your email posture.  Even when using a Reject policy, some providers might report your domain to blacklists because of the overwhelming spam signal.  You need to monitor your domain as well as sending IP addresses for blacklisting.

Exceeding SPF Includes

As your organization grows, you will add new providers: CRMs. Market Automation, Support, Inbox, etc.  Each provider you add will need to be entered into you SPF record and each of these providers will have a range or ranges of IP addresses in their own SPF records.  The RFC on SPF allows for at maximum 10 includes in the tree, after which no other includes are read.  You might add a provider and exceed the limit of SPF includes or a provider might add a new range to their SPF and exceed the limit.  Without monitoring your email delivery and email configuration, you would never know until email fails to reach your customers.

How do I monitor email deliverability?

To monitor and manage email deliverability, you need a tool that constantly analyzes and reports upon:

  • SPF, DKIM and DMARC Compliance
  • Blacklisted Sending IP addresses and Domains
  • SPF, DKIM and DMARC Configuration
  • Known Senders, Forwarders and Email Threats like Fraud and Phishing
  • DMARC Forensic Information*

Only MxToolbox Delivery Center provides you with all the information you need to properly manage your email deliverability, from setting up email best practices to managing email delivery for the longterm.  Delivery Center Plus* even includes Foresnic information for detailed threat research.

MxToolbox has everything you need to improve email delivery with DMARC and only MxToolbox provides the Experts capable of managing your email delivery posture.  MxToolbox Managed Services can get you up and running quickly and manage your email delivery in the longterm.