
BEC Fraud & DMARC

BEC (Business Email Compromise) is a targeted email fraud with a potentially high financial impact. Last year, as per the IC3 Report, cybercrime led to $3.5 billion in losses in the US alone, with BEC fraud accounting for almost half of that. This year has also seen a surge in this particular type of fraud.

Implementing the DMARC framework is critical to preventing losses from BEC fraud. The fraud starts with a fraudulent email, sent to an employee, that impersonates an executive or other senior staff member of the organization. The email then requests a payment or a transfer of funds, which could lead to millions in losses.

To prevent such frauds from impacting your organization, consider the following two points:

  1. DMARC Implementation: The DMARC framework needs to be effectively implemented, with the policy progressed from ‘None’ to ‘Reject’ by analyzing aggregate reports. This entails identifying and authorizing all of the legitimate email sending sources.

  2. Inbound DMARC Check: Enabling the DMARC check for your incoming emails is a simple step, done through the admin access of your email gateway. Simply check the box for the option to enable DMARC on incoming email traffic.

With these two processes implemented, BEC fraud would be successfully prevented. Your employees will be safeguarded from receiving scam emails impersonating your organizational domain.

Best Practices on email security/ email protection

The email gateway is the primary communication channel through the cloud between organizations; therefore, it plays an essential role in every business. Scammers may exploit this critical aspect by utilizing phishing emails to compromise your organization’s email infrastructure. Hence, choosing the right email gateway for your company directly impacts your security infrastructure.

According to cybersecurity experts, the widely distributed email security gateways available via the cloud are preferable. These gateways receive their reports from large enterprises, covering more malicious IP addresses and domains and resulting in an extensive database of daily identified attacks. However, if a cloud-based gateway is not an option, you may want to look for an email gateway which includes these main elements:

  • DKIM signature support, which enables your legitimate emails to be digitally signed and verified by the receivers.
  • The Sandboxing feature to allow email attachments and content to be safely scanned against malware and viruses.
  • Advanced up-to-date Threat Intelligence to automatically blacklist or whitelist domains and senders according to the email reputation.
  • Auto-pull functionality to automatically pull emails identified as threats from your organization’s employees’ mailboxes.

In addition to the above, you should also place emphasis on the following configurations:

  • Anti-spoofing and anti-spamming rules.
  • A rewrite policy for hyperlinks, allowing you to trace the clicks on a URL included within an email, in addition to monitoring the gateway logs daily.
  • Enabling the authentication checks (SPF, DKIM, DMARC) for your email gateway’s inbound traffic to verify the sender of the email, thus establishing the authenticity of the received email.

These basic guidelines will make your email gateway more efficient in dealing with forged emails and protecting your organization from receiving such malicious emails.

DMARC Policies

DMARC has 3 policies, None, Quarantine and Reject. The purpose of these is to ensure appropriate DMARC implementation with limited impact on your genuine emails.

None Policy

This stage is the monitoring mode, in which you improve your SPF and DKIM records. It lets you monitor the results of your SPF and DKIM checks without any impact on your emails, which allows you to identify and authorize your genuine email sending sources.

When all legitimate sources are identified and authorized, you can move onto the quarantine policy. 

Quarantine Policy

In this stage, the receiver marks your emails as spam if they fail both the SPF and the DKIM authentication checks. This enables you to monitor the effect of DMARC on your outgoing emails and make sure your legitimate emails are not being marked as spam.

Reject Policy

Only once it is verified that none of your genuine emails are being “quarantined” should you move on to the Reject policy. This tells the receiver that if both SPF and DKIM authentication fail, it must NOT accept the email at all.
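As an added example (not code from this post or from any vendor's product), the Python below implements the rule the three policy sections describe: a message passes DMARC when either SPF or DKIM passes and is aligned with the visible From domain, it fails only when both do, and the published p= value (none, quarantine or reject) then decides what the receiver does. The organisational-domain rule, the domain names and the records are all constructed assumptions.

```python
"""Evaluate the DMARC disposition of one inbound message.

Added example, not code from the original post or any vendor product.
A message fails DMARC only when BOTH the SPF and DKIM checks fail to give
an *aligned* pass; the domain owner's published policy then decides the
receiver's action. Domain names and records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a 'v=DMARC1; p=reject; ...' TXT record into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    return tags


def org_domain(domain: str) -> str:
    # Assumption: organisational domain = last two labels. Real receivers use
    # the Public Suffix List so that names like example.co.uk are handled.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed,
    the default) only needs the same organisational domain."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322.From header the user sees
    spf_result: str    # "pass" / "fail" / "none" as returned by the SPF check
    spf_domain: str    # RFC5321.MailFrom domain the SPF check was run against
    dkim_result: str   # "pass" / "fail" / "none" from signature verification
    dkim_domain: str   # d= tag of the verified DKIM signature


def dmarc_disposition(record_txt: str, r: AuthResults) -> tuple[str, str]:
    """Return (dmarc_result, action): DMARC passes when EITHER SPF or DKIM
    passes AND is aligned with the From domain; it fails only when both do."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(
        r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(
        r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Assumption: the record was published at the organisational domain, so
    # sp= (if present) governs mail whose From domain is a subdomain of it.
    policy = tags["p"].lower()
    if r.from_domain.lower() != org_domain(r.from_domain) and "sp" in tags:
        policy = tags["sp"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown DMARC policy {policy!r}")
    return "fail", policy


if __name__ == "__main__":
    # A message claiming to be From: example.com but relayed by an unrelated
    # host with no DKIM signature: fails both checks, so p= decides.
    spoof = AuthResults("example.com", "fail", "attacker.example", "none", "")
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=quarantine", "v=DMARC1; p=reject"):
        print(rec, "->", dmarc_disposition(rec, spoof))
```

Running the block shows the same forged message being accepted under p=none, marked as spam under p=quarantine and refused under p=reject, which is exactly why the post insists on progressing the policy only after the aggregate reports show that genuine mail passes.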


DMARC in 2020

DMARC is a relatively new framework, first published in early 2012, whose primary purpose is to protect you from being impersonated over email. This gives a new paradigm to 'email security': unlike most people's perception, it secures your outbound email by authorizing your legitimate email sending sources, rather than your inbound. This paradigm shift may lead many corporations to become aware of the importance of implementing the DMARC framework.

In early 2020, the COVID-19 pandemic was taking the headlines, and while people were busy with this chaos, hackers took the opportunity to exploit the situation. Fake email scams impersonating large industries began to surge; 61% of airlines have no published DMARC record, making them victims of these attacks. These fraudulent emails usually aim to make a profit by stealing the clients' banking information.

These emails would seem genuine as they were being sent from the exact domain of the organization. An example of that would be the case of WHO (World Health Organization), where the domain "@who.int" was spoofed, and hackers sent emails impersonating the organization, asking for donations and money transactions. The same scenario was repeated with various schools and organizations, all either shut down or working remotely.

The hardest hit was borne by banks and airlines, which were held liable for not securing their domains and, as a result, suffered reputational as well as monetary losses.

The year 2020 has shown us the importance of implementing DMARC on our domains appropriately, from the 'none' policy all the way to the 'reject' policy. This protects not only our companies and organizations but also the people who interact with them.

How to set up DMARC in 3 easy steps

  • Identify your domains

The first step is to identify all domains owned by your organization. The DMARC framework can be deployed on all your domains, even those that are dormant and not used for anything. Those domains still belong to you and can be impersonated by an attacker, infringing upon your brand.

  • Enable DMARC monitoring for all

The optimal way is to configure the DMARC record for all your domains with the none policy, as this has no impact on your email flow. This enables you to analyze DMARC aggregate reports and identify all your email sending sources. It also reveals the services that various departments of your organization have subscribed to. For example, the HR team might be using a recruitment platform that sends job emails with your organizational domain as the From domain (e.g. recruitment@yourdomain.com), or the marketing team might be using a bulk email service to send out promotional emails which also carry your domain in the From address (e.g. promotions@yourdomain.com). In the midst of this, you may also realize that a domain you thought to be dormant is actually being used for email communications.

 Following is the DMARC record you may use to view your reports on our platform:

 

  • Reject mode for dormant domains and active domains analysis 

Upon analysing your DMARC aggregate reports, you will have identified the domains that are not being used to send emails. You can move these directly to the DMARC reject policy, along with an SPF record with NO IPs authorized to send emails. This will protect your dormant domains from being impersonated by anyone.

 

You will notice an added email address in the DMARC record above. That address receives forensic reports when the dormant domain is impersonated. These reports include the content and the headers of the email, so you can analyze it further and take action if necessary.

As for your active domains, constant analysis and identification of your legitimate email sources is required at this point. This will enable you to authorize all your legitimate outgoing email sources, effectively blocking impersonated emails when you eventually move the active domains to the DMARC reject policy.
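The three steps above end in two concrete tasks: reading the aggregate reports to sort sending sources into known services that still need authorizing and unknown sources that need investigating, and publishing "no senders" SPF and reject-mode DMARC records for dormant domains. The Python below is an added example that does both; it is not the vendor's platform code nor the record shown in the post. The aggregate report XML is a constructed sample in the standard rua report format, the IP-to-service labels are a hypothetical allow-list a domain owner keeps while in p=none, and all domain names and mailboxes are placeholders.

```python
"""Summarise a DMARC aggregate (rua) report and derive DNS records for
dormant domains. Added example, not code from the original post or the
vendor's platform. SAMPLE_REPORT is a constructed aggregate report;
KNOWN_SOURCES is a hypothetical list of services the domain owner knows
legitimately send as the domain.
"""
import xml.etree.ElementTree as ET

# Constructed aggregate report: one authorised gateway, one known service
# that is not yet set up for SPF/DKIM, and one unknown source.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1609459200</begin><end>1609545600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
  </record>
</feedback>
"""

# Hypothetical inventory of sources the organisation knows about.
KNOWN_SOURCES = {
    "192.0.2.10": "corporate mail gateway",
    "198.51.100.25": "recruitment platform (HR)",
}


def summarise_sources(report_xml: str) -> dict:
    """Aggregate message counts per source IP with aligned pass/fail totals.
    In policy_evaluated, <dkim>/<spf> are already the aligned DMARC results,
    so a source passes DMARC when either of them is 'pass'."""
    summary = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary.setdefault(ip, {
            "label": KNOWN_SOURCES.get(ip, "UNKNOWN - investigate"),
            "messages": 0, "dmarc_pass": 0, "dmarc_fail": 0,
        })
        entry["messages"] += count
        entry["dmarc_pass" if passed else "dmarc_fail"] += count
    return summary


def sources_to_authorise(summary: dict) -> list:
    """Known services still failing DMARC: add them to SPF / set up DKIM
    before progressing the policy past p=none."""
    return sorted(ip for ip, e in summary.items()
                  if e["dmarc_fail"] and ip in KNOWN_SOURCES)


def unknown_sources(summary: dict) -> list:
    """Sources nobody in the organisation claims: possible impersonation."""
    return sorted(ip for ip in summary if ip not in KNOWN_SOURCES)


def dormant_domain_records(domain: str, report_mailbox: str, forensic_mailbox: str) -> dict:
    """TXT records for a domain that never sends mail: SPF authorising no
    IPs, DMARC at reject with aggregate (rua) and forensic (ruf) addresses.
    fo=1 asks receivers to send a forensic report on any failure."""
    return {
        domain: "v=spf1 -all",
        f"_dmarc.{domain}": (f"v=DMARC1; p=reject; rua=mailto:{report_mailbox}; "
                             f"ruf=mailto:{forensic_mailbox}; fo=1"),
    }


if __name__ == "__main__":
    s = summarise_sources(SAMPLE_REPORT)
    for ip, e in s.items():
        print(f"{ip:16} {e['label']:28} sent={e['messages']:4} pass={e['dmarc_pass']:4} fail={e['dmarc_fail']:4}")
    print("authorise before quarantine/reject:", sources_to_authorise(s))
    print("unknown sources to investigate:", unknown_sources(s))
    for name, txt in dormant_domain_records("old.example", "dmarc@yourdomain.example",
                                            "forensic@yourdomain.example").items():
        print(f'{name} IN TXT "{txt}"')
```

Run against the constructed report, the summary flags the HR recruitment platform as a known sender that must be added to SPF or signed with DKIM before the policy can move on, and lists 203.0.113.7 as an unclaimed source to investigate; the last lines are the two TXT records a dormant domain needs so that nothing can send as it and every attempt is reported.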
