BEC, or Business Email Compromise, is a kind of spear phishing email attack aimed at specific targets inside a company or other organization and designed to fool them into transferring money to an account controlled by the online criminal.
A BEC attack primarily impersonates a known and trusted colleague who really does have the authority to request the funds transfer the phisher seeks. The impersonation typically relies on spoofing the From field to match the email address of that colleague.
A Fast Growing Attack Vector
The FBI reported in June 2016 that losses from BEC attacks have increased 1300% since January 2015. In that time period spear phishers stole an estimated $3.1 billion from 22,000 organizations.
The reason these attacks are so effective is that there is no reliable way for an employee to tell the difference between a spear phishing message and a legitimate request from the real person who is being impersonated.
Using DMARC to Combat BEC Scams
That is where authenticated email comes in. Email authentication makes it possible for the owner of a domain to monitor and control who is trying to send email using that domain name.
Only approved senders are able to get their messages through to mailboxes. Those from unauthorized senders automatically fall into spam folders or simply remain undelivered, at the domain owner’s option. Phishers therefore can be prevented from sending impersonation emails using any domain name that takes advantage of email authentication.
This feat is accomplished using the open standard DMARC (Domain-based Message Authentication, Reporting & Conformity), which is honored by all major email service providers (ESPs), accounting for 2.7 billion mailboxes worldwide. Unfortunately, DMARC is a complex and error-prone protocol to implement, and as your business evolves, your DMARC records need to stay current or critical business email may not get to its destination.
Introducing Email Authentication as a Service
ValiMail addresses this problem through Email Authentication as a Service™. The ValiMail cloud service automatically configures and monitors DMARC records for your domains, along with the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records it builds on.
The intuitive ValiMail console gives you visibility on the volume and nature of mail sent using your domain names, including phishing email, and lets you control approved senders, cryptographic keys, and other settings with point-and-click ease. It provides correctly configured, error-free, current email authentication for as many domain names as you like, protecting your employees and business partners from Business Email Compromise.