BEC with Email Authentication

Business Email Compromise (BEC): prevent it by enabling DMARC, SPF and DKIM

Business Email Compromise (BEC), also known as CEO fraud, is a type of scam that targets companies and government agencies which conduct wire transfers to suppliers abroad. Email accounts of senior managers are spoofed to trigger fraudulent transfers, often resulting in hundreds of thousands in losses. BEC attackers usually impersonate the CEO or CFO to request a wire transfer. Sample emails often carry subjects such as ‘request’, ‘payment’ or ‘urgent transfer’. Instances of BEC have been increasing since the pandemic began and companies shifted to a remote working model, with malicious email accounts being the primary vector in about 45% of all BEC attacks since 1st April 2020 (according to Barracuda Networks).

What is Email Authentication?

Email authentication is a collection of techniques that let a receiving mail server verify that a message really comes from the domain it claims to, which is what prevents phishing and spoofing attacks like BEC. Email authentication not only prevents email fraud but also improves email deliverability. By publishing SPF and DKIM records and authenticating your outbound mail, you protect your domain from impersonation and help your legitimate emails reach the inbox.

Steps to implement DMARC for BEC

Step I: Implementation

The very first step to prevent phishing and spoofing attacks like BEC is to deploy DMARC for your domain. Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication protocols to verify emails that claim to be sent from your domain. It gives the domain owner control over how receivers should treat emails that fail either or both of those checks.

To deploy DMARC, you should:

  • Make an inventory of all legitimate email sources (mail servers and third-party services) authorized to send on behalf of your domain.
  • Publish an SPF record in your domain name system (DNS) to implement SPF.
  • Publish DKIM records (one per signing selector) in your DNS to implement DKIM.
  • Publish a DMARC record in your DNS to implement DMARC for your domain.

Step II: Enforcement

Your DMARC policy (the p tag of the record) can be set to one of three values:

  • p=none: DMARC is deployed in monitoring mode only; emails that fail authentication are still delivered, but you receive reports about them.
  • p=quarantine: DMARC is deployed in partial enforcement mode; emails that fail authentication are quarantined (typically delivered to the spam folder).
  • p=reject: DMARC is deployed in full enforcement mode; emails that fail authentication are not delivered at all.

Domain owners are advised to begin with DMARC in monitoring mode so they can keep a tab on the email flow and catch delivery issues for legitimate senders. Over time, however, you need to move to full enforcement mode to protect your domain from BEC.
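To make Steps I and II concrete, here is an added example (it is not code from the original article or from any DMARC vendor) that checks whether a domain has published the three records and then applies the DMARC policy to a few constructed messages. DNS lookups are replaced by an in-memory zone, and every domain name, IP range, selector and key value in it is assumed for illustration; the organizational-domain test used for relaxed alignment is simplified to a parent/child suffix match, and the fallback from a subdomain to the organizational domain's record is omitted.

```python
"""Added example, not from the original article: check that a domain has
published SPF, DKIM and DMARC TXT records, then evaluate DMARC for a few
constructed messages. DNS is replaced by an in-memory zone; every domain,
IP address, selector and key value here is assumed for illustration."""
from __future__ import annotations

# Constructed stand-in for DNS TXT lookups (assumption: the records the
# hypothetical domain example.com has published).
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "mail._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; adkim=r; aspf=r",
}


def txt(name: str) -> str | None:
    """Look up a TXT record in the constructed zone (real code would query DNS)."""
    return ZONE.get(name.lower())


def parse_tags(record: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' records (DMARC and DKIM use this form)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_deployment(domain: str, selector: str) -> dict[str, bool]:
    """Step I: report whether each of the three records is present and sane."""
    spf_terms = (txt(domain) or "").split()
    dkim = parse_tags(txt(f"{selector}._domainkey.{domain}") or "")
    dmarc = parse_tags(txt(f"_dmarc.{domain}") or "")
    return {
        # SPF must start with v=spf1 and end with a fail or softfail "all"
        "spf": bool(spf_terms) and spf_terms[0] == "v=spf1"
        and spf_terms[-1] in ("-all", "~all"),
        # the selector's DKIM record must carry a public key (p=)
        "dkim": dkim.get("v", "DKIM1") == "DKIM1" and bool(dkim.get("p")),
        # the DMARC record must be v=DMARC1 with a valid policy
        "dmarc": dmarc.get("v") == "DMARC1"
        and dmarc.get("p") in ("none", "quarantine", "reject"),
    }


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1). Strict ('s') needs an exact
    match; relaxed ('r') needs the same organizational domain, simplified here
    to a parent/child suffix match (real validators use the Public Suffix List)."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def dmarc_disposition(from_domain: str, spf_domain: str, spf_pass: bool,
                      dkim_domain: str | None, dkim_pass: bool) -> str:
    """Step II: apply the published policy to one message's SPF/DKIM results.
    Returns 'pass', 'none', 'quarantine', 'reject' or 'no-policy'.
    (Subdomain fallback to the organizational domain's record is omitted.)"""
    record = txt(f"_dmarc.{from_domain}")
    if record is None:
        return "no-policy"
    tags = parse_tags(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = bool(dkim_domain) and dkim_pass and aligned(
        dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:          # DMARC passes if either aligned check passes
        return "pass"
    return tags.get("p", "none")   # otherwise the owner's policy applies


if __name__ == "__main__":
    print(check_deployment("example.com", "mail"))
    # Spoofed "CEO" mail sent via an attacker-controlled domain: nothing aligns
    print(dmarc_disposition("example.com", "attacker.example", True, None, False))
    # Legitimate mail: SPF passes for the aligned MAIL FROM domain
    print(dmarc_disposition("example.com", "example.com", True, "example.com", True))
```

The two sample calls at the bottom show why DKIM matters alongside SPF: a message that is forwarded (SPF breaks because the forwarder's IP is not in your record) or sent by an authorized third party from its own envelope domain still passes DMARC as long as it carries an aligned DKIM signature, while a spoof with no aligned identifier receives the published policy.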

Step III: Monitoring and Reporting through DMARC Reports

Once you have deployed DMARC at full enforcement you have greatly reduced the room for BEC attacks, but that alone isn’t enough.

DMARC aggregate reports, sent by receiving mail servers to the address in your record's rua tag, contain information about the sources of email claiming to come from your domain: the sending IP address, the number of emails seen in the reporting period and their SPF and DKIM authentication status. With these reports the domain owner can see which sources are authenticating and which are failing, distinguish an unknown legitimate sender that still needs SPF/DKIM set up from an attacker spoofing the domain, and confirm the policy is being applied. Hence, DMARC implementation, enforcement and reporting together help a domain owner reduce the chances of spoofing and BEC fraud.
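As an added example of what Step III looks like in practice (this is not code from the original article), the script below summarizes one DMARC aggregate report in the XML form receivers send to the rua address, and flags every sending IP whose messages failed both aligned checks. The report itself is constructed for illustration; the reporter name, IP addresses, counts and domains in it are assumed and not taken from any real report.

```python
"""Added example, not from the original article: summarize a DMARC aggregate
(RUA) report and flag sources that fail both aligned checks. The report text
is constructed for illustration; its IPs, counts and domains are assumed."""
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 Appendix C schema, trimmed to the elements
# this summary needs. Real reports arrive by email, gzip- or zip-compressed.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1717200000</begin><end>1717286400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip><count>8</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Return the published policy plus per-source counts and auth results.
    Reports come from outside the organization, so a production parser should
    use defusedxml; the stdlib parser is fine for this trusted constructed sample."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim_ok = evaluated.findtext("dkim") == "pass"   # aligned DKIM result
        spf_ok = evaluated.findtext("spf") == "pass"     # aligned SPF result
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": dkim_ok,
            "spf": spf_ok,
            # the envelope domain shows who actually sent the message
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            # neither aligned identifier passed: a spoof, or a legitimate
            # sender that still needs SPF/DKIM set up; either way, look at it
            "investigate": not (dkim_ok or spf_ok),
        })
    summary["failed_messages"] = sum(
        s["count"] for s in summary["sources"] if s["investigate"])
    return summary


if __name__ == "__main__":
    report = summarize_report(SAMPLE_REPORT)
    print(f"{report['reporter']} reports on {report['domain']} (p={report['policy']})")
    for src in report["sources"]:
        flag = "INVESTIGATE" if src["investigate"] else "ok"
        print(f"  {src['ip']:<16} {src['count']:>5} {src['disposition']:<10} {flag}")
```

In monitoring mode (p=none) the flagged rows are exactly the sources you must either authorize (add to SPF, configure DKIM) or confirm as spoofing before moving to p=quarantine and p=reject; once enforcement is on, the same rows show the policy doing its job.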