Email is arguably the most critical means of business communications today. For many, it’s the backbone of customer connections and building brand trust. However, with spoofing, phishing and other email scams on the rise, we’re often reminded that email is not inherently secure, nor trustworthy. Luckily, there are innovative security measures continuously emerging to help businesses secure email by building stronger sender authentication and leveraging customer confidence.
Unfortunately, email security threats are an everyday reality
Email has been the communicative linchpin upholding our everyday interactions for a couple of decades now. Considering its importance and prevalence in both our day-to-day personal and business lives, it’s no wonder attackers have turned their interest towards email. For hackers, an inbox is essentially a Pandora’s Box of cyber threats, with spam, spoofing, phishing, business email compromise (BEC), identity theft and ransomware as just some of the potential threats to be unleashed.
Spoofing and phishing have been of particular concern for businesses using email to communicate with their customers, especially within the past 18 months. Over the 2020 – 2021 period, attacker favourites seemed to be government impersonation, online shopping scams and health/medical emails.
It’s clear that with email carrying the bulk of B2B (business-to-business) and B2C (business-to-consumer) interactions over the pandemic and beyond, hackers have recognised the value of brand trust and thus, how to manipulate it in order to deceive unwitting recipients.
“So far in 2021, Australians have lost approximately $3.5 million to phishing attacks, with 54 545 phishing scams reported at the time of writing.”
Brand trust is key to successful phishing scams
When receiving a seemingly legitimate email from what, for the most part, looks like a trusted source, recipients are likely to let their guard down. This is especially true if they’re anticipating communication from your business and if they’ve placed trust in your brand. For instance, just this year we’ve seen scams targeting customers of two of Australia’s most well-known brands – Australia Post and Bunnings.
Established organisations like Australia Post fall victim to these kinds of scams more often than we think; however, this is not exclusive to large enterprises. If you’re sending and receiving emails from customers in confidence, there’s still a risk that your brand name and customer trust could be tainted by spoofing.
Email security largely hinges on trust and sender authentication
BIMI enables you to leverage your brand trust for more secure email communication
BIMI is an emerging email specification that’s innovating the way brands leverage their own brand identities, logos and measures of customer confidence. Unlike some of the other protocols, BIMI is pretty self-explanatory. In supported inboxes, it allows businesses to showcase their brand logo alongside their emails as a means of verifying their sender status.
To elaborate, BIMI is an umbrella of email security measures that puts your brand and its logo front and centre. Rather than a generic symbol or letter, it places your trademarked logo right next to the subject line of your authenticated emails. In addition to providing a more immersive email experience for customers, this helps prevent fraudsters from impersonating your brand and ensures your verified emails stand out in crowded inboxes.
BIMI can be considered a 'conditioning' email security measure
In time, this is sure to condition us to better recognise and distinguish safe, genuine emails from spoofing and phishing attacks. This is especially important for businesses in financial services and retailers, but equally impactful for schools, healthcare organisations and other industries looking for strong sender authentication.
For example, in the case of the Bunnings loyalty program scam from July this year, BIMI could’ve prevented some users from even opening the message. The attackers used Bunnings imagery and an enticing lure in the body of the email in an attempt to feign authenticity. However, with BIMI in place, recipients are able to distinguish real from fake before they stray from their inbox.
“Scamwatch has received reports of an email impersonating Bunnings, saying you have been chosen to participate in a free loyalty program. This is an attempt to steal your personal information. Do not click on the links in these emails and delete them immediately.” — Scamwatch_gov_au (@Scamwatch_gov), June 30, 2021
Entrust: Getting you started with the BIMI framework
Before you set up BIMI, there are a few prerequisites you need to meet. First, you’ll need to create a small SVG file of your trademarked logo and get the trademark registered with the IP Australia Office. From a design standpoint, it’s important to ensure your logo is centred, square and clear, so that it is instantly recognisable in inboxes. Second, you’ll need to enforce your DMARC policy, with ‘quarantine’ or ‘reject’ applied to 100% of your mail, so that receiving mail servers quarantine or reject unauthenticated messages claiming to come from your domain.
Once DMARC is set up and your trademarked logo is ready, you’ll need to get a VMC or Verified Mark Certificate. A VMC is a digital certificate type that contains cryptographically-verifiable brand information, such as your registered logo. Ultimately, this is all part of the high assurance validation process that verifies your business as a trusted sender.
Since BIMI is based on Mark Verifying Authorities, you’ll need to get your VMC through a Certificate Authority (CA). Luckily, our partners over at Entrust support BIMI as a CA and are able to readily provide VMCs. As global leaders in issuing identities and certificates, Entrust has played an active role in defining industry standards and best practices. In fact, Entrust has been one of the key players that helped develop and bring this core BIMI element to market, with their first VMC issued back in September 2019.
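The DMARC prerequisite above is the step most BIMI rollouts stall on, because a policy of ‘none’ or a partial ‘pct’ silently disqualifies the domain. As an added example (this is not code from the original post, from Entrust or from the BIMI project), the following Python checks a DMARC record and a BIMI assertion record for the conditions described above before you go to a CA for a VMC. It runs offline against constructed sample records rather than live DNS; the BIMI record layout (`v=BIMI1; l=<logo URL>; a=<VMC URL>` published at `default._bimi.<domain>`) is taken from the BIMI specification, and the subdomain-policy check is a spec detail the post does not mention, included here as an assumption.

```python
"""Offline readiness check for the DMARC and BIMI DNS records a domain publishes
before requesting a Verified Mark Certificate.  All records below are
constructed sample data, not records of any real domain."""


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' style TXT record (DMARC and BIMI share this syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_problems(record: str) -> list:
    """Return the reasons a DMARC record is not at BIMI-grade enforcement.
    An empty list means the record qualifies."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("missing or wrong version tag (expected v=DMARC1)")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"policy p={policy or 'none'} is not quarantine or reject")
    # pct defaults to 100 when absent (RFC 7489); the policy must cover all mail.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if pct != 100:
        problems.append(f"pct={tags.get('pct')} must be 100")
    # Assumption from the BIMI spec (not from the post): an explicit
    # subdomain policy of 'none' leaves a spoofable gap and disqualifies the domain.
    if tags.get("sp", "").lower() == "none":
        problems.append("sp=none leaves subdomains unprotected")
    return problems


def bimi_problems(record: str) -> list:
    """Return the reasons a BIMI assertion record would not work with a VMC.
    The 'a=' tag is optional in the spec, but the VMC-backed setup described
    above needs it, so its absence is reported here."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "BIMI1":
        problems.append("missing or wrong version tag (expected v=BIMI1)")
    logo = tags.get("l", "")
    if not logo.startswith("https://") or not logo.lower().endswith(".svg"):
        problems.append("l= must be an https URL pointing at the SVG logo")
    vmc = tags.get("a", "")
    if not vmc.startswith("https://"):
        problems.append("a= must be an https URL pointing at the VMC (PEM)")
    return problems


def bimi_ready(dmarc_record: str, bimi_record: str) -> bool:
    """True only when both records pass every check."""
    return not dmarc_problems(dmarc_record) and not bimi_problems(bimi_record)


# Constructed sample records for a hypothetical domain.
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
PARTIAL_DMARC = "v=DMARC1; p=quarantine; pct=50"
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
GOOD_BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
WEAK_BIMI = "v=BIMI1; l=http://example.com/brand/logo.png"

if __name__ == "__main__":
    for name, rec in [("good", GOOD_DMARC), ("partial", PARTIAL_DMARC), ("monitor", MONITOR_ONLY_DMARC)]:
        print(f"DMARC {name}: {dmarc_problems(rec) or 'enforced'}")
    print("BIMI good:", bimi_problems(GOOD_BIMI) or "ok")
    print("BIMI weak:", bimi_problems(WEAK_BIMI))
    print("ready:", bimi_ready(GOOD_DMARC, GOOD_BIMI))
```

To use it against a real domain, fetch the TXT records at `_dmarc.<domain>` and `default._bimi.<domain>` with your usual DNS tooling and pass the strings in; the functions return the list of things to fix rather than a bare pass/fail, which is what you want when working through a rollout.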
Going the extra mile with your email security
With around 30% of breaches caused by phishing alone and the cost of phishing attacks rising to around $6.4 million AUD, it’s clear that businesses need to adopt new ways to protect their consumers and themselves. Yes, doing the basics of email security, e.g. setting up SPF, DKIM and DMARC, will help to safeguard your domains against spoofing and phishing. However, if you’re looking to go the extra mile and build foundational trust in recipient inboxes, consider the BIMI framework. Above all, it enables your enterprise to send emails to consumers, partners and stakeholders with improved confidence and peace of mind.