“The best way to stop these [BECs] is to switch on DMARC with the strongest policy (“p=reject”) as default.”
– Phil Muncaster (Infosecurity-Magazine)
Phil Muncaster offers this advice, which can help protect against Business Email Compromise (BEC) scams, in his article on the discovery that an infamous BEC gang has built a new targeting database of 8500 financial executives from around the world, which it could use to carry out BEC attacks.
What is DMARC?
DMARC, or Domain-based Message Authentication, Reporting & Conformance, is an email authentication protocol used to detect whether a message genuinely comes from the domain it claims to be sent from and, if it does not, to prevent it from being delivered to the recipient. Senders and receivers work in a coordinated way: the sending domain publishes a DMARC policy, and the receiving mail server checks incoming messages against it to determine whether the sender is legitimate.
“Setting a DMARC policy of ‘reject’ provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery. Additionally, reports provide a mechanism for an agency to become aware of the source of an apparent forgery, information that they would not normally receive otherwise.”
A word of caution
Though DMARC shows the most promise for helping organizations defend against BEC attacks, it is still only a weak protection against spoofed emails. According to Cofense, it does not protect against the dangerous Man-in-the-Inbox phishing attacks either.
To be exact, DMARC validates only the exact domain of the sending address, so it gives us little leverage against other popular forms of BEC attack, such as display-name spoofing and domain impersonation (look-alike domains).
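To make the exact-domain check concrete, here is an added example (not code from the article or any mail product): a simplified DMARC alignment evaluator in Python over constructed DNS records. It assumes the record values, the domains and the `dmarc_verdict` helper shown, and illustrates both what the coordinated sender/receiver check described above does and why a look-alike domain or display-name trick is not caught, because DMARC consults the policy of the domain actually used, not the one being imitated.

```python
from email.utils import parseaddr

# Constructed stand-ins for _dmarc.<domain> TXT lookups; no live DNS is queried.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "examp1e.com": "v=DMARC1; p=none",  # look-alike domain under a third party's control
}

def parse_dmarc(record):
    """Split a DMARC TXT record into tags, with RFC 7489 defaults for the ones we use."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Simplified organizational domain: last two labels (a real receiver uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_verdict(from_header, spf_domain, dkim_domain):
    """Evaluate DMARC for one message; spf_domain is the MAIL FROM domain that passed
    SPF (None if none), dkim_domain the d= of a verified signature (None if none).
    Returns (From-header domain, published policy, 'pass' | 'fail' | 'no-policy')."""
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    record = DMARC_RECORDS.get(from_domain) or DMARC_RECORDS.get(org_domain(from_domain))
    if record is None:
        return from_domain, "none", "no-policy"   # receiver has nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    return from_domain, tags["p"], "pass" if (spf_ok or dkim_ok) else "fail"

if __name__ == "__main__":
    # Direct spoof of the protected domain: unaligned SPF, no DKIM -> fail under p=reject.
    print(dmarc_verdict("CFO <cfo@example.com>", "mail.attacker.example", None))
    # Look-alike domain: DMARC consults examp1e.com's own record and the message passes.
    print(dmarc_verdict("CFO <cfo@examp1e.com>", "examp1e.com", None))
    # Display-name trick from a domain with no DMARC record: nothing to enforce.
    print(dmarc_verdict("Jane Doe CFO <cfo@mailbox.example>", None, None))
```

Only the first case is stopped by a p=reject policy; the other two are exactly the gaps the paragraph above describes, which is why display-name and look-alike detection has to come from other controls and from trained users.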
Likewise, all communications with clients who have not adopted DMARC remain vulnerable to phishing attacks. Still, if your organization relies only on secure email gateways (SEGs) to stop malicious emails, you should look into DMARC too.
User education remains the most reliable defense against advanced phishing attacks. Only alert, trained users can spot and flag spoofed email addresses and deal with phishing attacks that originate from a compromised email address.