
BIMI as an anti-phishing shield

Natalia Zacholska, 9 February 2022


With the emergence of the Covid-19 pandemic, many brands were forced to adapt within a short period to a changed reality and new consumer attitudes. That meant reorganizing their distribution channels and moving all (or a large part) of their business online, which in turn has made phishing one of the most common forms of cybercrime.

Today it is not only fake websites, although we mainly hear about those in the context of recent attempts to impersonate the biggest Polish banks. Phishing also means fraudulently sending Emails under the guise of recognizable and reputable brands to persuade recipients to share personal information, such as passwords or bank details, e.g. credit card numbers. The simplest example of an attempted scam is the well-known message asking for an urgent transfer as a necessary payment to receive an inheritance from a foreign prince. Most of us will probably smile politely and say that we would never fall for this type of Email. However, it is important to be aware that current forms of phishing are far better prepared and more difficult to detect; many imitate a real brand's communication 1:1, which makes it easy to fall victim. These are no longer the days when it was enough to glance at the content of a message to recognize a fraud attempt from a poorly prepared Email with “scattered” HTML elements.

Where does Email phishing start?

An Email address is one of the easiest pieces of information to find out about another person. Everyone has used theirs many times to subscribe to a newsletter, create an account on a website, complete an online purchase or send a resume. Since the GDPR came into force, we have acquired many rights to know how someone came into possession of our data and how it is processed, giving us more control over its use. However, not everyone is aware that databases can be stolen in hacking attacks and, once leaked, illegally sold. The Darknet is full of offers to sell confidential information that comes from hacks into IT systems. It is a good idea to check from time to time whether your Email address was involved in a security incident and data disclosure; you can do this, for example, via the Have I Been Pwned website.

Check the Email you have received

What should you do if you have already received a suspicious Email? There are several ways to check whether the message you have received is a fraud attempt:

  • Sender: check that the Email address is reliable and linked to the organization sending the message, and that the sender name itself looks genuine
  • Recipient: check how personalized the message is. Is your name used, or is the Email instead addressed to a “Friend”, “Valued colleague”, etc.?
  • Content: check whether it is grammatically correct (or perhaps sounds auto-translated?), whether there are typos, and whether characters specific to the language are missing. Fake Emails also often contain phrases encouraging quick action, e.g. “urgently change your password” or “click here immediately”, and point to suspicious links


A more advanced way of verifying the credibility of a received Email is to check its headers, which make it possible to confirm the real sender of the message and to assess whether it is properly authenticated via SPF, DKIM, and DMARC.

Mailboxes often automatically move messages that fail validation under the above protocols to the SPAM folder, but many still end up in other tabs because of less restrictive policy settings. It should be remembered that until now DMARC was the highest level of domain security, and the only one that (thanks to its reports) allowed us to verify who else was sending messages via our domain, thus alerting us to fraud attempts. However, nowadays very similar domain names are often used to impersonate the sender: swapping letters or replacing one of them with another character makes the domains difficult to distinguish.
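The header check described above, as an added example that is not part of the original article: it reads the Authentication-Results header (RFC 8601 layout) that a receiving server adds after evaluating SPF, DKIM and DMARC, and only trusts the copy written by the reader's own server, since any sender can add such a header themselves. The sample message, the domains and the authserv-id `mx.receiver.example` are constructed for the example.

```python
import re
from email import message_from_string
from email import policy

# Constructed sample (not a real capture): a message carrying the
# Authentication-Results header that a receiving server adds after
# evaluating SPF, DKIM and DMARC.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce.brand.example;
 dkim=pass header.d=brand.example header.s=sel1;
 dmarc=pass (p=REJECT sp=REJECT dis=none) header.from=brand.example
From: Brand Newsletter <news@brand.example>
To: user@receiver.example
Subject: Your monthly statement

Hello, your statement is ready.
"""

# Assumption: the authserv-id of the reader's own inbound mail server. Any sender
# can add an Authentication-Results header of their own, so only the copy written
# by a server you trust is meaningful.
TRUSTED_AUTHSERV_ID = "mx.receiver.example"

METHOD_RE = re.compile(r"(spf|dkim|dmarc)=(\w+)")

def parse_authentication_results(value: str) -> dict:
    """Parse an RFC 8601 header value: '<authserv-id>; method=result ...; ...'."""
    flat = " ".join(value.split())           # unfold continuation lines
    flat = re.sub(r"\([^)]*\)", "", flat)    # drop (comments) such as the policy note
    parts = [p.strip() for p in flat.split(";") if p.strip()]
    out = {"authserv_id": parts[0].split()[0] if parts else "",
           "spf": "none", "dkim": "none", "dmarc": "none"}
    for clause in parts[1:]:
        m = METHOD_RE.match(clause)
        if m:
            out[m.group(1)] = m.group(2).lower()
    return out

def assess_message(raw: str, trusted: str = TRUSTED_AUTHSERV_ID) -> dict:
    """Find the trusted Authentication-Results header and summarise its verdict."""
    msg = message_from_string(raw, policy=policy.default)
    for hdr in msg.get_all("Authentication-Results", []):
        res = parse_authentication_results(str(hdr))
        if res["authserv_id"] != trusted:
            continue                         # header not written by our server: ignore
        if res["dmarc"] == "pass":
            res["verdict"] = "authenticated"
        elif res["dmarc"] == "fail":
            res["verdict"] = "failed"
        else:
            res["verdict"] = "partial"       # SPF/DKIM only, DMARC not evaluated
        return res
    return {"verdict": "unverified"}         # no header from a server we trust
```

A result of "unverified" does not mean the message is fraudulent, only that nothing in the headers can vouch for it; lookalike domains still need to be checked by eye against the brand's real domain.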

Many brands have set their sights on helping the “average” recipient differentiate real Emails from fake ones. Very interesting articles, podcasts, or webinars are created for this purpose. Unfortunately, despite the energy and involvement in educational campaigns, information about phishing reaches only a narrow group of recipients.

The e-commerce industry has long been looking for a solution that would allow recipients to recognize at first glance a trusted, verified sender who has properly secured their domain, since not every recipient reads the detailed information contained in the headers. The answer to this need is BIMI.

What exactly is BIMI?

BIMI is an acronym for Brand Indicators for Message Identification, a new security standard that allows sender logos to be displayed in Emails. To implement BIMI, you first need to ensure that the sending domain is properly authenticated with SPF, DKIM, and DMARC. Speaking of DMARC, it is necessary to set a restrictive policy (quarantine or reject), which defines what to do when an Email fails both the SPF and DKIM checks. Many senders still use a none policy, which provides zero DMARC enforcement, or do not set a policy at all.
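An added example, not code from the article or from EmailLabs, that checks a domain's published DMARC record against the prerequisite just described: the policy must be quarantine or reject, never none or missing. It also applies two conditions from the BIMI draft that the article does not spell out (quarantine needs pct=100, and an explicit sp= tag must also enforce); the record strings and domains are constructed, and in practice the record is the TXT record published at _dmarc.<your-domain>.

```python
from typing import List, Optional, Tuple

# Constructed DMARC TXT records (brand.example is not a real domain).
SAMPLE_RECORDS = {
    "none-policy":  "v=DMARC1; p=none; rua=mailto:dmarc@brand.example",
    "partial-quar": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@brand.example",
    "weak-subdom":  "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@brand.example",
    "ready":        "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example",
}

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def bimi_readiness(record: Optional[str]) -> Tuple[bool, List[str]]:
    """Return (ready, problems) for the DMARC side of a BIMI rollout."""
    if not record:
        return False, ["no DMARC record published"]
    tags = parse_dmarc(record)
    problems = []
    if tags.get("v", "").upper() != "DMARC1":
        problems.append("record does not start with v=DMARC1")
    p = tags.get("p", "").lower()
    if p not in ENFORCING:
        # The article's core requirement: p=none (or no p tag) enforces nothing.
        problems.append(f"p={p or 'missing'} gives no enforcement; need quarantine or reject")
    if p == "quarantine" and tags.get("pct", "100") != "100":
        # BIMI draft requirement, not stated in the article.
        problems.append(f"pct={tags['pct']} must be 100 with p=quarantine")
    sp = tags.get("sp", "").lower()
    if sp and sp not in ENFORCING:
        # BIMI draft requirement: an explicit subdomain policy must also enforce.
        problems.append(f"sp={sp} leaves subdomains unprotected")
    return not problems, problems

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        ready, problems = bimi_readiness(rec)
        print(f"{name:13} ready={ready} {problems}")
```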

At the moment, BIMI is only supported by Gmail (which additionally requires a VMC certificate), Fastmail, and Yahoo! Several other providers have expressed their willingness to join the program, so it can be assumed that more will join shortly, and looking at the predictions and trends that marketers describe for 2022, BIMI has a chance to become an extremely popular standard.

It is worth noting that BIMI gives us control over the use of our registered trademark and the appearance of our logo in a place where we did not quite have control before: in the mailbox, directly next to the sender's name. Admittedly, there are other ways to add a logo, such as our native Boost from Interia, the logo in Google Workspace (formerly G Suite), the Avatar in the Postmaster Mail.ru tool, or Bing for Microsoft. However, these solutions can be changed or withdrawn at any time and, above all, they provide no confirmation that security has been implemented or that the sender holds the relevant rights (such as a trademark) to the logo.

The most important advantage of implementing this new standard is first and foremost to give recipients an easy way to identify which Emails in their mailbox are fully protected. And speaking of recognition: initial research in foreign markets indicates that recipients are much more likely to open messages that have the sender's logo highlighted, as they are more likely to trust them.

Summary

Considering how easy it is for fraudsters to find and exploit Email addresses, appropriate precautions should be taken so that customers feel safe opening our messages, which are, after all, such an important and effective way to maintain an ongoing relationship with them. By choosing to implement BIMI, you signal that you care about the safety of your recipients: you provide the highest standard of security and make the legitimate sender easy to identify. There is no need to further educate customers on this issue; instead of podcasts, webinars or articles that don't always reach the “average” recipient, simply point out that the Email is real because it carries a verified logo. Notably, such practices can effectively “discourage” potential fraudsters from trying to impersonate your brand, as it becomes easy to distinguish fully protected Emails with a displayed logo from fraudulent messages without BIMI. There is also the added benefit of a higher Open Rate, so you can count on increased conversions.

EmailLabs specialists will be happy to assist you in implementing BIMI so the whole process is quick and efficient.

Do you have any questions? Please contact our Support Team.
