BIMI – IT security and brand protection in one.

Let’s first take a close look at how an attack can be launched off the back of a phishing e-mail. You open your inbox and see a seemingly harmless e-mail from a business contact, supplier or customer you regularly communicate with. At first glance, everything seems fine. You open the e-mail and read it, and everything still seems legit. Cyber criminals often put in a lot of effort to get their hands on their victims’ data, which is why it should come as no surprise that the form of address and content are very similar to actual business relationships or are very good at expressing a desire to establish one. What all phishing e-mails have in common is the need to take some kind of action such as opening an attachment or clicking on a link, and doing so is what usually sets the ball rolling.

Recipients often fall into this trap because the attacker makes it clear that their action is needed as a matter of urgency by using language in such a way as to trigger fear. This starts in the subject line with things like “Warning! Your account has been hacked. Immediate action required!” But it doesn’t end there Generally speaking, these e-mails are written in such a way as to increase the chances of the recipient downloading something or clicking a link that leads to a fraudulent website.

Keep an eye on your identity.

Such an attack is as successful as the e-mail is believable. The more realistic the sender and content appear, the more likely the e-mail will have the desired result, so it’s no wonder that hackers invest a lot of time and effort into ensuring e-mails, invoices, signatures and even domains look like the real deal. Their success speaks for itself. www.beispiel.de and www.beispieI.de look similar, but lead to totally different domains and potentially dangerous content. Imagine the damage that could be caused to your company if e-mails were sent out in your name. In Germany alone, the BSI estimates that economic damage could reach a figure in the tens of millions, but that’s only part of the story as the effect on reputation can have a palpable effect years after the event. It requires a Herculean effort to win back the trust of customers, suppliers and the public, so much so that many businesses eventually give up trying. Protecting and strengthening your company’s reputation is, therefore, a central task as it also stops your customers from being taken in by malicious fraudsters.

BIMI – Delivering your logo to inboxes.

BIMI stands for Brand Indicators for Message Identification.  It’s a new standard developed by the BIMI Initiative to which well-known names such as Microsoft, Google, Oath, Comcast, PayPal, LinkedIn and many more have already signed up to. The Initiative’s aim is to ensure that e-mail messages are verified and authenticated with the company’s logo clearly displayed, meaning that the recipient can clearly see if the e-mail is fake or not before even opening it.

So, if cyber criminals try and use your brand to trick information out of customers, they will be able to see very quickly that the e-mail isn’t actually from you. There are a multitude of reasons why criminals try to build contact with your customers in this way and your reputation is certainly one of them, with your activities and products not far behind.

What’s it all about?

To ensure authentication is secure, BIMI relies on established and watertight standards in addition to their own entries in the Domain Name System (DNS). BIMI is based on Domain-based Message Authentication, Reporting and Conformance, DMARC for short, as well as the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), which are all well-established standards that serve to stem the flow of e-mails from spammers and criminals. In short, DMARC makes sure that what you see in your inbox, the header and signature all match

by leveraging DMARC policies which see the recipient being informed that the message is protected by SPF and DKIM. At the same time, the recipient also receives guidelines on how to handle unauthorised e-mails, so that they can be treated in accordance with specific rules and either rejected, quarantined, reported to the sender or deleted. Ideally, these e-mails don’t ever make it as far as the recipient’s inbox, but are filtered out by the mail server.

To make sure your and your customers’ servers can do just that, DMARC uses the DNS TXT entries, in much the same way as SPF and DKIM. Other resource records (RR) provide information on which process is used meaning an RR entry includes the previously mentioned instructions on how to deal with unauthorised e-mails, the e-mail address to which the reports are the be sent, and the percentage of a sender’s e-mails that have already been filtered.

BIMI builds on DMARC, leveraging its foundations, which means you need to have the policy in place at your company before being able to use BIMI. Other pre-requisites include:

• The DMARC policy for using unauthorised messages must be set to reject or quarantine.
• Your logo must be available as a square SVG file without text and be available online from a public source.
• A DNS TXT entry must be created for your address.

What are the pros and cons of BIMI?

As BIMI is not a standalone security solution, it doesn’t mean that you and your customers don’t have the task of training employees how to handle threatening e-mails. On the contrary, being able to identify spam and phishing attempts remains a top priority. BIMI does however give you to opportunity to reassure your customers that the e-mails they are receiving are authentic and also enables them to distinguish legitimate correspondence from fakes. Do you remember what I wrote before about how e-mails appear in inboxes? For those people who do not have any particular technical experience, it is nigh on impossible to check that, the header and the signature. BIMI means you can see this information directly in your inbox even before you’ve opened the e-mail.

The return channel integrated into the system supports your IT department by detecting phishing attempts before they become an issue with any rejected e-mails being reported directly to you. As BIMI is based on established security standards, its introduction along with DMARC and SPF/DKIM means your e-mails are more secure. The positive effect of having your logo visible in the inboxes of your customers, suppliers and service providers should not be underestimated either, as it shows you to be a safe and reliable partner.

Raise employee awareness.

Of course, as with every system, BIMI and DMARC cannot 100% guarantee that no fraudulent e-mails will get through, which is why it’s important that your employees know what to look out for and that any security strategy also includes help for your colleagues to detect malicious communication.

An example could be to provide rules on how to handle communication and should also cover best practices for using social networks, mobile phones, e-mail and web browsers. This also covers communicating enterprise and personal data, the latter of which should most certainly never leave the company, no matter the channel through which the request is made. It’s also important that everyone understands their responsibilities. An employee should be able to approach someone for support if they suddenly receive an e-mail about a transaction from a person they don’t know.

Bechtle has the ideal training solution for your employees, in the shape of the E-Sensecurity—an affordable e-learning tool, customised for your organisation that helps you educate your staff on how to handle sensitive company information. At the same time, you make sure you are meeting the requirements set out by IT security and privacy legislation.