How to Create a BIMI Record


Brand Indicators for Message Identification (BIMI) is a standardized way for companies to use their logo as a visible indicator to help email recipients recognize and avoid fraudulent messages. BIMI builds on the DMARC email authentication protocol to develop trust with current and potential customers. For a closer look at the new BIMI standard, please click here.

Creating a BIMI Record

The following steps outline how to create a BIMI record for your domain:

1. Create Image in SVG Format

First, you’ll need to obtain a copy of your logo and convert it to SVG format. For those steps, please click here.

2. Visit DNS Hosting Provider and Select Create Record

Now that you’re ready to create a BIMI record for your domain, visit your DNS hosting provider. After logging in, locate the prompt to create a new record.

3. Add Host Value

In this field, you’ll likely input the host value default._bimi (the selector default followed by the _bimi label), and the hosting provider will append your domain or subdomain to that value (ex: default._bimi.example.com).


4. Select TXT DNS Record Type

Depending on your provider, you’ll likely see a dropdown list of DNS record types. Because a BIMI record is a kind of TXT DNS record, be sure to select the “TXT” option.


5. Add “Value” Information

There are two required tag-value pairs that MUST be present on every BIMI record: v and l.

  • The only valid value for the v (version) tag is v=BIMI1
  • Confirm the l (location) tag is present and followed by the full HTTPS URL of your SVG logo (l is a lowercase L)

6. Publish BIMI Record

Click “Save Record Set” button to generate your new BIMI record.


7. Test BIMI Record for Errors

The last step you will want to perform is to Run a BIMI Record Check to verify the record you just created has the correct values and syntax. This tool will also render how your logo will appear in email clients.
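The following script, added here as an illustration and not part of the original article or any MxToolbox tool, performs the same kind of syntax check described in step 7 offline: it builds the DNS name from step 3 and validates a TXT value against the required v and l tags from step 5. The record strings inside it are constructed samples, and the requirement that the logo URL end in .svg is this script’s own assumption based on step 1, not a rule the article states.

```python
from __future__ import annotations

from urllib.parse import urlparse


def bimi_record_name(domain: str, selector: str = "default") -> str:
    """Return the DNS owner name where the BIMI TXT record lives.

    Matches the host layout from step 3: <selector>._bimi.<domain>.
    """
    return f"{selector}._bimi.{domain.strip('.').lower()}"


def parse_bimi_tags(txt: str) -> list[tuple[str, str]]:
    """Split a BIMI TXT value into (tag, value) pairs.

    Tags are separated by ';', tag names are case-insensitive, and
    surrounding whitespace is ignored. Raises ValueError on a pair with no '='.
    """
    tags: list[tuple[str, str]] = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag-value pair: {part!r}")
        name, _, value = part.partition("=")
        tags.append((name.strip().lower(), value.strip()))
    return tags


def validate_bimi_record(txt: str) -> list[str]:
    """Return a list of problems found in a BIMI TXT value (empty means OK).

    Checks the two required pairs from step 5: v=BIMI1 and an l= tag that
    carries a full https:// URL. The .svg check is an added assumption.
    """
    errors: list[str] = []
    try:
        tags = parse_bimi_tags(txt)
    except ValueError as exc:
        return [str(exc)]

    if not tags or tags[0][0] != "v":
        errors.append("v= must be the first tag")

    tagmap = dict(tags)
    if len(tagmap) != len(tags):
        errors.append("duplicate tags are not allowed")

    if tagmap.get("v") != "BIMI1":
        errors.append("v must be exactly BIMI1")

    if "l" not in tagmap:
        errors.append("l= (logo location) tag is missing")
    else:
        url = urlparse(tagmap["l"])
        if url.scheme != "https" or not url.netloc:
            errors.append("l must be a full https:// URL")
        elif not url.path.lower().endswith(".svg"):
            errors.append("l should point at an SVG file")
    return errors


if __name__ == "__main__":
    # Constructed sample values for a local run; example.com is a placeholder.
    samples = [
        "v=BIMI1; l=https://example.com/brand/logo.svg",
        "v=BIMI1; l=http://example.com/brand/logo.svg",
        "v=BIMI1",
        "l=https://example.com/brand/logo.svg; v=BIMI1",
    ]
    print("record name:", bimi_record_name("Example.com"))
    for rec in samples:
        problems = validate_bimi_record(rec)
        print(f"{rec!r} -> {'OK' if not problems else problems}")
```

Run it as-is to see the checks applied to the constructed samples, or import `validate_bimi_record` and pass it the TXT string you are about to save at your DNS provider. It only checks syntax; whether the SVG itself is well-formed and reachable still needs the online record check from step 7.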

Note: Creating your BIMI record and publishing it to the DNS per the above steps doesn’t automatically display your logo in all customer inboxes. Currently, several Oath brands (Yahoo!, AOL, etc.) are testing the BIMI standard in beta with their mailbox users, and the other inbox providers that participated in developing the protocol are likely to add BIMI support soon. Gmail will also be rolling out its own beta test of the BIMI standard in 2020. By having your BIMI record and associated logo published in the DNS, your brand will easily be recognized and trusted by current and future customers. For details on all BIMI technical specifications, please click here.

Summation

Creating a BIMI record for your company’s logo to be visible in customers’ inboxes is a simple way to enhance your brand. Not only are current and prospective clients confident that your emails are legitimate, they also gain a level of trust by seeing your approved logo in their inbox. Each time a customer receives a message from your domain using the BIMI standard, at least three potential unique brand impressions are made—message list, email address in message, and within message itself. The quicker your business decides to adopt BIMI (when available via your outbound email provider), the more recognized your brand will be.

With the number of malicious online attacks increasing daily, the importance of protecting your employees from succumbing to email scams can’t be overstated. Because email is so integral to your company’s financial success, having the best defense against phishing and spoofing efforts not only improves your brand reputation, it also reinforces customers’ trust in your business. After all, nobody wants to receive illegitimate messages, thus tarnishing perceptions of their preferred brands. One of the more damaging kinds of phishing attacks is whaling. The term “whaling” was coined because of the magnitude of the targets and attacks relative to those of typical phishing ploys.

What Is Whaling Phishing?

A whaling attack, also referred to as whaling phishing, is a specific form of phishing attack that explicitly targets high-profile employees—CEOs, CFOs, or other executives (known as whales)—in order to steal sensitive information from a company. Whales are carefully chosen due to their overall authority and access to secure company information. The goal of a whaling attack is to con an executive into revealing personal or corporate data through spoofed email. In most whaling attacks, the perpetrator’s goal is to manipulate the victim into authorizing lucrative wire transfers to the attacker.

How Do Whaling Attacks Work?

As mentioned, the aim of whaling phishing attacks is to trick an individual into disclosing personal or corporate information through social engineering, email spoofing, and content spoofing efforts. For example, the fraudster might send the unsuspecting victim an email that appears to be from a trusted source, enticing the whale to provide classified data. In addition, some whaling campaigns include a customized malicious website created especially for the target.

Whaling attack emails and websites are highly customized and personalized, and they often incorporate the target’s name, job title, or other relevant information collected from a variety of sources. Due to this level of personalization and their highly targeted nature, whaling attacks are usually more difficult to detect than standard phishing attacks.

Whaling phishing attacks often rely on social engineering methods, as attackers will send hyperlinks or attachments to infect their victims with malware or to solicit sensitive information. By targeting high-value victims, fraudsters might also persuade them to approve fraudulent wire transfers using business email compromise techniques. In some cases, the attacker impersonates the CEO or other corporate officers to convince employees to carry out damaging financial transfers.

Examples of Whaling Attacks

Perhaps the most notable whaling phishing attack occurred in 2016 when a high-ranking Snapchat employee received an email from a fraudster impersonating the company’s CEO. The employee was duped into giving the attacker confidential employee payroll information. The FBI subsequently investigated the attack. [1]

Another newsworthy whaling scam from 2016 involved a Seagate employee who unknowingly emailed the income tax data of several current and former company employees to an unauthorized third party. After the phishing scam was reported to the IRS and FBI, it was announced that thousands of people’s personal data was exposed in that whaling attack. [2]

MxToolbox’s Delivery Center

Although information security awareness training for all employees and executives is recommended, it’s far from a foolproof plan. In fact, even highly educated users fall for malicious email scams, with their aggregate click-through rate granting an attacker a 10% chance of success per trained employee. [3] To that point, MxToolbox advises all businesses to immediately adopt DMARC and select stringent quarantine/reject enforcement. Our Delivery Center product and expert team can help your company implement DMARC and publish aggressive enforcement, along with monitoring email spoofing traffic before a dangerous whaling attacker impersonates your respected domain.

[1] https://money.cnn.com/2016/02/29/technology/snapchat-phishing-scam/index.html

[2] https://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/

[3] https://info.microsoft.com/ww-landing-Security-Intelligence-Report-Vol-23-Landing-Page-eBook.html
