Phishing attacks that pose as major brands have increasingly caused headaches for users and raised questions over who should foot the bill for securing e-mail.

The eventual victim—consumers and business users—typically have few security options aside from turning up the knob on their message-security software in hopes of blocking most attacks. Meanwhile, the major brands—think banks, healthcare, and government agencies—had little incentive to spend money on fighting the use of their logos and brands or for implementing technical security measures, such as Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

Now an initiative among e-mail providers and security firms, Brand Indicators for Message Identification (BIMI), aims to convince companies that using trusted messages for marketing will pay dividends.

BIMI is not a security measure in and of itself, but an application that requires fundamental e-mail security, says Seth Blank, chief product officer at message-security firm Valimail and chair of the working group developing BIMI.

"The answer [to untrusted messages] was, 'Great, let's give people the logos that they want. Let's do this in a standard way, so it is consistent across the entire ecosystem, and then let's make the requirement to use it DMARC enforcement,'" he says. "Basically, this gets the brand to do the thing that they think is hard to get benefits that keep on giving."

This month, Google is rolling out BIMI to its Gmail users, which allows organizations to display authenticated logos as the icon for the message. Gmail joins Verizon Media—including Yahoo! and AOL—and Fastmail in supporting the evolving standard.

The current process calls for companies to adopt e-mail security using Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC), or DomainKeys Identified Mail (DKIM) and DMARC. Once adopted, they can use BIMI by including a record in their DNS that points to the location of a logo image. Most mail providers also require a Verified Mark Certificate, currently sold by two registrars.

Mail providers will then display the image next to the e-mail, Google stated in a blog post earlier this month.

"Once these authenticated emails pass our other anti-abuse checks, Gmail will start displaying the logo in the existing avatar slot," the company stated, adding: "For Gmail users, no action is required."

Verified Logos

In the past, logos have been inconsistently displayed by companies, and indicated a savvy phishing attempt as much as a legitimate e-mail. While companies see great potential for logos to increase open rates and establish brand awareness, non-BIMI logos have no security controls, could have embedded scripts, and can be used by anyone. Moreover, companies who send messages with embedded logos have no control over whether the images will be displayed.

While only three e-mail providers have adopted BIMI to date, they are major messaging hubs representing two billion inboxes. Marketers who have piloted the technology have seen an increase in engagement rates of about 10%, according to a May 2020 video published by BIMI and Yahoo!, which conducted the pilot.

"Marketers will pay for increases of one, two, three percent, so a 10% open rate is major," says Valimail's Blank.

Phishing attacks are typically used to steal credentials that are later used to hack into bank accounts or gain access to corporate systems. In addition, phishing is a common way to conduct business e-mail compromise (BEC) attacks, which are, year after year, the most expensive cybercrime, costing companies and profiting cybercriminals billions.

While company logos can already be displayed in some e-mail clients, Blank believes that the situation will change as adoption of BIMI spreads. Most mail service providers, as a security measure may block the display of non-verified logos to improve the trustworthiness of e-mail and make phishing less effective.

Yet, BIMI is a feature that is enabled by other e-mail security technologies, Blank stressed. BIMI can act a visual cue to establish that an email is from a trusted source and should be safe to open.

"DMARC is a vaccine and everyone needs it, because that is what will give us herd immunity," he says. "If you have an inbox and you have lots and lots of e-mail coming at you from, what appears to be, legitimate sources, then you are going to get phished. But if you know that the e-mail that's getting to you is from reliable sources... that's where DMARC helps everyone."