
Email Security Tech: No Guarantee of Protection from BEC

Niek Dekker

Business Email Compromise (BEC) attacks are now the fastest growing cyber-threat facing Australian organisations.

In this blog, we will explore how technology is being used to try to stop email-based attacks, and why these technologies do not yet offer the level of protection needed to put an end to BEC. Ultimately, these technologies do not yet have the capacity to protect organisations, and more needs to be done to avoid potentially devastating financial losses resulting from email-based attacks.

The Australian Cyber Security Centre (ACSC) reports in its Annual Cyber Threat Report 2020-2021 that BEC rates are increasing faster than any other type of cyber-attack.

Last financial year saw over 4,600 BEC incidents reported to the agency, with total losses exceeding $81.5 million. Concerningly, this is a 15% increase on the previous year. Of even greater concern is the average amount lost in a successful BEC attack, which rose a whopping 54% to $50,600 over the previous year.

With the threat of BEC looming large over Australian organisations, email security has never been more important.

That’s why organisations are rushing to implement email security technologies, such as DMARC, SPF and DKIM.

How does DMARC work?

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol. It allows an organisation to ensure that unauthenticated emails sent out in its name are flagged as potentially illegitimate. Such emails may be blocked or sent to spam folders. This can help the organisation ensure that only genuine emails it sends out are delivered to third parties’ inboxes.

DMARC relies on two underlying mechanisms to authenticate emails:

1. SPF – Sender Policy Framework

An SPF record lists the IP addresses associated with your organisation’s domain. It is published in your domain’s DNS records. Only the IP addresses listed in the SPF record are authorised to send emails on behalf of your organisation. It allows an Internet Service Provider (ISP), or any recipient of your emails that has DMARC set up, to identify which emails purporting to be from your organisation were sent from a legitimate IP address and are therefore authentic.

2. DKIM – DomainKeys Identified Mail

DKIM is a digital signature that is added to the headers of your organisation’s outgoing emails. It uses ‘private key’ and ‘public key’ cryptography so that illegitimate emails sent to third parties in your name can be detected. The digital signature is created using a ‘private key’ that is known only to your organisation. To verify the signature, the receiver obtains the matching ‘public key’, which is published in your DNS records. If a malicious actor sends spoofed emails in your name, the emails won’t be signed with your organisation’s secret ‘private key’. Therefore, when the recipient checks the email against the ‘public key’, verification fails and the email is flagged as illegitimate.

In a world of increasingly sophisticated email-based attacks, where cyber-criminals use tactics such as email spoofing and phishing, having the ability to flag unauthenticated emails can significantly curtail the risk of BEC.
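How a receiver combines the two checks into a DMARC verdict is sketched below as an added example (not code from the original article). The suffix list, the `Message` fields and the sample messages are constructed assumptions; real receivers use the Public Suffix List and the full rules of RFC 7489.

```python
from dataclasses import dataclass

# Assumption: a tiny constructed suffix list; real receivers use the Public Suffix List.
SUFFIXES = {"com.au", "gov.au", "edu.au", "com", "net", "au"}

def org_domain(domain: str) -> str:
    """Organisational domain: the longest known suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Strict alignment needs an exact match; relaxed compares organisational domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    from_domain: str       # domain in the visible From: header
    spf_result: str        # receiver's SPF result for the sending IP
    mail_from_domain: str  # envelope sender domain that SPF checked
    dkim_result: str       # result of verifying the DKIM signature
    dkim_domain: str       # d= domain of the DKIM signature ("" if unsigned)

def dmarc_verdict(m: Message, aspf_strict=False, adkim_strict=False) -> str:
    """DMARC passes if SPF or DKIM passes AND that domain aligns with From:."""
    spf_ok = m.spf_result == "pass" and aligned(m.mail_from_domain, m.from_domain, aspf_strict)
    dkim_ok = m.dkim_result == "pass" and aligned(m.dkim_domain, m.from_domain, adkim_strict)
    return "pass" if spf_ok or dkim_ok else "fail"

# Constructed sample messages claiming to be from example.com.au.
SAMPLES = {
    "signed, sent from listed IP": Message("example.com.au", "pass", "bounce.example.com.au", "pass", "example.com.au"),
    "spoofed, unlisted IP": Message("example.com.au", "fail", "example.com.au", "none", ""),
    "SPF pass for an unrelated domain": Message("example.com.au", "pass", "mailer.example.net", "none", ""),
    "unsigned, sent from listed IP": Message("example.com.au", "pass", "example.com.au", "none", ""),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:35} -> {dmarc_verdict(msg)}")
```

The last sample passes on SPF alone, which is why every address listed in an SPF record has to stay under the organisation’s control.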

Circumventing DMARC Security

An Australian security researcher, Sebastian Salla, recently took it upon himself to see whether it would be possible to circumvent DMARC security. Specifically, Salla was attempting to:

  1. Access unused IP addresses in SPF lists.
  2. Send fake emails purporting to be from legitimate organisations using those unused IP addresses.
  3. Have these emails bypass DMARC security controls and land in recipients’ email inboxes.


He began by identifying and scanning 1.8 million domains belonging to Australian organisations in order to identify IP addresses that were listed in SPF records which overlapped with the public IP ranges offered by Amazon Web Services (AWS).

This allowed him to identify and take over unused IP addresses.

Armed with this information, Salla proceeded to successfully send emails from these IP addresses to 264 Australian organisations, many of them large corporations and public institutions.

What Salla demonstrated was that, irrespective of whether they had DMARC set up, each of these organisations remained exposed to potential email-based attacks such as BEC.

The organisations at risk include:

  • Queensland Treasury Corporation
  • Mirvac – ASX200 Listed Company
  • Charter Hall – ASX200 Listed Company
  • Australian Parliament House
  • University of Sydney
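The exposure described above comes from SPF entries that still authorise cloud addresses the organisation no longer holds. The following added example (not from the original article or from Salla’s research) audits an organisation’s own SPF record for such entries. The record, the cloud ranges and the inventory are constructed samples, and the names `audit_spf`, `CLOUD_RANGES` and `HELD_ADDRESSES` are assumptions for illustration.

```python
import ipaddress

# Constructed sample data using documentation ranges (RFC 5737); not real records.
SPF_RECORD = ("v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 ip4:203.0.113.70 "
              "ip4:203.0.113.99 include:_spf.example.net -all")
# Assumption: in practice these come from the cloud provider's published IP range list.
CLOUD_RANGES = ["198.51.100.0/25", "203.0.113.0/24"]
# Assumption: addresses currently allocated to the organisation, from its asset inventory.
HELD_ADDRESSES = ["203.0.113.70/32"]

def spf_networks(record: str):
    """Yield the ip4/ip6 networks that an SPF record authorises (pass qualifier only).

    include:, a and mx mechanisms need DNS lookups and are out of scope here.
    """
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if qualifier == "+" and name.lower() in ("ip4", "ip6") and value:
            yield ipaddress.ip_network(value, strict=False)

def audit_spf(record, cloud_ranges, held_addresses):
    """Return (network, address_count) for SPF entries in cloud space not held by us."""
    cloud = [ipaddress.ip_network(c) for c in cloud_ranges]
    held = [ipaddress.ip_network(h) for h in held_addresses]
    findings = []
    for net in spf_networks(record):
        in_cloud = any(net.overlaps(c) for c in cloud if c.version == net.version)
        is_held = any(net.subnet_of(h) for h in held if h.version == net.version)
        if in_cloud and not is_held:
            findings.append((str(net), net.num_addresses))
    return findings

if __name__ == "__main__":
    for net, count in audit_spf(SPF_RECORD, CLOUD_RANGES, HELD_ADDRESSES):
        print(f"review {net}: authorises {count} cloud address(es) not in inventory")
```

Each finding is an SPF entry to remove or narrow, or an address to bring back into the inventory.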


Email Security is Not Foolproof

What this research clearly demonstrates is that current email security protocols cannot guarantee that an organisation will be protected from email-based attacks, such as BEC.

Sophisticated cyber-criminals are always on the hunt for new ways to circumvent security layers. Even with the latest DMARC security protocols set up, your organisation may still be vulnerable to an attacker who manages to find a way to circumvent such systems.

All it takes is one cleverly designed fake email to deceive your Accounts Payable staff into transferring funds to cyber-criminals, resulting in potentially devastating financial losses.

How can eftsure help?

With eftsure sitting on top of your accounting processes, even if a cyber-attacker manages to circumvent email security systems, your organisation remains protected.

Our unique platform cross-checks payment data against information sourced from over 2 million Australian organisations. This occurs in real-time, immediately prior to processing a payment.

In the event that cyber-attackers circumvent DMARC security systems and attempt to initiate a BEC attack against your organisation, eftsure ensures that any suspicious outgoing payments will be flagged, giving your AP team the opportunity to pause and investigate further.

Don’t rely exclusively on email security technologies such as DMARC – Contact eftsure today to learn how we can provide your organisation with an indispensable layer of defence against financial losses stemming from email-based attacks.
