Whitelisting Won’t Protect You From BEC… Here’s Why

5 min readSep 18, 2019


Editor’s Note: This blog post was originally found on the Agari Email Security blog.

By Armen Najarian

The 250% increase in business email compromise (BEC) scams over the past year should concern every organization, as should estimates of $26 billion in losses over the last five years from these attacks. While some organizations consider whitelisting their email lists to provide protection, occasionally encouraged by their email security provider, this strategy simply will not work with the ever-evolving email landscape.

Executive spoofing, spear phishing, and other advanced email threats have emerged as a critical issue for businesses everywhere, despite being relatively new to the scene. Ninety-two percent of organizations report being hit, with 23% suffering direct financial damage. According to the recent Verizon Data Breach Investigations report, 94 percent of all successful cyberattacks start with email sent to a well-targeted victim — resulting in average losses of $1.6 million. When an attack leads to a data breach, that figure climbs to an average $7 million per incident.

With all of this as a backdrop, it’s easy to see why a security model designed to only allow emails from trusted domains and IP addresses to reach employee inboxes would be tempting. Unfortunately, such whitelisting-based solutions are wishful thinking at best, and actually harmful in many circumstances. Here are just three of the reasons this approach could leave organizations wide open to attack.

#1 DMARC Can Only Do So Much

Whitelisting is typically accomplished by augmenting secure email gateways (SEGs) with a database of legitimate domains derived from Domain-based Message Authentication, Reporting, and Conformance (DMARC), which is an important email authentication protocol that enables sending and receiving infrastructure to exchange information in order to ferret out emails sent from spoofed or look-alike domains.

While DMARC has significant benefits, organizations using this approach must register every last possible permutation of each domain they own. Otherwise, there is nothing to stop fraudsters from registering those domains first, and even setting them up with legitimate DMARC records. Their emails would then be sent from trusted domains, despite being controlled by the fraudsters. It’s not as hard as you may think.

And given that only 17% of the Fortune 500 have a DMARC record that would block illegitimate email from reaching the inbox, whitelisting based strictly on DMARC authentication results would block legitimate mail from the vast majority of established businesses that have yet to implement a DMARC record.

#2 You Can’t Just Black Out the Cloud

Cybercriminals are increasingly leveraging Gmail, Yahoo, Microsoft Office 365, and other cloud-based email platforms in order to bypass security models based on trust. After all, it’s not as if organizations can simply blacklist gmail.com or outlook.com, since they also send massive amounts of legitimate email.

In these schemes, fraudsters set up free accounts and simply insert the name of a trusted individual or brand into the “From” field. Since their point of origin is an established and widely used hosted email service, these identity-deception based attacks would fly past whitelisting -based security controls.

What’s more, by exploiting a Gmail feature that enables them to create countless variations of an email address with the same account, cybercrime groups are able to scale their attacks with ease. One international BEC ring we’ve been tracking, for instance, used this approach to register for 14 trial accounts with a commercial sales leads service to collect data for launching new attacks, and to submit 48 credit card applications for at least $65,000 in credit.

What’s more, despite the security controls built into hosted email platforms, businesses that have migrated email to the cloud increasing rank among the hardest hit by BEC. Whitelisting-based approaches could leave businesses wide open to this kind of attack.

#3 Low-Tech Strategy Needs High-Tech Defenses

While most BEC scams are relatively low tech and involve only one or two personalized sentences designed to trick the target, a high-tech approach is needed to combat them. Since BEC scams masquerade as regular emails, cybercriminals can quickly and easily change tactics as they find new ways to trick their victims.

A whitelist approach is static and would require constant updating in order to combat against this, populated by information that is only available once an attack hits the organization. And putting in measures to combat an attack after it has already happened is akin to stopping a leak once the house has flooded… great for prevention, but unable to fix the current mess.

#4 Compromised Accounts Could Crush You

According to data captured in our latest trends report, phishing and BEC scams launched from the compromised accounts of trusted individuals and brands are now used in 16% of all advanced email attacks.

A key driver for these attacks is the growing availability of stolen email login credentials on the Dark Web. Once a corporate email account has been taken over, cybercriminals have access to all of its owner’s contacts, ongoing email conversations, and historical email archives. In most cases, fraudsters use these compromised email accounts to launch phishing campaigns. Other times, the goal is to fool corporate employees into forking over their own login credentials, which can then be sold online.

In the most sophisticated cons, however, an intruder infiltrates a corporate email account and then lays low, surveilling email messages in order to launch highly personalized attacks on the businesses’ customers, partners, or employees, at just the right moment. In fact, that was the case with at least some of the nine publicly-traded companies that recently lost $100 million through BEC scams.

It’s Not the Domain, It’s the Identity

As BEC, phishing, and other threats grow more prevalent, it’s clear that approaches based on whitelisting (or blacklisting) are predicated on a failed security paradigm that attempts to block known “bad” signals — in this case, untrusted domains.

But attackers know how to evade these protections, which is why some take a more modern approach. Agari Advanced Threat Protection, for instance, leverages data science and real-time, anonymized intelligence from 2 trillion emails annually to map email communications across individuals, organizations, and infrastructures in order to model the trusted, authenticated behaviors that define each individual sender’s “good.” When email activity deviates from these established patterns due to impersonated or compromised accounts, businesses are able to detect and protect against these attacks in real-time. No whitelisting required.

To learn more, check out a special report from Agari and Osterman Research entitled, Best Practices for Protecting Against, Phishing, Ransomware, and BEC Attacks




Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.