Whitelisting Won’t Protect You From BEC… Here’s Why

#1 DMARC Can Only Do So Much

Whitelisting is typically accomplished by augmenting secure email gateways (SEGs) with a database of legitimate domains derived from Domain-based Message Authentication, Reporting, and Conformance (DMARC). DMARC is an important email authentication protocol: it lets sending and receiving infrastructure exchange information so that emails sent from spoofed or look-alike domains can be identified. That is what it verifies, and no more: a domain passing DMARC says nothing about who is behind the mailbox or what the message is trying to get the recipient to do.

#2 You Can’t Just Black Out the Cloud

Cybercriminals are increasingly leveraging Gmail, Yahoo, Microsoft Office 365, and other cloud-based email platforms in order to bypass security models based on trust. After all, it’s not as if organizations can simply blacklist gmail.com or outlook.com, since they also send massive amounts of legitimate email.

#3 Low-Tech Strategy Needs High-Tech Defenses

While most BEC scams are relatively low tech and involve only one or two personalized sentences designed to trick the target, a high-tech approach is needed to combat them. Since BEC scams masquerade as regular emails, cybercriminals can quickly and easily change tactics as they find new ways to trick their victims.

#4 Compromised Accounts Could Crush You

According to data captured in our latest trends report, phishing and BEC scams launched from the compromised accounts of trusted individuals and brands are now used in 16% of all advanced email attacks.

It’s Not the Domain, It’s the Identity

As BEC, phishing, and other threats grow more prevalent, it’s clear that approaches based on whitelisting (or blacklisting) are predicated on a failed security paradigm that attempts to block known “bad” signals — in this case, untrusted domains.
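To make the point in #1, #2 and this section concrete, here is an added example (not Agari's code, and not from the original article) that models a gateway's domain allowlist beside a simple identity-based check. All domains, names, header values and the mailbox directory are constructed for illustration; the "dmarc=pass" strings stand in for a real Authentication-Results header. The example also covers the compromised-account case from #4, where neither check helps, which is why the article argues for more than domain trust.

```python
"""
Constructed example: a DMARC-fed domain allowlist versus an identity check.

Nothing here is Agari's implementation. The allowlist, identity directory and
sample messages are made up for illustration.
"""
from email.utils import parseaddr

# Constructed allowlist: domains that publish DMARC and that the gateway trusts.
# Free-mail providers land here because, as the article notes, blocking them
# would also block huge volumes of legitimate mail.
ALLOWLISTED_DOMAINS = {"example-corp.com", "gmail.com", "outlook.com"}

# Constructed identity directory: display names of high-value people and the
# only mailbox each is known to send from (hypothetical values).
KNOWN_IDENTITIES = {
    "jane doe": "jane.doe@example-corp.com",
}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def domain_allowlist_verdict(headers: dict) -> bool:
    """Gateway-style check: DMARC passed and the From: domain is allowlisted."""
    _, addr = parseaddr(headers.get("From", ""))
    auth = headers.get("Authentication-Results", "").lower()
    return "dmarc=pass" in auth and domain_of(addr) in ALLOWLISTED_DOMAINS


def identity_verdict(headers: dict) -> str:
    """Identity check: a trusted display name must come from its known mailbox.

    Returns 'ok', 'identity-mismatch', or 'unknown-sender'.
    """
    name, addr = parseaddr(headers.get("From", ""))
    expected = KNOWN_IDENTITIES.get(name.strip().lower())
    if expected is None:
        return "unknown-sender"
    return "ok" if addr.lower() == expected else "identity-mismatch"


def triage(headers: dict) -> dict:
    """Combine both checks so the gaps between them are visible side by side."""
    return {
        "domain_allowlist_passes": domain_allowlist_verdict(headers),
        "identity": identity_verdict(headers),
    }


# Constructed sample messages (headers only; no real infrastructure involved).
LEGIT = {
    "From": '"Jane Doe" <jane.doe@example-corp.com>',
    "Authentication-Results": "mx.example-corp.com; dmarc=pass header.from=example-corp.com",
}
# A lure sent from a free-mail mailbox the sender controls: DMARC for gmail.com
# legitimately passes, and gmail.com is allowlisted, so the domain check is blind.
LURE = {
    "From": '"Jane Doe" <jane.doe.ceo@gmail.com>',
    "Authentication-Results": "mx.example-corp.com; dmarc=pass header.from=gmail.com",
}
# The #4 case: mail from the real, but compromised, mailbox. Both checks say ok,
# which is exactly why domain trust (and a static identity map) is not enough.
COMPROMISED = {
    "From": '"Jane Doe" <jane.doe@example-corp.com>',
    "Authentication-Results": "mx.example-corp.com; dmarc=pass header.from=example-corp.com",
}

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("lure", LURE), ("compromised", COMPROMISED)):
        print(label, triage(msg))
```

Run as a script it prints one verdict line per sample: the allowlist passes all three, the identity check flags only the free-mail lure, and the compromised mailbox sails through both, which is the gap that content and behavioral signals have to cover.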



Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.