The vast majority of online scams are carried out through email, as the medium is easily accessible and easy to abuse. A new form of message authentication known as BIMI should help you understand which messages are genuine and which are trying to trick you.
What is BIMI?
BIMI stands for Brand Indicators for Message Identification, a vendor-independent email specification developed by a body called the AuthIndicators Working Group. BIMI is designed to make email more reliable.
Once successfully implemented, BIMI allows brands to display a logo alongside email messages in supported services and email clients. This logo verifies that an email is genuine and provides an easy visual indicator that the message is not spam or fraud.
BIMI is still classified as an emerging specification, which means that some brands, email providers, and software platforms do not yet support it.
Why is BIMI necessary?
A Deloitte report published in 2020 stated that 91% of all cyber attacks start with a phishing email. The email inbox makes it easy for scammers to cast a wide net, sending as many messages as it takes to catch a single victim. These scams often target payment processors like PayPal or modern peer-to-peer services like Zelle that use email as their preferred method of communication.
While much of the working world has slowly moved away from email with services like Slack and Microsoft Teams, most people still rely heavily on the service. Your password reset notifications are sent via email, more retailers than ever are going paperless with emailed receipts and invoices, and even your bank sends you emails to let you know when your statement is ready.
Email hasn’t changed much since it was first introduced. While there are smarter ways to check your inbox, a renewed focus on healthier email habits, and even better privacy and spam controls, the mechanisms behind email remain largely the same.
BIMI is a step forward to make email a more reliable platform. If you can verify that an email is genuine at a glance, you can also identify those that are not. The standard is still a few years away from that stage, but brands, email providers, and other technology companies are laying the groundwork now.
How does BIMI work?
The good news is that BIMI requires no action from the recipient of an email. The technology relies heavily on Domain-based Message Authentication, Reporting, and Conformance, or DMARC. This email authentication protocol was designed to help prevent unauthorized use of domain names.
For BIMI to work, a brand must authenticate emails using Sender Policy Framework (SPF), which effectively whitelists the mail servers allowed to send email for specific domains. Additionally, technology known as DomainKeys Identified Mail (DKIM) adds a digital signature to each message to authenticate outgoing emails.
The final step is for DMARC to confirm these records and point to the SVG file that will appear alongside the email. In addition to this, a Verified Mark Certificate (VMC) acts as a form of digital registration to further protect the logo used, although this is not required by BIMI at launch.
Once again, only brands need to worry about this infrastructure and incorporate these steps.
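To make the brand-side steps above concrete, here is an added example (not code from the article, the AuthIndicators Working Group, or any mail provider): a small Python checker that parses the DNS TXT records a BIMI deployment depends on (SPF, a DKIM public key, DMARC, and the BIMI record at default._bimi.<domain>) and reports what would stop logos from being displayed. The DNS data is constructed inline so the script runs offline; the domain names, the DKIM selector "s1", and the truncated key value are all assumptions. A real checker would replace the dictionary with live DNS lookups.

```python
"""Added example: offline BIMI readiness check over constructed DNS records.

Assumptions (not from the article): record names and values below are
constructed samples; a real tool would query DNS for <domain> (SPF),
<selector>._domainkey.<domain> (DKIM), _dmarc.<domain> (DMARC) and
default._bimi.<domain> (BIMI) instead of reading this dictionary.
"""
from urllib.parse import urlparse

# Constructed sample DNS zone: record name -> TXT value.
SAMPLE_DNS = {
    # good.example: hard-fail SPF, published DKIM key, enforcing DMARC, https logo + VMC
    "good.example": "v=spf1 include:_spf.mailer.example -all",
    "s1._domainkey.good.example": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",  # truncated, constructed
    "_dmarc.good.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@good.example",
    "default._bimi.good.example": "v=BIMI1; l=https://good.example/logo.svg; a=https://good.example/vmc.pem",
    # weak.example: soft-fail SPF, no DKIM key, monitoring-only DMARC, http logo URL
    "weak.example": "v=spf1 include:_spf.mailer.example ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "default._bimi.weak.example": "v=BIMI1; l=http://weak.example/logo.svg",
}


def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DKIM/DMARC/BIMI style) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_bimi_readiness(domain, dns=SAMPLE_DNS, dkim_selector="s1"):
    """Return {'ready': bool, 'findings': [...], 'has_vmc': bool} for a domain.

    'findings' lists only problems that would block logo display; a missing
    VMC is reported separately because BIMI does not require one at launch.
    """
    findings = []

    # SPF: the record must exist and should hard-fail unauthorized senders.
    spf = dns.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no record")
    elif not spf.rstrip().endswith("-all"):
        findings.append("SPF: does not end with -all, so unauthorized senders only soft-fail")

    # DKIM: check that a public key is published for the selector the brand signs with.
    # (This shows the key exists; it does not prove outgoing mail is actually signed.)
    dkim = parse_tags(dns.get(f"{dkim_selector}._domainkey.{domain}", ""))
    if dkim.get("v") != "DKIM1":
        findings.append(f"DKIM: no key published for selector {dkim_selector}")

    # DMARC: BIMI needs an enforcing policy applied to all mail.
    dmarc = parse_tags(dns.get(f"_dmarc.{domain}", ""))
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: no record")
    else:
        policy = dmarc.get("p", "none")
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy} is monitoring only; BIMI needs quarantine or reject")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")
        if dmarc.get("sp") == "none":
            findings.append("DMARC: subdomain policy sp=none leaves subdomains unprotected")

    # BIMI: the record must point at an https URL for an SVG logo; a= (VMC) is optional.
    bimi = parse_tags(dns.get(f"default._bimi.{domain}", ""))
    has_vmc = False
    if bimi.get("v") != "BIMI1":
        findings.append("BIMI: no record at default._bimi")
    else:
        logo = urlparse(bimi.get("l", ""))
        if logo.scheme != "https" or not logo.path.lower().endswith(".svg"):
            findings.append(f"BIMI: logo l={bimi.get('l', '')!r} must be an https URL to an SVG file")
        vmc = bimi.get("a", "")
        if vmc and urlparse(vmc).scheme != "https":
            findings.append("BIMI: VMC a= must be an https URL")
        has_vmc = bool(vmc) and urlparse(vmc).scheme == "https"

    return {"ready": not findings, "findings": findings, "has_vmc": has_vmc}


if __name__ == "__main__":
    for name in ("good.example", "weak.example"):
        result = check_bimi_readiness(name)
        print(f"{name}: ready={result['ready']} vmc={result['has_vmc']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Running the script reports good.example as ready with a VMC, while weak.example is held back by four findings: a soft-fail SPF record, no DKIM key for the selector, a DMARC policy of p=none, and a logo served over plain http. The DKIM check is deliberately shallow: publishing a key in DNS says nothing about whether the brand's outgoing mail is signed with it, which only a received message can show.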
What services support BIMI?
Since BIMI is still in the process of being rolled out, support is far from universal at this stage. Fortunately, some of the biggest services have already implemented support for BIMI, including Gmail, Yahoo! Mail, AOL, Fastmail, and Apple Mail on iOS 16 and macOS Ventura.
Whether you’ll see evidence of BIMI in your inbox is another matter entirely. Many brands are not yet on board, although the influence of companies like Google and Apple in accelerating adoption and introducing consumers to the technology should not be underestimated.
Much of the buzz surrounding BIMI (so far) has been directed at brands, marketers, and IT professionals involved in implementing the standard. Google has produced an explanation of how the BIMI implementation in Gmail works within Google Workspace.
Although support is initially limited to Google Workspace, the release provides a good indication of what BIMI looks like in Gmail in terms of both desktop and mobile deployment.
Google has used Bank of America as an example, with a view showing how brand logos are automatically displayed in both the inbox and message view. Note that Google allows senders to display images along with their emails as part of their profile, but this is not the same as BIMI.
Although Apple also apparently released BIMI with the release of iOS 16, iPadOS 16, and macOS 13 Ventura, we couldn’t see BIMI-verified brand logos in Apple Mail (even from Apple when using an iCloud Mail account).
Yahoo! Mail is also jumping on the BIMI bandwagon, as it has had support for the standard since 2018. In November 2022, the company announced that it is strengthening its implementation with checkmarks “next to the shipping address and logo to indicate that Yahoo has verified that the email was sent by the brand that owns the logo displayed.”
More ways to stay safe online
There are too many email scams for anyone to keep up with. Whether Amazon is looking to “confirm” an order or Netflix is threatening to suspend your account, be on the lookout for anything suspicious (especially when money is involved).
More sophisticated scams may involve spear phishing or whaling, a form of social engineering.
As email scams have become more prevalent, scammers are turning to phone, text, and instant messaging platforms. Be on the lookout for calls from numbers that look suspiciously like yours, text message scams (“smishing”), and so-called close relatives asking you to pay a bill or to lend them money.