Apple will add another obstacle against successful phishing attacks in iOS 16, iPadOS 16, and macOS Ventura, which will show a company’s official logo to help recipients recognize genuine from fake emails.
Brand Indicators for Message Identification
Apple’s forthcoming operating systems will support Brand Indicators for Message Identification (BIMI). This is a specification to enable the use of brand-controlled logos within emails and will be a way to tell recipients that an email genuinely comes from the company concerned. Google has supported BIMI since 2021.
BIMI requires that companies authenticate their email using DMARC. Described by the IETF in more detail in a March 2015 document, DMARC helps mail administrators prevent hackers and other attackers from spoofing their organization and domain.
The feature won’t provide complete peace of mind.
- Not every company will be certified (though if you wish to begin using the system at your company, the BIMI website is a good place to start).
- Many smaller companies probably will never get certified, and it’s possible the system itself may be abused over time — those who construct these attacks are ever inventive.
- The feature also requires support from the email client, which won’t appear until Apple ships the next iterations of its operating systems.
What BIMI provides
But what BIMI does provide is a visual way to assess trust when receiving a message, helping protect us against phishing and ransomware exploits by making it far more challenging for criminals to impersonate brand names in emails.
That’s important in the pluralistic sense — we’ve all experienced attempts at malware infection buried in emails that purport to come from big brands.
It may also help protect enterprise communications by making it more challenging to successfully launch phishing and targeted attempts against companies or supply chain partners.
This is particularly important given that ransomware attackers are currently targeting smaller firms as larger entities put better protection in place — and that manufacturing firms often rely on outmoded security practices. That is why the relatively recent US Cybersecurity & Infrastructure Security Agency has designated manufacturing as one of the critical US sectors that need better security protection.
The main use is B2C marketing, of course. Marketers will make extensive use of BIMI as they attempt to persuade customers to open email marketing campaigns.
The magic marketing sauce of combining a trusted brand with relevant content will remain essential to success. It is worth taking note of a recent study that suggests consumers are more likely to open emails that display a logo beside the email, and that this kind of branding also improves brand recognition over time.
How it works
BIMI lets brands verify the authenticity of emails they send. Once verified, the system can show the company logo in a relevant position within a supporting email client. BIMI is a text file that is kept on the sender’s server, which ISPs handling end-user traffic can then check to verify authenticity.
That integration between BIMI, DMARC, and the email client makes it challenging for spammers to figure out how to show their spoof logo in the same spot. The effect is that customers can see if an email is genuine and can delete those that aren’t without ever opening the offending message, further reducing the risk of accidentally running malicious code.
Securing the internet
Apple’s decision to support BIMI in Mail echoes industry acceptance of the standard. Google, Yahoo! Mail, AOL, Verizon, and Microsoft all support it. Apple’s addition means the standard has achieved critical mass.
This isn’t the only attempt to lock down the internet experience taking place across Apple’s platforms in its next OS updates. Its decision to standardize an alternative to CAPTCHA will reduce friction online (and help protect user IP addresses). Its support for next generation authentication in the form of passkeys will be seen as a major step toward replacing password protection with more effective biometric account/service security. Apple continues to invest in privacy, with better protection against cross-site scripting on the way and improvements in endpoint security also on the horizon as declarative device management comes to the Mac.
Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.