Tag Archive for: DMARC

Avoiding a Cybersecurity Upset: How One Business Lost Big During Tax Season

March Madness isn’t just for basketball—it’s also the perfect metaphor for cybersecurity. In the world of college hoops, you can’t rely on last year’s strategies to win this year’s championship. Your competitors are constantly improving, analyzing past plays, and adjusting their tactics. The same applies to cybersecurity—especially for businesses handling sensitive financial data.

Unfortunately, one accounting firm learned this lesson the hard way last tax season. Before working with us, they believed their existing security measures were enough to protect them, but cybercriminals were playing a much more advanced game. Their lack of email security and data hygiene left them vulnerable, and when tax season rolled around, they suffered a devastating loss.

The Play-by-Play: A Costly Mistake

Everything seemed normal in early March. The firm’s accountants were busy filing returns and managing financial documents for their clients. Then, it happened—one of their employees received an urgent email that appeared to be from a longtime client requesting a tax return update. The email was well-crafted, used the client’s real name, and contained no obvious red flags. Without second-guessing, the employee responded, attaching sensitive financial documents.

A few days later, the real client called, confused. They hadn’t sent that email. It was a business email compromise (BEC) attack, and now, the cybercriminal had access to highly confidential tax documents, Social Security numbers, and financial records. By the time the firm realized what had happened, thousands of dollars were stolen in fraudulent tax refunds, and their reputation was on the line.

What Went Wrong?

Just like trying to rely on the same roster year after year in basketball, the firm was relying on outdated security strategies. Here’s where they fell short:

  • No DMARC Policy – Their email domain lacked proper authentication protections, allowing cybercriminals to spoof their email addresses and trick employees.
  • No Multi-Factor Authentication (MFA) – A hacker had previously compromised an employee’s email account, and without MFA, it was easy to use that access to gather more intelligence.
  • No Secure File Transfer Policy – Employees were sharing sensitive tax documents over email instead of using encrypted portals.
  • Lack of Employee Awareness – The firm had no regular cybersecurity training, so employees weren’t trained to spot sophisticated phishing scams.

Adjusting the Game Plan: How They Recovered

After the breach, they reached out to Go West IT for help, and we immediately stepped in to strengthen their cybersecurity, ensuring they never faced an upset like this again. We implemented:

DMARC, DKIM, and SPF Policies – To prevent email spoofing and ensure only legitimate emails were sent from their domain.

Multi-Factor Authentication (MFA) – Adding an extra layer of security for email logins and financial platforms.

Encrypted File Sharing – Transitioning the firm to a secure document-sharing platform rather than using email attachments.

Phishing Awareness Training – Conducting simulated phishing campaigns to test and train employees to recognize scams.

24/7 Email Monitoring – Installing advanced email security solutions to detect and block suspicious activity before it reaches employees.

Tax Season & Cybersecurity: Don’t Leave Your Business Vulnerable

Tax season is already stressful enough—don’t make it harder by leaving your business exposed to cyber threats. Cybercriminals are constantly evolving, just like the competition in March Madness. If your security strategy hasn’t been updated recently, you’re taking a gamble on your business.

Instead of guessing who might attack next, fortify your defenses. Let Go West IT help you develop a winning cybersecurity game plan that protects your business from tax fraud, email compromise, and financial theft.

Are your cybersecurity defenses ready for the next big game? Contact Go West IT today to ensure you’re prepared for whatever threats come your way.

Why Businesses Need to Act on DMARC Reject Policies Now

Email security is undergoing a major shift, and if your business relies on email communication (as most do), it’s time to pay attention. You may start hearing more about DMARC (Domain-based Message Authentication, Reporting, and Conformance) and its impact on email deliverability. Large email providers like Google and Yahoo are now enforcing stricter DMARC policies, requiring organizations to adopt better authentication measures—or risk having their emails rejected outright.

Ignoring these changes could mean disrupted communication with clients, vendors, and partners, increased susceptibility to email fraud, and damage to your business’s reputation. Here’s what you need to know and how to ensure your organization stays protected.

What is DMARC and Why Does It Matter?

DMARC is an email authentication protocol designed to prevent email spoofing and phishing attacks. It works in conjunction with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to verify that the sender of an email is authorized to use a given domain.

With stricter DMARC enforcement policies now in place, emails that fail authentication may be rejected entirely or flagged as spam—significantly impacting your email communication and business operations.

How to Tell if an Email is DMARC Approved or Rejected

Understanding how DMARC policies impact email security is crucial. When an email is sent, email servers verify whether it passes authentication checks before allowing it into an inbox. If these checks fail, the email is either marked as spam or rejected altogether.

Here’s a quick comparison of what a DMARC-approved email looks like versus one that fails authentication:

DMARC Approved (Passes SPF, DKIM, and DMARC Checks)DMARC Failed (Rejected or Marked as Spam)
✅ From: support@yourcompany.com❌ From: support@yourc0mpany.com
✅ Sent via: yourcompany.com❌ Sent via: unknownserver.com
✅ SPF Alignment: Verified❌ SPF Alignment: Failed
✅ DKIM Signature: Valid❌ DKIM Signature: Missing or Mismatched
✅ DMARC Policy: Pass❌ DMARC Policy: None or Reject
✅ Lands in Inbox❌ Marked as Spam or Rejected

If your legitimate business emails are being marked as spam or failing to reach recipients, it may be time to review and implement a strong DMARC policy. Without it, your business could face email spoofing risks, phishing attacks impersonating your domain, and a loss of trust from customers.

The Business Risks of Ignoring DMARC Reject Policies

If your company’s domain lacks proper DMARC configurations, you could face:

  • Email Deliverability Issues: Emails sent from your domain may not reach clients, partners, or employees if they fail authentication checks.
  • Increased Cybersecurity Risks: Attackers frequently use domain spoofing to impersonate businesses in phishing scams. Without DMARC, your domain is vulnerable to misuse.
  • Regulatory and Compliance Challenges: Many industries, especially finance and legal sectors, are tightening email security requirements. Non-compliance could lead to fines or reputational damage.
  • Customer Trust Erosion: If fraudulent emails appear to come from your domain, your brand’s credibility takes a hit—leading to lost business and damaged relationships.

How Businesses Can Adapt and Secure Their Email Communication

The good news is that Go West IT has a solution. As a Managed IT and cybersecurity provider, we specialize in configuring and enforcing DMARC, SPF, and DKIM policies to secure business email communications. Here’s how we can help:

  • DMARC Policy Implementation: We assess your domain and establish an appropriate DMARC policy (Monitor, Quarantine, or Reject) to enhance security without disrupting legitimate emails.
  • Email Authentication Configuration: We properly configure SPF and DKIM records to align with your email-sending sources, ensuring all authorized emails pass authentication.
  • Ongoing Monitoring & Reporting: DMARC reports provide insights into who is sending emails on your behalf. We analyze these reports to detect unauthorized use and prevent future threats.
  • Strategic Rollout to Avoid Business Disruption: Enforcing DMARC too aggressively without monitoring can lead to unintended email rejections. We implement a phased approach, allowing you to monitor and adjust policies before moving to a full reject mode.

Stay Ahead of Email Security Threats

Email remains a primary attack vector for cybercriminals, and with the latest enforcement of DMARC policies by major providers, businesses must take action to protect their domains. Go West IT ensures your email security is up to modern standards—reducing your risk, maintaining email deliverability, and keeping your business communications secure.

Don’t wait until email failures or phishing attacks disrupt your business. Contact Go West IT today to ensure your email domain is secure and compliant with the latest DMARC policies.

15 Email Security Best Practices for 2024

Email is a critical tool in today’s business world, but it’s also a primary target for cybercriminals looking to break into corporate networks. By implementing strong email security practices, businesses can reduce risks and protect sensitive information. Here are 15 email security best practices to share with your employees to keep your organization secure.

  1. Train Employees on Email Security
    Regular training is the foundation of email security. Employees should be aware of potential threats like phishing and understand how to recognize suspicious emails. Security awareness programs are essential to staying updated on evolving threats.
  1. Use Strong, Unique Passwords
    Encourage employees to create long, unique passwords for their email accounts. Passphrases are a great option—easy to remember but hard to guess. A company-wide password policy should outline the importance of password strength.
  1. Don’t Reuse Passwords
    Password reuse across multiple accounts is a major security risk. Attackers can exploit one compromised account to gain access to others. Using unique passwords for each account is crucial for minimizing this risk.
  1. Implement Multi-Factor Authentication (MFA)
    MFA adds an extra layer of protection by requiring more than just a password to access email accounts. Even if an attacker steals a password, they’ll be unable to access the account without the additional authentication factor.
  1. Take Phishing Seriously
    Phishing attacks remain a major threat. Train employees to recognize phishing attempts and avoid clicking on suspicious links or downloading attachments from unknown senders. Include phishing awareness in regular security training.
  1. Be Wary of Attachments
    Attachments can contain malicious code, even from trusted sources. Make sure your email security posture includes safe sandbox detonation and scanning of email born links and attachments to prevent malware from infiltrating your organization through email.
  2. Don’t Click Email Links
    Links in emails can be deceptive, leading to malicious websites. Teach employees to hover over links and scrutinize URLs before clicking. 
  3. Don’t Use Business Email for Personal Use
    Mixing personal and business email usage increases the risk of security breaches. Employees should only use corporate email for work-related purposes and avoid logging into personal accounts using work devices.
  4. Use Corporate Email on Approved Devices Only
    Ensure that employees only access corporate email on company-approved devices with the necessary security controls in place. Unapproved devices might not have sufficient protection, making them a vulnerability.
  5. Encrypt Emails and Attachments
    Email encryption protects the content of emails from unauthorized access. Make sure employees understand how to use encryption tools to safeguard sensitive communications and attachments.
  6. Avoid Public Wi-Fi for Email
    Public Wi-Fi networks are notoriously insecure. Employees should avoid accessing corporate email while connected to public Wi-Fi unless they are using a secure VPN to encrypt their connection.
  7. Use Email Security Protocols
    Protocols like DKIM, SPF, and DMARC help prevent email spoofing and ensure that only legitimate messages reach employees’ inboxes. Businesses should ensure these protocols are in place for all corporate email accounts.
  8. Use Email Security Tools
    Implement email security tools such as spam filters, antivirus software, and email security gateways to protect against malware and phishing attacks. These tools provide an additional layer of defense.
  9. Log Out of Email When Not in Use
    Encourage employees to log out of their email accounts when they are not actively using them, especially on shared devices. Leaving accounts open increases the risk of unauthorized access.
  10. Regularly Monitor for Breaches
    Stay vigilant for any signs of data breaches that may affect email security. Tools like password managers can alert employees if their credentials are found in known data breaches, allowing them to take action quickly.

Stay Ahead of Email Security Threats with Go West IT

At Go West IT, we understand the importance of email security in protecting your organization from cyber threats. Our comprehensive managed services include tools and strategies to help you safeguard your business from email-related risks. Whether it’s deploying MFA, monitoring for breaches, or training employees on security best practices, we’ve got you covered.

Learn more about our managed services.