According to the Boston Herald, The Massachusetts Clean Energy Center fell victim to a business email compromise scam (BEC scam), which is a type of phishing attack also called spear phishing.

Spear phishing?

In spear phishing scenarios, the attacker sends an email to a particular individual, the victim, claiming to be another individual, the target. Typically the target is someone that the victim knows and trusts. The attackers request money, access, information, or anything else of value that the victim might willingly give to the target. CEO Scams or “whaling” are forms of spear phishing in which the target is a high executive, usually the CEO of a large corporation. These types of attacks have an extremely high success rate. In fact, According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing.


That’s Bad! The good news is that businesses can protect themselves from spear phishing attacks by implementing DMARC on all of their domains. DMARC protects a business’s brand and reputation by protecting its outbox. It can’t completely eradicate phishing attempts against a brand, but it makes it substantially easier for victims to identify phishing emails because, once fully implemented, it completely blocks spoofed messages. For information on how DMARC can and can’t protect a brand, see our post, What DMARC Can and Can’t Do for Domains.

Back to MassCEC

Who’s at fault in the MassCEC phishing incident? It’s hard to tell for sure since the Boston Herald didn’t publish the phishing email. However, based on an email security check, MassCEC ( is not using DMARC and has several errors in its SPF record, including an overly permissive All Term. This makes it extremely vulnerable to email spoofing. Spoofed emails are particularly convincing because the “from address” matches the domain exactly.

How to Avoid a Spear Phishing Attack

Because spoofed messages are indistinguishable from a business’s legitimate email, the only 2 reliable ways to know that a message is from the “sender” are 1. use of a DMARC reject policy, or 2. The recipient calls the sender to confirm. Given the scale of emails sent daily, using DMARC seems more practical. What do you think?

Fraudmarc can help

Fraudmarc is all about securing domains against phishing using DMARC, offering a variety of plans and tools to help every domain achieve a DMARC Reject policy. Fraudmarc’s intuitive tools, including SPF Compression℠, score checkers, and policy editors along with DMARC reports, help users manage and monitor as many authorized senders and DKIM selectors as required for their businesses. Fraudmarc also has some advice on how to implement a Reject policy. In addition, Fraudmarc CE provides a completely open source version of its DMARC reports.

No more excuses; #GetToReject!