Last week, I didn’t even see a suspicious voicemail notification in my inbox - and that’s the point! Our email security blocked it before it ever got to me. At first glance, the message looked pretty legitimate. It was well-formatted, had a sense of urgency - “Your voicemail system has received a new message. Review it promptly to stay updated”, and looked like something that could easily trick someone into clicking.
But here’s the truth: it was a total scam.
The message didn’t actually come from our phone system at all. Instead, it was a spoofed email - designed to trick me into clicking a link. Fortunately, our email security caught it, flagged it, and blocked it before it ever reached my inbox. Why? Because we have DMARC in place, set to block anything that doesn’t pass the test. Look at the red banner across the top of the message. This message never went to my inbox and didn't wind up in "quarantine" - it was BLOCKED.
And that’s the lesson for today: DMARC matters.
What is DMARC (in Plain English)?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication standard that helps prevent cybercriminals from impersonating your business email domain.
In simple terms: it tells receiving email systems, “This is how to tell if an email from our domain is real or fake.” If a spoofed message doesn’t pass the test, it gets rejected, instead of landing in your inbox.
DMARC doesn't just protect your own inbox - it also protects your reputation. By stopping spoofed emails that appear to come "from" your domain, DMARC keeps scam messages, like fake voicemails or fake invoices, from reaching your clients as well. Imagine how upset someone would be if they received a malicious email "from" me!
As the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) explains:
“DMARC allows domain owners to protect their domains from unauthorized use, commonly known as email spoofing. By implementing DMARC, organizations can help prevent malicious actors from using their domains to conduct phishing and other email-based fraud.”
— CISA
Without DMARC set up, that scam voicemail notification could have slid right through to me, and I might have clicked on it. That’s how easily it can happen.
Why Security Awareness Training Matters
Technology plays a huge role in protecting your business, but so does awareness. In this case, I knew right away it wasn’t real because I’m familiar with the way voicemail notifications from our actual VoIP phone system look. They come from a different address, have a different layout, and a different style.
If you know what’s “normal” for your business systems, you’re far less likely to fall for something that’s not. That’s exactly why cybersecurity awareness training for your team is so important. Everyone should know what to expect, and what to question.
CISA emphasizes that:
“Organizations that do not implement security protocols like DMARC are at greater risk of email spoofing, phishing, and business email compromise. Adopting email authentication helps protect employees, partners, and customers.”
- CISA Insights
The Forwarding Trap
Here’s another angle that many people don’t think about: what if I had simply forwarded that voicemail notification to someone on my team with a note like, “Can you check this?”
Now that spoofed message would appear to come from me, a trusted source inside the organization. If my colleague was on a smartphone and quickly clicked before looking closely, the scam could have spread further.
This is why layered security matters. DMARC blocked the message and that's a good thing! If I didn't have that protection in place, Security Awareness training would have helped me recognize it. And clear communication processes within a team can prevent accidental forwarding of risky messages.
The Bigger Picture: Business Email Compromise
Scams like these aren’t just annoying; they’re costly. According to the FBI:
“Business Email Compromise (BEC) is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional.”
- FBI
And phishing schemes, including spoofed emails, remain the number one reported cybercrime. The FBI’s Internet Crime Complaint Center reported billions of dollars in losses in 2024 alone.
“Phishing schemes, including spoofed emails, remain the top reported cybercrime. In 2024, the FBI’s Internet Crime Complaint Center received hundreds of thousands of phishing-related complaints, with reported losses in the billions.”
- FBI Internet Crime Report
Key Takeaways for Small Businesses
- Set up DMARC. It’s one of the most effective ways to stop spoofed emails from ever reaching your inbox.
- Train your team. Familiarity with your business systems reduces the likelihood of someone falling for a scam.
- Think beyond the inbox. Scams often spread when messages are forwarded internally, especially on mobile devices where it’s harder to see details.
Here's the Bottom Line
Scams like these are everywhere, and they’re getting harder to spot. Years ago, these types of scam messages would have included misspellings, improper grammar, and terrible graphics. Easy to spot by today's standards! The good news is, there are straightforward, proven steps you can take to protect your business.
At Ekaru, we believe security shouldn’t feel intimidating or out of reach. If you’re not sure whether your business has DMARC properly set up - or if your team could benefit from a refresher on cybersecurity awareness - let’s have a conversation. We'll run a complimentary scan for you. No pressure, no jargon, just practical advice to help keep your business safe.
About the author:
Ann Westerheim, PhD is the Founder and President of Ekaru, a Technology Service Provider of cybersecurity and IT services for small and medium businesses in the greater Boston area. Ann is an accomplished technology innovator and leader with three engineering degrees from MIT. She has twenty years of high tech experience in research, advanced development, product development, and as an entrepreneur. Her career has spanned a vast range of technology endeavors including research in thin film semiconductors and superconductors, microprocessor fabrication, development of early Internet medical applications, and now focusing on the application of technology in business. She has an avid focus on the "last mile" of technology and decreasing the digital divide.
https://www.linkedin.com/in/annwesterheim/ Let's connect!