Someone is sending emails pretending to be your business right now, and you likely have no idea it is happening.
This isn’t a plot from a spy movie; it is a fundamental flaw in how global email was built. For most business owners in Des Moines and Overland Park, the realization only hits when a long-term client calls to ask why your “accounting department” requested a wire transfer to a new bank account, or when your marketing emails suddenly start landing in every customer’s spam folder.
Business Email Compromise (BEC) has evolved from a nuisance into a multi-billion dollar crisis. In 2023, the FBI documented $2.9 billion in losses from this single category of crime. By 2025, that number remained staggering, with the average loss per incident climbing to over $137,000. These aren’t just “big city” problems or Fortune 500 issues. These are attacks targeting mid-sized logistics firms in Iowa and professional service providers in Kansas.
The Digital Return Address Loophole
To understand the risk, you have to understand the analogy of the “digital return address.”
Think of a standard paper envelope. You can write any name and address you want in the top-left corner. You could write “The White House” or “Microsoft Headquarters,” and the post office will still deliver it. The recipient sees the return address and assumes it is legitimate because that is what the envelope says.
Standard email works the same way. Unless you publish the right DNS records, anyone can send a message with your domain (yourname@yourbusiness.com) in the visible “From” header, and the receiving server has no way to tell it apart from mail you actually sent. They don’t need your password. They don’t need to “hack” your server. They simply exploit the fact that you haven’t told the world’s email systems how to verify that the name on the envelope really belongs to you.
Why the 2026 World Cup Changes the Stakes Locally
As we look toward the summer of 2026, the Kansas City and Overland Park regions are preparing for a massive influx of international attention due to the World Cup. For a local business, this is an incredible opportunity, but for a cybercriminal, it is the perfect smokescreen.
With thousands of new vendors, temporary contractors, and high-volume transactions moving through the region, the “noise” of business communication will be at an all-time high. Criminals use this noise to slip spoofed invoices and fake “urgent” requests past distracted employees. If your email domain isn’t locked down, your business identity can be hijacked to defraud your partners during the busiest period our region has seen in decades.
Mistake 1: You Have No “ID Card” for Your Domain
The first and most common mistake is operating without any email authentication. In the tech world, these are known as SPF, DKIM, and DMARC. Think of these as a multi-layered ID card for your business.
- SPF (Sender Policy Framework): A DNS record listing the servers and services allowed to send mail for your domain. A receiving server checks the connecting sender against that list and, if the record ends in “-all”, treats anything not on it as unauthorized.
- DKIM (DomainKeys Identified Mail): A digital signature. Your mail system signs each outgoing message with a private key, and the matching public key is published in your DNS, so a recipient can prove the message came from a system holding your key and that the signed headers and body weren’t altered while travelling across the internet.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): The instruction manual. It tells receiving servers what to do with a message that shows your domain in the “From” header but passes neither SPF nor DKIM for that domain (deliver it, quarantine it, or reject it), and it asks them to send you reports on every message they saw claiming to be from you.
If you haven’t explicitly asked for these to be configured, there is a high probability they aren’t working. Many owners assume their email provider (like Microsoft 365 or Google Workspace) handles this automatically. It does not. The provider supplies the tools, but you, or your IT partner, must publish the SPF and DMARC records in your DNS and set up DKIM signing for your own domain.
Mistake 2: The Settings Are “On” but Incorrectly Configured
Setting up these protocols is one thing; getting them right is another. A misconfigured record is often worse than having none at all, because it can block your own legitimate mail while still letting impostors through.
We frequently see businesses in Des Moines with an SPF record that is too broad, ending in “+all” and essentially telling the internet, “Anyone can send on our behalf.” Just as often, the record is too narrow: it leaves out the servers behind your QuickBooks or CRM platform, so the invoices those tools send on your behalf fail authentication and are filtered by your clients’ security tools.
This creates a “silent failure.” You think your emails are going out, but they are being diverted to junk folders or discarded entirely. From a leadership perspective, this isn’t just a tech headache; it is a breakdown in your visibility and control over how your brand is represented in the marketplace.
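To make the three records and the two misconfigurations above concrete, here is an added example (not part of this article and not CMIT Solutions’ tooling) that reads an SPF record and a DMARC record the way a receiving server would and flags the problems described in Mistake 1 and Mistake 2. The hypothetical domain, its records and its list of expected senders are constructed for illustration; the include names are the ones Google Workspace and Mailchimp publish for their customers.

```python
"""Offline lint of SPF and DMARC TXT records.

Added example for this article, not CMIT Solutions' tooling. The records
and the expected-sender list are constructed for a hypothetical domain.
"""

# Mechanisms that cost a DNS lookup; SPF evaluators stop after ten of them
# (RFC 7208, section 4.6.4) and treat the record as a permanent error.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return (list of (qualifier, mechanism), qualifier of the 'all' term or None)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # implicit qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def lint_spf(record, expected_includes):
    """Return finding codes for an SPF record; an empty list means no issue found."""
    mechanisms, all_qualifier = parse_spf(record)
    findings = []
    # Too broad: "+all", "?all", or no "all" term lets any sender pass SPF.
    if all_qualifier in (None, "+", "?"):
        findings.append("too_broad")
    # Too narrow: a service you really send from is not authorized.
    present = {m.lower() for _, m in mechanisms}
    for name in expected_includes:
        if f"include:{name.lower()}" not in present:
            findings.append(f"missing_sender:{name}")
    lookups = sum(
        1 for _, m in mechanisms
        if m.split(":", 1)[0].split("=", 1)[0].lower() in LOOKUP_MECHANISMS
    )
    if lookups > 10:
        findings.append("too_many_lookups")
    return findings


def parse_dmarc(record):
    """Return DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def lint_dmarc(record):
    """Return finding codes for a DMARC record; empty means enforced with reporting."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("monitoring_only")       # spoofed mail is still delivered
    elif policy not in ("quarantine", "reject"):
        findings.append("invalid_policy")
    if "rua" not in tags:
        findings.append("no_aggregate_reports")  # you never learn who sends as you
    if tags.get("pct", "100") != "100":
        findings.append("partial_enforcement")
    return findings


# Constructed records for a hypothetical domain that sends through
# Google Workspace and Mailchimp (include names as published by those vendors).
EXPECTED_SENDERS = ["_spf.google.com", "servers.mcsv.net"]
SPF_TOO_BROAD = "v=spf1 include:_spf.google.com include:servers.mcsv.net +all"
SPF_TOO_NARROW = "v=spf1 include:_spf.google.com -all"
SPF_GOOD = "v=spf1 include:_spf.google.com include:servers.mcsv.net -all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_NO_REPORTS = "v=DMARC1; p=quarantine; pct=50"

if __name__ == "__main__":
    for label, rec in [("broad", SPF_TOO_BROAD), ("narrow", SPF_TOO_NARROW), ("good", SPF_GOOD)]:
        print(f"SPF {label}: {lint_spf(rec, EXPECTED_SENDERS) or 'ok'}")
    for label, rec in [("monitor", DMARC_MONITOR), ("enforced", DMARC_ENFORCED),
                       ("no reports", DMARC_NO_REPORTS)]:
        print(f"DMARC {label}: {lint_dmarc(rec) or 'ok'}")
```

The checks run offline on the record text; in practice you would pull the TXT records for your domain and for `_dmarc.` followed by your domain with a tool like `dig` and feed them in. A record ending in “~all” (softfail) is not flagged as too broad here, but under DMARC only an SPF “pass” counts, so a softfailing message then depends entirely on a valid DKIM signature.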
Mistake 3: The “Set and Forget” Mentality
Business changes. You might adopt a new marketing tool like Mailchimp, a new HR portal, or a specialized invoicing system for your construction or healthcare firm. Each of these tools sends email on your behalf.
If your email authentication records aren’t updated every time you add a new service, your security posture breaks. Most companies set their records once and never look at them again. Over time, gaps appear in both directions: a new tool that was never added to the record fails authentication and lands in spam, while the entries for services you stopped using keep authorizing platforms you no longer control. These stale authorizations are exactly what attackers look for, because mail sent through a still-listed legacy service passes your checks and looks like you.
Moving from Technical Headaches to vCISO Governance
The solution to these mistakes isn’t just “better IT support.” It is governance. This is why more businesses are moving toward a vCISO (Virtual Chief Information Security Officer) model.
A vCISO doesn’t just look at the configuration; they look at the risk. They ensure that your email security isn’t just a “checked box” on an insurance form, but a functional shield that protects your revenue and reputation.
When you treat email security as a governance issue, you gain:
- Total Visibility: DMARC reporting tells you exactly which systems are sending mail using your name, whether it’s your marketing team’s platform or a hacker in another country.
- Brand Protection: You ensure that your legitimate emails, the ones that bring in revenue, actually reach your clients’ inboxes.
- Insurance Readiness: Cyber insurance providers are increasingly strict about DMARC and SPF. Having these configured correctly is often a requirement for coverage.
- Faster Detection: If someone does attempt to spoof your domain, the reports receiving servers send you reveal it, allowing you to warn your clients before they lose money.
Practical Steps for Leadership
As a CEO or Owner, you don’t need to know how to write code. You do need to ask the right questions of your team or your managed IT provider.
- Ask for a DMARC Report: Do we have a DMARC policy in place, and is it set to “p=reject” (which blocks spoofed mail) or “p=quarantine” (which sends it to spam), or is it still at “p=none,” which only monitors and lets spoofed mail through?
- Audit Authorized Senders: Can we see a list of every third-party service (CRM, Payroll, Marketing) that is authorized to send email as our company?
- Review Recent “Spoofing” Attempts: How many times in the last 90 days has our system blocked someone trying to impersonate us?
Implementing these checks leads to tangible outcomes: reduced manual effort in “putting out fires” when clients receive fake emails, improved visibility into your digital footprint, and a significant reduction in the risk of a multi-thousand dollar fraud event.
Securing Your Reputation Before It’s Challenged
Your email domain is one of your most valuable business assets. It carries your reputation, your contracts, and your financial instructions. Leaving it unprotected is the equivalent of leaving your company checkbook on a park bench in downtown Des Moines.
At CMIT Solutions of Des Moines and Overland Park, we focus on moving businesses away from reactive “break-fix” mentalities and toward proactive risk management. Whether you are preparing for the growth of the 2026 World Cup or simply trying to ensure your daily operations remain secure, email governance is a foundational step.
This is worth addressing before a client calls you with a question you don’t want to answer. If you want to understand where your domain stands today, start with a conversation about your current security posture.
To learn more about how we protect local businesses, you can read about our team or contact us directly to schedule a strategy session.
Edgar Ortiz
CEO, CMIT Solutions of Des Moines and Overland Park