We’re excited to announce the ability to detect and block email impersonation phishing attacks with Sophos Email Advanced – now available as an early access program.
The Threat from Email Impersonation Phishing Attacks
A new study has revealed that 43% of SMEs have been targeted by impersonation phishing attacks in the past year. In these attacks, criminals often try to deceive employees, using the name of a trusted sender to encourage victims to reply, click a link, open and attachment, and so on.
Relying on users who scan email messages, these attacks use simple display name forgery, to change the visible part of the email address that we see in many common email clients. Changing the display name to use those of trusted brands, or senior executives within the organization – and it’s highly effective for attackers.
These attacks reign down from free email accounts, and in more targeted attacks, are known to use “look-a-like" domain names, like that of the corporate domain.
Release Highlights
This early access program for Sophos Email Advanced offers crucial protection against these impersonation phishing attacks and offers several great advancements:
- Compares the display name of inbound emails to the display name of commonly abused cloud service brand names, and to VIPs within the customers organization to check for matches. These could be the CEO, CFO, and HR Director etc.
- Provides a simple wizard to identify and add VIPs within the organization to your policy for analysis with all inbound messages.
- Analysis of the domain name of an email address in relation to the display name. Looking for free email services g. Kris Hagerman <whatever@gmail.com>
- Analysis of look-a-like domains to identify domain names like the corporate domain – when the attacker is impersonating an internal user e.g. Kris Hagerman
sopros.com> or Kris Hagerman ninja> - Alternatively, if an attacker is attempting to impersonate a trusted brand, Sophos Email will also identify domain names similar to well-known cloud services such as Microsoft, Amazon, and LinkedIn e.g. Amazon Support
amazon-email.com> - This new service then allows email administrators to act on potential attacks with policy controls to quarantine, tag the subject line, delete, or warn users - with a banner added to inbound emails.
Identifying VIPs
VIPs are employees in the organization who are most likely to be impersonated by phishing attackers. While all users will receive the same protection, the system will look for external senders impersonating your VIPs and customer may add up to 200 users.
Creating a VIP list in Sophos Central couldn’t be simpler. Either choose to “Add VIPs” by searching your user list for known individuals. Alternatively, if active directory synchronization has been enabled, select “Help me find VIPs” and Sophos Email will look for users with titles that are in line with job roles most likely to be impersonated:
- CEO
- President
- Chief Financial Officer
- CFO
- Finance Director
- Human Resources Director
- HR Director
Acting on the Threat
Once VIPs have been added, policy settings will define what happens to impersonated emails. Email administrators can then act on potential attacks by adding the following actions:
- Add a banner to inbound emails (also provides a direct link to the user-level block list)
Note: This banner is independent from the Sophos Email 'Smart Banners' feature. - Quarantine messages
- Tag message subject lines (default will read [caution: Possible Impostor!], but this can be modified)
- Delete messages
How to Take Part
To join the Email Impersonation Protection EAP simply log into Sophos Central > Select Early Access Programs > Select ‘Join’ > Accept the terms and get stated. Note: This EAP is only available to existing Sophos Email Advanced accounts.
Where to Send Your Feedback
Please provide all feedback about this early access program in our Sophos Email Community Forum.
Remarks
- Impersonation protection is available to Sophos Email Advanced license customers only.
- These features have been automatically added in Sophos Central, and will be ‘on’ by default, however, customers are required to define their own VIP list.
- The default policy action will be to ‘add banner’ to warn users to inbound messages where impersonation is detected.