Skip to content

Impersonation protection

You can detect messages that pretend to be from well-known brands or very important people (VIPs) in your organization. You can add email addresses for VIPs in VIP management. See Impersonation protection and VIP management.

Impersonation protection can flag emails as VIP impersonation, even without a specific VIP name match. If you encounter a false positive, you can send sample emails to SophosLabs for review. For more information, see Send samples of phishing, spam, or false-positive emails to SophosLabs.

Set up Impersonation protection

In Impersonation protection, you can choose from the following actions to take when we detect these messages.

  • Add banner: Add a banner to the message to help your users decide what action to take with the message. See Add banner.
  • Quarantine: The message is held in quarantine. You can release quarantined messages when you're sure they're safe.
  • Tag subject line: The message is tagged and delivered to the user. The tag appears at the start of the subject line in the message. You can customize the tag, using up to 30 characters.
  • Delete: The message is deleted immediately.

Add banner

If you choose to add a banner to suspect messages, you can select the actions the users see in the banner.

Choose from the following options:

  • Block sender: The sender's email address is added to a block list.
  • Report messages to Sophos: Users can report suspicious messages to SophosLabs. This helps us improve our impersonation detection.

Example impersonation banner.

If you turn on Report messages to Sophos, when users click Block sender in a message, they see an option to report the message to SophosLabs. This helps us improve our detection methods and learn about new threats.


For plain text messages, the banner is in text-only form, using the same content you set, and is shown at the beginning of the email body.