Impersonation protection

You can detect messages that pretend to be from well-known brands or very important people (VIPs) in your organization. You can add email addresses for VIPs in VIP management. See Impersonation protection and VIP management.

Impersonation protection can flag emails as VIP impersonation, even without a specific VIP name match. If you encounter a false positive, you can send sample emails to SophosLabs for review. For more information, see Send samples of phishing, spam, or false-positive emails to SophosLabs.

Set up Impersonation protection

In Impersonation protection, you can choose from the following actions to take when we detect these messages.

  • Add banner: Add a smart banner to the message to help your users decide what action to take with the message. See Add smart banner.
  • Quarantine: The message is held in quarantine. You can release quarantined messages when you're sure they're safe.
  • Tag subject line: The message is tagged and delivered to the user. The tag appears at the start of the subject line in the message. You can customize the tag, using up to 30 characters.
  • Delete: The message is deleted immediately.

Add smart banner

If you choose to add a smart banner to suspect messages, you can select the actions the users see in the smart banner. Choose from the following options:

  • Block sender: If this setting is turned on, users see Block Sender in the smart banner. When they click Block Sender, a new page appears allowing them to add the sender's email address to their block list. Optionally, users can report the message to SophosLabs.
  • Report messages to Sophos: If this setting is turned on, users see Report in the smart banner. When they click Report, a new page appears allowing them to report messages to SophosLabs. This helps us improve our impersonation detection.

Example impersonation smart banner.

Note

For plain text messages, the smart banner shows as text at the beginning of the email body, using the same content you've set.