Impersonation protection and VIP management
With the Impersonation protection and VIP management features, you can detect phishing emails that pretend to come from well-known brands or important people within your organization.
The following behaviors are related to Impersonation protection and VIP management.
- Quarantined messages
  - Only administrators can release quarantined messages.
  - Quarantined messages aren't visible to users in the Self Service Portal (SSP) or quarantine summary.
- VIP management list
  - The VIP management list can contain up to 500 email addresses.
  - The VIP management list is shared among domains protected in Sophos Central or within the same Sophos Central account.
- Default Impersonation protection scanning
  - Impersonation protection is enabled by default and scans emails for the most abused brands.
  - Even if your VIP management list is empty, it still scans the sender's display name or email address domain for the most abused brands.
- Smart banners
  Smart banners are applied to both HTML and plain text messages.
- Reporting suspicious messages
  Users can report suspicious messages to SophosLabs using the Report link in the smart banner.
Impersonation protection
Impersonation protection looks for two types of impersonation:
- Imitation of a well-known brand, often a financial organization or online shopping site.
- Use of the names of important people in phishing emails. You can add names in VIP management.
Impersonation protection can flag emails as VIP impersonation, even without a specific VIP name match. If you encounter a false positive, you can send sample emails to SophosLabs for review. For more information, see Send samples of phishing, spam, or false-positive emails to SophosLabs.
The feature is turned on by default and controlled by Email Security policy settings. See Email Security policy.
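To make the two impersonation types concrete, the following added example (not Sophos code, and not a description of how Sophos detects impersonation) classifies From headers against a VIP list and a brand list. The VIP name, brand name, addresses, domains and helper names are all constructed assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample data (assumptions for illustration, not Sophos lists).
VIPS = {"jane doe": "jane.doe@corp.example"}        # VIP display name -> real address
BRANDS = {"examplebank": {"examplebank.example"}}   # brand -> domains it owns

SAMPLES = [  # constructed From header values
    '"Jane Doe" <jane.doe@corp.example>',
    '"JANE  DOE" <ceo.office@freemail.example>',
    'ExampleBank Support <alerts@examplebank-secure.example>',
    'ExampleBank <alerts@mail.examplebank.example>',
]


def _norm(text):
    """Casefold, strip accents and collapse whitespace before comparing names."""
    decomposed = unicodedata.normalize("NFKD", text)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.casefold().split())


def classify_from(header):
    """Return 'vip', 'brand' or None for one From header value."""
    display, addr = parseaddr(header)
    name = _norm(display)
    addr = addr.casefold()
    domain = addr.rpartition("@")[2]

    # VIP impersonation: a VIP's name shown on an address that is not the VIP's own.
    if name in VIPS and addr != VIPS[name]:
        return "vip"

    # Brand impersonation: the brand appears in the display name or the domain,
    # but the sending domain is not one the brand owns (or a subdomain of it).
    for brand, owned in BRANDS.items():
        legit = any(domain == d or domain.endswith("." + d) for d in owned)
        if not legit and (brand in name or brand in domain):
            return "brand"
    return None


if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_from(header), "<-", header)
```

Exact-name matching like this is a simplification: it misses lookalike spellings and flags a VIP who writes from a personal address, which is the kind of false positive the sample-submission process above is for.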
This video provides an overview of Impersonation protection, including its function, its configuration, where to view detections, and more.
VIP management
You can enter up to 500 email addresses of very important people (VIPs) in your organization on the VIP management page. Emails are monitored for signs of impersonation of these addresses.
Go to My Products > General Settings > VIP management.
You can manually add email addresses with the Add VIP function.
The Help me find VIPs function searches a connected Active Directory (AD) service for high-risk users. The more information you’ve added to your AD entries (for example job titles), the better the results are. You then select users from the search results.