Impersonation protection
You can detect messages that pretend to be from well-known brands, very important people (VIPs) in your organization, or your vendor, customer, or partner organizations. You can manage your VIP list in VIP management. See Impersonation protection and VIP management.
VIP Impersonation
When you turn on VIP Impersonation, it detects emails attempting to impersonate high-profile individuals within your organization (internal VIPs) or trusted external contacts, such as vendors, customers, or partners (external VIPs).
VIP Impersonation can detect emails without an exact name match.
If you encounter a false positive, you can send sample emails to SophosLabs for review. For more information, see Send samples of phishing, spam, or false-positive emails to SophosLabs.
By default, detection uses a combination of VIP name matching, machine learning, and anti-phishing heuristics. As a result, some emails may be considered clean and delivered even if the name matches one of the VIPs. If you turn on Aggressive Mode, emails are detected solely based on VIP name matches, including fuzzy name variations, without relying on machine learning or heuristics.
You can configure actions for this setting. By default, we add a banner to the email. See Actions.
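The following added sketch illustrates the difference between the default behavior and Aggressive Mode described above; it is not Sophos code and does not reproduce the product's detection logic. The VIP list, the look-alike table, the 0.85 threshold, the known-address check, and `content_score` (a stand-in for the machine learning and heuristic signals) are all assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed VIP list: display name -> legitimate addresses (sample data).
VIPS = {"Jane Doe": {"jane.doe@example.com"},
        "Rahul Mehta": {"rahul.mehta@example.com"}}
LOOKALIKES = str.maketrans("013", "ole")   # digits often swapped for letters
FUZZY_THRESHOLD = 0.85                     # assumed cut-off for this sketch

def normalize(name):
    """Fold case, accents, look-alike digits, punctuation and token order."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.lower().translate(LOOKALIKES)
    return " ".join(sorted(re.findall(r"[a-z]+", text)))

def match_vip(display_name):
    """Return (vip, ratio) for the closest VIP name, or (None, ratio)."""
    candidate = normalize(display_name)
    best, best_ratio = None, 0.0
    for vip in VIPS:
        ratio = SequenceMatcher(None, candidate, normalize(vip)).ratio()
        if ratio > best_ratio:
            best, best_ratio = vip, ratio
    return (best if best_ratio >= FUZZY_THRESHOLD else None), best_ratio

def verdict(display_name, from_addr, content_score, aggressive=False):
    """VIP check only; content_score is the assumed ML/heuristic signal (0-1)."""
    vip, _ = match_vip(display_name)
    # No name match, or the VIP's own known address: not flagged by this check.
    if vip is None or from_addr.lower() in VIPS[vip]:
        return "clean"
    # Aggressive: the name match alone decides. Default: it needs corroboration.
    if aggressive or content_score >= 0.5:
        return "vip_impersonation"
    return "clean"
```

A fuzzy name match with a low `content_score` is delivered as clean in the default mode but flagged in aggressive mode, which is why aggressive matching produces more detections and more false positives for people who merely share a VIP's name.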
Brand Impersonation
When you turn on Brand Impersonation, it detects emails attempting to spoof frequently targeted brands or domains. This setting helps prevent impersonation of well-known organizations.
You can configure actions for this setting. By default, we add a banner to the email. See Actions.
General Impersonation
When you turn on General Impersonation, it detects emails that don't match VIP names or frequently targeted brands but are still considered impersonation attempts based on machine learning and anti-phishing heuristics.
You can configure actions for this setting. By default, we add a banner to the email. See Actions.
Actions
You can select the actions to take when we detect these messages as follows:
- Deliver: The message is delivered to the user.
  This action is available only for the General Impersonation setting.
- Add banner: Add a smart banner to the message to help your users decide what action to take with the message. See Add smart banner.
- Quarantine: The message is held in quarantine. You can release quarantined messages when you're sure they're safe. See Quarantined Messages.
- Tag subject line: The message is tagged and delivered to the user. The tag appears at the start of the subject line in the message. You can customize the tag, using up to 65 characters.
- Delete: The message is deleted immediately.
Add smart banner
If you choose to add a smart banner to suspect messages, you can select the actions the users see in the smart banner. Select from the following options:
- Block sender: If this setting is turned on, users see Block Sender in the smart banner. When they click Block Sender, a new page appears allowing them to add the sender's email address to their block list. Optionally, users can report the message to SophosLabs.
- Report messages to Sophos: If this setting is turned on, users see Report in the smart banner. When they click Report, a new page appears allowing them to report messages to SophosLabs. This helps us improve our impersonation detection.
Note
For plain text messages, the smart banner shows as text at the beginning of the email body, using the same content you've set.
End User Quarantine
If you choose to put some messages in end-user quarantine, your users can check, release, or delete them. See End User Quarantine.