Impersonation protection and VIP management
You can detect messages that pretend to be from well-known brands, very important people (VIPs) in your organization, or your vendor, customer, or partner organizations.
The following behaviors are related to Impersonation protection and VIP management.
-
Quarantined messages
- Only administrators can release quarantined messages.
- By default, quarantined messages aren't visible to users in the Self Service Portal (SSP) or quarantine summary.
-
VIP management list
- The VIP management list can contain up to 1000 email addresses.
- The VIP management list is shared among domains protected in Sophos Central or within the same Sophos Central account. External VIPs may have domains of the organizations you do business with.
-
Default Impersonation protection scanning
- Impersonation protection is enabled by default and scans emails for the most abused brands.
- Even if your VIP management list is empty, it still scans the sender's display name or email address domain for the most abused brands.
-
Smart banners
Smart banners are applied to both HTML and plain text messages.
-
Reporting suspicious messages
Users can report suspicious messages to SophosLabs using the Report link in the smart banner.
Impersonation protection
Impersonation protection looks for two types of impersonation:
- Imitation of a well-known brand, often a financial organization or online shopping site.
- Use of the names of important people in phishing emails. You can add names in VIP management, both internal and external.
Impersonation protection can flag emails as impersonation, even without a specific VIP name match. This type of impersonation is categorized as "General Impersonation". If you encounter a false positive, you can send sample emails to SophosLabs for review. For more information, see Send samples of phishing, spam, or false-positive emails to SophosLabs.
The feature is turned on by default and controlled by Email Security policy settings. See Email Security policy.
VIP management
The VIP management page allows you to manage your internal and external VIP lists:
- Internal VIPs: VIPs within your organization who are most likely to be impersonated.
- External VIPs: Individuals from your vendor, customer, or partner organizations who may be impersonated by attackers to target your organization. You can add any external persons or contacts from other organizations as VIPs.
Sophos Central specifically looks for external senders impersonating your internal and external VIPs. You can add up to 1000 VIPs to your list. To add internal and external VIPs, use the Add VIP feature. See Add VIPs.
When you've added the VIPs, go to your Email Security policy settings to define what happens to impersonation emails. See Email Security policy.
You can also delete VIPs from the VIP management list. See Delete VIPs.