Nickname Impersonation Guide

Protection Against Executive Spoofing

Executive spoofing is a scam in which cybercriminals impersonate the names and emails of company executives to try and fool an internal employee into disclosing sensitive information or executing a payment.

SmartPhish has a setting that allows Avanan administrators to automatically block such spoofing attempts.

 

Configuration

Avanan administrators can trigger their “Phishing” or “Suspicious” workflows when SmartPhish detects a nickname impersonation.

  1. Navigate to Configuration → Security App Store → SmartPhish → Configure
  2. Select the scope of users:
    • Important/key people
      • Note: By default, SmartPhish will reference the job title of the user to determine are senior. Examples of senior titles are CEO, CFO, etc. Alternatively, you can define your own senior users by creating a security group (in Office 365 or Google) for senior-level users, and typing the exact name of the security group in the designated field.
    • All internal users
  3. Select the “Phishing” or “Suspicious” workflow for detections.



Best Practices
  • It is best to start small. You can protect a small group of senior-level people and/or use the “Suspicious” workflow.
  • If you wish to extend nickname impersonation workflows for all internal users, it is best to use the “Suspicious” workflow to avoid false positive detections (more below).
  • Protected users must be informed to not use their personal email addresses, as these will be detected as impersonations.

Note that regardless of your settings, SmartPhish will always look for nickname impersonations for all users. The configuration described here will ensure that, for the scope of users selected, at least the “Suspicious” workflow is triggered.

Handling False Positives

Many commonly used services like Salesforce or ServiceNow send legitimate emails on behalf of other users. To SmartPhish, these will be detected as nickname impersonations. Therefore, it’s important to ensure that this configuration is not generating false positive phishing/suspicious detections.

To monitor detections, create a Custom Query that filters only for detections containing nickname impersonations. You can find the fields embedded under Security Stack → SmartPhish.

Example Output:

example-output-blur

Ensure to whitelist legitimate services that appear in the query by navigating to Configuration → Antiphishing Whitelist

If you have any questions or would like assistance configuring, please reach out to support@avanan.com.