Protection Against Executive Spoofing
Executive spoofing is a scam in which cybercriminals impersonate the names and email addresses of company executives to fool an internal employee into disclosing sensitive information or executing a payment.
SmartPhish has a setting that allows Avanan administrators to automatically block such spoofing attempts.
Avanan administrators can trigger their “Phishing” or “Suspicious” workflows when SmartPhish detects a nickname impersonation.
- Navigate to Configuration → Security App Store → SmartPhish → Configure
- Select the scope of users:
  - Important/key people
    - Note: By default, SmartPhish will reference the job title of the user to determine which users are senior. Examples of senior titles are CEO, CFO, etc. Alternatively, you can define your own senior users by creating a security group (in Office 365 or Google) for senior-level users, and typing the exact name of the security group in the designated field. This field is case sensitive.
  - All internal users
- Select the “Phishing” or “Suspicious” workflow for detections.
- It is best to start small. You can protect a small group of senior-level people and/or use the “Suspicious” workflow.
- If you wish to extend nickname impersonation workflows for all internal users, it is best to use the “Suspicious” workflow to avoid false positive detections (more below).
- Protected users must be informed to not use their personal email addresses, as these will be detected as impersonations.
Note that regardless of your settings, SmartPhish will always look for nickname impersonations for all users. The configuration described here will ensure that, for the scope of users selected, at least the “Suspicious” workflow is triggered.
Handling False Positives
Many commonly used services like Salesforce or ServiceNow send legitimate emails on behalf of other users. SmartPhish will detect these as nickname impersonations. Therefore, it’s important to ensure that this configuration is not generating false positive phishing/suspicious detections.
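The sketch below is an added illustration of why these cases trigger a detection; it is not SmartPhish's logic or Avanan code. It assumes a simple display-name check against a list of protected users and a domain-based allow list, and every name, address and domain in it is constructed.

```python
# Illustrative display-name ("nickname") impersonation check.
# Not SmartPhish's logic; all names, addresses and domains are constructed.
import unicodedata
from email.utils import parseaddr

# Protected users: display name -> corporate address (constructed sample data)
PROTECTED = {
    "Dana Reyes": "dana.reyes@example.com",
    "Sam Okafor": "sam.okafor@example.com",
}
# Services known to send on behalf of users (hypothetical allow list)
ALLOWED_SENDER_DOMAINS = {"crm-notify.example.net"}


def normalize(name):
    """Case-fold, strip accents and collapse whitespace so 'DANA  Reyes' matches."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(ascii_only.casefold().split())


PROTECTED_BY_NAME = {normalize(n): a.lower() for n, a in PROTECTED.items()}


def classify(from_header):
    """Return 'clean', 'allowed-service' or 'impersonation' for one From header."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    expected = PROTECTED_BY_NAME.get(normalize(display))
    if expected is None or addr == expected:
        return "clean"  # not a protected name, or the real corporate mailbox
    domain = addr.rpartition("@")[2]
    if domain in ALLOWED_SENDER_DOMAINS:
        return "allowed-service"  # legitimate on-behalf-of sender
    return "impersonation"  # protected name, unexpected address


# Constructed sample From headers
SAMPLES = [
    "Dana Reyes <dana.reyes@example.com>",          # real mailbox
    "DANA  REYES <ceo.office@mail.example.org>",    # look-alike sender
    "Dana Reyes <dana.r@personal.example>",         # executive's personal address
    "Sam Okafor <noreply@crm-notify.example.net>",  # service sending on his behalf
    "Pat Lee <pat.lee@example.com>",                # not in the protected scope
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):16} {header}")
```

The executive's personal address and the look-alike sender are indistinguishable to a name-based check, which is why protected users need to send from their corporate mailbox and why each legitimate service has to be allow-listed explicitly.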
To monitor detections, create a Custom Query that filters only for detections containing nickname impersonations. You can find the fields embedded under Security Stack → SmartPhish.
Because impersonation detection takes priority, an Allow list rule will sometimes be overridden due to an SPF failure. If you need to ensure that an email is not overridden by an SPF failure or suspected impersonation, edit the Allow list rule to "Ignore SPF check".
Be sure to whitelist legitimate services that appear in the query by navigating to Configuration → Antiphishing Whitelist.
If you have any questions or would like assistance configuring, please reach out to firstname.lastname@example.org.