Protection Against Executive Spoofing
Executive spoofing is a scam in which cybercriminals impersonate the names and email addresses of company executives to try to fool an internal employee into disclosing sensitive information or executing a payment.
Smart-Phish has a setting that allows Avanan administrators to automatically block such spoofing attempts.
Avanan administrators can trigger their “Phishing” or “Suspected Phishing” workflows when Smart-Phish detects a nickname impersonation.
- Navigate to Configuration > Security Engines.
- Click Configure for Smart-Phish.
- Select the scope of users:
  - Important/key people
    - Note: By default, Smart-Phish will reference the job title of the user to determine which users are senior. Examples of senior titles are CEO, CFO, etc. Alternatively, you can define your own senior users by creating a security group (in Office 365 or Google) for senior-level users, and typing the exact name of the security group in the designated field. This field is case sensitive.
  - All internal users
- Select the “Phishing” or “Suspected Phishing” workflow for detections.
- It is best to start small. You can protect a small group of senior-level people and/or use the “Suspected Phishing” workflow.
- If you wish to extend nickname impersonation workflows for all internal users, it is best to use the “Suspected Phishing” workflow to avoid false positive detections (more below).
- Protected users must be informed to not use their personal email addresses, as these will be detected as impersonations.
Note: Regardless of the settings, Smart-Phish will always look for nickname impersonations for all users. The configuration described here will ensure that, for the scope of users selected, at least the Suspected Phishing workflow is triggered.
Handling False Positives
Many commonly used services like Salesforce or ServiceNow send legitimate emails on behalf of other users. Smart-Phish will detect these as nickname impersonations. Therefore, it’s important to ensure this configuration is not generating false positive phishing/suspected phishing detections.
To monitor detections, create a Custom Query that filters only for detections containing nickname impersonations. You can find the fields embedded under Security Engines > Smart-Phish.
Since impersonation detection takes priority, an Allow-List rule will sometimes be overridden due to an SPF failure. If you need to ensure that an email is not overridden by an SPF failure or suspected impersonation, you must edit the Allow-List rule to "Ignore SPF check".
Be sure to whitelist legitimate services that appear in the query by navigating to Configuration > Anti-Phishing Allow-List.
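The sketch below is an added illustration, not Avanan's or Smart-Phish's actual detection logic. It shows why a protected user's personal address and an on-behalf-of service both look like nickname impersonation, and how an allow-list entry separates the legitimate service from the rest. All names, addresses and domains are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed sample data (assumptions for this example only).
PROTECTED_USERS = {"Jane Doe": "jane.doe@example.com"}  # display name -> corporate address
ALLOW_LISTED_DOMAINS = {"crm.example"}                  # hypothetical on-behalf-of service


def normalize(name):
    """Case-fold, drop punctuation and sort tokens so 'Doe, Jane' == 'Jane Doe'."""
    return " ".join(sorted(re.findall(r"\w+", name.lower())))


# Index protected users by normalized display name.
_PROTECTED = {normalize(n): a.lower() for n, a in PROTECTED_USERS.items()}


def classify(from_header):
    """Return 'clean', 'allow-listed' or 'nickname-impersonation' for a From header."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    real_addr = _PROTECTED.get(normalize(display))
    # Display name is not a protected user, or it is their real address.
    if real_addr is None or addr == real_addr:
        return "clean"
    # Protected name on a different address: check the allow-list first.
    domain = addr.rpartition("@")[2]
    if domain in ALLOW_LISTED_DOMAINS:
        return "allow-listed"
    return "nickname-impersonation"


# Constructed From headers covering the cases discussed on this page.
SAMPLES = [
    'Jane Doe <jane.doe@example.com>',             # the executive's real mailbox
    '"Doe, Jane" <jane.personal@mail.example>',    # personal address: flagged
    'Jane Doe <noreply@crm.example>',              # service sending on her behalf
    'JANE  DOE <ceo-office@lookalike.example>',    # external spoof: flagged
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):24} {header}")
```

Note that the personal-address sample is flagged exactly like the external spoof, which is why protected users need to be told to send only from their corporate address.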
If you have any questions or would like assistance configuring, please reach out to email@example.com.