Sometimes we may receive emails in which the sender claims to be a person from the company, but the email address does not belong to that person. These are spoofed emails, which try to gain the recipient's trust in order to obtain information or economic benefit.
Spoofed email example:
From: Hank Scorpio <h.scorpio@phishing.net>
To: Steve Harris <s.harris@globex.com>
Good morning Steve,
Please transfer as soon as possible 25.000€ to this bank account:
FX21-2151-84516607852
Let me know once done, it's quite urgent.
Sincerely,
- - - - - - - - - - - -
Hank Scorpio
Globex CEO
Phone: +1(426)4519102
Email: h.scorpio@globex.com
This could be blocked thanks to the CEO Fraud Filter, which is part of our Targeted Fraud Forensics Filter (TFFF).
The filter checks whether the display name and the email address from which the email is sent match the ones configured in the filter. If the display name matches but the email address is not the same as the one configured in the filter, the email will be quarantined.
For example, if we're protecting the address h.scorpio@globex.com, and its name and surname are "Hank Scorpio" in the mailbox's basic data, we'd block emails coming from any other address, such as h.scorpio@phishing.net, where the display name equals "Hank Scorpio".
This filter helps in cases where a user reads "Hank Scorpio" at the start of the "From" field of an email and assumes it's the real Hank, without paying attention to the address information next to it.
Enabling the filter:
To enable TFFF, access our Control Panel and then go to Security settings > Advanced Threat Protection > Activate Targeted Fraud Forensics Filter.
Configuring the filter:
Once enabled, please create a group containing all the sensitive mailboxes, like the CEO, administrator, accountants, etc.
To do so, go to Customer Settings > Groups.
Then click on +Add, assign a name and a description for the group, and select the mailboxes you want to add to the group.
Once the group is created, go back to Security Settings > Advanced Threat Protection, and click on +Add to add the previously created group to the TFFF filter.
Important: For the filter to work properly, please ensure that:
- The inbound SPF check is enabled
- The group members' First Name and Last Name fields are correct under Customer Settings > Mailboxes > Basic Data
Tip: We recommend protecting with this filter only the accounts that are likely to be spoofed and whose impersonation could have a big impact on the company if the recipient doesn't detect the fraud. This is because each time you add a new mailbox to the filter, this user's name and surname will be considered "exclusive" to the related mailbox address.
Therefore, the more users are added to the list, the bigger the chance that a legitimate sender shares a protected name. Because of this, we recommend choosing which accounts to protect with this filter, instead of adding the entire company to this group.
For example, if the company's CEO is called "John Smith", TFFF will quarantine all emails coming from other email addresses that also state "John Smith" in the display name section of the header.from field.
This could lead to certain false positive classifications, as there could actually be other legitimate John Smiths around the world, or "our" John Smith could send emails to the domain from his personal email account in Yahoo, Hotmail or Gmail, which could also state "John Smith" in the display name field.
If this conflict happens, our Support team can help you configure exceptions for certain valid senders who should also be able to use the names and surnames of accounts protected by TFFF.
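The display-name check and the exception handling described above can be sketched as follows. This is an added example, not the product's own code: the matching rule (case and whitespace folding), the `EXCEPTIONS` table, the function names and the `example.org` address are assumptions made for illustration.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample data: protected address -> first and last name from Basic Data.
PROTECTED = {"h.scorpio@globex.com": ("Hank", "Scorpio")}
# Hypothetical exception list: other senders allowed to use a protected name.
EXCEPTIONS = {"h.scorpio@globex.com": {"hank.scorpio@example.org"}}


def normalize_name(name):
    """Fold case and collapse whitespace (assumed matching rule)."""
    return " ".join(name.casefold().split())


def owner_of(display_name):
    """Return the protected address that owns this display name, or None."""
    wanted = normalize_name(display_name)
    for address, (first, last) in PROTECTED.items():
        if normalize_name(f"{first} {last}") == wanted:
            return address
    return None


def classify(from_header):
    """Return 'deliver' or 'quarantine' for a raw From header value."""
    display, address = parseaddr(from_header)
    # Decode RFC 2047 encoded words (=?utf-8?q?...?=) before comparing,
    # otherwise an encoded "Hank Scorpio" would not match the protected name.
    display = str(make_header(decode_header(display)))
    owner = owner_of(display)
    if owner is None:
        return "deliver"  # display name is not protected by the filter
    address = address.lower()
    if address == owner or address in EXCEPTIONS.get(owner, set()):
        return "deliver"  # the real mailbox or a configured exception
    return "quarantine"  # protected name used from a different address


if __name__ == "__main__":
    for header in (
        "Hank Scorpio <h.scorpio@phishing.net>",
        "Hank Scorpio <h.scorpio@globex.com>",
        "=?utf-8?q?Hank_Scorpio?= <h.scorpio@phishing.net>",
        "Hank Scorpio <hank.scorpio@example.org>",
    ):
        print(f"{classify(header):10}  {header}")
```

This comparison alone does not detect a message that forges the protected address itself; sender authentication, such as the inbound SPF check listed above, has to cover that case.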