CEO fraud emails

We are getting more and more email claiming to be from the CEO or President.  On the local GW client we can easily see that the email address and the display name do not match while on mobile devices it is not apparent.

Has anyone written a rule that checks the display name against the email address?  Or is there a better way of handling this?

  • Now that would be cool, but I'm not sure if there is a way to do it.  I need to look into that.  In the meantime, a helpful rule I have in SMG is a Header Filter rule that looks in the message header for the following: 

    FROM:*@my_domain.com

     

  • Looked into this a bit.  SMG does not have a filter that can validate "FROM" names against emails in your system.  For that you should create an enhancement request at /cyberres/smg/i/SMG_Ideas

    However, if your CEO or President has a name that is not too common, you could just create a Message Text filter that looks for that name.  Check the option for message header and add the search criteria of "FROM: *first_name last_name*" without the quotes.  You might need to put a few variations in there just in case.  Obviously you run the risk of blocking legitimate email the more common their name is, but it might be worth a shot.  If you do have someone with the same name that gets blocked by this rule, you could add an exception for their email address.

    We have run into this complaint also.  Smartphone makers, in my opinion, hide too much info for the sake of looks/design/screen real estate.  Until they wake up to the security issues they are causing and change things, the best thing to do is educate users.  I highly recommend regular phishing training and testing.  We use KnowBe4, but there are others out there also.  I have seen a definite increase in awareness since we implemented a training/testing policy.  Well worth it.

    Hope that helps!
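
An added example, not written by any poster in this thread and not an SMG feature: a standalone Python check of the kind the original question asks about, comparing the From display name against the actual address. The protected name `Jane Example`, her address and the sample headers are constructed assumptions.

```python
import re
import unicodedata
from email import message_from_string, policy

# Assumption: protected people and their legitimate addresses (constructed).
PROTECTED = {"jane example": {"jane.example@my_domain.com"}}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def _norm(name):
    """Lowercase, drop accents and punctuation, collapse whitespace."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split())

def check_from(raw_message):
    """Return (display_name, address, reason) tuples for suspicious From headers."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    if msg["From"] is None:
        return findings
    for addr in msg["From"].addresses:
        actual = addr.addr_spec.lower()
        tokens = set(_norm(addr.display_name).split())
        for person, allowed in PROTECTED.items():
            # Token subset match also catches "Example, Jane (CEO)".
            if set(person.split()) <= tokens and actual not in allowed:
                findings.append((addr.display_name, actual, "protected name, unknown address"))
        # A display name that itself shows an address other than the real one.
        shown = ADDR_RE.search(addr.display_name)
        if shown and shown.group(0).lower() != actual:
            findings.append((addr.display_name, actual, "display name shows a different address"))
    return findings

# Constructed sample headers (not taken from real mail).
SAMPLES = {
    "legit": "From: Jane Example <jane.example@my_domain.com>\nSubject: Q3\n\nhi",
    "spoof": 'From: "Jane Example" <ceo.office@mail.example.net>\nSubject: urgent\n\nhi',
    "reordered": 'From: "Example, Jane (CEO)" <j.example@example.org>\nSubject: wire\n\nhi',
    "embedded": 'From: "jane.example@my_domain.com" <billing@example.net>\nSubject: inv\n\nhi',
    "other": "From: Bob Smith <bob@partner.example>\nSubject: lunch\n\nhi",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_from(raw))
```

The accent folding here does not catch cross-script lookalike characters, so a name spelled with substituted letters from another alphabet would need a separate confusables check.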