The threat
When a user opens the email, they will often fall for the scheme if they don't look at the actual email address. Some mail clients hide the address and show only the "friendly name" part, so you have to hover over the name to see where the message really came from.
Example:
Let's say your CEO is named "Peter Parker" (not to be confused with a certain arachnid-like person):
From: Peter Parker <[email protected]>
Subject: Need you to do a wire transfer
You'll notice the "friendly name" part is our CEO (Peter Parker), but the actual sender address is a throwaway mailbox on Gmail.
So how do you fight this?
How to block these threats
The easiest way is with a filter rule.
You want to block anything in the header that has From: Peter Parker or From: "Peter Parker" coming from the outside world.
You don't need to check whether the sender is external to your organisation, because in most cases internal mail never reaches the gateway: if the real Peter Parker emails someone else in the organization, that message doesn't transit through Proofpoint. So you can simply block any appearance of the friendly name in the From header. (If your setup does route internal mail through Proofpoint, add his real work address to the exception described further down.)
So the rule should be:
if email header contains
From: "Peter Parker, From: Peter Parker
Then Quarantine
And Require administrator to release
You'll notice that From: "Peter Parker has no closing double-quote. That's deliberate: spammers have gotten in the habit of putting trailing spaces after the name in case you do an exact match on "Peter Parker". With the open-ended string, it doesn't matter if they send "Peter Parker      " with a run of spaces between Parker and the closing double-quote; the rule still matches.
Now this rule has one issue. Let's say our hypothetical Peter Parker has a Gmail address and regularly forwards emails from his personal address to his work address. Those would be blocked by this rule.
So you would add an exception:
if email header contains
From: "Peter Parker, From: Peter Parker
AND
Sender IS NOT [email protected]
Then Quarantine
And Require administrator to release
Finally, one trick spammers use is MIME encoding of the From header (an RFC 2047 encoded-word: UTF-8 with Base64 transfer encoding), so the friendly name appears in the raw header as Base64 rather than plain text. So it's a good idea to add the Base64-encoded value of the person's name as a third string to check.
You can use base64encode.org to encode "Peter Parker" into Base64, which yields this string: UGV0ZXIgUGFya2Vy
(Note that the Base64 value changes if the encoded part contains anything besides the exact name, for example surrounding quotes or a leading space, so this string only catches the simplest variant.)
And then add it to the rule:
if email header contains
From: "Peter Parker, From: Peter Parker, UGV0ZXIgUGFya2Vy
AND
Sender IS NOT [email protected]
Then Quarantine
And Require administrator to release
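As an added example (not part of the original article and not Proofpoint's rule engine), here is a small Python checker that applies the rule above to raw From: header lines: it decodes RFC 2047 encoded-words, ignores the trailing-space trick by normalising the display name, and honours the personal-address exception. The executive name is the article's; the personal address, the throwaway Gmail address and all sample headers are constructed for the example (the article redacts the real personal address, so a placeholder is used). The example also goes one step beyond the article: it shows that a raw substring match on UGV0ZXIgUGFya2Vy only works when the encoded-word contains exactly "Peter Parker", because quotes or a leading space inside the encoded-word shift the Base64 alignment, while a check on the decoded name still catches that variant.

```python
import base64
import re
from email.header import decode_header
from email.utils import parseaddr

# Constructed data: the protected executive name from the article, and a
# placeholder for his personal address (the article redacts the real one).
PROTECTED_NAMES = {"Peter Parker"}
ALLOWED_SENDERS = {"peter parker": {"peter.parker.personal@example.com"}}

# The three strings the article's rule looks for with "header contains".
ARTICLE_RULE_STRINGS = ['From: "Peter Parker', "From: Peter Parker", "UGV0ZXIgUGFya2Vy"]


def encoded_word(text: str) -> str:
    """Wrap text as a UTF-8/Base64 RFC 2047 encoded-word (=?UTF-8?B?...?=)."""
    return "=?UTF-8?B?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="


def decode_rfc2047(value: str) -> str:
    """Decode every encoded-word in a header value; plain text passes through."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def normalize_name(name: str) -> str:
    """Drop quotes, collapse whitespace runs, lower-case: defeats the trailing-space trick."""
    return re.sub(r"\s+", " ", name.replace('"', "")).strip().lower()


def article_rule_matches(from_header: str) -> bool:
    """The article's rule as written: a raw substring match on the header line."""
    return any(s in from_header for s in ARTICLE_RULE_STRINGS)


def evaluate(from_header: str) -> str:
    """Apply the article's rule to the decoded display name: 'quarantine' or 'deliver'."""
    value = re.sub(r"^From:\s*", "", from_header, flags=re.IGNORECASE)
    display, addr = parseaddr(decode_rfc2047(value))
    name = normalize_name(display)
    if name not in {normalize_name(n) for n in PROTECTED_NAMES}:
        return "deliver"
    # The article's exception: the executive's own personal address is allowed through.
    if addr.lower() in ALLOWED_SENDERS.get(name, set()):
        return "deliver"
    return "quarantine"


# Constructed From: headers covering the article's cases plus one it does not mention.
SAMPLES = {
    "plain": "From: Peter Parker <throwaway123@gmail.com>",
    "quoted_trailing_spaces": 'From: "Peter Parker   " <throwaway123@gmail.com>',
    "encoded_name": "From: " + encoded_word("Peter Parker") + " <throwaway123@gmail.com>",
    # Quotes and a trailing space inside the encoded-word shift the Base64 alignment,
    # so the article's literal UGV0ZXIgUGFya2Vy no longer appears in the raw header.
    "encoded_quoted": "From: " + encoded_word('"Peter Parker "') + " <throwaway123@gmail.com>",
    "personal_forward": "From: Peter Parker <peter.parker.personal@example.com>",
    "unrelated": "From: Mary Jane <mj@example.org>",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:24} raw-match={article_rule_matches(header)!s:5} decoded={evaluate(header)}")
```

Running the block prints one line per sample; the "encoded_quoted" sample is the one where the raw substring match says no while the decoded check still quarantines, which is why a gateway rule on the Base64 string is a useful extra string but not a substitute for a display-name check on the decoded header.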
The final form of our rule is this:
OKAY, this sounds complicated, can you do it for me?
Yes, yes we can. We have bots that can scour your user list (as long as the first name and last name are present) to bulk-create these rules for you. You can supply us with a list of email addresses of the C-levels you want this rule done for, and we will do it for you, free of charge.
Just contact us!