Managing Nickname Impersonation

Nickname impersonation (also known as "executive spoofing") can occur when the names or email addresses of company executives are spoofed in an effort to get internal employees to disclose sensitive professional or personal information. By default, Cloud App Security automatically detects nickname impersonations for any internal user, disabled and deleted accounts, and self-impersonation. Settings can be customized based on the needs of your organization with administrator‑configured actions.

To configure Cloud App Security to detect and manage nickname impersonation attempts

1. Make certain that Anti-phishing is running and enabled. (Refer to Starting Security Applications for more information.)

2. Options to manage nickname impersonation are available when you create threat detection policies. (Refer to Creating Threat Detection Policy Rules for detailed information about all of the available policy rule options.)

   In the Advanced section, under Security Tools, click Configure Anti-Impersonation and Phishing Confidence-Level.

3. From the Detect nickname impersonation attempts from list, select one of these options:
   • Important/key-people only
   • Any internal user
4. In the Except when coming from domains field, enter any domains that you want to exempt from impersonation detections.
   • Domain names are not case-sensitive.
   • You can enter more than one domain name by separating them with a comma.

5. By default, the system determines who qualifies as important or key people by referencing the job titles as they are stored in the organization's G Suite directories.

   Administrators can also select specific people to protect from nickname impersonation by adding them to a security group. In the Important/key-people group field, enter the security group name of people to be specifically checked for nickname impersonation.

   Enter the security group name, not the email address. The group name is case-sensitive.

6. For When a nickname impersonation is detected, select one of these options:
   • Trigger "Phishing" workflow
   • Trigger "Suspicious" workflow

7. Select Detect impersonation attempts only from new/first-time sender to limit nickname impersonation detection only to never-seen-before email addresses.

   While limiting nickname impersonation protection, selecting this option greatly reduces false positive results.

8. Select Detect impersonation to disabled accounts to activate nickname impersonation detection for email accounts that are disabled.
9. Select Detect impersonation to deleted accounts to activate nickname impersonation detection for email accounts that are deleted.

10. By default impersonation detection algorithm ignores email messages that are sent from the same name as the receiver, as these email message are very unlikely to be real nickname impersonation.

    Select Include suspected self-impersonation in impersonation-detection algorithm to detect as nickname impersonation email messages that have the same email address for both the sender and the recipient.

    Enabling this option often results in increased false positives.

11. Click Ok.

To avoid false positive detections, it is recommended that you begin with a small group of senior-level people (Important/key-people only). If you want to configure nickname impersonation detection for all internal users (Any internal user), it is best to select Trigger "Suspicious" workflow.

Protected users should be advised to not use their personal email addresses, as these will be detected as impersonations.