How Shield Identifies Email Impersonation Threats

Description

This article explains what email impersonation is and how cybercriminals use it to entice recipients into taking harmful actions. It also details how Shield detects and protects against impersonation by analyzing email authentication protocols (SPF, DKIM, DMARC), name mismatches, and homographic spoofing. Shield assigns risk levels based on the confidence of impersonation indicators, helping organizations identify and block potentially dangerous emails.

What Is Impersonation?

Email impersonation occurs when a cybercriminal sends a fake email that looks like it’s from someone you know—like the CEO or a trusted company. The goal is to trick the recipient into doing something risky, such as sharing sensitive information, clicking a dangerous link, or transferring money. It’s a popular tactic in scams like phishing and business email compromise.

How Shield Protects Against Impersonation

Shield combines several pieces of information to determine if a message should be flagged as Impersonation. These include:

  • SPF: The sending email server is not listed in the domain's SPF record.
  • DKIM: The DKIM signature cannot be verified against the sending domain.
  • DMARC: The DMARC authentication checks fail for any reason, and the policy is set to reject.
  • Name Matching and Homographic Spoofing: Shield checks whether the display name in the From address matches the name associated with that email in the Global Address List. This is an organizational heuristic used to detect potential impersonation.

    Shield also flags signs of homographic spoofing—a technique where visually similar characters from different alphabets (e.g., Cyrillic and Latin) are used to create deceptive email addresses. These characters can appear in the From, Reply-To, or display name fields, making the message look legitimate to the human eye while hiding its true origin. For example, the Cyrillic "А" in "Аdele@blueboxhq.com" looks identical to the Latin "A" in "Adele@blueboxhq.com".
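The mixed-alphabet check described above can be sketched as follows. This is an added example, not Shield's implementation; the function names and the small lookalike table are assumptions made for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed subset of Cyrillic/Greek letters that render like Latin ones.
# A production check would use the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0410": "A", "\u0430": "a", "\u0415": "E", "\u0435": "e",  # Cyrillic
    "\u041e": "O", "\u043e": "o", "\u0420": "P", "\u0440": "p",  # Cyrillic
    "\u0421": "C", "\u0441": "c",                                # Cyrillic
    "\u0391": "A", "\u039f": "O", "\u03bf": "o",                 # Greek
}

def scripts(token):
    """Return the set of scripts used by the letters in token."""
    found = set()
    for ch in token:
        if ch.isalpha():
            # Unicode names start with the script: "CYRILLIC CAPITAL LETTER A".
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def skeleton(token):
    """Fold known lookalikes to Latin to show the string being imitated."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in token)

def homograph_findings(header_value):
    """Check display name, local part and domain labels of a From/Reply-To value."""
    display, addr = parseaddr(header_value)
    local, _, domain = addr.partition("@")
    tokens = display.split() + [local] + domain.split(".")
    findings = []
    for tok in tokens:
        used = scripts(tok)
        if len(used) > 1:  # a single word mixing alphabets is the signal
            findings.append((tok, sorted(used), skeleton(tok)))
    return findings

if __name__ == "__main__":
    # Constructed samples: the first address starts with Cyrillic U+0410.
    for value in ("\u0410dele@blueboxhq.com", "Adele@blueboxhq.com"):
        print(ascii(value), homograph_findings(value))
```

A word written entirely in one non-Latin script is not flagged by this check, so legitimate non-Latin names pass, but an address spelled wholly in lookalike characters would also pass and needs a separate comparison of the folded form against known names.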

The default risk level for Impersonation is High, because an Impersonation match indicates with high confidence that the message is from someone other than the anticipated sender.

Shield’s Possible Impersonation Risk Level

Possible Impersonation indicates that the message contained characteristics sometimes used to impersonate senders. These characteristics are lower confidence, since some legitimate emails also include the same characteristics. By default, Possible Impersonation is set to low risk, but can be increased if desired.

Getting Help

If you need assistance with impersonation in Shield, please contact the Partner Success team.
