Fortinet, Inc.
DETECTING EMAIL SENDER IMPERSONATION

Last updated:

Abstract:

Systems and methods for detecting email messages in which the sender is attempting to impersonate an email user of the target domain are provided. According to one embodiment, an email is received by a network security device protecting a private network. A value of at least one header field of the received email is parsed to extract a display name and an email address. A determination is made regarding whether the received email is associated with an external domain. When it is determined that the received email is associated with an external domain, then a further determination is made regarding whether the received email potentially involves sender impersonation based on a comparison of the display name with display names associated with users of the private network meeting a predetermined or configurable similarity threshold.
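The flow in the abstract (parse the header, check for an external domain, compare the display name against internal users) can be sketched as follows. This is an added example, not code from the patent or from Fortinet. It assumes the `From` header is the field inspected, and the domain `example.com`, the directory names, the `difflib` similarity measure and the 0.85 threshold are all hypothetical.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration (not from the patent text): the protected
# domain, the user directory, the similarity metric and the threshold.
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_DISPLAY_NAMES = ["Alice Johnson", "Robert Chen"]
SIMILARITY_THRESHOLD = 0.85

def normalize(name):
    """Lower-case and collapse whitespace so trivial variations still match."""
    return " ".join(name.lower().split())

def check_sender(raw_email, threshold=SIMILARITY_THRESHOLD):
    """Return (suspicious, matched_name, score) for the From header."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    # Only mail from an external domain is compared against internal names.
    if not display_name or domain in INTERNAL_DOMAINS:
        return (False, None, 0.0)
    best_name, best_score = None, 0.0
    for known in INTERNAL_DISPLAY_NAMES:
        score = SequenceMatcher(None, normalize(display_name),
                                normalize(known)).ratio()
        if score > best_score:
            best_name, best_score = known, score
    if best_score >= threshold:
        return (True, best_name, best_score)
    return (False, None, best_score)

# Constructed sample messages (not real traffic).
SAMPLES = {
    "exact": 'From: "Alice Johnson" <alice.johnson@mail-example.net>\n\nHi',
    "typo": 'From: Alice Jonhson <ceo.office@freemail.example.org>\n\nHi',
    "internal": 'From: "Alice Johnson" <alice.johnson@example.com>\n\nHi',
    "unrelated": 'From: Newsletter Team <news@vendor.example.org>\n\nHi',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_sender(raw))
```
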

Status:

Application

Type:

Utility

Filing date:

28 Mar 2018

Issue date:

3 Oct 2019