Mail arrives as 'Jan Janssen <random@gmail.com>' looking like the boss
Display-name spoofing is not caught by SPF, DKIM, or DMARC: those checks validate the sending domain, and here the From domain is another legitimate domain (gmail.com, outlook.com). The attacker sets the display name to 'Jan Janssen, CEO' and the mail looks credible. Countermeasure: anti-impersonation rules on the mail gateway, plus training.
Try this first
1. Microsoft Defender → Anti-phishing policies → Impersonation. Add internal key people (CEO, CFO, finance). Defender flags inbound mail from external domains that uses their display name.
2. Add an anti-spoofing transport rule: if the display name resembles an internal CEO name, prepend a warning or send the mail to quarantine.
3. Train staff: always look at the full email address between < and >, not just the display name. One page, one example.
4. Enable the external-sender warning banner in Outlook (caution: external sender). Helps in edge cases.
5. On confirmed attempts: report to the sender host (gmail.com abuse), not just block locally.
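
The matching that steps 1 and 2 rely on, as an added example (not code from this page and not how Microsoft Defender implements it): an external sender whose display name equals or closely resembles a protected name is quarantined or flagged. The protected name list, the internal domain `example.nl`, the title list and the 0.85 similarity threshold are assumptions.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed values for this example; replace with your own key people and domains.
PROTECTED_NAMES = ["Jan Janssen"]
INTERNAL_DOMAINS = {"example.nl"}
TITLES = {"ceo", "cfo", "director", "finance"}


def normalize(name):
    """Lower-case, drop accents, punctuation and job titles, sort the tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = "".join(c if c.isalnum() else " " for c in text)
    return " ".join(sorted(t for t in text.split() if t not in TITLES))


def check_from(header, threshold=0.85):
    """Return 'quarantine' (exact name), 'warn' (lookalike name) or 'ok'."""
    display, address = parseaddr(header)
    domain = address.rpartition("@")[2].lower()
    if not display or domain in INTERNAL_DOMAINS:
        return "ok"  # internal senders are a job for SPF/DKIM/DMARC, not this rule
    candidate = normalize(display)
    protected = [normalize(p) for p in PROTECTED_NAMES]
    if candidate in protected:
        return "quarantine"
    best = max(SequenceMatcher(None, candidate, p).ratio() for p in protected)
    return "warn" if best >= threshold else "ok"


# Constructed From headers, not taken from real mail.
SAMPLES = [
    "Jan Janssen <random@gmail.com>",
    '"Jan Janssen, CEO" <ceo.office@outlook.com>',
    '"Janssen, Jan" <jj1985@gmail.com>',
    "Jan Jansen <random@gmail.com>",
    "Jan Janssen <jan.janssen@example.nl>",
    "Piet de Vries <piet@gmail.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_from(header):<10} {header}")
```

Sorting the name tokens makes "Janssen, Jan" match "Jan Janssen", and the similarity ratio catches one-letter variants such as "Jan Jansen" that an exact-match rule would miss.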
When to bring us in
Repeated BEC attempts on finance? A conversation with your bank about payout checks (callback on IBAN change) is needed alongside technical controls.
See also
- Our emails land in spam for some recipients: Almost always an SPF, DKIM, or DMARC setting that is wrong or missing, or a sender name that mimics a well-known brand.
- Someone reports receiving phishing emails "from us": Read: spoofing. Someone is abusing your sender name, not necessarily your actual mailbox.
- An email bounces (NDR): delivery failed: The NDR text usually states the exact reason. Reading it is step one.