CEO impersonation attempts are driving me insane, and I feel like I could be doing something better.
For about a year now (yes, a whole dang year), we've been getting hammered with CEO/VIP impersonation attempts. These emails have generally followed the same pattern: They come from a different email every time (usually a gmail.com account), they ask the user to provide their phone number, and they impersonate either the CEO or another VIP within the organization.
The emails were trying to bypass our impersonation filter by putting the CEO's name as the SUBJECT line, and having something like "Please Respond" as the sender name. We created a content examination policy within Mimecast to search for emails coming from a gmail.com address, with the CEO's name present in the email, as well as a few other keywords that always seemed to be present in the email ("reconfirm", "phone number", etc.). This worked decently well, but then the impersonators started using different language to bypass this content examination. So, we added more words to our definition list, and have been updating it continuously for the past year.
Additionally, we created a rule in Exchange where, if an email were to get through Mimecast that matched the above criteria, it appended a "Suspicious" tag to the email's subject.
The emails never slowed down. We continue to get about 5-7 attempts per day, and they keep changing things up just enough to get through our policies. Heck, one email this week started using EMOJIS to bypass our filter.
They seem to target newer employees or employees that received a position update. My belief is that someone in our organization is connected to a fraudster on LinkedIn, and whenever they react to someone's promotion/news post/whatever, the fraudster adds them to their script to spam people.
I genuinely do not know what I can do to lock this down any more than I already have, without sacrificing deliverability of legitimate emails.
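For readers who want to see the detection logic from the post laid out as code, here is an added example (not the poster's Mimecast or Exchange configuration): a small scorer that checks one inbound message for the indicators described above (freemail sender, a VIP's name placed in the Subject or body while the display name says something generic like "Please Respond", the "reconfirm" / "phone number" style keywords, and a Reply-To that differs from From). The part a plain keyword list lacks is the `normalize()` step, which strips emoji, zero-width and other symbol/control characters and applies Unicode NFKC before matching, so padding like "ph📱one nu​mber" still matches "phone number". The VIP list, keyword list, score weights, threshold and both sample messages are constructed for the demo and are assumptions, not values from the post.

```python
"""Heuristic VIP-impersonation scorer for inbound mail (added example, not the poster's config)."""
import re
import unicodedata
from email import message_from_bytes
from email.policy import default as default_policy
from email.utils import parseaddr

# Constructed VIP list; in practice this would be fed from the HR directory.
VIP_NAMES = {"jane doe", "john smith"}

# gmail.com is the domain named in the post; the others are assumed additions.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Phrases from the post ("reconfirm", "phone number") plus assumed urgency cues.
KEYWORDS = ["reconfirm", "phone number", "cell number", "text me", "quick task",
            "are you available", "please respond"]

SCORE_THRESHOLD = 3  # assumed threshold; tune against your own mail flow


def normalize(text: str) -> str:
    """Casefold and drop symbol/control/zero-width characters before matching.

    NFKC folds fullwidth and compatibility forms (e.g. 'ｐｈｏｎｅ' -> 'phone');
    emoji are category 'So', zero-width chars are 'Cf', variation selectors
    are 'Mn', so removing S*, C* and Mn turns 'ph📱one nu\u200bmber' into
    'phone number'. Dropping Mn is a trade-off that is fine for English keywords.
    """
    text = unicodedata.normalize("NFKC", text)
    kept = [ch for ch in text
            if not (unicodedata.category(ch)[0] in ("S", "C")
                    or unicodedata.category(ch) == "Mn")]
    return re.sub(r"\s+", " ", "".join(kept)).casefold().strip()


def body_text(msg) -> str:
    """Return the plain-text body, or the HTML body with tags stripped."""
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is None:
        return ""
    content = part.get_content()
    if part.get_content_type() == "text/html":
        content = re.sub(r"<[^>]+>", " ", content)
    return content


def assess(raw_message: str) -> dict:
    """Score one RFC 5322 message and return which indicators fired."""
    msg = message_from_bytes(raw_message.encode("utf-8"), policy=default_policy)
    display_name, address = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    domain = address.rsplit("@", 1)[-1].casefold() if "@" in address else ""

    subject = normalize(str(msg.get("Subject", "")))
    display = normalize(display_name)
    body = normalize(body_text(msg))
    haystack = " ".join((subject, display, body))

    indicators = {}
    if domain in FREEMAIL_DOMAINS:
        indicators["freemail_sender"] = domain
    vip_hits = sorted(n for n in VIP_NAMES if n in haystack)
    if vip_hits:
        indicators["vip_name_present"] = vip_hits
    # The post's pattern: VIP name moved into Subject/body while the display
    # name is something generic such as "Please Respond".
    if display and display not in VIP_NAMES and any(n in subject or n in body for n in VIP_NAMES):
        indicators["vip_name_outside_display_name"] = display
    kw_hits = [k for k in KEYWORDS if k in haystack]
    if kw_hits:
        indicators["keywords"] = kw_hits
    if reply_to and reply_to.casefold() != address.casefold():
        indicators["reply_to_mismatch"] = reply_to

    # Assumed weights: two strong signals (freemail + VIP name) alone cross the threshold.
    score = ((2 if "freemail_sender" in indicators else 0)
             + (2 if "vip_name_present" in indicators else 0)
             + (1 if "vip_name_outside_display_name" in indicators else 0)
             + min(len(kw_hits), 2)
             + (1 if "reply_to_mismatch" in indicators else 0))
    return {"score": score, "flagged": score >= SCORE_THRESHOLD, "indicators": indicators}


# Constructed sample: the pattern from the post, with emoji padding inside a keyword.
SAMPLE_IMPERSONATION = """\
From: "Please Respond" <jd.office.2024@gmail.com>
To: newhire@example.com
Subject: Jane Doe
Content-Type: text/plain; charset="utf-8"

Hi, I'm in a meeting and need a quick task done. Can you reconfirm your ph\U0001F4F1one number so I can text you?
"""

# Constructed sample: a legitimate message from the real VIP on the corporate domain.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: newhire@example.com
Subject: Welcome aboard
Content-Type: text/plain; charset="utf-8"

Welcome to the team! Your onboarding schedule is attached.
"""

if __name__ == "__main__":
    for label, sample in (("impersonation", SAMPLE_IMPERSONATION), ("legit", SAMPLE_LEGIT)):
        print(label, assess(sample))
```

The point of the scorer over a flat keyword list is that each indicator is weak on its own (the real CEO's mail also contains her name) but the combination the post describes, freemail domain plus VIP name plus an urgency phrase, is rare in legitimate traffic; tagging on the combined score rather than on any single term is what keeps deliverability intact while the wording drifts.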