Understanding Check Point Smart Banners
Check Point Harmony Email & Collaboration · IT Services Knowledge Base
ℹ️ What are Smart Banners?
Smart Banners are informational notices that Check Point automatically adds to the top of certain incoming emails. They are only added to emails that have been scanned and confirmed as clean — they are not a warning that an email is malicious, but rather a prompt to make you aware of something noteworthy about the email, such as who sent it or what it contains.
Smart Banners serve two key purposes:
- Cyber awareness — drawing your attention to suspicious characteristics that, combined with your own judgement, may indicate a risky email
- Policy reminders — alerting you to follow company policy for certain types of email, such as those containing invoices or requests to update payment details
🎨 Banner Severity Colours
Each banner is colour-coded to indicate its severity level. When you see a banner on an email, check the colour to understand how carefully you should review it.
| Colour | Severity | What it means |
| --- | --- | --- |
| Red | High | Exercise significant caution — this email has characteristics commonly associated with fraud or impersonation |
| Orange | Medium | Review carefully before taking action — the email has some characteristics that warrant extra attention |
| Yellow | Low | Be aware — the email has a minor characteristic worth noting, such as coming from an external sender |
| Blue | Informational | For information only — no specific concern, just a helpful contextual note |
📋 Active Smart Banners — Full Reference
All of the following Smart Banners are currently enabled on our mail platform. Use this table to understand why a banner may appear on an email you receive.
Business Email Compromise
| Banner | What it means | Severity |
| --- | --- | --- |
| Request to update payment details | This email resembles a request from a vendor to change their payment details. Do not action any payment changes without verifying through a known contact. | High |
| Sender resembles a real contact | The sender's name or address is similar to, but not the same as, someone you have previously corresponded with. Check the sender's address carefully. | High |
| Invoice from a new vendor | This invoice has come from a vendor you have not previously had contact with. Verify legitimacy before processing. | Medium |
| Payroll information update request | An external sender is requesting an update to payroll information. Always verify such requests through official HR channels before taking action. | Low |
Financial Transaction Requests
| Banner | What it means | Severity |
| --- | --- | --- |
| Payment request via payment service | This email contains a payment request received via an external payment service account. Verify the request is expected before proceeding. | Low |
| Emails with Invoices / POs | This email contains an invoice or purchase order requesting payment. Ensure it is expected and matches your records before approving. | Low |
Avoiding Inspection
| Banner | What it means | Severity |
| --- | --- | --- |
| Emails with links to restricted resources | This email contains links to resources with restricted access which may be an attempt to bypass security inspection. Do not click links unless you are certain of the source. | Low |
| Emails appear to be from an e-sign service | This email appears to reference an electronic signature and may contain links that cannot be fully inspected. Verify its authenticity before clicking any links or taking action. | Low |
Fundamentals
| Banner | What it means | Severity |
| --- | --- | --- |
| Reply-to domain recently created and its address is different than the sender's | The reply-to address is different from the sender's address, and the reply-to domain was only recently created. Replying to this email may send your response to an unintended recipient. | High |
| Sender name different than address | The sender's display name is significantly different from their actual email address, which may indicate an impersonation attempt. Check the full email address carefully. | High |
| Sender SPF failed | This email failed Sender Policy Framework (SPF) authentication checks, meaning it could not be verified as genuinely sent from the stated domain. Treat with caution. | Medium |
| Sender domain created recently | The domain this email was sent from was only recently created (within the last 100 days). Newly created domains are often associated with fraudulent activity. | Medium |
| Incoming emails from external senders | This email has been sent from outside the organisation. This is for awareness only and does not indicate anything suspicious. | Info |
Impersonation
| Banner | What it means | Severity |
| --- | --- | --- |
| First-time sender | This is the first time you have received an email from this sender. This does not mean the email is unsafe, but exercise normal caution with links and attachments. | Low |
| Sender resembles a person within the organisation | This email is from a first-time sender whose display name matches that of someone within the organisation. Verify the sender's actual email address before responding or taking action. | Medium |
⚠️ What should I do when I see a banner?
- Read the banner — it will tell you exactly what Check Point has identified about the email
- Do not click links or open attachments on any email with a red (High) banner without first verifying the sender through a separate channel
- Never action financial requests (payment detail changes, invoice approvals, payroll updates) based solely on an email — always verify independently
- If in doubt, report it — use the Check Point Outlook Add-In to report the email to IT Security
- A banner does not mean the email is definitely malicious — it is a prompt to apply extra caution
🆘 Need help?
If you receive an email with a banner and are unsure whether it is safe, please contact the IT Service Desk and reference "Check Point Smart Banner". Do not action the email until you have received guidance.