Keelings Case Study - Irish Fresh Produce Leader Stops CEO Impersonation Attacks

Irish fresh produce leader deploys IRONSCALES alongside Mimecast to stop CEO impersonation attacks and gain 224% more threat visibility in 90 days.

Company Intro

Keelings is a 100% Irish-owned, third-generation family business that has been growing, sourcing, and distributing fresh produce since 1926. Headquartered in Dublin, Ireland, the company farms over 3,000 hectares across Ireland, Costa Rica, and Brazil, sources from 46 countries, and supplies more than 1,000 customers across 30 countries worldwide. Keelings employs over 2,700 people from 58 nationalities across seven countries, with operations spanning fresh fruit, vegetables, flowers, and ERP software solutions.

The Problem

Keelings’ IT security stack relied on Mimecast as a gateway filter, and it did that job well, catching bulk spam and known threats before they reached employee inboxes. But a different class of attack was getting through, and those were the ones that mattered most.

CEO impersonation emails were reaching employee inboxes. On at least four separate occasions, well-crafted messages impersonating the chief executive led to gift voucher purchases. The emails were sophisticated enough to bypass gateway filters and convincing enough that even security-aware staff were caught off guard.

The incident response process highlighted the gap. When a suspicious email was reported, the team had to manually search gateway logs, identify every recipient, send individual warnings, and hope people actually deleted the message. The process was largely manual and rule-based, with limited intelligence behind it.

The rise of AI-generated phishing made the problem worse. The old giveaway signs (bad grammar, awkward phrasing) were disappearing. Keelings needed something that could learn and adapt, not just match patterns.

It’s about as close to ‘set it and forget it’ as you can get, especially compared to the daily management a traditional gateway requires with all its rules and policies.
Warwick Botwright

The Evaluation

Warwick Botwright, Group Head of IT Infrastructure, Security and Operations at Keelings, evaluated four vendors with his team alongside Mimecast’s own advanced offering. Abnormal Security impressed them in a demo, but the price put it out of reach. PhishTitan (from TitanHQ) was too new to the market. Mimecast’s own inline add-on was similarly immature. That narrowed the field to IRONSCALES and Checkpoint (Harmony).

Checkpoint’s architecture raised concerns. Rather than a true API integration, it used a journal-based approach, essentially moving copies of email traffic rather than analyzing mailboxes directly. “I didn’t want another hop for mail to go through and potentially a point of failure,” Warwick says. “It’s a mirroring of mail, rather than delving into somebody’s mailbox and analyzing it.”

IRONSCALES went through a full proof of concept. The platform connected via API in minutes and immediately began analyzing mailbox history going back 90 days. During the read-only POC period, a live CEO impersonation email arrived. IRONSCALES flagged it. The team couldn’t take action yet (read-only mode), but they could see exactly what would have been caught. That single moment validated the investment.

The sales experience reinforced the decision. “Charlie was bang on it,” Warwick says. “Very easy to work with, very accommodating, knowledgeable, pulling the right people in at the right time.” The experience with other vendors lacked that same connection. “You want to be able to have a relationship and feel comfortable on a call with somebody,” Warwick explains. “And it just clicked.” For a security purchase that requires trust and ongoing partnership, that personal rapport carried real weight.

The Solution

IRONSCALES went active in January 2026, deployed alongside Mimecast with no changes to mail flow. The API-based integration connected directly to Microsoft 365, giving the platform visibility into every mailbox without adding routing complexity or creating a new point of failure. From the moment of connection, the platform began building behavioral profiles for every mailbox user, learning who they communicate with, the patterns and frequency of those communications, and the typical tone and style of legitimate messages. These baselines allowed IRONSCALES to start distinguishing normal activity from anomalous behavior within days of deployment.

When we activated it, nobody noticed across the business. We activated banners, sent communications. Nobody talked about it. And that’s quite refreshing, because generally when we make a change across the business, there’s a bunch of people who chirp up.
Warwick Botwright

The team ran IRONSCALES in read-only mode during the POC, then transitioned to active remediation. “Let’s tread carefully with this,” Warwick recalls of the cautious rollout. When they flipped the switch, not a single employee noticed. No complaints, no disruption, no pushback. The daily quarantine digest replaced what had been a manual process of chasing down recipients one by one.

Warwick noticed how many emails the daily digest was pulling from mailboxes across the business. Messages that users used to open, evaluate, and delete manually (roughly 30 to 35 per day in some cases) were now handled automatically. What used to take 20 minutes of someone’s day now takes 15 seconds scanning a single summary email.

On February 5, the team enabled IRONSCALES adaptive spam filtering. The impact was immediate: spam detection volume jumped from near-zero to over 7,500 emails per week as the platform began surfacing unwanted mail that had previously gone undetected or uncategorized by the SEG. The volume stabilized within weeks as the models tuned to Keelings’ specific mail patterns.

The team also deployed the IRONSCALES report phishing button across all Outlook installations, replacing the native Microsoft button. Adoption was immediate: 65 employee reports submitted organically in the first 90 days, with no formal training or awareness campaign driving it.

Outcomes

In its first 90 days, IRONSCALES inspected and monitored 3.5 million emails and automatically remediated 584 email attacks. This represented a 224% increase in threat visibility compared to the previous 90-day period before full deployment.

The threat breakdown told a clear story. General phishing accounted for 262 detections. Vendor scams followed at 188. Credential theft added another 91. The remaining threats included image-based attacks, advance-fee scams, vishing, and invoice phishing. Twenty employees flagged as VIP targets were actively attacked with 114 dedicated BEC and phishing attempts.

The mailbox anomaly detection proved especially valuable. IRONSCALES identified 1,235 mailbox anomalies, including 742 exact display name impersonation attempts. This is the same attack technique that had previously resulted in multiple gift voucher fraud incidents. The difference: now those emails are caught and removed before anyone can act on them.

Compared to their segment peers, Keelings faces 37% more phishing attempts, which validates the decision to add dedicated AI protection beyond the SEG. The platform’s agentic SOC engine handles the heavy lifting, resolving the majority of incidents automatically and escalating only what requires human judgment.

The operational impact matched the detection results. “We don’t need to tweak it,” Warwick says. No rule tuning. No policy updates. No constant feeding and watering.

One incident captured the product’s flexibility perfectly. Shortly after Keelings deployed the UKG Ready HR platform, a legitimate system notification was mistakenly reported as phishing. IRONSCALES immediately removed 1,500 copies of that email from mailboxes across the organization. Warwick spotted the error, reclassified the email as safe, and every copy dropped back into the correct inboxes instantly.

Nobody notices because it just drops straight back into people’s mailboxes. It’s so reversible on any mistake you make.
Warwick Botwright
90-Day Metrics
3.5M
Emails Monitored
584
Phishing Emails Remediated
742
Impersonation Attempts Caught
+224%
Threat Visibility Increase

Explore More Articles

Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.