Spotting the Impostor: Protecting Your Company from Executive Email Scams

Today we dive into recognizing Business Email Compromise, especially the red flags in executive impersonation: urgent payment instructions, subtle look‑alike domains, mismatched tone, and sneaky reply‑to tricks. You’ll get practical checklists, relatable stories, and technical steps for prevention, so finance, assistants, and security can stop fraudulent transfers together, confidently verifying requests before money moves and strengthening trust across the organization. Share your close calls or questions, and subscribe for new checklists, case studies, and verification scripts your team can use tomorrow.

How the Con Unfolds: From Reconnaissance to the Ask

Recon on Your Leadership and Finance Teams

Attackers mine LinkedIn, company press releases, conference agendas, and social posts to learn who approves payments, who covers during travel, and which vendor payments are in cycle. Out-of-office replies leak travel dates, assistants' names, and urgency windows, enabling precisely timed emails that feel eerily legitimate.

Seeding Trust Before the Big Request

Some adversaries send harmless updates first, reply within existing threads, or mirror internal shorthand to normalize their presence. Conversation hijacking from a compromised vendor mailbox adds attachments, prior approvals, and quoted signatures, making the later payment instruction appear like a routine step, not a trap.

The Pivotal Message: Urgency, Secrecy, and the Wire

The decisive email leans on urgency and discretion, citing closing deadlines, regulator holds, or sensitive acquisitions. It may request a new beneficiary, split transfers across accounts, or insist on bypassing finance protocols “just this once,” exploiting authority, time pressure, and fear of slowing the business.

Language Clues That Don’t Sound Quite Right

Words carry fingerprints. Impersonators often misuse corporate idioms, over-punctuate, or adopt odd politeness like “kindly process” that your executives never use. Small inconsistencies across greetings, capitalization, emoji, or sign-offs accumulate into a clear signal. Training attention to these linguistic tells helps nontechnical teams stop fraud even when headers seem clean.

Tone Mismatches and Uncharacteristic Politeness or Abrasiveness

Compare suspected messages with known habits: concise versus verbose, bullets versus paragraphs, warmth versus brevity. Impersonators often swing too polite, too curt, or strangely formal. Phrases like "do the needful," "as per," or "revert back" can flag an external origin when nobody in your organization writes that way, especially when paired with unusual pressure or secrecy.

Formatting, Signatures, and Time Habits

Notice spacing, dash styles, the order of titles and phone numbers, and whether direct dial extensions match your directory. Check sending times against normal patterns and travel calendars. A midnight request from someone who never emails late should trigger verification before any approval flows forward.

Context Misses and Odd Attachments

Requests referencing nonexistent projects, outdated vendors, or the wrong subsidiary often betray outsiders. Attachments may be password-protected archives, image-only invoices, or cleverly named PDFs that never match your usual file conventions. If the context feels off, pause the process and verify through trusted channels immediately.

Technical Telltales in Headers and Domains

Even slick social engineering leaves technical crumbs. Look for display-name spoofing, look‑alike domains, reply‑to mismatches, and failing SPF, DKIM, or DMARC. Message paths, Return‑Path alignment, and geo anomalies can betray the forgery. Pair these checks with automated controls, but also keep manual spot-inspection skills sharp across finance and executive assistants.


The Domain Doppelgänger and Display Name Deception

Attackers register near-twins like examp1e.com, put your real domain name in front of one they control (example.com.mailsecure.net), or simply set the display name to your CEO while sending from a free mailbox. Mail clients show the friendly name first, so expand the header, read the actual address inside the angle brackets, and compare its domain against the domains you own: a genuine subdomain ends in your domain, a doppelgänger merely contains or resembles it.


Reply-To, Return-Path, and Authentication Results

Check whether Reply‑To differs from From, whether Return‑Path (the envelope sender) aligns with the visible From domain, and how SPF, DKIM, and DMARC evaluated the message in the Authentication‑Results header. A passing SPF or DKIM result only proves that the domain the check ran against authorized the message; when that domain is an attacker‑controlled Return‑Path or signing domain rather than the domain shown in From, the result is unaligned and the message should be treated as unauthenticated. The reverse also holds: a message from a freshly registered look‑alike domain with its own SPF and DKIM records passes all three checks cleanly, so authentication results rule out spoofing, not impersonation. Quarantine or banner warnings help nonexperts pause before acting.
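The header checks from this section and the domain doppelgänger section above, as one added example (not code from the original article): it parses a raw message, compares the From address against a list of protected domains using a confusable-character skeleton, flags VIP display names on outside addresses, compares Reply-To and Return-Path with From, and reads the Authentication-Results header to catch a passing SPF or DKIM result that is not aligned with the visible From domain. The protected domains, VIP names, free-mail list and both sample messages are constructed assumptions for the demonstration.

```python
"""Flag BEC header red flags in a raw RFC 5322 message (added example)."""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

PROTECTED_DOMAINS = {"example.com"}     # assumed: domains the company owns
VIP_NAMES = {"dana ortiz"}              # assumed: executives worth impersonating
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}

# Digits and symbols attackers substitute for letters; "rn"/"vv" handled below.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})

# Constructed sample: look-alike domain, VIP display name, free-mail Reply-To.
# Note that SPF passes and is aligned, yet the domain is not ours at all.
SUSPECT_MESSAGE = b"""\
Return-Path: <bounce@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none header.from=examp1e.com
From: "Dana Ortiz, CEO" <dana.ortiz@examp1e.com>
Reply-To: <dana.ortiz.ceo@gmail.com>
To: ap@example.com
Subject: Urgent wire today

Kindly process the attached wire before the bank closes. Keep this confidential.
"""

# Constructed sample: a genuine, fully aligned internal message.
CLEAN_MESSAGE = b"""\
Return-Path: <dana.ortiz@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Dana Ortiz <dana.ortiz@example.com>
To: ap@example.com
Subject: Q3 board deck

Attached for review.
"""


def skeleton(domain: str) -> str:
    """Collapse visually similar spellings so examp1e.com and exarnple.com match example.com."""
    d = domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z0-9.]", "", d)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str):
    """Return the protected domain this domain imitates, or None if it is ours or unrelated."""
    if not domain or any(domain == g or domain.endswith("." + g) for g in PROTECTED_DOMAINS):
        return None
    for good in PROTECTED_DOMAINS:
        if skeleton(domain) == skeleton(good):
            return good
        if good.split(".")[0] in domain:          # example.com.mailsecure.net, example-payments.com
            return good
        if difflib.SequenceMatcher(None, domain, good).ratio() >= 0.85:
            return good
    return None


def auth_results(msg) -> dict:
    """Pull method results and the domains they were evaluated against."""
    header = str(msg.get("Authentication-Results", ""))
    out = {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}
    m = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", header)
    out["spf_domain"] = m.group(1).lower() if m else ""
    m = re.search(r"header\.d=([^\s;]+)", header)
    out["dkim_domain"] = m.group(1).lower() if m else ""
    return out


def analyze(raw: bytes) -> list:
    """Return a list of human-readable red flags for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    rp_dom = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])

    imitated = lookalike(from_dom)
    if imitated:
        flags.append(f"From domain {from_dom} resembles protected domain {imitated}")
    if any(v in display.lower() for v in VIP_NAMES) and from_dom not in PROTECTED_DOMAINS:
        flags.append(f"display name {display!r} claims a VIP but the address is {from_addr}")
    if from_dom in FREEMAIL or reply_dom in FREEMAIL:
        flags.append("executive mail routed through a free webmail provider")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if rp_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom} is not aligned with From domain {from_dom}")

    ar = auth_results(msg)
    if ar.get("dmarc") != "pass":
        flags.append(f"DMARC result is {ar.get('dmarc', 'missing')}")
    if ar.get("spf") == "pass" and ar["spf_domain"] != from_dom:
        flags.append(f"SPF passed for {ar['spf_domain']}, not for the visible From domain")
    if ar.get("dkim") == "pass" and ar["dkim_domain"] != from_dom:
        flags.append(f"DKIM signed by {ar['dkim_domain']}, not by the visible From domain")
    return flags


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, analyze(raw) or ["no flags"])
```

The suspect sample passes SPF with full alignment, which is exactly the case the paragraph warns about: the look-alike domain belongs to the attacker, so authentication says nothing about who is writing. The skeleton and substring checks catch it anyway, and the free-mail Reply-To gives a second, independent signal.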


Mailbox Rules, OAuth Apps, and Impossible Travel

Compromise often surfaces through silent forwarding to external addresses, rules that delete or hide replies, suspicious OAuth grants to "productivity" apps with mailbox read or send permissions, or logins from locations the user could not have reached in the time between sessions. Audit mailbox rules, review app consents, enforce MFA, and alert on unusual sessions so attackers cannot lurk and manipulate conversations undetected.
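Two of the audits above as an added example, not code from the original article: a scorer for exported inbox rules that looks for external forwarding, finance keywords, reply deletion and near-empty rule names, and an impossible-travel check that computes the great-circle speed between consecutive sign-ins per user. The rule and sign-in records are a constructed, simplified shape rather than any vendor's export format, and the 1000 km/h threshold and keyword lists are assumptions to tune locally.

```python
"""Score inbox rules and detect impossible travel in sign-in logs (added example)."""
import math
from datetime import datetime

INTERNAL_DOMAINS = {"example.com"}   # assumed: our own domains
MONEY_WORDS = {"invoice", "wire", "payment", "bank", "ach"}
COVER_WORDS = {"fraud", "suspicious", "hacked", "phish", "password", "re:"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items"}
MAX_SPEED_KMH = 1000                 # assumed: faster than any airline trip including airports

# Constructed inbox rules in a simplified shape (not a real export format).
RULES = [
    {"user": "cfo@example.com", "name": ".", "forward_to": ["archive.backup@gmail.com"],
     "delete": False, "conditions": {"subject_contains": ["invoice", "wire", "payment"]}},
    {"user": "cfo@example.com", "name": "Newsletters", "forward_to": [],
     "delete": False, "move_to": "Reading", "conditions": {"from_contains": ["news@"]}},
    {"user": "ap@example.com", "name": "rule1", "forward_to": [],
     "delete": True, "conditions": {"subject_contains": ["re:", "fraud"]}},
]

# Constructed sign-ins: (user, UTC timestamp, latitude, longitude).
SIGNINS = [
    ("cfo@example.com", "2024-05-06T08:02:00Z", 51.5074, -0.1278),   # London
    ("cfo@example.com", "2024-05-06T09:40:00Z", 6.5244, 3.3792),     # Lagos, 98 minutes later
    ("ap@example.com", "2024-05-06T08:00:00Z", 40.7128, -74.0060),   # New York
    ("ap@example.com", "2024-05-06T17:30:00Z", 42.3601, -71.0589),   # Boston, 9.5 hours later
]


def rule_findings(rule: dict) -> list:
    """Return the reasons one inbox rule deserves a human look."""
    findings = []
    external = [a for a in rule.get("forward_to", [])
                if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards to external address " + ", ".join(external))
    words = {w.lower() for w in rule.get("conditions", {}).get("subject_contains", [])}
    if rule.get("delete") and words & COVER_WORDS:
        findings.append("deletes replies that could expose the fraud")
    hidden = rule.get("move_to", "").lower() in HIDING_FOLDERS
    if words & MONEY_WORDS and (external or rule.get("delete") or hidden):
        findings.append("silently diverts finance-related mail")
    if len(rule.get("name", "").strip(" .,;-_")) <= 1:
        findings.append("near-empty rule name hides it in the rule list")
    return findings


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh=MAX_SPEED_KMH) -> list:
    """Return (user, km, hours, km/h) for consecutive sign-ins that exceed max_kmh."""
    by_user = {}
    for user, ts, lat, lon in sorted(signins, key=lambda s: (s[0], s[1])):
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_user.setdefault(user, []).append((t, lat, lon))
    alerts = []
    for user, events in by_user.items():
        for (t0, la0, lo0), (t1, la1, lo1) in zip(events, events[1:]):
            km = haversine_km(la0, lo0, la1, lo1)
            hours = max((t1 - t0).total_seconds() / 3600, 1 / 60)   # floor at one minute
            if km / hours > max_kmh:
                alerts.append((user, round(km), round(hours, 2), round(km / hours)))
    return alerts


if __name__ == "__main__":
    for rule in RULES:
        print(rule["user"], repr(rule["name"]), rule_findings(rule) or ["ok"])
    for alert in impossible_travel(SIGNINS):
        print("impossible travel:", alert)
```

The rule named "." is the classic pattern: an unobtrusive name, finance keywords in the condition, and a forward to a mailbox the attacker reads. The sign-in check only uses consecutive events, so a user on a VPN that exits abroad will trip it too; treat the alert as a prompt to verify with the person, not as proof on its own.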

Process Red Flags Around Money Movement

Fraudulent transfers ride on process gaps, not just clever words. Watch for last‑minute beneficiary changes, requests to skip approvals, altered invoice numbers, unusual currencies, or splitting payments across unfamiliar accounts. When policies are bypassed, risk skyrockets. Strong verification rituals transform hesitation into an accepted, celebrated guardrail that protects growth.

Last-Minute Bank Detail Changes and New Beneficiaries

Treat any account change as high risk, especially when coupled with urgency or a vendor claiming their bank is under audit. Require independent confirmation using known contacts, and delay disbursement until treasury validates ownership. Document the check and share outcomes to normalize protective friction.

Urgent End-of-Day or Pre-Holiday Requests

Attackers love cutoff times, holiday staffing gaps, and quarter‑end chaos. They press for wires before banks close or urge gift card purchases for “surprise recognition.” Build cooling‑off windows, after‑hours verification rules, and escalation paths that give employees permission to slow down despite pressure.

Verify Before You Transfer: Human-in-the-Loop Defenses

Verification is a skill and a culture, not an inconvenience. Clear out‑of‑band steps, known phone numbers, and dual approvals stop losses without paralyzing work. Equip teams with scripts, challenge phrases, and comfortable ways to push back, turning awkward moments into confident, repeatable safeguards that executives publicly endorse.

Out-of-Band Call-Backs That Actually Work

Always call using directory numbers or previously verified contacts, never those supplied in the email. Ask for mutually known details, or a pre‑agreed phrase, and confirm amounts, beneficiaries, and invoice numbers aloud. Record outcomes in your payment log to strengthen institutional memory and audits.

Dual Authorization and Positive Pay

Require two approvers for wires and high‑value ACH, and enroll in bank controls like positive pay and callbacks. Separation of duties limits single points of failure. When in doubt, hold the payment and escalate gracefully; no legitimate project collapses because of prudent verification.

Incident Response When You Suspect a Scam

If a request feels wrong, stop the transaction, alert treasury, and have the bank attempt a recall immediately; the sooner the bank is told, the better the odds of freezing the funds before they are moved on. Preserve the full message with its headers, export mailbox audit logs and sign‑in history, reset passwords, revoke active sessions and suspicious OAuth grants, and remove any inbox rules the attacker created. Notify legal, insurers, and law enforcement early, then brief leadership with clear facts and next best actions.

Harden the System: Tools, Training, and Culture

Technology reduces exposure, but people create resilience. Combine DMARC enforcement, VIP impersonation detection, and conditional access with story‑driven education and a reporting culture. Reward early flags, publish near‑misses, and run tabletop exercises so everyone practices calm verification under pressure before real money is on the line.