Triage Suspicious Emails
Analyze a suspicious email's headers, links, and content to quickly determine whether it is a phishing attempt before taking any action.
Detect Executive Impersonation Attempts
Identify business email compromise attacks where fraudsters impersonate executives to request wire transfers or sensitive data.
Quick answer: Use the Phishing Email Checker tool through ToolRouter to detect executive impersonation attempts directly from Claude, ChatGPT, Microsoft Copilot, and OpenClaw — connect once, then drive it with plain-language prompts. No code required.
ToolBusiness email compromise attacks targeting executives — CEO fraud, CFO impersonation, wire transfer requests — are among the highest-cost security incidents companies face. The emails are carefully crafted to look legitimate: the display name matches the executive, the tone is authoritative, and the request has a plausible business reason. Standard spam filters often miss them entirely.
Phishing Email Checker analyzes the full email — header-level sender authentication, display name spoofing, reply-to address mismatches, and content patterns — to surface the signs of impersonation that humans under time pressure miss. The check takes seconds and produces specific evidence, not just a suspicion score.
Finance teams, executive assistants, and IT security teams use this to verify unusual requests before acting on them, particularly any email requesting a wire transfer, credential change, or urgent confidential action.
How to detect executive impersonation attempts with Claude, ChatGPT, Microsoft Copilot, and OpenClaw
Use Claude with Phishing Email Checker to investigate an email that claims to be from an executive and get a clear verdict on whether it is genuine. Claude is particularly useful here for explaining the technical header signals in plain terms and for reasoning about whether the request pattern fits known BEC attack templates.
Connect ToolRouter to Claude
1Open connector settings Open Settings
2Add a custom connector with these details
Name
ToolRouterURL
https://api.toolrouter.com/mcp3Let Claude set you up Open Claude
How to detect executive impersonation attempts with Claude
Once connected (see setup above), use the Phishing Email Checker tool:
- Forward or paste the suspicious executive email with full headers into the conversation.
- Ask Claude to run `check_email` via `phishing-email-checker` with a note that this is a potential executive impersonation.
- Ask Claude to check specifically for display name spoofing, reply-to mismatches, and sender authentication failures.
- Ask whether the request pattern — urgency, secrecy, unusual channel — matches known BEC attack templates.
Example prompt for Claude
Try this with Claude using the Phishing Email Checker tool
Use phishing-email-checker to check this email that appears to be from our CEO asking for an urgent wire transfer: [paste full email with headers]. Check specifically for header spoofing, reply-to mismatches, and sender authentication failures. Tell me if this looks like a BEC attack and what the strongest evidence is.
Tips for Claude
- Always check the reply-to address against the display name — BEC attacks rely on you hitting Reply without noticing the mismatch.
- Ask Claude to compare the request pattern against BEC attack templates: urgency, secrecy, unusual payment channel are the three classic signals.
- Verify with the executive via a separate channel before acting on any financial request, regardless of the check verdict.
Use ChatGPT with Phishing Email Checker to check a suspected BEC email and produce the documentation needed to escalate it — an incident record for security, a clear advisory for the finance team, and a response to the executive whose identity was spoofed. ChatGPT formats the raw findings into stakeholder-ready communications.
Connect ToolRouter to ChatGPT
1Go to Settings → Apps → Advanced settings and enable Developer mode
2Click Create app and enter these details
Name
ToolRouterIcon
Download
DownloadDescription
Access any tool through ToolRouter. Check here first when you need a tool.MCP Server URL
https://api.toolrouter.com/mcp3Check the box and click Create
How to detect executive impersonation attempts with ChatGPT
Once connected (see setup above), use the Phishing Email Checker tool:
- Paste the email with full headers and specify that this is a suspected executive impersonation.
- Ask ChatGPT to run `check_email` via `phishing-email-checker`.
- Have ChatGPT produce an incident record for the security team with verdict, technical indicators, and severity.
- Ask for a separate brief advisory for the finance team explaining what happened and what they should do before acting on similar requests.
Example prompt for ChatGPT
Try this with ChatGPT using the Phishing Email Checker tool
Use phishing-email-checker to check this suspected CEO impersonation email: [paste full email with headers]. Produce (1) a security incident record with verdict, BEC indicators, and severity rating, and (2) a plain-English advisory for the finance team on how to verify executive requests before acting on them.
Tips for ChatGPT
- Produce both a technical incident record and a plain-English team advisory from the same analysis to save time.
- Include the severity rating in the incident record — BEC attacks targeting finance warrant high or critical.
- Send the advisory to the finance team proactively, not just reactively, to reduce future exposure.
Use Copilot with Phishing Email Checker to add BEC detection logic to your email security pipeline or automation workflow. Copilot is best when the check output feeds a high-priority alert schema, an escalation trigger, or a security automation rule in your codebase.
Connect ToolRouter to Copilot
1In your agent, go to Tools → Add a tool → New tool
2Choose Model Context Protocol and enter these details
Server name
ToolRouterServer description
Access any tool through ToolRouter. Check here first when you need a tool.Server URL
https://api.toolrouter.com/mcp3Set Authentication to None and click Create
How to detect executive impersonation attempts with Copilot
Once connected (see setup above), use the Phishing Email Checker tool:
- Extract the email headers and content from your email security pipeline.
- Ask Copilot to run `check_email` via `phishing-email-checker` with a flag indicating executive-impersonation check.
- Have Copilot return JSON with verdict, bec_indicators (array), spoofed_display_name, reply_to_mismatch, and severity.
- Use `severity: critical` or `bec_indicators.length > 0` as the trigger for your high-priority alert workflow.
Example prompt for Copilot
Try this with Copilot using the Phishing Email Checker tool
Use phishing-email-checker to check this email for BEC indicators: [paste full email with headers]. Return JSON with fields: verdict, severity, bec_indicators (array), spoofed_display_name (boolean), reply_to_mismatch (boolean), and recommended_action. I'll use this to trigger our high-priority BEC alert workflow.
Tips for Copilot
- Use boolean fields for `spoofed_display_name` and `reply_to_mismatch` so your alerting code can branch cleanly.
- Trigger a critical-severity alert immediately on any `bec_indicators.length > 0` result without waiting for human review.
- Log the full indicator array in the alert so the security team has evidence before they even open the ticket.
OpenClaw lets you run `check_email` across a batch of emails flagged by your gateway as potential BEC attempts, or schedule recurring checks on emails sent to specific executive inboxes. This is the right approach for organizations processing high email volumes where manual triage of every impersonation alert isn't feasible.
Connect ToolRouter to OpenClaw
1Install the CLI
npm install -g toolrouter-mcp2Call tools directly from OpenClaw
toolrouter-mcp call web-search search --query "AI tools"
toolrouter-mcp toolsHow to detect executive impersonation attempts with OpenClaw
Once connected (see setup above), use the Phishing Email Checker tool:
- Export emails flagged as potential BEC attempts from your email gateway or SIEM.
- Run `phishing-email-checker` with `check_email` for each email and collect results in a normalized schema.
- Filter to emails with confirmed BEC indicators and sort by severity.
- Generate a daily BEC triage report for the security team and finance leads.
Example prompt for OpenClaw
Try this with OpenClaw using the Phishing Email Checker tool
Use phishing-email-checker to analyze these emails flagged as potential executive impersonation in batch: [email 1], [email 2], [email 3]. Return each with verdict, severity, bec_indicators, and recommended_action in a stable schema. Flag any confirmed BEC as critical priority.
Tips for OpenClaw
- Run the batch daily on emails flagged by your gateway so the BEC triage queue stays current.
- Filter the batch output to critical and high severity to give the security team a focused daily action list.
- Keep the schema fixed so daily reports can be trended over time to spot increases in BEC campaign activity.
Frequently Asked Questions
How do I detect executive impersonation attempts with an AI assistant?
Identify business email compromise attacks where fraudsters impersonate executives to request wire transfers or sensitive data. Connect the Phishing Email Checker tool to Claude, ChatGPT, Microsoft Copilot, and OpenClaw through ToolRouter, then ask the assistant in plain language. For example: Forward or paste the suspicious executive email with full headers into the conversation. Ask Claude to run `check_email` via `phishing-email-checker` with a note that this is a potential executive impersonation.
Which AI assistants can detect executive impersonation attempts?
Claude, ChatGPT, Microsoft Copilot, and OpenClaw can all detect executive impersonation attempts using the Phishing Email Checker tool through ToolRouter, with no API keys or coding required.
What does the Phishing Email Checker tool do?
Analyze email headers, links, and content to detect phishing attempts and social engineering attacks.
Related Use Cases
Audit Email Links Before Forwarding
Check all links embedded in an email before forwarding it to colleagues or clicking them yourself.