How to Detect Executive Impersonation with Claude

Detect executive impersonation attempts with Claude and ToolRouter. Identify business email compromise (BEC) attacks in which fraudsters impersonate executives to request wire transfers or sensitive data.

Tool
Phishing Email Checker

Use Claude with Phishing Email Checker to investigate an email that claims to be from an executive and get a clear verdict on whether it is genuine. Claude is particularly useful here for explaining the technical header signals in plain terms and for reasoning about whether the request pattern fits known BEC attack templates.

Connect ToolRouter to Claude

  1. Open connector settings.
  2. Add a custom connector with these details:
     Name: ToolRouter
     URL: https://api.toolrouter.com/mcp
  3. Let Claude set you up.

Steps

Once connected (see setup above), use the Phishing Email Checker tool:

  1. Forward or paste the suspicious executive email with full headers into the conversation.
  2. Ask Claude to run `check_email` via `phishing-email-checker` with a note that this is a potential executive impersonation.
  3. Ask Claude to check specifically for display name spoofing, reply-to mismatches, and sender authentication failures.
  4. Ask whether the request pattern — urgency, secrecy, unusual channel — matches known BEC attack templates.

Example Prompt

Try this with Claude using the Phishing Email Checker tool:
Use phishing-email-checker to check this email that appears to be from our CEO asking for an urgent wire transfer: [paste full email with headers]. Check specifically for header spoofing, reply-to mismatches, and sender authentication failures. Tell me if this looks like a BEC attack and what the strongest evidence is.

Tips

  • Always check the reply-to address against the display name — BEC attacks rely on you hitting Reply without noticing the mismatch.
  • Ask Claude to compare the request pattern against BEC attack templates: urgency, secrecy, and an unusual payment channel are the three classic signals.
  • Verify with the executive via a separate channel before acting on any financial request, regardless of the check verdict.
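
The three header checks named in the steps above (display name spoofing, reply-to mismatch, sender authentication failure) can also be run locally as a first pass. This is an added example, not ToolRouter's or the Phishing Email Checker's own code; `check_headers`, its parameters, and the sample message with its `.test` domains are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every name and domain is a placeholder.
SAMPLE = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.test>
Reply-To: jane.doe.ceo@freemail.test
To: finance@example-corp.test
Subject: Urgent wire transfer - keep confidential
Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=examp1e-corp.test; dkim=none; dmarc=fail header.from=examp1e-corp.test

Please process this today and do not discuss it with anyone.
"""

def domain(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_headers(raw, org_domain, exec_names, trusted_authserv):
    """Return a list of header findings for one raw message (hypothetical helper)."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # Display name spoofing: an executive's name on an address outside the org domain.
    if any(n.lower() in name.lower() for n in exec_names) and domain(from_addr) != org_domain:
        findings.append("display_name_spoof")
    # Reply-To mismatch: replies would go to a different domain than the visible sender.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        findings.append("reply_to_mismatch")
    # Sender authentication: trust only results stamped by our own receiving server,
    # since a sender can add its own Authentication-Results header.
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.lower().partition(";")
        if authserv.strip() != trusted_authserv:
            continue
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results):
            if result != "pass":
                findings.append(f"{mech}_{result}")
    return findings

if __name__ == "__main__":
    print(check_headers(SAMPLE, "example-corp.test", ["Jane Doe"], "mx.example-corp.test"))
```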