Most executive impersonation starts with a domain registration. An attacker registers a variant of the CEO’s name, configures MX records, sends a wire-fraud email to finance, and the only artifact security has is the email itself. By then the money is on its way.
We watch for executive name plus brand permutations on a daily schedule, surface them within hours, and route them into enforcement before the wire-fraud email lands. The same scoring pipeline that runs on brand domains runs here, calibrated for social-engineering patterns.
What we watch
- Executive name plus brand permutations across .com and major gTLDs
- Personal-name lookalikes including phonetic and homoglyph variants of the executive’s name
- VIP and board member coverage for clients with active executive protection programs
- Certificate transparency hits for newly issued certs on executive-relevant subdomains
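A sketch of how the first two watch items can be checked against a feed of newly observed domains, including lookalikes that carry the executive's name but not the brand. This is an added example, not the service's scoring pipeline: the executive, brand, allowlist, character table and sample domains are all constructed, domains are assumed to arrive in Unicode form, and phonetic variants and certificate transparency are out of scope.

```python
import unicodedata

# Constructed subset of look-alike characters; a production table is far larger.
SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                        "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
                        "\u0456": "i", "\u0455": "s"})                # Cyrillic i, s
MULTI = (("rn", "m"), ("vv", "w"))  # letter pairs that read as one letter

def skeleton(text):
    """Fold a name or domain label so visually similar spellings compare equal."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))  # drop accents
    text = text.translate(SINGLE)
    for pair, single in MULTI:
        text = text.replace(pair, single)
    return "".join(c for c in text if c.isalnum())  # drop hyphens and dots

def classify(domain, executives, brand, allowlist=()):
    """Return (executive, kind) for a suspicious domain, or None."""
    domain = domain.lower().rstrip(".")
    if domain in allowlist:
        return None
    labels = domain.rsplit(".", 1)[0]  # assumes a single-label TLD
    folded, brand_f = skeleton(labels), skeleton(brand)
    for first, last in executives:
        if skeleton(last) not in folded:
            continue
        if brand_f in folded:
            return (f"{first} {last}", "name+brand")
        if skeleton(first) in folded:
            return (f"{first} {last}", "name-only")  # no corporate brand present
    return None

def scan(domains, executives, brand, allowlist=()):
    """Classify a batch of newly observed domains and keep only the hits."""
    hits = []
    for d in domains:
        result = classify(d, executives, brand, allowlist)
        if result:
            hits.append((d, *result))
    return hits

# Constructed sample data (hypothetical executive and brand).
EXECS = [("Dana", "Whitfield")]
BRAND = "examplecorp"
ALLOW = {"examplecorp.com"}
FEED = ["dana-whitfie1d-examplecorp.com", "d\u0430nawhitfield.net",
        "examplecorp.com", "weatherfield-news.org"]

if __name__ == "__main__":
    for hit in scan(FEED, EXECS, BRAND, ALLOW):
        print(hit)
```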
How we deliver
Same-day flagging on high-risk hits routes directly to your executive protection program or security team. The evidence packet is ready for a takedown request, or for an FBI Internet Crime Complaint Center (IC3) filing if the campaign has already moved beyond detection.
Buyer pain we address
- Generic monitoring misses executive-name lookalikes that do not contain the corporate brand
- Wire-fraud incidents start with a domain that was 24 hours old when the email landed
- Executive protection teams lack the domain signal that connects the impersonation infrastructure to the campaign