ChatGPT-Written CEO Impersonation Emails (BEC) in 2026: Detection Signals

Published: 31 May 2026 | 10 min read | By ScanTotal Security Team
Last reviewed: 31 May 2026 by Kumari Rajapaksha — Founder, ScanTotal

The traditional Business Email Compromise email looked like this: "Hello, are you avaliable? I need to give you task urgently. Please reply for instructions. Regards, [CEO]". Broken English, generic greeting, vague urgency. Easy to spot.

The 2026 version looks like this: "Hi Sarah, hope your daughter’s recital went well on Sunday. Quick one: we’re finalising the Crestmount acquisition and I need a wire of $187,000 processed to their escrow account before COB today. Banking details below. Don’t loop Mark in — he’s in the off-site and we agreed I’d handle this directly. Will explain everything Monday. — David"

Perfect grammar. Conversational warmth. Specific context (your daughter’s recital). Plausible business detail (an acquisition you may genuinely have been peripherally aware of). Reasonable explanation for not following normal channels. AI did this. ChatGPT, Claude, or Gemini given access to your CEO’s public LinkedIn, your company’s press releases, and a basic finance vocabulary can produce hundreds of these per minute, each customised to a specific target by job title.

This guide walks through how AI-written BEC actually works, what real production examples look like, the six signals that still distinguish AI-written BEC from a real executive email, the verification discipline that beats all variants, and what to do if your organisation has already lost money.

Three redacted real examples

Reconstructed from real BEC submissions to ScanTotal’s Email Analyzer in April-May 2026, with all identifying details replaced and amounts adjusted.

From: David Reeves <david.reeves@crestm0unt-acq[.]com>
To: Sarah Chen (Finance Manager)
Subject: Urgent — wire ahead of COB

Hi Sarah,

Hope your daughter’s recital went well on Sunday. Quick one: we’re finalising the Crestmount acquisition and I need a wire of $187,000 processed to their escrow account before COB today. Banking details below. Don’t loop Mark in — he’s in the off-site and we agreed I’d handle this directly. Will explain everything Monday.

Beneficiary: Crestmount Holdings LLC
Bank: First Republic
Routing: [redacted]
Account: [redacted]

Thanks
David

The visible sender name says "David Reeves" but the actual From address is crestm0unt-acq[.]com — note the zero substituting for the “o” in "Crestmount". The real CEO’s email is at the company’s normal corporate domain.

From: Priya Iyer <ceo@helixtech.in.payments-confirm[.]com>
To: Amit Sharma (CFO)
Subject: Confidential — vendor advance

Amit,

I’ve been in back-to-back calls with the board today. We’ve decided to advance the Sundaram contract by ₹42 lakh to lock in the discount before quarter close. I need you to authorise the transfer to the account below before 5pm. The board has already approved. Keep this between us until Monday — we don’t want the news leaking before the public announcement.

Account details attached. Confirm once processed.

Priya

The domain looks like helixtech.in at a glance but is actually helixtech.in.payments-confirm[.]com — the company name is a subdomain of a scammer-controlled domain. This pattern slips past visual inspection on mobile email clients that truncate long sender addresses.

From: Mark Thompson <m.thompson@apex-corp[.]net>
To: HR Director
Subject: Quick favour

Hi — I’m in a meeting and can’t step out. Can you do me a quick favour? I need to send some thank-you gifts to the AccessTech team for their work last quarter. Can you buy 5 x $500 Apple gift cards and email me the codes? I’ll expense it next week. Time-sensitive please.

Mark

The gift-card variant. Amount is small per card but quick to execute. Real company gift programs run through procurement, never through HR-buying-cards-on-personal-credit. This one is still common because the absolute loss is small enough that some HR staff just absorb it personally rather than escalate.

Why AI has changed BEC, and why some things stay the same

What AI changed. The traditional “poor English” tell is gone. Modern LLMs write in the cadence of a busy native-speaker executive: concise, warm-but-direct, occasional sentence fragments, the kind of voice that reads as real. They can also incorporate context the scammer fed them — the executive’s LinkedIn bio, recent press releases, the target employee’s name and role — producing emails that feel personalised. The cost per email has collapsed to a few cents, so the scammer can run thousands of variants per target organisation, picking off whoever bites.

What AI hasn’t changed. The underlying mechanics. A BEC scam still needs to:

  • Route mail from an address the target’s mail system will accept — either a lookalike domain or a compromised account
  • Request a financial action the target can actually authorise (wire, gift cards, account changes, payroll modification)
  • Bypass normal verification channels (otherwise the target would just call the real executive and verify)

The mechanics haven’t changed, so the defences against the mechanics still work. AI made the words better; it didn’t change the email plumbing or the human verification options.

The six signals that still distinguish AI-written BEC

1. Header chain mismatch

View the full email headers (Gmail: three-dot menu → Show original; Outlook: File → Properties → Internet headers). Check:

  • From address matches the visible sender name's actual corporate email
  • Reply-To matches From (mismatch is a strong tell)
  • Return-Path matches the sending domain
  • Authentication-Results: SPF=pass, DKIM=pass, DMARC=pass for the claimed domain

A real CEO email from david@crestmount.com will have SPF/DKIM/DMARC all passing on crestmount.com. The fake will fail one or more, or will pass on a different domain entirely.
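The four header checks above can be scripted. The following is an added example, not ScanTotal's code: the function names and the sample message are constructed for illustration, with crestmount.com taken as the real corporate domain as in the paragraph above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real mail), modelled on the first example above.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.crestmount.com; spf=pass smtp.mailfrom=mailer.example.net; dkim=pass header.d=crestm0unt-acq.com; dmarc=fail header.from=crestm0unt-acq.com
From: David Reeves <david.reeves@crestm0unt-acq.com>
Reply-To: David Reeves <d.reeves@webmail.example>
To: sarah.chen@crestmount.com
Subject: Urgent - wire ahead of COB

Hi Sarah, ...
"""

def addr(value):
    """Lowercased bare address from a header value ('' if missing)."""
    return parseaddr(value or "")[1].lower()

def domain(value):
    return addr(value).rpartition("@")[2]

def auth_results(msg):
    """{'spf': (result, domain), ...} from the topmost Authentication-Results
    header. Only the one stamped by your own receiving server is trustworthy;
    copies lower down can be supplied by the sender."""
    out = {}
    for clause in (msg.get("Authentication-Results") or "").split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        d = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:[^\s@]*@)?([\w.-]+)", clause)
        if m:
            out[m.group(1).lower()] = (m.group(2).lower(), d.group(1).lower() if d else "")
    return out

def check_headers(raw, expected_domain):
    """Return the list of header-chain findings for one raw message."""
    msg, findings = message_from_string(raw), []
    if domain(msg["From"]) != expected_domain:
        findings.append("from-domain-not-corporate")
    if msg["Reply-To"] and addr(msg["Reply-To"]) != addr(msg["From"]):
        findings.append("reply-to-mismatch")
    if domain(msg["Return-Path"]) != domain(msg["From"]):
        findings.append("return-path-mismatch")
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        result, dom = auth.get(mech, ("missing", ""))
        if result != "pass":
            findings.append(f"{mech}-{result}")
        elif dom != expected_domain:
            findings.append(f"{mech}-pass-other-domain")
    return findings
```

The Return-Path comparison here is an exact domain match; legitimate mail sent through a bulk-mail provider can trip it, so treat that finding as a prompt to look closer, not a verdict.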

2. Domain typosquats and lookalikes

Common patterns: crestm0unt.com (zero for o), crestmou nt.com (added space character that displays invisibly), crestmount-corp.com (added word), crestmount.co (different TLD), helixtech.in.payments-confirm.com (brand-as-subdomain). On mobile clients the sender often shows only the display name (“David Reeves”), hiding the address entirely. Always reveal the full sender address before acting.
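A mail filter can test a sender domain for these patterns against the organisation's real domain. This is an added example, not ScanTotal's code: the function name, the tag names and the short homoglyph table are assumptions made for illustration, and it assumes the brand is the first label of the real domain.

```python
import unicodedata

# Illustrative digit-for-letter swaps; a production list would be longer.
HOMOGLYPHS = str.maketrans("0135", "oles")
INVISIBLE = ("Cf", "Zs")  # Unicode format characters and spaces

def lookalike_findings(sender_domain, legit_domain):
    """Tags describing how sender_domain imitates legit_domain.
    An empty list means no imitation pattern matched, not that the sender is trusted."""
    legit = legit_domain.lower()
    brand, _, legit_suffix = legit.partition(".")   # assumes brand is the first label
    sender = sender_domain.lower().rstrip(".")
    if sender == legit or sender.endswith("." + legit):
        return []                                   # the real domain or its subdomain
    findings = []
    if any(unicodedata.category(c) in INVISIBLE for c in sender):
        findings.append("invisible-character")
    if sender.startswith(legit + ".") or f".{legit}." in sender:
        findings.append("brand-as-subdomain")
    labels = sender.split(".")
    for i, label in enumerate(labels):
        visible = "".join(c for c in label if unicodedata.category(c) not in INVISIBLE)
        plain, folded = visible.split("-"), visible.translate(HOMOGLYPHS).split("-")
        if brand.translate(HOMOGLYPHS) not in folded:
            continue                                # this label does not carry the brand
        if brand not in plain:
            findings.append("homoglyph")
        if len(folded) > 1:
            findings.append("added-word")
        rest = ".".join(labels[i + 1:])
        if rest != legit_suffix and "brand-as-subdomain" not in findings:
            findings.append("different-tld")
    return list(dict.fromkeys(findings))            # de-duplicate, keep order

if __name__ == "__main__":
    # Constructed inputs taken from the patterns listed above.
    for d in ("crestm0unt.com", "crestmount-corp.com", "crestmount.co", "crestm0unt-acq.com"):
        print(d, lookalike_findings(d, "crestmount.com"))
    print(lookalike_findings("helixtech.in.payments-confirm.com", "helixtech.in"))
```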

3. Out-of-band urgency, bypassing normal channels

Real CEO emails about finance actions usually loop in the CFO, the controller, or the relevant department head. AI-written BEC almost always says "don’t loop Mark in", "keep this between us", or "the board has already approved". Any email that asks for finance action AND asks you not to follow your normal authorisation chain is fraudulent until proven otherwise.

4. Tonal evenness

Real busy executives write tersely, sometimes with typos, sometimes mid-sentence, sometimes from their phone with autocomplete dropping in odd words. AI writes fluently — uniformly grammatically correct, sentences of consistent quality, no typos, no autocomplete weirdness. If you’ve been receiving emails from David for six months and they’ve always been three-line fragments, then a perfectly-composed five-paragraph email arrives, ask why the writing style changed.

5. The request shape

BEC requests cluster into a small number of shapes regardless of writing quality:

  • Wire to new beneficiary — "transfer to this account today"
  • Vendor banking change — "update vendor X’s payment details to the account below"
  • Gift cards — "buy gift cards for thank-you / urgent client gifts"
  • Confidential bonus / advance — "process this payment, don’t tell anyone"
  • Payroll modification — "change the bank account on my own payroll record"

Any of these requests, by email, requires out-of-band verification. AI didn’t change which financial actions BEC targets.

6. The verification gap

The request explicitly tells you not to call, not to loop in finance, not to verify through normal channels. "I’m in meetings, just handle it by email." "This is confidential, don’t walk it past Mark." No real executive demands you skip verification on financial actions. Every legitimate executive will thank you for verifying.

The single defence: out-of-band verification

The six signals above are detective controls. The preventive control that catches every variant is a hard policy: any financial action requested by email must be confirmed through a separate channel that the requester didn’t choose.

Specifically:

  • Call the executive on a phone number you already had — not a number in the email
  • Walk to their desk and ask in person
  • Send a Slack / Teams / corporate-IM DM to their established handle (you already had it before this email arrived)
  • Reply to a different email thread you already had with them, asking for confirmation

The verification call must be initiated by you using contact details you already had. Calling a number supplied in the suspicious email reaches the scammer, not the executive. This rule is so important that some organisations now publish their executives’ verified phone numbers internally on a known intranet page so anyone receiving a suspicious email can find the right number to call.

No executive will be insulted by being asked to verify an unusual financial request. Every CEO worth working for will thank staff for the discipline. The only people who object to out-of-band verification are scammers running BEC. This is true even when the email’s tone implies you should just trust it.

If your organisation has already lost money

Move within 24 hours. The FBI’s Financial Fraud Kill Chain has high recovery rates for same-day reporting (~70% per IC3 statistics) and the rate drops sharply after that.

  1. Call your bank’s wire fraud / SWIFT department immediately. A wire reported the same day can in many cases be recalled or held.
  2. File at ic3.gov (US) or your country equivalent: Australia — ReportCyber; UK — Action Fraud; India — cybercrime.gov.in + helpline 1930.
  3. Engage IT / security to determine: (a) was the email account compromised or just spoofed? (b) Is there evidence of any other unauthorised access?
  4. Communicate internally with finance and HR staff so they don’t fall for the inevitable follow-up attempts (scammers often try twice).
  5. Engage cyber insurance if you have a policy — many cover BEC up to specified limits.
  6. Post-incident review on: email authentication (SPF, DKIM, DMARC); out-of-band verification policy; finance approval thresholds; staff training cadence.

The honest forecast on BEC

AI has not changed the fundamental dynamics. BEC has been the highest-loss category of cybercrime by reported dollars for the past five years; the same controls (out-of-band verification, email authentication, finance approval thresholds, staff training) that worked in 2020 still work in 2026. The improvements in AI-written email quality have eroded the traditional signals (typos, broken grammar) but the structural signals (header inconsistency, request shape, verification gap) all survive. The defences are policy and process, not phishing-detection technology.

Organisations that have implemented a strict "all unusual financial requests verified out-of-band, no exceptions" policy generally report zero successful BEC regardless of how sophisticated the AI-written emails become. The policy beats the technology.
