RankShield Network · Financial

CEO fraud prevention when a cloned executive orders the wire.

RankShield Financial is a verifiable, pre-settlement payment platform for preventing CEO fraud — the deepfake and business email compromise (BEC) scam that triggers wire fraud. It binds a signed liveness verdict to the specific payment and holds the wire before it settles.

liveness-signed · intent-bound · held before the wire
liveness verdict · signed detector · detector-signed
synthetic likelihood: 12 / 100
threshold: hold at ≥ 70
verdict · human · live
RELEASED — liveness confirmed, intent may settle

The verdict is cryptographically signed by an enrolled detector and bound 1:1 to this exact payment intent, so it can’t be forged or replayed. Liveness applies only inside the app’s own verified channel.

01 // Impersonation
The threat

What is CEO fraud, and how does it lead to wire fraud?

CEO fraud is a scam in which an attacker impersonates a senior executive to pressure an employee into sending an urgent wire transfer to an account the fraudster controls. It is a variant of business email compromise (BEC): the attacker spoofs or hijacks an executive’s email — or, increasingly, clones their voice or face — and issues a payment instruction that carries the weight of authority and urgency. The finance or accounts-payable employee, believing the request is genuine, authorizes a wire. That is where BEC becomes wire fraud: the money leaves on a properly approved instruction, so the bank sees nothing anomalous. Because the transfer is authorized by a real employee acting in good faith, there is no intrusion to detect and, on most wire and instant rails, little or nothing to reverse once it clears. The vulnerability is trust in the executive’s identity, and that is exactly what the deepfake attacks.

02 // The moment
The moment it happens

Why do voice and video deepfakes defeat human trust?

Voice and video deepfakes defeat human trust because they deliver exactly the confirmation an employee was trained to look for. A finance team that hesitates over a suspicious email will usually comply once they hear the CEO’s real-sounding voice on a call or see them approve the transfer on video. Cloning tools now reproduce a public figure’s voice from a keynote, or a face from social footage, convincingly enough to pass a quick human check under time pressure. The employee is not negligent — the attacker has simply defeated the verification cue itself. Once the trusted signal can be faked on demand, the human layer alone cannot be the last line of defense before an irreversible wire.

The deepfake wire

A cloned CEO authorizes a $96,000 wire

Finance gets a call. The voice is the CEO’s — cloned from a public keynote. The instructions are urgent, specific, and plausible. The clip is even re-used from an earlier recording to pass a naive check. By the time anyone doubts it, an irreversible payment has already settled.

RankShield: a liveness challenge on the company’s own verified channel returns a signed synthetic verdict; the replayed clip fails the anti-replay nonce — the wire is held, not released.
03 // BEC surface
The broader attack

How does CEO fraud fit inside business email compromise?

CEO fraud is one tactic inside business email compromise, the broad category of scams that hijack or spoof business communications to redirect payments. BEC also covers supplier-invoice fraud, payroll-diversion, and attorney-impersonation scams — but the executive-impersonation variant is among the most damaging because it borrows the authority of the top of the organization. Deepfakes have widened this surface: an attacker no longer needs to compromise an inbox when a cloned voice on a phone call, or a synthetic face on a video call, can carry the same instruction. Whatever the entry point, the payoff is the same — an authorized wire to the fraudster. That is why the control has to sit on the payment itself, verifying the approver and the intent before release, rather than trying to secure every possible communication channel an attacker might spoof.

Executive
CEO fraud borrows top-of-house authority to rush an urgent wire past scrutiny.
Supplier
BEC also spans invoice-swap, payroll-diversion, and attorney-impersonation variants.
One payoff
Every variant ends the same way — an authorized wire to the fraudster’s account.
04 // Liveness
The counter

How does a signed liveness verdict bound to the payment stop it?

A signed liveness verdict stops CEO fraud by proving the approving human is live and present inside a channel the company controls, then binding that proof to the exact wire. RankShield issues a one-time challenge with an anti-replay nonce and captures the response directly; a detector returns a synthetic-likelihood verdict that must be cryptographically signed by an enrolled detector identity and bound 1:1 to the specific payment intent. A replayed or recorded clip fails the nonce and is treated as synthetic. When the signed score crosses the hold threshold, the wire is held before settlement. This works only inside the app’s own verified channel — never on the live scam call itself, whose stream the operating system never releases to an app. A held verdict flips to released once the score falls below the threshold.


05 // Binding
The binding

Why bind the verdict to the specific wire in your own channel?

Binding matters because a verdict that can be lifted, forged, or reused is worthless against a determined attacker. RankShield reduces the wire to a canonical intent — payer, payee, amount, purpose — signs it with composite ML-DSA-65 under NIST FIPS 204, and binds the signed liveness verdict 1:1 to that record. Move the verdict onto a different payment, or change the payee or amount, and the binding breaks. Doing this inside the company’s own verified channel is what makes the approval trustworthy: it is the only place RankShield actually holds the media stream, so it is the only place a liveness verdict can be honestly asserted. A cloned executive on an uncontrolled carrier call can be convincing, but that call never becomes an approval, because the approval has to happen where it can be verified.

Detector-signed

enrolled identity

The verdict carries a signature from an enrolled detector identity — not an anonymous score — so its origin is verifiable and cannot be spoofed by an unenrolled party.

Bound 1:1

one wire only

The verdict ties to one canonical intent. Change the payee or amount, or reuse it on another wire, and it no longer verifies.

Anti-replay

one-time nonce

A one-time challenge nonce enforces freshness. A replayed clip of the executive fails the nonce and is treated as synthetic media.

Own channel

honest boundary

Liveness runs only where the app controls the media path — never on a live carrier or FaceTime call, whose stream the OS never releases.
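The four properties above (enrolled signer, 1:1 intent binding, one-time nonce, hold threshold) can be shown as a single fail-closed gate. This is an added sketch, not RankShield's code: HMAC-SHA256 stands in for the ML-DSA-65 signature, and the field names, JSON canonicalization, detector registry and sample wire are assumptions constructed for the example.

```python
import hashlib, hmac, json, secrets

HOLD_THRESHOLD = 70  # from the page: hold at >= 70
# Assumption: registry of enrolled detectors. HMAC-SHA256 is a stand-in for the
# ML-DSA-65 signature the page names; a real gate verifies a public-key signature.
ENROLLED = {"detector-01": b"constructed-demo-key"}
_pending = set()  # challenge nonces issued and not yet consumed

def intent_digest(intent):
    """Canonical intent: payer, payee, amount, purpose in a deterministic encoding."""
    fields = {k: intent[k] for k in ("payer", "payee", "amount", "purpose")}
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def issue_challenge():
    nonce = secrets.token_hex(16)
    _pending.add(nonce)
    return nonce

def _mac(key, v):
    msg = json.dumps([v["detector"], v["nonce"], v["intent"], v["score"]]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_verdict(detector, nonce, intent, score):
    """Detector side: one signature covers the score, the nonce and the intent digest."""
    v = {"detector": detector, "nonce": nonce, "intent": intent_digest(intent), "score": score}
    v["sig"] = _mac(ENROLLED[detector], v)
    return v

def gate(verdict, intent):
    """Pre-settlement decision, failing closed: 'released' or 'held'."""
    key = ENROLLED.get(verdict.get("detector"))
    if key is None:
        return "held"  # signer is not an enrolled detector
    if not hmac.compare_digest(_mac(key, verdict), verdict.get("sig", "")):
        return "held"  # forged or altered verdict
    if verdict["intent"] != intent_digest(intent):
        return "held"  # verdict lifted onto a different wire
    if verdict["nonce"] not in _pending:
        return "held"  # replayed or unknown challenge
    _pending.discard(verdict["nonce"])  # nonce is single-use
    return "held" if verdict["score"] >= HOLD_THRESHOLD else "released"

if __name__ == "__main__":
    wire = {"payer": "Acme", "payee": "Vendor Ltd", "amount": "96000.00", "purpose": "inv-1"}
    v = sign_verdict("detector-01", issue_challenge(), wire, 12)
    print(gate(v, dict(wire, payee="Other Ltd")))  # held: payee changed
    print(gate(v, wire))                           # released
    print(gate(v, wire))                           # held: nonce already used
```
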

06 // Old vs new
The difference

Callback policies versus a signed liveness gate — what changes?

Traditional CEO-fraud advice leans on human callbacks and dual approval. Those help, but a determined deepfake defeats a callback and time pressure erodes dual control. A signed, intent-bound liveness gate changes the decision from human judgment under pressure to verifiable evidence before release.

| Control | Human callback / dual approval | RankShield liveness gate |
| --- | --- | --- |
| Defeated by a voice clone? | Often — the callback hears the clone | No — the clone fails the verified-channel challenge |
| Where it runs | Uncontrolled carrier call | The company’s own verified channel |
| Reused-clip attack | May pass a naive check | Fails the one-time anti-replay nonce |
| Bound to the wire? | No — verbal only | Yes — verdict bound 1:1 to the intent |
| Evidence produced | A note in a ticket | Signed, sealed, tamper-evident record |

We are not aware of another platform that combines pre-settlement interception, deepfake liveness bound to the specific payment, and quantum-safe signing in one verifiable step. The differentiation is cryptographic intent attestation with identity binding, not merely acting before settlement.

07 // Governance
For accounts payable

How does governance protect an accounts payable team?

Governance protects an AP team by enforcing who may approve what, up to which limits, before a wire is released rather than reviewing it after a loss. Releasing a payment requires an M-of-N quorum, so no single compromised key or coerced employee can push a wire alone. Signing keys live in an HSM, and each intent is sealed to a tamper-evident record on the RankShield Network. The team gets a released, held, or denied decision on every executive-authorized wire, backed by a signed liveness verdict and a signed canonical intent. Instead of one employee absorbing the pressure of a convincing impersonation, the control is systemic, verifiable, and auditable — and it produces evidence that supports the team’s fraud-monitoring obligations.

M-of-N
releasing a wire needs a quorum — no single key can push it alone
HSM keys
signing keys live in hardware; the ledger stores commitments, not account numbers
Held
a synthetic or out-of-authority approval is held before the wire settles
Evidence
signed decisions support fraud-monitoring obligations — not a compliance guarantee
08 // Pre-settlement
The gate

Why does the hold have to happen before settlement?

The hold has to happen before settlement because a wire, once cleared, is effectively final — there is no card-style chargeback and, on instant rails, no window to intervene at all. RankShield’s decision is a signed input evaluated before release: when the liveness verdict crosses the hold threshold or the approver falls outside their authority, the intent is held and never reaches the rail; when everything verifies, it is released and sealed. Because the decision sits at the one instant a deepfake-driven wire is still reversible, it prevents the loss rather than documenting it. That is the difference between stopping CEO fraud and merely reconstructing how it happened. The same pre-settlement gate applies whether the wire runs over a traditional rail or an ISO 20022 instant scheme.

Final
A cleared wire has no chargeback; instant rails leave no window to intervene.
Before release
The held / released / denied decision is evaluated before the rail settles.
Sealed
Every verified wire is sealed to a tamper-evident record on the RankShield Network.
FAQ

CEO fraud and wire fraud — questions, answered.

What is CEO fraud?
CEO fraud is a scam in which an attacker impersonates a senior executive to pressure an employee — usually in finance or accounts payable — into sending an urgent wire transfer. It is a form of business email compromise, or BEC, and it works by exploiting authority and urgency rather than by breaking into systems. The target believes they are following a legitimate instruction from the CEO or CFO, so the resulting payment is genuinely authorized. That authorization is exactly what makes CEO fraud so hard to reverse once the money moves.
How is CEO fraud related to wire fraud and BEC?
CEO fraud is a specific tactic within business email compromise (BEC) that typically results in wire fraud. BEC is the broad category of scams that hijack or spoof business communications to redirect payments; CEO fraud is the executive-impersonation variant; the wire transfer is the mechanism the money leaves by. An attacker spoofs or compromises an executive’s email or clones their voice, issues an urgent payment instruction, and the finance team pushes an authorized wire to the fraudster’s account. All three describe parts of the same attack.
How do voice and video deepfakes defeat human trust?
Voice and video deepfakes defeat human trust by removing the sanity checks people rely on. A finance employee who might question a suspicious email will often comply when they hear the CEO’s actual voice on a call or see them on video approving the transfer. Cloning tools can now reproduce a public figure’s voice from a keynote or a video from social footage convincingly enough to pass a quick human check. The employee is not careless — they are being shown exactly the confirmation they were trained to look for, which is why the human layer alone is no longer sufficient.
How does a signed liveness verdict stop CEO fraud?
A signed liveness verdict tests whether the person approving a payment is genuinely live and present inside a channel the company controls, then binds that cryptographically signed verdict to the specific payment intent. The detector verdict is signed by an enrolled identity and tied 1:1 to that exact payer, payee, amount, and purpose; a one-time nonce defeats replayed clips. When the synthetic-likelihood score crosses the hold threshold, the wire is held before settlement. A cloned executive on a real call cannot satisfy the challenge inside the verified channel, so the fraudulent instruction never reaches the rail.
Can RankShield detect a deepfake on the actual scam call?
No. A live carrier or FaceTime call’s audio and video are never handed to a third-party app by the operating system, so no software can analyze that stream, and any vendor claiming otherwise is overreaching. RankShield performs liveness only inside its own verified channel — a challenge it issues and captures directly, where it controls the media path. The defense is not to eavesdrop on the scam call; it is to require that any executive approval of a payment pass through a channel RankShield can actually verify before the wire is released.
Why bind the verdict to the specific payment?
Binding the verdict to the specific payment stops an attacker from lifting a genuine approval onto a fraudulent transfer. RankShield reduces the payment to a canonical intent — payer, payee, amount, purpose — and binds the signed liveness verdict 1:1 to that record. Change the payee or amount, or move the verdict to another payment, and the binding breaks and no longer verifies. Without this binding, a valid-looking approval could be replayed against a different wire. With it, the approval is only ever good for the exact payment it was captured for.
What does this give an accounts payable team?
It gives an AP team a pre-settlement gate and a verifiable record. Instead of relying on an employee to catch a convincing impersonation under time pressure, the team gets a released, held, or denied decision on each executive-authorized wire, backed by a signed liveness verdict and a signed canonical intent sealed to a tamper-evident record. Governance rules — who may approve what, up to which limits — are enforced before release rather than reviewed after a loss. The team keeps a checkable trail of exactly why each wire was allowed or stopped.
Does this make our company compliant with fraud rules?
No single tool makes a company compliant. RankShield produces evidence that supports compliance: signed intents, signed liveness verdicts, and sealed release-or-hold decisions that document how each wire was verified before settlement. That evidence aligns with the direction of fraud-monitoring expectations, including Nacha’s expanded rules pushing detection earlier. Your controls, policies, and governance still determine compliance; what RankShield adds is a tamper-evident, cryptographically verifiable record that the checks were actually performed at the moment the payment was still reversible.
Verify, then settle

See your payments verified before they settle.

RankShield Financial is rolling out with design partners on instant and tokenized rails. Request access and we’ll map it to your settlement flow.
