by Dublum 4111 days ago
yes, though it's probably worth noting that a video of their CEO talking about it is probably pretty hard to fake

As far as I know, that guy is an actor.
Let's assume he's an actor and DNS is poisoned. Clearly this is intended to reach a wide audience. Presumably, the real CEO would learn of the fraud shortly. Let's say that takes a few hours. The corrected DNS will take 4 hours to propagate. So, how many people will sign up for fraud protection in between?

If I was designing an attack, a high visibility, low persistence attack where I send my victims to a website not under my control (unless you're asserting the attackers also got control of protectmyid.com) would not be my first choice, especially if I'm spending the money it took to shoot that video and stream it to all the people who you ostensibly want to see it.

> The corrected DNS will take 4 hours to propagate.

This misconception bothers me a lot. DNS changes are complicated: there's no "n" where "n = the amount of time where any domain will magically be fixed".

"Propagation" is based on the configured TTL values of the specific DNS records requested, for the specific zone. Add in layers of application/OS/intranet/ISP/DNS provider caching, and it's a complicated nightmare to fix/predict reactively.

Most BIND9 installations use 86400 seconds by default: 24 hours. And some domains use more, some less, some have dynamically generated TTLs to simulate changing of records at a set/recurring wall clock time, instead of a time to live, some DNS caches are reset frequently, some caches retain values much longer than allowable by TTL...
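
Added example, not part of the thread: a small model of the point in the comment above, that how long a stale or poisoned record keeps being served after a fix depends on the record's TTL and on how each caching layer treats it, not on a fixed number of hours. The cache names, fetch times and the minimum-TTL clamp are constructed assumptions; 86400 seconds is the TTL figure quoted above.

```python
from dataclasses import dataclass


@dataclass
class Cache:
    name: str
    fetched_at: int   # seconds on a shared clock when this layer cached the record
    min_ttl: int = 0  # assumption: layer raises any shorter TTL to this floor


def stale_windows(record_ttl, fix_at, caches):
    """Seconds after the fix that each layer may still serve the old record.

    `caches` is ordered from the recursive resolver outward to the client.
    The first layer gets the full TTL from the authoritative server; every
    later layer gets only the TTL remaining in the layer it queried.
    """
    windows = {}
    upstream_expiry = None
    for cache in caches:
        if upstream_expiry is None:
            ttl_received = record_ttl
        else:
            if cache.fetched_at >= upstream_expiry:
                raise ValueError(f"{cache.name}: upstream entry already expired")
            ttl_received = upstream_expiry - cache.fetched_at
        # A layer that honors TTLs uses what it received; a clamping layer
        # may hold the record longer than the zone owner ever allowed.
        expiry = cache.fetched_at + max(ttl_received, cache.min_ttl)
        windows[cache.name] = max(0, expiry - fix_at)
        upstream_expiry = expiry
    return windows


if __name__ == "__main__":
    fix_at = 3 * 3600  # constructed: record corrected three hours in
    honoring = [Cache("resolver", 0), Cache("forwarder", 3600), Cache("client", 7200)]
    clamping = [Cache("resolver", 10700),
                Cache("forwarder", 10750, min_ttl=3600),
                Cache("client", 14000)]
    print("TTL 86400, all layers honor TTL:", stale_windows(86400, fix_at, honoring))
    print("TTL 300, forwarder clamps to 3600:", stale_windows(300, fix_at, clamping))
```

With a 24-hour TTL, every honoring layer expires at the same moment, 21 hours after the fix; with a 5-minute TTL the resolver clears in minutes, but the clamping forwarder keeps the old answer alive for almost an hour and passes it on to the client.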

Yes, I have configured BIND before. True, true, and still, most of the time, in my humble, limited experience, it will clear in well under 4 hours.
... Seriously?

I get that they should have used SSL, it'd have been a good move. But you can't seriously use that argument.