Scammers often impersonate businesses to appear more legitimate and trustworthy, resulting in scams that are harder to detect. Scammers can use business impersonation to target the clients of a business or the business itself, often with the intent to steal sensitive information or money, or to gain unauthorised access to online accounts. Business impersonation scams can result in customers losing money and/or their personal information, putting them at risk of further exploitation. This can significantly damage the reputation of, and customer trust in, the business being impersonated, even though it was not involved in the scam itself.
Website impersonation: Scammers often use duplicate websites to pose as an existing business. This is done by registering web addresses that are very similar to the legitimate business’s address and copying its style and branding. A legitimate business may use the website URL ‘businessname.com’, which a scammer can impersonate by slightly altering the domain name – for example, ‘businessnameaustralia.com’ (this is called typosquatting). Additionally, scammers can buy different extensions of a legitimate business’s domain – the business may own ‘businessname.com’, but scammers could buy extensions like ‘businessname.co’ or ‘businessname.org’. These websites can be used to gather sensitive information from a business’s customers, such as credit card details, to sell fraudulent products, or to distribute malware.
Business email compromise (BEC): BEC is a type of email scam that involves scammers exploiting employee and client trust in a business’s email, usually with the objective to obtain information or money. Scammers use BEC for a variety of scams such as sending fraudulent invoices to clients of the impersonated business, requesting sensitive information from employees by posing as a colleague, administrator or management, or conducting phishing attacks. BEC can be conducted through email compromise or email spoofing, and sometimes involves both methods.
Email spoofing: Scammers often use email addresses that closely resemble the legitimate email addresses used by a business in the hope of evading a cursory inspection. For instance, a legitimate business using the email address ‘Lee@example.com’ could be impersonated by scammers using ‘Iee@exampIe.com’ – these addresses appear to be identical, but the scammer version uses a capital ‘i’ in place of each lowercase ‘l’. Alternatively, the display name of a legitimate business may be impersonated – scammers could use ‘businessname@gmail.com’ to impersonate ‘businessname@example.com’ while showing the same display name.
Email compromise: Scammers gain access to the legitimate email accounts or domain of a business and use this to defraud its customers or employees. This can occur when a scammer steals the credentials of an employee, often through phishing, using them to gain unauthorised access to the business’s email or gain access to email infrastructure by compromising the system itself. Once the business email is compromised, the scammers can access any sensitive information contained in the email account and can redirect/request payments.
Unauthorised advertisements: Scammers use online advertisements to impersonate a business. These advertisements are often circulated on social media and promote fake products and/or services using the brand of a real business. The advertisements are used to increase traffic to scam websites, phish for personal details or payment information, or distribute malware.
Scam call impersonation: Another technique used by scammers is conducting scam calls, in which they claim to be employed by a legitimate business. The scam callers will often make illegitimate sales under the guise of representing a real business.
Social Media impersonation: Scammers and fraudsters may opt to create a fake business social media page with the aim to defraud existing and new customers.
How to Prevent Business Impersonation
There are several steps a business can take to help mitigate the risk of being impersonated by scammers.
Increase general scam knowledge: Businesses can minimise the risk of clients falling victim to scams by providing general education on scams. This can be achieved by providing resources on good scam safety practices such as verifying the legitimacy of communications sent to them by double checking with the business directly, avoiding clicking on links, and recognising phishing attempts.
Empower clients to recognise and respond to an impersonation attempt: A business can help clients recognise an impersonation attempt by communicating to clients exactly how and why the business would contact them, and by outlining what the business would not request from a client. Businesses should also consider setting up a clear reporting mechanism for clients, such as an online form or a dedicated phone line.
Train employees on scams: Businesses should ensure that employees are well-equipped to recognise and respond to scam attempts. Delivering training and resources on scams will help employees practise good scam safety. Resources on various types of scams can be found in our Learning Centre.
Enforce multi-factor authentication (MFA): The use of MFA across a business should be mandatory. MFA adds a second verification step for online account access, in addition to a unique username and strong password or passphrase. MFA methods include one-time passcodes sent to a trusted mobile phone number or email address, or the use of an authenticator app. MFA adds an extra layer of security that can help prevent a business’s accounts being compromised.
Monitor the use of the business name: Businesses should actively monitor the use of their business name online in order to detect any impersonating websites or social media pages. Businesses should also consider buying look-alike domains, and should keep track of domain expiry dates so that scammers cannot buy the business domain if ownership is not promptly renewed. Additionally, businesses can implement mail filtering or intrusion detection rules that flag inbound emails sent from domains similar to the business’s own domain. Businesses can also set up Google Alerts to notify them of any new search results or activity using their brand on websites.
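The look-alike checks described under email spoofing and domain monitoring above can be automated. The following is an added example (not IDCARE’s code) that classifies inbound From: headers against a protected domain; it assumes ‘example.com’ is the business’s real domain, and the confusable-character table and sample headers are constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

LEGITIMATE_DOMAIN = "example.com"  # assumed: the business's real email domain
BRAND = "example"                  # assumed: the brand word customers recognise

# Look-alike substitutions seen in imitation domains (constructed, not exhaustive)
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s"})
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}

def skeleton(text: str) -> str:
    """Canonical form: strip accents, lowercase, fold look-alike characters."""
    folded = unicodedata.normalize("NFKD", text)  # split accented letters into base + mark
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    folded = folded.casefold().translate(CONFUSABLE_CHARS)  # 'I' -> 'i' -> 'l'
    for pair, single in CONFUSABLE_PAIRS.items():
        folded = folded.replace(pair, single)
    return folded

def assess_domain(domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender domain."""
    domain = domain.casefold().rstrip(".")
    if domain == LEGITIMATE_DOMAIN or domain.endswith("." + LEGITIMATE_DOMAIN):
        return "legitimate"
    if skeleton(domain) == skeleton(LEGITIMATE_DOMAIN):
        return "lookalike"  # homoglyph swap: exampIe.com, examp1e.com, exarnple.com
    brand = skeleton(BRAND)
    for label in skeleton(domain).split("."):
        if brand in label:  # other extension or brand embedded: example.co, exampleaustralia.com
            return "lookalike"
        if SequenceMatcher(None, brand, label).ratio() >= 0.8:
            return "lookalike"  # one-character typo: exampl.com
    return "unrelated"

def assess_from_header(header: str) -> str:
    """Classify a raw From: header, catching display-name spoofing as well."""
    display_name, address = parseaddr(header)
    verdict = assess_domain(address.rpartition("@")[2])
    # Brand in the display name but the address is on an unrelated domain
    if verdict == "unrelated" and skeleton(BRAND) in skeleton(display_name):
        return "display-name spoof"
    return verdict

# Constructed sample From: headers covering the patterns described in the text
SAMPLE_HEADERS = [
    "Lee <Lee@example.com>",
    "Lee <Iee@exampIe.com>",
    "Accounts <accounts@example.co>",
    "Accounts <accounts@exampleaustralia.com>",
    "Example Accounts <example.accounts@gmail.com>",
    "Newsletter <news@unrelated-sender.net>",
]

def scan(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its verdict; anything but 'legitimate' warrants review."""
    return {hdr: assess_from_header(hdr) for hdr in headers}
```

The skeleton comparison is what catches the ‘Iee@exampIe.com’ case, since both the real and the imitation address fold to the same string.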
Consider privacy protection: Scammers can use information openly available online to appear more credible if they impersonate a business. Employees should be careful posting information online that identifies their workplace, position, work email address, and personal email address – this can make them easier to impersonate. Businesses should implement a policy of verifying email addresses and identity before completing sensitive email requests.
Ensure network security protection: Businesses can complete the following tasks, or can engage their internet service provider (Telstra, Optus etc.) for assistance if they do not have the technical knowledge to do so.
o Check/change wireless network encryption to WPA2 or WPA3. This is a simple setting on your router which may already be enabled, but it is important to confirm that this is the case.
o Change the router and modem password from the default settings. Default credentials such as ‘Admin’ / ‘Password’ are common across hardware vendors; you should change this to a strong password and consider updating it every six months.
o Check that the WiFi router’s inbuilt firewall is enabled.
o Hide the network SSID and change the default network name. This will stop the name of your network from being broadcast publicly.
o Check and remediate WiFi router update requirements and configure auto update if available. This may be a manual process which involves updating the firmware of your router. You may need to check the retailer’s website (depending on the router used) for the latest available updates.
o Enable MAC whitelisting on your router. A MAC address is the identifier linked to a specific device (your phone, computer and tablet will have individual MAC addresses). By ‘whitelisting’ the MAC addresses of approved devices, you are preventing anyone with a MAC address NOT whitelisted from accessing your business networks.
o Disable remote administration on your WiFi router. This will prohibit an outside party from monitoring or altering the settings of your network.
Conduct a data asset review and risk management: Businesses should consider the information they collect: why it is collected, where it is stored, how it is protected, who has access to it, how long it is kept for, and where and how it is destroyed. Where information assets (such as client, supplier, and payroll details) are stored on a local machine, businesses should consider backing up this information in a secure manner. Businesses may wish to encrypt this data with a password (Office products like Word and Excel can have a password added via File > Info > Protect Document > Encrypt with Password) and store a backup on removable media or with a secure cloud-based provider (OneDrive, for example).
How to Respond to Business Impersonation
An effective response to business impersonation depends on the type of business impersonation and subsequent damage or harm done. General guidance is provided below and will apply in any events of business impersonation. Following this section is more specific information relating to the type of impersonation you may have experienced.
In any event of business impersonation, follow these steps:
Notify the internal accounts receivable, accounts payable and payroll teams of the impersonation.
Report to law enforcement: Australian businesses can report impersonation scams to ReportCyber. A reference number will be provided after submitting a report, which should be recorded. The information in your report will be sent to the appropriate police jurisdiction for assessment, however, note that not all reports are investigated.
Report a scam to the Australian Competition and Consumer Commission (ACCC): If you have not already, you can report a scam to the ACCC through Scamwatch using their online web form. This will not lead to an investigation of the scam but is used by the ACCC to collect data around scams and to inform the public. In some cases, the ACCC may contact you if they require extra information about the scam. Please note that the ACCC is unable to help you recover any money you have lost to a scam or assist in tracking down the scammer.
Notify your customers: Businesses should prioritise informing customers of any compromise so they can take the necessary steps to protect themselves. Public awareness of the issue should be encouraged through social media channels or other communications. Additionally, businesses should ensure that any transactions are verified and facilitated through an alternative method.
Check other online platforms: Businesses should check if their business name has been compromised on any other platforms. A simple Google search can help determine if there are any scammers impersonating your business through social media pages, websites, or incorrect business listings (changed details).
Get support for handling the breach of sensitive information: Businesses should consider whether there may have been unauthorised access to, or disclosure of, customers’ or employees’ personal information through the compromise or impersonation event. The Office of the Australian Information Commissioner (OAIC) has information about what a notifiable data breach is, and IDCARE can provide support and advice in determining your next steps if an event has occurred.
Responding to website impersonation
1. Do not click on any links or images within the impersonation website, as they may be malicious.
2. Report the website to the registrar that owns the domain (the domain registrar): To find the domain registrar for websites and where to report abuse, use whois.domaintools.com. Include information about the fraudulent domain name and how it is similar to your business in the takedown request.
Where the website ends in ‘.au’, you can also submit a complaint to auDA – which is the official Australian authority for domain names ending in ‘.au’, such as ‘com.au’, ‘net.au’ and ‘org.au’. You may also use the auDA Whois lookup to find the domain registrar and where to report abuse.
3. Report the website to WA ScamNet: Businesses may be able to have the impersonating website listed on the WA ScamNet alert pages. Businesses do not have to operate in WA to be listed. WA ScamNet has information relating to trending scams, alerting customers of fraudulent sites. They can also offer further advice regarding small business compromises. WA ScamNet can be contacted on 1300 30 40 54.
Responding to business email compromise
1. Report fraudulent email usage to the relevant provider: Businesses should determine whether the impersonating email was an instance of email spoofing or email compromise by checking the sender’s email address. Spoofed emails can be reported to the relevant provider. Please see instructions on how to do so for Gmail or Outlook. For other email providers, refer to their websites for abuse reporting methods.
2. Contain business email accounts:
Implement MFA on all user accounts.
Log off all machines and impose a password reset on all accounts immediately.
Check the affected accounts for changed account recovery settings - for example, unknown phone numbers and email addresses. If these have been changed, restore them to the legitimate recovery settings.
Check for any forwarding rules on all email accounts, both in the email application (e.g. the desktop client) and in the web email interface (e.g. the browser).
Check other email folders to see if emails have been moved. Scammers will often store emails which they have sent or engaged with in less frequently accessed folders such as RSS Feeds (Outlook) or Deleted Items.
Check for any stored (cached) email address autofill entries to avoid accidentally sending emails to an unauthorised person. If you type in an address that is autofilled to an unknown third party, simply delete the email address so that it is removed from autofill.
Review this step-by-step guide on email account security provided by ASD.
3. Contain affected computers and network systems:
Run an antivirus software scan and ensure that your business devices are up to date with the most recent security patches and system updates. Configure your settings to ensure that the antivirus scan automatically runs, at least daily, and that system and security updates occur automatically in future.
FOR WINDOWS: Enable Windows Defender and Windows update to ensure the most recent updates are automatically downloaded and applied to your business’s system. For additional guidance, see Microsoft’s Security webpage for Windows 10 and 11. Additionally, consult IDCARE’s Malware and Small Business Fact Sheet.
Check the level of security as outlined in the Windows Security Centre on your machine – check that the following points are enabled, and no further actions are needed:
o Virus and Threat Protection;
o Firewall and Network Protection;
o App and Browser Control; and
o Account Protection.
FOR MAC: See Apple’s guidance here. Additionally, consult IDCARE’s Malware and Small Business Fact Sheet.
Sign out of any unrecognised devices (Microsoft, Gmail, Yahoo, AppleID, Facebook).
For network-accessed devices and storage devices: check and restore recovery settings, update the password, and implement multi-factor authentication if possible.
Responding to social media impersonation and unauthorised advertisements
Report to the relevant social media platform: Most social media platforms have mechanisms in place to deal with reported impersonation scams. Businesses can report such content by using the in-built reporting mechanisms of the platforms.
Facebook: According to Facebook Community Standards, the platform does not tolerate content that falsely claims to represent an established business for the purposes of scams and fraudulent activity. Please visit this webpage for directions on how to report a Facebook profile, post, or advertisement that is impersonating your business. Visit this webpage for guidance on how to report an impersonating account if you do not have a Facebook account yourself.
Instagram: According to Instagram’s Terms of Use, the platform can remove or ban any content that is fraudulent, used for illegal purposes, or impersonates someone else. Please visit this webpage for directions on how to report an Instagram account, post, or advertisement that is impersonating your business.
X (formerly Twitter): Impersonation is a violation of the X Rules and can result in accounts being permanently suspended. Please visit this webpage for directions on how to report an impersonation scam on X, and for further information on how X handles impersonation.
TikTok: Please visit this webpage for directions on how to report an impersonation scam on TikTok.
For all other social media platforms, visit the relevant platform’s help centre for directions on how to report content.
Report to the hosting website: If the unauthorised advertisement is on a site that is not a social media platform, then businesses should report the advertisement to the website that is hosting the advertisement. Please see information on how to report advertisements hosted on Google and Bing.