Why Scammers Impersonate Businesses (And What You Can Do)

Every day, scammers send millions of fake emails pretending to be from banks, retailers, shipping companies, and government agencies. Here's why they target these specific businesses - and how to stay safe.

Why These Specific Businesses?

Scammers don't pick targets randomly. They choose businesses that:

1. Have Large Customer Bases

Send emails claiming to be from "Your Bank" and some recipients will actually be customers of that bank. It's a numbers game - spray enough emails and some will hit legitimate customers.

2. Handle Money or Sensitive Data

Banks, government agencies, and retailers are targets because that's where the money is. People expect emails about transactions, making fake ones more believable.

3. Send Legitimate Action-Required Emails

Companies like AusPost, banks, and the ATO regularly email customers asking them to take action. Scammers mimic these patterns because we're conditioned to respond.

4. Have Recognizable Brand Trust

An email from a trusted brand gets opened. An email from an unknown sender gets deleted. Scammers borrow that trust.

Most Commonly Impersonated

High-Value Targets

• Banks and financial institutions
• Government agencies (ATO, MyGov, Centrelink)
• Major retailers (Amazon, eBay)
• Tech companies (Microsoft, Apple, Google)

Utility Targets

• Shipping companies (AusPost, DHL, FedEx)
• Telecom providers
• Energy companies
• Internet providers

The Real Problem: Many Businesses Don't Protect Their Domains

Here's a frustrating reality: many legitimate businesses haven't set up proper email authentication. They don't have SPF, DKIM, and DMARC configured correctly (or at all).

This means:

• Scammers can send emails that appear to come from their domain
• Email providers can't tell the difference between real and fake emails
• Customers get scammed using the business's good name

Why Don't All Businesses Protect Their Domains?

Setting up email authentication requires technical knowledge. Many small businesses don't know it exists, or they're afraid of breaking their email delivery. Some large businesses have complex email systems that make implementation challenging. None of these are good excuses - but they're the reality.

What You Can Do

Check Domains with TrustNope

When our checker launches, you'll be able to see instantly whether a domain is protected. A "Nope" verdict means extra caution is warranted.

Verify Through Official Channels

If you receive an email asking you to take action, don't click the link. Go to the company's website directly or call their official number.

Be Skeptical of Urgency

Legitimate companies rarely send "ACT NOW OR ELSE" emails. If something seems urgent, that's exactly when you should slow down and verify.

Report Suspicious Emails

Forward phishing emails to the company being impersonated (most have a dedicated address like phishing@company.com) and to the ACCC's Scamwatch.

Are You a Business Owner?

If your domain isn't protected, you're not just vulnerable to scammers - you're putting your customers at risk. Every fake email sent in your name damages your brand and could cost someone their savings.

AuditROI can help you implement proper email authentication and monitor your domain for threats.

Protect Your Business

The Bottom Line

Scammers impersonate businesses because it works. They leverage the trust we have in brands we know. The solution is two-fold: businesses need to protect their domains, and consumers need to verify before they act.

Until every business properly protects their email, tools like TrustNope help bridge the gap - giving you visibility into which domains can be trusted and which are wide open for abuse.