Impersonation scams are surging across Australia. Banks, the ATO, and even the AFP are warning of attackers mimicking trusted brands, using breached data, and exploiting AI to create convincing emails, messages, and even calls.
Identity fraud is up 8%, and email compromise remains the most prevalent cybercrime impacting Australian businesses, according to the Australian Signals Directorate (ASD).
This article explores today’s most common impersonation threats, how to recognise them, practical verification techniques, and how to help your staff confidently respond to suspicious contact.
Before you can protect your business, you need to know what a suspicious request looks like. Below are the most common impersonation scams affecting organisations today.
Scammers impersonate a known business or individual and send a fake email or SMS from what appears to be a legitimate address. These messages often include links or requests for personal information, which are commonly framed as:
Verifying account activity
Confirming customer details
Completing a survey
Once obtained, this personal information can then be used to access accounts or impersonate the individual elsewhere.
Threat actors impersonate clients, vendors, or employees and request payment to an account they control.
Invoice fraud is particularly common: attackers compromise or spoof a vendor’s email and send a modified invoice with updated bank details and contact information. Businesses often don’t realise money has been diverted until it's too late.
Threat actors also impersonate executives to authorise fraudulent invoices or request urgent banking detail changes.
Scammers can create fake websites using stolen logos, ABNs, and branding to appear legitimate. They often request goods before payment, which leaves legitimate businesses out of pocket.
When targeting individuals, scammers often offer goods at unusually low prices as a lure.
For businesses, scammers may impersonate suppliers and request payment for routine services or goods, such as domain renewals, repeat advertising, or office supplies.
These scams rely on social engineering, such as urgency messaging, rather than sophisticated malware, which is a large part of why they succeed so often.
The AFP has reported a rise in BEC attacks targeting the construction industry, where high-value payments and large invoice orders make the sector a prime target.
In a recent incident, scammers impersonated a real Queensland construction company and deceived one of its clients into paying more than $1 million into a fraudulent account. Attackers replicated internal processes with “alarming precision” and used malware to capture logins and set hidden mailbox rules to intercept or hide emails containing terms like ‘invoice’ or ‘payment’.
Sender address looks unusual or slightly altered
Mismatched display names and email headers
Requests that bypass normal processes
Pressure to act quickly
Poor spelling or grammar
Generic greetings
Requests outside of normal business hours
Unfamiliar tone from a known contact
Multiple follow-ups pushing for action
Conflicts with documented procedures
Unexpected outreach from a company or partner
Identity verification
If a potential threat actor has reached out to your business, the first thing you should do is confirm the request using a separate, trusted channel: a phone call, email, or internal directory entry, using contact details you already hold rather than any supplied in the message itself.
To verify a business:
Look them up on the Australian Business Register or Australian Securities and Investments Commission (ASIC).
Check relevant permits or licences, for example financial services licences.
Search for reviews on reputable third-party platforms, not social media or the business’ own site.
If you’ve been contacted by someone who you’ve dealt with before, compare digital signatures, known domains, or previous messaging patterns.
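The red flags listed above (altered sender address, display name and header mismatch, pressure to act quickly) and the known-domain comparison just described can be checked mechanically before a message reaches a mailbox. The following is an added example, not code from the original article; the vendor allow-list, keyword lists and both sample messages are constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor allow-list and keyword lists for this example (assumptions).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com.au", "northbuild.com.au"}
URGENCY = ("urgent", "immediately", "today", "asap")
BANK_CHANGE = ("bank details", "bsb", "account number", "new account")

def red_flags(raw):
    """Return the red flags found in one plain-text RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    for known in KNOWN_VENDOR_DOMAINS:
        brand = known.split(".")[0].replace("-", " ")
        # Display name claims a known vendor but the address is not that vendor's,
        # or the sender domain is a near miss of it (letter swapped, added or dropped).
        if brand in name.lower() and domain != known:
            flags.append(f"display name '{name}' does not match sender domain {domain}")
        if domain != known and SequenceMatcher(None, domain, known).ratio() >= 0.9:
            flags.append(f"lookalike domain {domain} resembles {known}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():  # replies would go elsewhere
        flags.append(f"Reply-To {reply} differs from From {addr}")
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    if any(w in body for w in BANK_CHANGE):
        flags.append("requests a change of bank details")
    if any(w in body for w in URGENCY):
        flags.append("pressure to act quickly")
    return flags

# Constructed sample messages: a lookalike-domain invoice redirection attempt
# (capital I for l in the domain) and a routine invoice from the genuine vendor.
SUSPICIOUS = """From: ACME Supplies Accounts <accounts@acme-suppIies.com.au>
Reply-To: accounts.acme@example.net

Our bank details have changed. Pay invoice 4471 today to the new account (BSB 000-000).
"""
CLEAN = """From: ACME Supplies Accounts <accounts@acme-supplies.com.au>

Attached is invoice 4470 for last month's order, due in 30 days.
"""
```

Any non-empty result is a reason to route the message for the out-of-band verification described above rather than act on it.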
Process verification
Another step to validate a potential scam request is to check it against internal workflows and systems:
Confirm PO numbers.
Check invoice formats.
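The process checks above (PO numbers, invoice formats, and, given the invoice fraud pattern described earlier, bank details) can be applied as a single gate before a payment is released. This is an added example rather than the article's own process; the vendor master record, open purchase order and both invoices are constructed, and the 1% amount tolerance is an assumed policy.

```python
import re

# Constructed vendor master data and open purchase orders (assumptions, not real data).
VENDOR_MASTER = {
    "V-0102": {"name": "ACME Supplies", "bsb": "012-345", "account": "12345678",
               "invoice_format": r"^ACM-\d{5}$"},
}
OPEN_POS = {"PO-88412": {"vendor": "V-0102", "amount": 18250.00}}

def verify_invoice(inv):
    """Check an invoice against internal records; return the reasons to hold payment."""
    holds = []
    vendor = VENDOR_MASTER.get(inv["vendor_id"])
    if vendor is None:
        return ["vendor not in master record"]
    if not re.match(vendor["invoice_format"], inv["invoice_no"]):
        holds.append(f"invoice number {inv['invoice_no']} does not match vendor format")
    po = OPEN_POS.get(inv["po_no"])
    if po is None:
        holds.append(f"PO {inv['po_no']} not found among open orders")
    elif po["vendor"] != inv["vendor_id"]:
        holds.append(f"PO {inv['po_no']} belongs to a different vendor")
    elif abs(po["amount"] - inv["amount"]) > 0.01 * po["amount"]:  # assumed 1% tolerance
        holds.append(f"amount {inv['amount']} differs from PO amount {po['amount']}")
    # Bank details must match the master record; a change is only accepted after
    # confirming it with the vendor on the phone number already on file.
    if (inv["bsb"], inv["account"]) != (vendor["bsb"], vendor["account"]):
        holds.append("bank details differ from vendor master record; verify out of band")
    return holds

# Constructed invoices: one with a malformed number and new bank details, one genuine.
SUSPICIOUS_INVOICE = {"vendor_id": "V-0102", "invoice_no": "ACM-4471", "po_no": "PO-88412",
                      "amount": 18250.00, "bsb": "000-000", "account": "00000000"}
GENUINE_INVOICE = {"vendor_id": "V-0102", "invoice_no": "ACM-04470", "po_no": "PO-88412",
                   "amount": 18250.00, "bsb": "012-345", "account": "12345678"}
```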
Technical tools
Technical safeguards many organisations implement include:
These tools add automated layers of defence beyond human detection.
Internal checks
Best practices include:
Your people are one of the highest risk factors when it comes to impersonation scams because they’re often the primary target. That’s why training staff to recognise suspicious contact and respond correctly before they engage with a potential scammer is essential to protecting your business.
Start with the fundamentals, such as simulating phishing or impersonation attempts, role-based training, or interactive quizzes that help them engage and make decisions in real time.
Once a regular training schedule is set up, establish a routine behavioural assessment to help keep scam awareness top of mind, for example, sending out monthly phishing reminders and encouraging anonymous reporting.
Scamwatch recommends a simple three-step framework anyone can follow:
Stop: Don’t rush into making a decision
Check: Verify who you’re dealing with
Protect: Act fast if something feels wrong
Our team of cybersecurity experts are on hand to help you choose the right protection strategies, safeguard your data, and monitor your environment 24/7. We also offer security awareness training that strengthens your team’s ability to recognise and report malicious activity.
Contact us today to see how we can help your business go from exposed to scam-resilient.