What to Do When Someone Impersonates Your Business
Someone recently tried to impersonate Avietech.
The email didn’t come from our domain. It came from a free email account using our name, dressed up with an urgent WordPress warning, a little pressure, and links that weren’t what they appeared to be.
That’s phishing in its most common form. Not a dramatic hack. Not someone breaking through a firewall in a dark room. Just a scammer borrowing a trusted name and betting the recipient is busy enough to click.
It’s worth talking about because the same thing can happen to almost any small business.
Why this matters more in 2026
Phishing has always been a numbers game. What’s changed is how fast attackers can now make those messages look specific, polished, and believable.
The old advice was to look for typos and weird wording. That advice is basically retired. CrowdStrike’s 2026 threat reporting describes this as the “AI era” of attacks, and the practical meaning is simple: the work of researching a target, writing a convincing message, and tweaking it for different recipients has gotten cheap and fast. A phishing email can now be well written, correctly formatted, and completely fake.
So the gut check has to change too. The question isn’t “does this look sloppy?” anymore. It’s “did this actually come from who it claims to?”
Being impersonated doesn’t mean you were hacked
When people hear “someone sent an email as us,” they usually assume their account or website got compromised.
Sometimes that’s true. But more often the explanation is simpler: impersonation. A scammer creates a Gmail account, picks a display name that looks like your business, scrapes a few public details from your website, and emails your clients. They never touched your systems.
That distinction matters, because the response is completely different. If your systems were actually compromised, the job is technical and urgent: lock accounts, reset passwords, review logs, preserve evidence. If your name was borrowed from an outside account, the job is to warn the people who got the message, report the abuse, and clean up the public clues that made the scam easy. Both are serious. They’re just not the same fire to put out.
Why scammers love your public information
Most small businesses publish more useful-to-a-scammer information than they realize.
Your website might list clients, projects, testimonials, staff names, partner badges, and contact links. Your Google Business Profile shows real customer reviews. Directory sites mirror old addresses and outdated staff. None of that is alarming on its own. It’s just normal business visibility.
Put it all together, though, and it becomes a map: who you work with, what you offer, which platforms you use, and which clients already trust your name. That’s everything a scammer needs to write a message that sounds plausible.
The fix isn’t to hide your business from the internet. It’s to make sure your public information is intentional and current, not more specific than it needs to be.
What to do first
Start by separating facts from assumptions. Look at the actual sender address, not just the display name, and check whether the message really came from your domain. If you’re comfortable reading email headers, the authentication results buried in there will tell you whether the message was actually allowed to send as you. (If that sentence made your eyes glaze over, don’t worry. More on that in a minute.)
Once you know what you’re dealing with, report the abusive account through the email provider’s abuse process. Then get a short notice out to anyone who might have received the fake message. That notice has exactly one job: tell people what to do without setting off a panic. Keep it clear, specific enough to be useful, and short enough that people actually read it.
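A small triage script, added here as an example (not Avietech's own tooling), that does the "did this really come from us?" check on the original message: it reads the real sender address behind the display name and the DMARC result the receiving server recorded, then sorts the message into an outside-account impersonation, a spoof of our actual domain, or authenticated mail. The business name, domain and sample message are constructed placeholders; the post does not give Avietech's domain.

```python
import email
import re
from email.utils import parseaddr

# Placeholders: the post never names the real domain, so these are assumed.
BUSINESS_NAME = "avietech"
OUR_DOMAIN = "ourbusiness.example"

# Constructed sample modelled on the incident in the post: a free webmail
# account carrying our name in the display name plus an urgent hook.
SAMPLE_IMPERSONATION = """\
From: Avietech Support <avietech.support.team@gmail.com>
To: client@client.example
Subject: URGENT: your WordPress site needs attention
Authentication-Results: mx.client.example;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com;
 dmarc=pass header.from=gmail.com

Your site is at risk. Click the link below within 24 hours.
"""


def triage(raw_message):
    """Classify a raw RFC 5322 message by where it really came from.

    Returns (verdict, detail). The authentication results are whatever the
    receiving server recorded, so run this on the original message (the one
    forwarded as an attachment), not on a normal inline forward, which
    usually drops these headers.
    """
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    # A message may carry one Authentication-Results header per hop;
    # folded continuation lines are kept in the string and joined here.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    m = re.search(r"\bdmarc=(\w+)", auth)
    dmarc = m.group(1).lower() if m else "none"

    if from_domain == OUR_DOMAIN:
        if dmarc == "pass":
            return "authenticated", ("sent from our domain and passed DMARC; "
                                     "if we did not send it, suspect an account compromise")
        return "domain-spoof", f"claims {OUR_DOMAIN} but the DMARC result is {dmarc}"
    if BUSINESS_NAME in display_name.lower() or BUSINESS_NAME in from_domain:
        return "impersonation", f"our name on the outside sender {address}; our systems were not involved"
    return "unrelated", f"sender {address} does not reference us"
```

The verdict decides which playbook from the section above applies: "impersonation" means warn clients and file an abuse report, "domain-spoof" means fix domain authentication, and "authenticated" mail you did not send means start the technical incident response.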
What to tell your clients
If someone impersonates you, your client notice really only needs to cover the basics:
- This message didn’t come from us.
- Don’t click the links or reply.
- Don’t share passwords, payment details, website access, or anything sensitive.
- Use the “report phishing” button if your email program has one.
- If you’re unsure, call or email us directly at a number you already trust.
Resist the urge to overexplain. Your clients don’t need a lecture on SPF, DKIM, and DMARC. They need to know what happened, what not to do, and how to reach the real you.
What to check on your own domain
Even when the attacker uses a throwaway Gmail account, this is a good moment to check your own email setup. At a minimum, your domain should have three records working together:
- SPF says which services are allowed to send mail for your domain.
- DKIM adds a signature proving your messages weren’t altered in transit.
- DMARC tells receiving servers what to do when a message fails those checks.
These won’t stop someone from spinning up a lookalike Gmail account. But they make it much harder to spoof your actual domain, and they help inboxes tell your real mail apart from the fakes. If you don’t know whether yours are set up correctly, find out. It’s one of those quiet chores that only feels urgent after something has already gone wrong.
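To make "find out whether yours are set up correctly" concrete, here is an added example (not from the post) that reviews the two records you can read straight out of DNS, SPF and DMARC, and flags the settings that quietly leave a domain spoofable. The weak and corrected records are constructed for a placeholder domain; DKIM is per-selector and is not checked here.

```python
import re

# Constructed TXT records for a placeholder domain, not Avietech's real ones.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.google.com ?all",
    "dmarc": "v=DMARC1; p=none",
}
FIXED_RECORDS = {
    "spf": "v=spf1 include:_spf.google.com -all",
    "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc@ourbusiness.example; adkim=s; aspf=s",
}


def review(records):
    """Return plain-English findings for a domain's SPF and DMARC TXT records.

    `records` maps "spf" and "dmarc" to the TXT strings published at the
    domain and at _dmarc.<domain>; an empty list means nothing to fix.
    """
    findings = []
    spf = records.get("spf", "")
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no record, so any server may send as this domain")
    else:
        # The qualifier on the final 'all' decides what happens to senders
        # not listed: '+' or '?' (or none) lets them through.
        m = re.search(r"(?:^|\s)([+~?-]?)all(?:\s|$)", spf)
        if not m:
            findings.append("SPF: no 'all' mechanism, unlisted senders are not rejected")
        elif (m.group(1) or "+") in "+?":
            findings.append(f"SPF: '{m.group(1) or '+'}all' lets unlisted servers pass; use -all or ~all")

    dmarc = records.get("dmarc", "")
    if not dmarc.startswith("v=DMARC1"):
        findings.append("DMARC: missing, receivers get no policy for mail that fails SPF/DKIM")
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc.split(";") if "=" in t)
        if tags.get("p", "none").strip().lower() == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so you never see the failure reports")
    return findings
```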
What to clean up online
Once the immediate response is handled, take a look at the public information around your business.
Search your business name. Then search it again with words like “clients,” “reviews,” “portfolio,” “partners,” and “directory.” You’re hunting for stale or risky details:
- Old email addresses
- Former employees still listed as current contacts
- Client lists more detailed than they need to be
- Directory pages with outdated services or addresses
- Partner listings that make you sound like the official support line for something you don’t actually control
You don’t need to scrub your reputation off the web. You just need to remove the unnecessary targeting details and fix anything that makes a scammer’s story easier to sell.
This is also a great place to put AI to work defensively. Give an assistant a bounded task: find where your business name, client names, old domains, and contact info show up publicly, then turn that into a cleanup checklist. The useful job is exposure review, not guessing private email patterns or collecting anything you wouldn’t want used against you.
Save the evidence
If a client gets a suspicious message, ask them to forward it to you as an attachment if they can. A normal forward is fine for awareness, but it usually strips out the technical headers. The original attached message is the good evidence: it can show the sending server, authentication results, timestamps, and redirect paths that actually help an abuse report stick.
And ask them not to click the links “just to see where they go.” Curiosity is how a suspicious email turns into an active problem.
The bottom line
Phishing works because it borrows trust. For a small business, that means your good reputation can be turned against your own customers, and a scammer doesn’t need to break into anything to do it. A free email account and a message that sounds just official enough are plenty.
The best response is calm and practical:
- Verify whether the message really came from you.
- Warn people quickly.
- Report the abusive sender.
- Save the original messages.
- Check your domain authentication.
- Clean up stale public listings.
You can’t prevent every impersonation attempt. But you can make your business harder to impersonate, your clients harder to fool, and your response a whole lot faster when something does slip through.
Worried someone could spoof or impersonate your business by email? Send us a message and we’ll review your domain authentication, public listings, and client-facing communication in plain English.
Want more practical notes on small business tech, security, websites, and AI? Subscribe to the Avietech list for monthly-ish advice written by us and tested on us first.