It Started With a Voicemail From a CPA I'd Never Met

Last week, I received a voicemail from an accountant in Massachusetts. He was returning "my" call about becoming a client and wanted to discuss next steps. The problem with this is I never contacted him, never heard of his firm, and I don't even have any business connections in Massachusetts.

Someone had called this CPA pretending to be me, using a slight variation of my name, and had apparently discussed becoming a client, which typically involves sharing tax information, financial records, and other sensitive business data. This wasn't an isolated incident, though. Over the past few days, multiple people within and external to my LinkedIn network had received messages from someone claiming to represent my company. They were offering web development "deals" and trying to establish business relationships.

The common thread: none of these communications came from our actual business email domain. They came from a free Outlook account designed to look legitimate at a glance. This is business impersonation fraud, a close relative of what the FBI groups under Business Email Compromise (BEC): nobody broke into my mailbox, they simply borrowed my name and my company's name. It is one of the most common and costly forms of cybercrime, and it targets businesses like mine, and probably yours, every day.

Here's what I've learned about how these schemes operate, why they're so effective, and what you can do to protect yourself and your business.

The Anatomy of a Business Impersonation Scheme

These attacks aren't random. They follow a methodical process that exploits publicly available information and human trust.

Stage 1: Research and Reconnaissance

Before a scammer even sends a message, they've done their homework. LinkedIn is a goldmine for this:

  • Company names, employee names, and titles
  • Business relationships (who comments on whose posts)
  • Industry terminology and communication style
  • Professional services providers (accountants, lawyers, vendors)
  • Recent company news or projects

The more professional your online presence, the more material they have to work with. Ironically, being visible and engaged on LinkedIn, something we're all encouraged to do, provides scammers with exactly what they need.

Stage 2: Creating the Infrastructure

Once they understand your business, they start building their toolkit:

  • Lookalike email addresses: derek.neuts1@outlook.com instead of derek@ironglove.studio
  • Fake LinkedIn profiles: Same photo, similar job title, slight name variation
  • Spoofed phone numbers: VoIP services let you display any caller ID
  • Similar domain names: iron-glove-studio.com or ironglove.studio.net, or the real name with a zero in place of an “o”

The goal is to be close enough that someone scanning quickly won't notice the difference. They know you're busy and hope you won't take the time to really look. They also probe your defenses first: our email servers block many such attempts daily, because attackers send test messages to learn how far they can push. Don't dismiss those random emails with blank content; they are part of the reconnaissance.

Stage 3: Initial Contact

The first outreach is designed to seem legitimate and establish credibility:

  • "Hi, I run a web development agency and noticed your work..."
  • "I'm looking for accounting services for my business..."
  • "Following up on our conversation last week..."

Notice the tactics: they reference real things about you, use professional language, and often imply an existing relationship. People are naturally inclined to be helpful, especially when someone seems to know them. The scammers prey on that instinct for human connection, but they do it badly. Their approach is methodical and formulaic, whereas real connections are more dynamic and come without pretense or pressure.

Stage 4: Escalation to Financial Fraud

Once trust is established, requests escalate:

  • Tax documents "for the accountant"
  • Wire transfers for "urgent invoices"
  • Credential sharing for "account access"
  • Payment for services that were never actually discussed

The genius of this approach is that the victim often doesn't realize they're being scammed until much later, if ever. The CPA who received the fake call might have onboarded a new "client," collected sensitive information, and never known it wasn't legitimate. We also get messages that spoof our own employees from Gmail and Outlook addresses: asking for their HR records, saying payroll details need updating, or claiming a PTO request is waiting and I just need to click a link to review and approve it.

Why They Can't Use My Real Email (But Might Be Able to Use Yours)

Here's the technical reality that most small business owners don't know: your email domain is either locked down or it's an open door for fraud. Three protocols determine whether someone can send emails that appear to come from your domain:

SPF (Sender Policy Framework)

This is a DNS TXT record listing which servers (by IP address, or by reference to other domains' records) are authorized to send mail for your domain. Receiving servers look it up for the domain in the SMTP envelope sender (the Return-Path), not the visible From header, and can flag or reject mail that arrives from a server the record doesn't list.

DKIM (DomainKeys Identified Mail)

This adds a cryptographic signature to your outgoing mail, covering the body and selected headers. The receiving server fetches the signing domain's public key from DNS and verifies the signature, proving the signed parts weren't altered in transit and that the message came from a server holding the signing domain's private key.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

This is the enforcement layer, published as a TXT record at _dmarc.yourdomain. It ties SPF and DKIM to the domain in the visible From header (the "alignment" check) and tells receiving servers what to do when neither an aligned SPF pass nor an aligned DKIM pass exists: monitor only (p=none), send to spam (p=quarantine), or refuse the message outright (p=reject). It also lets you receive aggregate reports showing who is sending mail as your domain.

Here's the critical point: if you've properly configured all three with p=reject, a scammer cannot send mail with your domain in the From field to any receiver that enforces DMARC, and Gmail, Outlook, Yahoo, and the other major providers do. What these protocols cannot do is stop someone from putting your name in front of a free-mail address or registering a lookalike domain, which is exactly why those are the tactics that get used.

That's exactly why the scammer impersonating me had to create a free Outlook account. They couldn't use @ironglove.studio because our DMARC policy is set to reject unauthorized emails. So they created ‘derek.neuts1@outlook.com’ and hoped people wouldn't look closely.

The problem? Most small businesses haven't configured these protections. Industry studies have consistently found that fewer than 30% of domains publish a DMARC policy at all, and fewer still set it to "reject." For those domains, scammers can send mail that appears to come directly from the real domain, company name and all, in the From field.

If someone can spoof your actual domain, the fraud becomes much harder to detect. You may never know that invoices are being issued and deals struck under your company's name with criminal intent until investigators, or angry counterparties, reach out to you.
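To make the alignment and policy logic above concrete, here is an added example (not code from this post, and not how any particular mail provider implements it) of the decision a DMARC-enforcing receiver reaches after it has already evaluated SPF and DKIM. The domains, results and the "attacker.example" relay are constructed, and the organizational-domain helper is a simplification that ignores the Public Suffix List real receivers consult.

```python
# Added example, not the author's code: the disposition a DMARC-enforcing
# receiver reaches once SPF and DKIM have already been evaluated. All domains
# and results below are constructed for illustration.
from dataclasses import dataclass, field


def organizational_domain(domain: str) -> str:
    """Simplification: take the last two labels. Real receivers consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment. 's' (strict) needs an exact match; 'r'
    (relaxed, the default) accepts any subdomain of the same organization."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str        # domain of the visible RFC5322.From header
    spf_result: str         # "pass", "fail", "softfail" or "none"
    spf_domain: str         # domain SPF was checked for (SMTP MAIL FROM / Return-Path)
    dkim_pass_domains: list = field(default_factory=list)  # d= of signatures that verified


def dmarc_disposition(auth: AuthResults, policy: str, adkim: str = "r", aspf: str = "r") -> str:
    """Return "pass" when an aligned SPF or DKIM pass exists, otherwise the
    domain owner's requested action: "none", "quarantine" or "reject"."""
    spf_ok = auth.spf_result == "pass" and aligned(auth.from_domain, auth.spf_domain, aspf)
    dkim_ok = any(aligned(auth.from_domain, d, adkim) for d in auth.dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else policy


# Constructed scenarios; "attacker.example" stands in for whatever server the
# scammer relays through (its own SPF passes, but it is not aligned).
FORGED_FROM_COMPANY = AuthResults("ironglove.studio", "pass", "attacker.example", [])
REAL_FREE_MAIL = AuthResults("outlook.com", "pass", "outlook.com", ["outlook.com"])
THIRD_PARTY_SENDER = AuthResults("ironglove.studio", "pass", "bounce.ironglove.studio", [])


def scenarios() -> dict:
    return {
        # forged company From, domain publishes p=reject: dropped at the border
        "forged_reject": dmarc_disposition(FORGED_FROM_COMPANY, "reject"),
        # same forgery, domain only monitors: the message is delivered
        "forged_none": dmarc_disposition(FORGED_FROM_COMPANY, "none"),
        # derek.neuts1@outlook.com really is sent by outlook.com, so it passes;
        # DMARC protects the domain, not the name in front of the @
        "free_mail": dmarc_disposition(REAL_FREE_MAIL, "reject"),
        # legitimate sender using a subdomain for bounces: relaxed SPF
        # alignment passes, strict alignment does not (it would need DKIM)
        "subdomain_relaxed": dmarc_disposition(THIRD_PARTY_SENDER, "reject", aspf="r"),
        "subdomain_strict": dmarc_disposition(THIRD_PARTY_SENDER, "reject", aspf="s"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18} -> {result}")
```

The "free_mail" scenario is the one to notice: the impersonator's Outlook message authenticates perfectly, because it genuinely comes from outlook.com. DMARC keeps your domain out of the From field; it says nothing about the display name, which is why the domain check in the next section matters.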

Red Flags: What to Watch For

Whether you're a business owner, an employee, or just someone who receives professional emails, train yourself to notice these warning signs:

The Email Domain Doesn't Match the Website

This is the single most reliable check. If someone claims to represent a company, their email should come from that company's domain.

  • ✅ derek@ironglove.studio → matches ironglove.studio
  • ❌ derek.neuts1@outlook.com → free email, not company domain
  • ❌ derek@iron-glove-studio.net → lookalike domain, not the real one

Before engaging with any business inquiry, verify that the email domain matches the company's actual website. Do your homework and look them up: are they real? We've had scammers contact us posing as companies with "deals," just to get their hands on documents, processes, pricing, and other competitive information. When we contacted the actual companies, they were completely unaware but grateful that we let them know. We have a specific process for determining the legitimacy of these requests, and I can cover that in another article.
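The three cases above can be turned into a triage rule. The following is an added example, not code from this post: it classifies the sender domain of an inbound message against your own domain, treating a subdomain as a match, a known free-mail provider as "free-mail," and anything that contains or nearly equals your name after folding look-alike characters (0 for o, l for I, rn for m) as "lookalike." The company domain, the free-mail list and the sample addresses are assumptions chosen to mirror the examples in the text.

```python
# Added example, not from the original post. Company domain, free-mail list
# and addresses are assumptions chosen to mirror the cases in the text.
FREE_MAIL = {
    "gmail.com", "outlook.com", "hotmail.com", "live.com",
    "yahoo.com", "icloud.com", "proton.me", "protonmail.com", "aol.com",
}

# Characters scammers substitute for look-alikes; everything is folded to
# one canonical form before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i", "3": "e", "5": "s"})


def fold(s: str) -> str:
    """Canonicalise for comparison: lowercase, map look-alike characters,
    collapse 'rn' to 'm', and drop the separators lookalike domains add."""
    s = s.lower().translate(HOMOGLYPHS).replace("rn", "m")
    return s.replace("-", "").replace(".", "")


def registrable(domain: str) -> str:
    """Last two labels; a simplification that ignores the Public Suffix List."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, company_domain: str) -> str:
    """Return one of: match, free-mail, lookalike, unrelated, invalid."""
    company = company_domain.lower()
    if "@" not in address:
        return "invalid"
    domain = address.rsplit("@", 1)[1].lower().strip(".")
    if domain == company or domain.endswith("." + company):
        return "match"
    # Checked before the lookalike test: "ironglove.studio@gmail.com" is
    # still a free-mail account, whatever sits in front of the @.
    if registrable(domain) in FREE_MAIL:
        return "free-mail"
    company_name = fold(company.rsplit(".", 1)[0])   # "ironglove" for ironglove.studio
    if company_name in fold(domain) or levenshtein(fold(domain), fold(company)) <= 2:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for addr in ("derek@ironglove.studio", "derek.neuts1@outlook.com",
                 "derek@iron-glove-studio.net", "info@lronglove.studio",
                 "bob@acme-accounting.com"):
        print(f"{addr:32} {classify_sender(addr, 'ironglove.studio')}")
```

"Unrelated" is not "safe": it only means the domain isn't pretending to be yours, so the usual check that the domain matches the company the sender claims to represent still applies.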

Slight Name Misspellings

"Derek Noots" instead of "Derek Neuts." "lronglove" (a lowercase L in place of the capital I) instead of "IronGlove." These small variations are designed to pass a quick glance but fail close inspection. We also use our registered mark, as IronGlove Studio® is a federally registered brand, which means statutory damages are available against anyone using our mark without permission.

Urgency and Pressure

"I need this handled before end of day." "This is time-sensitive." "Please don't discuss this with anyone else yet." Legitimate business relationships rarely involve urgent, secretive demands for sensitive information.

Unusual Requests Early in a Relationship

A new contact immediately asking for tax documents, wire transfers, account credentials, or detailed financial information is almost always a scam. Real business relationships build trust over time.

Requests to Change Communication Channels

"Let's move this to my personal email." "Can you call me at this other number?" "Let's continue this conversation on WhatsApp." Scammers want to move away from channels that might be monitored or where their inconsistencies could be spotted.

Inconsistencies in Details

Phone calls from unexpected area codes and references to conversations you don't remember having are quite common. Job titles or company details that don't match what's publicly available are also red flags, as these small inconsistencies often reveal the fraud.

What to Do If Your Business Is Being Impersonated

If you discover that someone is using your business name or identity fraudulently, or you suspect they may be, here are some ways to fight back:

1. Document Everything

Save screenshots, emails, voicemails, and any reports from people who were contacted. Note dates, times, and the specific accounts or phone numbers used. This documentation is essential for reporting and may be needed if the situation escalates legally.

2. Alert Your Network Immediately

The faster you warn your connections, clients, and vendors, the less effective the scam becomes. Post on LinkedIn, send emails to key contacts, and make sure your team knows to be vigilant.

3. Report the Fraudulent Accounts

  • Microsoft (Outlook/Hotmail): https://msrc.microsoft.com/report/abuse
  • Google (Gmail): https://support.google.com/mail/answer/8253
  • LinkedIn: Report fake profiles directly through the platform
  • Domain registrars: if they've registered a lookalike domain, report it to the registrar's abuse contact, which is published in the domain's WHOIS/RDAP record

4. File Official Reports

  • FTC Identity Theft Report: https://www.identitytheft.gov/ Creates an official record and provides a recovery plan
  • FBI IC3: https://www.ic3.gov/ For reporting internet crimes, especially if financial fraud was attempted
  • State Attorney General: Many states have consumer protection divisions that handle business fraud

5. Take Protective Measures

If tax information was specifically targeted, consider applying for an IRS Identity Protection PIN (we have one). If financial information was involved, place fraud alerts on your credit reports. You can also lock your credit down (we’ve done this, also).

Protecting Your Business Before It Happens

Don't wait until you're a target. Here's what to do now:

Lock Down Your Email Domain

This is the single most important step. Configure SPF, DKIM, and DMARC for any domain you use for business email. If you're not technical, your IT provider, web host, or email service can help. The cost is minimal, often just DNS record changes, but the protection is significant.

Set your DMARC policy to ‘p=reject’ so fraudulent emails are blocked entirely, not just flagged.

Check Your Current Configuration

Free tools like MXToolbox (mxtoolbox.com) can analyze your domain and tell you whether SPF, DKIM, and DMARC are properly configured. Run a check today and fix any gaps.
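If you would rather read the records yourself, the following added example (not code from this post, and not what MXToolbox runs) audits an SPF and a DMARC record for the gaps discussed above: a missing or permissive "all" term, more than ten lookup mechanisms, p=none or p=quarantine, a partial pct=, a weaker subdomain policy, and no reporting address. The two record sets are constructed; in practice you would paste in the output of `dig +short TXT ironglove.studio` and `dig +short TXT _dmarc.ironglove.studio`. Nested include: records are not followed, so the lookup count is a lower bound.

```python
# Added example, not from the original post. The WEAK and STRONG record pairs
# are constructed; feed in your own TXT records to audit a real domain.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def audit_spf(record: str) -> list:
    """Return a list of findings for an SPF TXT record; empty means no gaps."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1          # includes inside includes are not followed here
            if name == "ptr":
                findings.append("ptr mechanism is deprecated and slow")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted servers get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every server on the internet")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral, so SPF adds nothing")
    elif all_qualifier == "~":
        findings.append("'~all' softfails; acceptable with DMARC enforcement, otherwise use '-all'")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list:
    """Return a list of findings for a DMARC TXT record; empty means no gaps."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag; record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to spam rather than rejecting them")
    sub = tags.get("sp", policy)
    if policy in POLICY_RANK and sub in POLICY_RANK and POLICY_RANK[sub] < POLICY_RANK[policy]:
        findings.append(f"subdomain policy sp={sub} is weaker than p={policy}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return findings


def audit_domain(spf_record: str, dmarc_record: str) -> dict:
    return {"spf": audit_spf(spf_record), "dmarc": audit_dmarc(dmarc_record)}


# Constructed record pairs: a typical "set up but never enforced" domain and
# a locked-down one.
WEAK = ("v=spf1 include:spf.protection.outlook.com include:_spf.google.com ptr ~all",
        "v=DMARC1; p=none; pct=50")
STRONG = ("v=spf1 include:spf.protection.outlook.com -all",
          "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@ironglove.studio")

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit_domain(*records))
```

The DKIM half of the check is a key lookup at `<selector>._domainkey.yourdomain`, which needs the selector names your mail provider uses and so isn't covered by the record parser above.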

Educate Your Team

Make sure everyone in your organization knows how to spot impersonation attempts, both ones targeting your business and ones where your business identity is being used against others. Create a culture where unusual requests get verified through a second channel. Some companies have their IT team run random phishing and fraud simulations against employees; anyone who falls for one gets coaching rather than blame, and the exercise becomes an opportunity for education.

Monitor Your Brand

Set up Google Alerts for your business name, owner names, and key employee names. Periodically search for your domain with variations to see if lookalike domains have been registered. We’ve found so many of these over the years for clients that it’s shocking.
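Searching "your domain with variations" is easier with the variations generated for you. The following added example (not code from this post) enumerates the typo, homoglyph, hyphenation and TLD-swap candidates for a domain so you can check which ones are registered; the substitution table and TLD list are assumptions, and the output is a list of names to look up, not evidence that any of them exist.

```python
# Added example, not from the original post: enumerate lookalike domains to
# check for registration. Substitution table and TLD list are assumptions.
LOOKALIKE_SUBS = {
    "o": ("0",), "i": ("1", "l"), "l": ("1", "i"), "e": ("3",),
    "s": ("5",), "a": ("4",), "m": ("rn",), "w": ("vv",),
}
COMMON_TLDS = ("com", "net", "org", "co", "io")


def domain_variants(domain: str) -> set:
    """Return lookalike candidates for a domain (the domain itself excluded)."""
    if "." not in domain:
        raise ValueError("expected a domain with a TLD, e.g. example.com")
    name, tld = domain.lower().rsplit(".", 1)
    names = set()
    for i in range(len(name)):
        if len(name) > 1:
            names.add(name[:i] + name[i + 1:])                  # dropped character
        names.add(name[:i] + name[i] + name[i:])                # doubled character
        if i < len(name) - 1:
            names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # swapped pair
        for sub in LOOKALIKE_SUBS.get(name[i], ()):
            names.add(name[:i] + sub + name[i + 1:])            # homoglyph
        if i > 0:
            names.add(name[:i] + "-" + name[i:])                # inserted hyphen
    variants = {f"{n}.{tld}" for n in names}
    for alt in COMMON_TLDS:
        if alt != tld:                                          # TLD swaps and "name+tld" squats
            variants.update({f"{name}.{alt}", f"{name}{tld}.{alt}", f"{name}-{tld}.{alt}"})
    variants.discard(domain.lower())
    return variants


if __name__ == "__main__":
    for candidate in sorted(domain_variants("ironglove.studio")):
        print(candidate)
```

Feed the list to your registrar's availability search or a bulk DNS lookup; anything that resolves, or has an MX record, deserves a closer look.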

Verify Before Acting

Establish internal policies that financial requests (wire transfers, payment-detail changes, tax document submissions, credential sharing) are always verified through a known phone number or in-person confirmation before anyone acts on them. Always use contact details you already had on file, never the ones supplied in the request itself.

Have a Response Plan

Know what you'll do if impersonation happens. Who handles reporting? How will you communicate with affected parties? Who contacts authorities? Having a plan means you respond quickly instead of scrambling. We’re still working on this, it takes time.

The Uncomfortable Truth

Business impersonation fraud is effective because it exploits something valuable: the reputation and trust you've built over years of legitimate business. The scammer impersonating me didn't need to compromise my systems or steal my passwords. They just needed my name, my company name, and the ability to create a free email account. They research targets on LinkedIn, make their approach seem professional, and count on people being too busy to verify.

Most victims never realize they've been scammed. The CPA who received that fake call might have onboarded a fraudulent "client," collected sensitive tax information, and handed it directly to criminals, all while believing they were helping a legitimate business owner.

That's what makes this so insidious. And that's why awareness matters, because another call came in this morning and we’re reaching out to them, as well.

The technical protections exist. SPF, DKIM, and DMARC can prevent your domain from being spoofed. Verification procedures can catch lookalike accounts before damage is done. But these protections only work if people know they exist and implement them.

If you've read this far, you're now better equipped to spot these schemes than most. Share this knowledge; it helps keep everyone safer. The more friction we create for scammers, the less profitable their operations become.

Protect staff and equipment with MFA. Multifactor authentication is a necessity now, so purchases such as YubiKeys for employees are a must. I bought them for everyone so they can lock down their social accounts against being hacked, and we also use them to access all managed systems. So even if someone has the correct credentials to log in, they'll never have physical access to that YubiKey, which is the final step required for access.

If You've Received Suspicious Communication

If you've received a message, email, or phone call that claimed to be from the team here at IronGlove Studio® but it seemed off, please let us know. We're documenting every instance of this fraud, and your report helps us build a complete picture.

Legitimate communication from our team always comes from @ironglove.studio and never from Gmail, Outlook, Yahoo, or any other free email provider. When in doubt, verify through our website or an existing conversation thread. We'd rather you double-check than fall victim to someone misusing our name.