A client calls: they received an 'invoice' from your company… that you never sent. It is probably not a hack of your mailbox — it is domain spoofing, and it can be blocked.
Two very different situations: either your mailbox was compromised and the attacker is sending from your real account, or the attacker is sending from their own server while forging your address in the From field (domain spoofing).
Quick clue: if the fake emails are not in your sent items, it is almost certainly spoofing. If they are, or if you find unknown logins or forwarding rules on the account, treat it as a compromised mailbox instead and change the password first.
Email, designed in the 1980s, does not verify the sender by default. Three protections close that hole: SPF (a DNS record listing the servers allowed to send for your domain), DKIM (a digital signature your mail server adds to each message, checked against a public key published in your DNS) and above all DMARC, the instruction you publish for receiving providers: "if an email claims to come from me but fails the checks, reject it". That instruction is the p= tag of the DMARC record: p=none only asks for reports and blocks nothing, p=quarantine sends failures to spam, p=reject refuses them outright. Without DMARC at quarantine or reject, fake emails get through.
No, and it is the most widespread misunderstanding. An email actually has two senders: the envelope address (invisible, used by servers, like the return address on the back of a postal envelope) and the displayed address, the "From:" your client reads. SPF only checks the envelope. A fraudster therefore sends their message with an envelope pointing to their own domain (which passes SPF just fine, since their own SPF record authorizes their own server) while displaying your address in the From field. DMARC is what closes that door: it requires the domain that passed SPF, or the domain that signed the message with DKIM, to match the displayed From domain, and instructs receivers to reject otherwise. SPF is necessary, but on its own it does not stop someone from displaying your name.
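As an added example (not code from this page or from the checker it advertises), here is how a receiving server applies DMARC to the case just described. The domains example.com (the victim) and attacker.example (the fraudster), the two DNS records and the three messages are constructed for illustration, and the organizational-domain lookup is simplified to the last two labels in place of the Public Suffix List a real receiver would use.

```python
# Added example: DMARC identifier alignment as a receiver evaluates it.
# Domains, records and messages are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_dmarc(txt: str) -> dict:
    """Parse the tag=value list of a DMARC TXT record (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)  # split once: rua=mailto:... keeps its colon
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("aspf", "r")   # relaxed alignment unless the owner says strict
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption: a real receiver consults the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(checked: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    checked, header_from = checked.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":
        return checked == header_from
    return org_domain(checked) == org_domain(header_from)


@dataclass
class Message:
    header_from: str             # domain of the From: header, what the client sees
    mail_from: str               # domain of the SMTP envelope sender (MAIL FROM)
    spf_result: str              # SPF verdict for mail_from, as the receiver computed it
    dkim_domain: Optional[str]   # d= of a DKIM signature that verified, or None


def dmarc_evaluate(msg: Message, record: dict) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    DMARC passes if EITHER an SPF pass OR a valid DKIM signature is aligned
    with the From: domain. On failure the disposition is whatever p= says."""
    spf_aligned = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from, record["aspf"])
    dkim_aligned = msg.dkim_domain is not None and aligned(msg.dkim_domain, msg.header_from, record["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", record["p"]   # none = deliver anyway, quarantine = spam, reject = bounce


# Constructed records for the victim domain: the report-only default and the corrected one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc-reports@example.com"

# The fraud from the text: the attacker's own envelope domain passes SPF and they even
# DKIM-sign with their own domain, but the From: header shows the victim's domain.
SPOOFED = Message(header_from="example.com", mail_from="attacker.example",
                  spf_result="pass", dkim_domain="attacker.example")
# A genuine message from the victim's own server.
LEGIT = Message(header_from="example.com", mail_from="example.com",
                spf_result="pass", dkim_domain="example.com")
# A genuine message forwarded by a third party: SPF breaks (unexpected sending IP),
# but the DKIM signature survives, so DMARC still passes.
FORWARDED = Message(header_from="example.com", mail_from="example.com",
                    spf_result="fail", dkim_domain="example.com")

if __name__ == "__main__":
    for label, record in (("p=none", WEAK_RECORD), ("p=reject", STRICT_RECORD)):
        policy = parse_dmarc(record)
        for name, msg in (("spoofed", SPOOFED), ("legit", LEGIT), ("forwarded", FORWARDED)):
            print(label, name, dmarc_evaluate(msg, policy))
```

The spoofed message fails DMARC under both records, since neither the SPF-checked domain nor the DKIM signing domain matches the From: domain; what changes between the records is only what the receiver is told to do about it. The forwarded case is why you set up DKIM before moving to p=reject: SPF alone would break legitimate forwarded mail.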
Warn them without delay (a short email or a note on your site): "fraudulent emails are circulating in our name; we never request payment to a new account without phone confirmation." It is also good practice under privacy laws that require you to prevent this kind of incident.
Small businesses are precisely who fraudsters target: large companies already have DMARC at "reject", small ones do not. Forging 500 fake invoices in your name costs a few dollars; dealing with them costs your reputation. Closing the door takes less than an hour — start with the test.
Enter your domain: we test your SPF, DKIM, DMARC and website, and give you the exact action plan.
Run the free check