What is brand impersonation phishing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've almost certainly seen one of these land in your inbox. An email that looks exactly like it came from your bank, from Amazon, or from Microsoft, with the right logo, the right colors, and that familiar urgent tone. That's brand impersonation phishing, and it works because it borrows trust you already have.

Brand impersonation phishing is when an attacker copies the visual identity and tone of a well-known company to trick recipients into clicking a link, handing over credentials, or sharing payment details. The email looks legitimate because it was designed to. That's the whole point.

The most commonly impersonated brands are ones that already send high volumes of transactional email. Microsoft 365, Amazon, PayPal, DHL, Netflix, and major banks all top the list. People expect emails from these companies, which makes a fake one much easier to believe.

There are two main techniques attackers use. The first is domain spoofing, where the attacker forges the sender address so the email appears to come directly from the real brand's domain. The second is lookalike domains, where they register something close (think amaz0n.com or paypa1.com) hoping you won't notice. DMARC enforcement shuts down domain spoofing. Lookalike domains are trickier because they're technically "authentic" senders on their own fake domain.

Now if you run a brand, impersonation campaigns hurt you even when your own systems are clean. Your customers see a convincing fake, lose money or data, and then blame you. That's a reputation problem you didn't create but still own.

Here's how to spot a fake, whether you're a recipient or checking your own brand's exposure. Look at the actual sending domain in the email headers, not just the display name. Check whether the link destination matches the brand's real domain. Notice whether the greeting is generic ("Dear Customer") rather than using your actual name. And watch for urgency designed to make you skip those checks entirely ("Your account will be closed in 24 hours").

For senders protecting their own domain, DMARC at enforcement is the single most important step. It stops attackers from sending email that appears to come from your exact domain. Pair that with BIMI if you want your verified logo to appear in supporting inboxes, which gives recipients a visual cue that the email is genuinely from you.

Not sure if your domain is properly protected? You can check your DMARC setup with our free DMARC generator, or run your domain through the blocklist checker to see if impersonation activity has already affected your reputation.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Ask AI about brand impersonation

I just learned about brand impersonation phishing. My brand is your brand name and we send email from your domain. Can you explain why attackers target well-known brands specifically? What are the subtle differences between a real email from a brand and a fake impersonating it? And what technical steps should I take to protect our domain from being spoofed by attackers trying to impersonate us?

Edit the yellow boxes, then send to the AI of your choice.