When scammers use your name: what we learned, and the response guide we built

Tess Kennedy | June 26, 2026 | Article

Construction, healthcare, transport — whatever the sector, a business with a strong reputation can become a target. This is our account of being impersonated, what it revealed about a genuine gap in the available guidance, and the plan we built as a result.


Key takeaways

  • Scammers cold-called members of the public claiming to be Austcover brokers and offering private health insurance — a product we neither sell nor advise on.
  • This was brand impersonation, not a breach of our systems. The distinction matters: the two demand very different responses, and most businesses are far better prepared for the latter than the former.
  • The available guidance — from Scamwatch and elsewhere — is built around scam websites and fake social media ads. It offers little to a business whose name is being appropriated purely over phone calls.
  • Where there is no money stolen, no identity taken and no data compromised, formal recourse is limited. The most effective response within your control is often plain, prompt honesty.
  • Whether the issue is brand impersonation or a cyber attack, the same opening sequence applies: verify, contain, communicate, report, support.
  • If something doesn't seem right, raise it with your broker early. Prompt communication protects both your people and your reputation.

What happened

The first indication wasn't a security alert. It was a phone call from an understandably angry business owner in Perth, telling us that "Austcover" had been contacting him and his clients — and that the callers had been persistent and used bullying tactics.

Before we could respond, we had to answer a more immediate question: was it actually us? Could a broker have made those calls? Was a campaign running that hadn't reached us? Ruling out our own involvement was the necessary first step — and, as it turned out, the one that cost us the most time.

Once we did, the picture was clear. The callers were offering private health insurance, which Austcover doesn't offer advice on. They were contacting businesses and individuals out of the blue, by phone — no emails, no fake websites, just calls from numbers that changed constantly. Our name was being used to lend credibility to a scam we had nothing to do with.

A gap in the available guidance

As a regulated, risk-averse insurance broking business, we plan for disruption — and we hold cover for it. We maintain robust response plans, backed by cyber insurance, for the events most businesses should anticipate: phishing, ransomware, data breaches, fraud. Brand impersonation conducted entirely over phone calls fitted none of them.

What struck us when we went looking for guidance was how little existed. The scam categories most people recognise — account takeover, phishing, investment fraud, identity theft — don't quite describe a scammer simply borrowing a legitimate business's name to sound credible. There isn't a neat label for it, which may be part of why so few businesses have a plan for it.

Scamwatch, run through the National Anti-Scam Centre, does have a useful page on business impersonation — but it's designed around scam websites and fake social media profiles: identify the host, report it, request a takedown. None of that applies to a campaign run purely over calls and text messages. We're not critical of Scamwatch; it exists to protect consumers and does that well. The point is that a business finding its own name misused in this way sits just outside the help currently designed for it — and that the framework could, over time, be more directly supportive of businesses in this position.

Part of the explanation lies in how harm is measured. A compromised bank account or a stolen identity is concrete and quantifiable. Reputational damage is real but harder to evidence — and where no money changes hands and no data is stolen, formal recourse is limited. Even the modest step of having someone help you warn the broader community, beyond your own channels, is difficult to find.

That leaves a genuine question: once a business knows its name is being misused, what does it owe the wider community? There is no clear obligation and no obvious mechanism. We came to the view that being open about it is simply the right thing to do. Hence this article.


Where the law is heading

There is relevant movement underway. The Scams Prevention Framework Act 2025 — Australia's new overarching anti-scam legislation — for the first time defines a "scam" in law to include deception that impersonates a regulated business in connection with its services. It places enforceable duties on designated "regulated entities" to prevent, detect, disrupt, report and respond to scams that use their services, overseen by the Australian Competition and Consumer Commission (ACCC).

The framework's protections are aimed at consumers and small businesses, and its obligations fall on sectors the Minister designates. Banking, telecommunications, social media and insurance are all listed as candidates — but each requires formal designation, and the early focus has been on the channels scammers exploit to reach people. The telecommunications providers carrying these calls now bear real anti-scam obligations, which is meaningful. But an impersonated business in a sector not yet designated sits outside the framework's direct scope. It is a significant step forward; it doesn't yet close this specific gap.

We're an insurance broker, not lawyers — if any of this is relevant to your circumstances, proper legal advice is the right next step.

When your systems are untouched but your name is being used, the target isn’t your data — it’s your reputation.

How we responded

While the legislative landscape continues to evolve, we couldn't wait for it. With our name already in circulation and members of the public calling us to verify whether the contact had been genuine, we needed to act with what was available to us. Once we'd confirmed the calls weren't coming from us, we moved on several fronts:

  • We published a scam alert — a notice on our website and a dedicated alert page, so anyone who'd just taken a call or searched for us could quickly confirm what was happening.
  • We posted across our own channels, setting out clearly what Austcover will and will never do — giving people a practical test to apply.
  • We briefed our team so frontline staff could respond consistently if a client or disgruntled caller raised the issue.
  • We reported to Scamwatch (scamwatch.gov.au), providing the mobile numbers recorded by those targeted, along with call times and frequency. The more specific the detail, the more useful the report.
  • We invited people to report back to us — which gave us a clearer picture of the activity and useful detail to pass on to authorities.

None of that was complicated. But it took longer than it should have, and the reason is worth being direct about: we had no plan for this scenario. Our existing response frameworks assumed an attack on our systems. Here, our systems were untouched; the target was our name, playing out entirely on other people's phones. When the first call came in, we were resolving several questions at once — whether the activity was genuinely ours, whether the reports themselves might be a secondary scam, and what we could responsibly say publicly before we had the facts.

A written plan — even a single page — would have materially shortened that process. Knowing in advance who needs to be notified, how to confirm the activity isn't ours, what to publish and where, and in what order each step should happen: that structure alone is worth hours.

Once the immediate pressure eased, we built exactly that. What follows is the plan we created, and the one we're sharing so others don't have to start from scratch.

The response guide: brand impersonation

If you suspect your business name is being misused

  1. Confirm it isn't you. Rule out a legitimate staff member, supplier or campaign acting on your behalf. Make this step fast — it is the one that costs the most time if left unresolved.
  2. Capture the evidence. Record numbers, screenshots, exact wording, who was targeted and when, and any claimed locations. Authorities will ask for this detail.
  3. Name who owns the response. Assign clear ownership across management, marketing and IT before anyone asks "whose job is this?"
  4. Warn your audience promptly. A website alert, your social channels, and direct client contact where warranted. State plainly what you will never do — ask for payment by text link, for instance, or make unsolicited calls offering products outside your services.
  5. Report it. Lodge a report with Scamwatch and provide specific detail: numbers, times, frequency, who was targeted. If phone calls or texts are involved, your telecommunications provider and the Australian Communications and Media Authority (ACMA) are also worth contacting. For any cyber element, report through the Australian Cyber Security Centre at cyber.gov.au. Reporting may not produce an immediate visible outcome, but it feeds the data authorities rely on to act.
  6. Invite people to report back to you. It strengthens your evidence, helps authorities, and signals to those affected that you are taking it seriously.
  7. Keep the alert live. Leave your warning in place until the activity subsides, then document what you learned while it's fresh.

Where formal recourse is limited, the most effective response within your control is often plain, prompt honesty.

The response guide: cyber attack

If you believe your own systems or data may be affected

A cyber incident is a different situation — but a clear structure helps. IDCARE, Australia and New Zealand's national identity and cyber support service, frames the response in four parts: Support, Respond, Inform and Enhance.

  1. Support. Look after the people affected first — customers and your own team. Communicate honestly and calmly, and direct affected individuals to IDCARE for free, case-managed assistance.
  2. Respond. Contain the incident — isolate affected accounts or systems, but preserve the evidence you may need later. Bring in the right people: internal IT, external incident response if the situation calls for it, and management informed early. Activate your cyber insurance and notify your broker. Many cyber policies include access to an incident response team — forensic IT, legal and communications specialists — that can act from the moment you notify. Cyber policies also carry strict notification timeframes; leaving it late can affect how a claim is treated.
  3. Inform. Report through the ACSC's ReportCyber tool at cyber.gov.au. If personal information may be involved, consider your obligations under the Notifiable Data Breaches scheme and contact the Office of the Australian Information Commissioner (OAIC). Keep affected parties informed in plain language throughout.
  4. Enhance. Once the immediate threat is resolved, address what allowed it to happen — multi-factor authentication, password resets, staff awareness. Review whether your cyber insurance will respond appropriately to a similar event in future.

Why we're telling you this

The hardest part of this experience was the one we've been direct about throughout: when your name is misused this way, your options for stopping it are genuinely limited, and much of the activity sits beyond what any one business can control.

What became clear is that the one lever firmly within our power is honesty. Being open about what happened — quickly, without spin, and while it was still underway — allowed us to protect our clients, warn others who might otherwise have been caught out, and act in line with our values as a business. That transparency is what "we're on your side" means in practice.


We're on your side

If you've received a call, text or message claiming to be from Austcover, please let us know. You can reach us on 07 3237 8666, email contactus@austcover.com.au, or use the form on our scam alert page. Reporting it helps us protect others and assists the authorities.

If this has prompted you to think about your own exposure — to brand impersonation, to scams targeting your clients, or to cyber risk more broadly — that's a conversation we're well placed to have. Understanding how your cover responds before something goes wrong is one of the most effective ways to avoid a difficult situation later.