Defaults.Exposed

Defaults.ExposedParandusedGuides

That Invoice-Fraud Story You Heard — Could It Happen to Your Firm? Find Out in Two Minutes (2026)

Avaldatud 2026-07-08

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains — we never publish an individual domain’s results. See how we grade.

Very possibly, yes — and you can find out for certain in about two minutes, free. 89.41% of the 261,086,232 domains graded in the Defaults.Exposed census (as of 2026-06-29) could be impersonated the way that story describes, because a free setting that blocks it was never switched on. The check shows whether yours is one of them.

In plain words, this page covers: what happened in the story you heard, why it was possible, the free two-minute check, and a note to copy and send — report attached — to whoever looks after your IT.

What actually happened in that story?

The details vary, but the pattern is nearly always the same. A criminal sends an invoice that looks, to any normal reader, exactly like it came from a real firm’s email address — same name, same address after the @, a plausible amount. A customer pays it, the money is moved on within hours, and the firm whose name was on the email — which did nothing wrong and knew nothing about it — takes the angry phone call and the damaged relationship.

Notice what’s missing from that story: nobody was hacked. The criminal never touched the firm’s systems at all.

How can someone send an email that looks like it comes from my firm?

Because email still works the way it did decades ago: the “from” line is like the return address on an envelope — anyone can write anything there. Unless your domain says otherwise, a receiving mail system has no way to know whether “an email from your firm” really came from you.

There are free settings — short lines of text published alongside your domain name — that tell the world: genuine email from us comes only from these places; refuse anything else as fake. Switched on and enforced, the invoice in the story is rejected before a human ever sees it. Off, it lands in the inbox looking perfect.

Most businesses have never switched them on — nobody ever told them the settings existed. Of the 261,086,232 domains graded in the Defaults.Exposed census (as of 2026-06-29), 89.41% have not enforced the setting that blocks impersonation, and 46.4% never took even the first step. In that majority you’re not negligent — you’re normal. But you are checkable, and so is the fix. (Longer explanation: can someone spoof my domain?)

How do I find out in two minutes whether it could happen to us?

  1. Run the free scan at defaults.exposed. Type in your domain — the part of your email address after the @. No signup, no card; it reads only public settings and never touches your systems.
  2. Read the grade. An A means faked email carrying your name gets refused by receiving mail systems. Anything below an A means the door is open to some degree.
  3. Keep the report. It’s dated, in plain language, and lists what’s in place and what’s missing.
  4. Forward it — next section.

Where firms actually stand:

Where domains standShare of the 261,086,232 domains we graded (as of 2026-06-29)What it means for the story
Impersonation not blocked — the enforcing setting never switched on89.41%The story could run tomorrow with their name on the invoice
Never took even the first step46.4%Receiving mail systems are told nothing about what genuine email from them looks like
Protected — fakes get refusedroughly one domain in tenThe fake invoice bounces before anyone can pay it

What do I do with the result?

Forward the report to whoever looks after your IT — the person who set up your email, or whoever you’d call when it breaks. You don’t need to understand the contents; you need them to. Copy and send this with it:

Hi — after hearing about an invoice-fraud case doing the rounds, I ran a free check on our domain at defaults.exposed. The report is attached. Could you look at the email settings it flags and tell me what’s involved in getting us to an A? I understand it’s configuration rather than new software — roughly an afternoon’s work. Happy to approve that time. Thanks.

When they open it, the words they’ll use are SPF, DKIM and DMARC — the last (Domain-based Message Authentication, Reporting and Conformance) is the setting that tells the world’s mail systems to refuse fakes carrying your name. The report shows which of the three your domain has and links step-by-step instructions, starting from how to fix DMARC. It’s your IT person’s language, deliberately.

If you have no IT person, the report tells you exactly what to ask for. Take it to whoever registered your domain or hosts your email — their support desk handles these settings every day — and ask for what it lists as missing.

Will this be expensive to fix?

No — and this is the honest part, not the sales part. The settings are free: lines of text in your domain’s configuration, not software, not a subscription. For a competent IT person, getting a typical small firm to an A is an afternoon’s work — the care is in listing every legitimate sender first (email provider, newsletter tool, invoicing system) so real email keeps flowing when enforcement goes on. The barrier has never been money; it’s that nobody told you.

Frequently asked questions

Is this the same as being hacked? No. Nothing was broken into — no stolen password, no virus, no one inside your systems. The criminal writes your name on the envelope and posts it from somewhere else: forgery, not burglary. That’s also why antivirus and firewalls never catch it — there’s nothing on your side for them to see. The missing settings are the only thing that stops it, and 89.41% of the 261,086,232 domains we graded (as of 2026-06-29) are open to it.

Will fixing it cost money? The settings are free; paying someone to configure them carefully is an afternoon’s work. Given that 46.4% of graded domains never took even the first free step (census as of 2026-06-29), it’s one of the cheapest genuine risk reductions a firm can buy.

How would I know if it’s already happening? You usually wouldn’t — until a customer rings about an invoice you never sent. The spoofed firm is typically the last to find out; the two-minute check is faster than waiting for that call. If the call has already come, go straight to the emergency guide: someone is sending emails from your domain.

What about the old domain from our rebrand — the one we still own but don’t use? Check it too. A domain that sends no email can still be impersonated if it was never locked — and nobody’s watching it: that old domain from your rebrand is a door you left open.

Forward this to whoever looks after your IT

That’s the whole action this page asks: run the free check, then forward the report with the note above. Two minutes for the check, one for the email — and the fear from Tuesday morning becomes a dated document and a booked afternoon of someone else’s time. Keep the report: it’s the same evidence that answers the email-security question now turning up on cyber-insurance renewal forms.

Check your domain → · Someone is sending emails from your domain → · Can someone spoof my domain? → · Aggregate data only. Data stored and processed in the EU.