Impersonation is the world's most-reported scam — a text or email wearing a trusted name. The fastest way to break it is to know how that company really reaches you. Search a bank, government agency, courier, payment app or tech company below and see its own published position: how it contacts you, what it will never do, and how to check.
Almost no legitimate company will text or email you a link to pay, “verify,” or move money, and none will ask for your password or a one-time code. Banks and tax agencies are the most impersonated, and both are explicit that they don't do this. Whatever the message says, the safe move is the same: ignore it and go to the source yourself — the official app, or the address typed by hand.
Don’t see a company? The rule is the same for all of them: a real organisation never needs you to act through a link in an unexpected text or email. Go to the official app or type the address yourself. Not sure about a message? Ask us free.
Imposter scams are the most-reported fraud category year after year, and they all run the same play: borrow a name you trust — your bank, the tax office, a courier, Amazon, Apple — and use the trust that name carries to make you act before you think. The logo, the formatting, even the sender ID can all be faked. What can't be faked is the company's actual behaviour, and that's the one thing most people never check.
Read enough of the entries above and a single pattern emerges. Real organisations converge on the same boundaries: they don't text or email a link to pay or “verify,” they don't ask for your password or a one-time code, and they don't tell you to move money to “protect” it. The differences are mostly in how to verify — your bank's number on the back of your card, the official app, the address you type yourself. Couriers add one wrinkle: a fake “customs fee” text is almost always a scam, with DHL the one exception that sometimes does collect real duty — so you verify on the official site, never via the link.
If you only remember one thing, make it this: go to the source yourself. Impersonation only works while you stay inside the scammer's channel — their link, their number, their app. The moment you reach the company the way you normally would, the illusion collapses. For a specific message you can run through our scam checker, or check a suspicious text against your country's tool below.
Don't judge it by how it looks — judge it by what it asks you to do, then check the company's own published position. Almost every real organisation says the same thing: it will never text or email you a link to pay, “verify,” or move money, and it will never ask for your password or a one-time code. The single safe move is to ignore the message and go to the source yourself — open the official app, or type the address by hand — rather than tapping anything in the message. This index lists what each major company actually does and doesn't do.
No. This is the most important entry in the index. No legitimate bank, and no police force, will ever tell you to move your money to a “safe account,” or ask you to read out a one-time passcode. The FTC's rule is blunt: no one legitimate will ever tell you to move or transfer your money to “protect” it. If a “fraud team” call pressures you to move money, hang up and call the number on the back of your card.
No. Tax authorities are among the most impersonated organisations, and they're consistent: the IRS says “a letter or notice is the first way the IRS will contact a taxpayer,” HMRC says it never texts a link to claim a refund or make a payment, and the CRA won't text you a link to a refund or demand payment by e-transfer, gift card or crypto. A text offering a tax refund or threatening arrest is always a scam — verify only by logging in to the official site or app yourself.
Almost never — with one nuance worth knowing. USPS, Royal Mail, Canada Post, An Post and Australia Post do not text you a link to pay a delivery or customs fee. DHL is the exception: it does sometimes legitimately collect customs duty, but its official messages come only from a genuine DHL domain, never free webmail. So the safe rule even for DHL is to verify any fee on the official site by typing it yourself — never through the link in the message.
Go to the source yourself. A real organisation never needs you to act through a link in an unexpected message — it's always safe to ignore the message and reach the company the way you normally would: its official app, or its address typed by hand. Impersonation works by making you act inside the scammer's channel; the entire defence is refusing to, and using your own.
No — it's a general reference, aggregated from each organisation's own published security guidance and reviewed periodically. Companies update their policies, and scams evolve, so always confirm with the company through its official channel. If you're unsure about a specific message, you can ask us for a free, confidential second opinion.