Blog

AI text scams and fake websites are scaling fast: how small businesses can protect customer trust

Google's latest action against AI-powered phishing shows why small businesses need clearer contact paths, brand monitoring, and safer website workflows.

13 June 2026 · 6 min read

#ai scams#phishing#website security#customer trust
Original illustration of a verified website shield blocking AI text scams

Image: Original illustration by Vritul

AI-powered scams are no longer only a problem for banks, telcos, and large technology companies.

They are becoming a trust problem for every business with a website, contact form, payment link, booking flow, or recognisable brand name.

On 12 June 2026, Google announced legal action against an organised cybercrime operation it calls the "Outsider Enterprise". Google says the group coordinated through Telegram, distributed phishing kits, sent 2.5 million messages to Android users in a two-week period in May, and connected its campaigns to 9,000 fake websites and more than 1 million fraudulent URLs.

That is the part small businesses should notice.

Scammers do not always need to hack your website to hurt your business. Sometimes they copy the shape of trust around it: the logo, the tone, the text message, the payment request, the booking link, or a domain that looks close enough.

Why this matters for small businesses

Most customers do not think like security teams.

If a message appears to come from a business they know, they may click. If the page looks familiar enough, they may enter details. If the payment request feels urgent, they may act before checking.

AI makes that easier for scammers because it can help them produce:

  • More convincing message copy.
  • Fake landing pages at scale.
  • Variations for different brands and industries.
  • Urgent support or delivery messages.
  • Payment and account update lures.
  • Scam sites that look polished enough to pass a quick glance.

For a small business, the damage can include lost customer trust, confused enquiries, support overhead, payment disputes, reputational harm, and search results polluted by impersonation pages.

The business may be a victim too, even if the customer lost the money.

Make your real website easier to verify

One of the simplest protections is clarity.

Your real website should make it easy for customers to know what is official.

That means:

  • Use one primary domain consistently.
  • Keep contact details current.
  • Make payment instructions clear.
  • Explain how customers can verify a request.
  • Avoid using too many disconnected third-party links.
  • Keep booking, payment, and form links branded where possible.
  • Add a simple warning if customers are being targeted by impersonation scams.

If a customer receives a suspicious text or email, they should be able to visit your official website and quickly work out what to do.

This is not only a security task. It is part of customer experience.

Protect the contact path

Scam messages often push people toward fake forms, fake login pages, or fake payment flows.

Review the places where customers share information or take action:

  • Contact forms.
  • Quote request forms.
  • Booking forms.
  • Payment links.
  • Account login pages.
  • File upload pages.
  • Email reply workflows.
  • SMS reminders.

For each one, ask:

  • Is this clearly branded?
  • Does the URL look trustworthy?
  • Is the next step explained plainly?
  • Are customers told what you will and will not ask for?
  • Can customers verify the request from your website?
  • Are submissions protected from spam and abuse?

The goal is to reduce confusion before scammers exploit it.

Watch for brand impersonation

Scamwatch's business impersonation guidance recommends taking action if a brand or website is being impersonated, including identifying the fraudulent website host, reporting the site to that host, and reporting scam ads to the relevant platform.

Small businesses can make this easier by keeping basic records ready:

  • Official domain names.
  • Logo files and brand assets.
  • Screenshots of the real website.
  • A list of official social profiles.
  • A list of authorised payment methods.
  • A short response template for customers who report suspicious messages.

If an impersonation page appears, speed matters. The faster you can report it clearly, the faster hosting providers, platforms, or registrars can assess the takedown request.

Teach customers what normal looks like

Many scam messages rely on urgency and surprise.

Your website can lower that risk by setting expectations:

  • "We will never ask for card details by SMS."
  • "All payments are made through this secure link."
  • "If you receive a suspicious message, contact us using the details on this page."
  • "We do not ask customers to verify passwords through email links."
  • "Booking changes are confirmed from this email address."

Do not overload the website with warnings. Keep it calm, specific, and close to the action.

For example, a payment page can include a short note about official payment methods. A contact page can explain the safest way to verify a message. A booking confirmation email can tell customers which sender address to expect.

Keep internal systems harder to spoof

Customer-facing scams are only one side of the issue.

Small businesses are also targeted through business email compromise, invoice substitution, and fake supplier requests. Cyber.gov.au warns that criminals may impersonate business representatives through compromised email accounts or lookalike domain names, often to trick contacts into sending money.

Useful protections include:

  • Multi-factor authentication on email accounts.
  • Strong passwords and password managers.
  • Domain-based email authentication where possible.
  • A rule that bank details are verified through a trusted channel.
  • Separate approval for payment changes.
  • Staff training on urgent payment requests.
  • Clear ownership of website, DNS, email, and domain accounts.

AI can make fake messages more polished. Process is what stops one convincing message from becoming a loss.

Respond quickly if customers report a scam

If a customer tells you they received a suspicious message using your brand, take it seriously.

A simple response plan helps:

  1. Ask for a screenshot and the suspicious link.
  2. Confirm whether the message is official.
  3. Tell the customer not to click the link or enter details.
  4. Report the scam to Scamwatch and the relevant platform, telco, host, or registrar.
  5. Add a temporary warning on your contact or support page if needed.
  6. Tell staff what has happened so they answer enquiries consistently.
  7. Keep records of reports and actions taken.

This does not need to be dramatic. It needs to be fast and clear.

What to check this week

Use today's AI scam news as a practical prompt.

Check whether:

  • Your contact page clearly shows official phone, email, and location details.
  • Your payment instructions are easy to verify.
  • Your forms explain what information you collect.
  • Your booking or payment links use trustworthy domains.
  • Your social profiles link back to your official website.
  • Your team knows how to handle suspicious customer reports.
  • Your domain and email accounts have multi-factor authentication.
  • Your website has analytics and enquiry tracking so odd spikes can be noticed.

These steps help customers trust the real business when fake versions start appearing.

The takeaway

AI is helping scammers scale fake messages and fake websites faster than before.

Small businesses cannot stop every scam network, but they can make their own digital presence clearer, harder to impersonate, and easier for customers to verify.

That starts with a trustworthy website, consistent contact paths, safe forms, secure business accounts, and a simple response plan for suspicious messages.

Read more about AI-generated code security before launching a website, website enquiry forms that bring in better briefs, or contact Vritul if you want your website and customer contact flow reviewed.

Sources: Google on combatting AI scams and the Outsider Enterprise lawsuit, Scamwatch business impersonation resources, Cyber.gov.au phishing guidance, Cyber.gov.au business email compromise guidance.