This quick tip covers the pros and cons of listing your email address or team email addresses on your website. This is particularly relevant for professional advisers who are in trusted positions, such as financial advisers, accountants, mortgage brokers, solicitors, and so on.

In this article we’ll be covering:

  • Why it’s typically a bad idea
  • Alternative options for having your emails on your website
  • Other non-technical tips to reduce scammage

Why it’s typically a bad idea

For a long time, the primary concern with listing your email on your website was that you would be opening yourself up to being spammed. There were pros and cons to this, and for many smaller businesses the feeling was a little spam was a small price to pay for presenting as being accessible and for prospective clients to know they could get a direct line to the person they needed.

However, in recent years the concern has shifted to something more malicious: the problem is no longer spam, it’s scams.

By listing your email addresses on your website, you’re declaring what your email address is to anyone considering impersonating you. Knowing your email format is <First name>.<Last name>@<domain>.com.au takes the guesswork out of pretending to be you. As trusted advisers, this isn’t acceptable in this day and age.

This is particularly dangerous given how easy email is to impersonate (see email spoofing) and given our clients would often receive instructions on how to transfer funds via email.

Alternative options for having your emails on your website

Any modern website should have some means of communicating with your business, typically through some kind of contact form. In most cases, this is all you need.

In a pinch, you could even build these out per team member if it is essential that visitors feel they can make contact directly. This might be relevant where inbound referrals are often to an individual rather than the broader business. However, in these cases, we prefer using a scheduling tool (e.g. Calendly) to book a chat rather than send a message.

If for some reason an email address is important to keep on your contact page or elsewhere for ease of reference, make it an inbound-only email address. It can auto-forward wherever you like once received, but make it an address that nobody would expect to receive an email from.

For items where an email address is unavoidable, such as within a Complaints Policy, use an address that would never send an email to a client. Examples include complaints@, compliance@, or even contactus@.

Three simple tips to reduce scammage

Your client being scammed is bad; your client being scammed from your email address would be much worse. Whilst there are technical things you can do (ask your IT provider to ensure your DMARC policy is live and effective), there are also several simple and effective non-technical steps you can take.

In the event your email is spoofed or even hacked, these will help your clients to identify something suspicious or be better trained to take the right action if they are uncertain. These include:

  1. Having a professional and sharp email signature that you and your team consistently use (or two if you want a simpler alternative for replies/mobile use);
  2. Encouraging clients to call the office to confirm the details whenever you instruct them about sensitive steps such as a transfer of funds;
  3. Regularly communicating to clients that you will never ask for login details to their bank account, or anything else that you know you wouldn’t do but your clients might not be aware of. This is a great option for your email signature.

Example: “We will never ask for your banking or other financial institution login details [add “via phone or email” here if your firm uses, or plans to use, a scraping tool via a client portal]. If you have any concerns that a request may not be genuine, please phone us immediately.”

We’d consider these to be absolute no-brainers, as these actions are either best practice for branding, or help your clients remain aware across all their financial affairs, something a trusted adviser should consider important.

Email on website FAQs

The article mentions DMARC as a technical measure to reduce email spoofing. What is DMARC and what should an adviser ask their IT provider to check?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. In plain terms, it is a technical email security standard that tells receiving mail servers what to do when an email claims to be from your domain but fails authentication checks. Without an active DMARC policy, a scammer can send an email that appears to come from your address with little technical barrier stopping it from reaching your client’s inbox.

To check your current status, ask your IT provider or email administrator the following: “Do we have a DMARC record published for our domain, and is it set to quarantine or reject unauthenticated messages rather than just monitor them?” Also ask them to confirm that SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are correctly configured, as DMARC depends on both being in place to function effectively. These three together form the baseline of email authentication for any professional firm handling client communications and financial instructions.
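The questions above can be answered from three DNS TXT records. The following script is an added example, not part of the original article, that shows what an IT provider would look at: it reads a domain’s DMARC, SPF and DKIM records and reports whether DMARC is actually enforcing (p=quarantine or p=reject at pct=100) rather than only monitoring (p=none). The two domains and their records are constructed samples, not live DNS data, and the DKIM selector name (`selector1`) is an assumption since selectors are set by each mail provider; in practice the same records would be fetched with `dig TXT _dmarc.yourdomain`. DMARC alignment rules (adkim/aspf) are not modelled.

```python
# Added example: offline check of a domain's email-authentication posture
# (DMARC / SPF / DKIM) from its DNS TXT records. Not the article's own code.
import re

# Constructed sample TXT records for two hypothetical domains (not real DNS data),
# keyed by the exact name a resolver would query for each record type.
SAMPLE_DNS = {
    "_dmarc.example-adviser.com.au": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-adviser.com.au; pct=100"
    ],
    "example-adviser.com.au": ["v=spf1 include:_spf.example-mailhost.invalid -all"],
    # DKIM selector name is an assumption; providers choose their own selectors.
    "selector1._domainkey.example-adviser.com.au": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "_dmarc.monitor-only.com.au": ["v=DMARC1; p=none; rua=mailto:reports@monitor-only.com.au"],
    "monitor-only.com.au": ["v=spf1 include:_spf.example-mailhost.invalid ~all"],
}


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC or DKIM) into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(txt_records):
    """Return (policy, pct) from the first DMARC record, or (None, 0) if none is published."""
    for record in txt_records:
        if record.lower().startswith("v=dmarc1"):
            tags = parse_tags(record)
            return tags.get("p", "none").lower(), int(tags.get("pct", "100"))
    return None, 0


def spf_all_qualifier(txt_records):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?', '+'),
    '?' when the record has no 'all' term (neutral by default), or None with no SPF record."""
    for record in txt_records:
        if record.lower().startswith("v=spf1"):
            match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record.lower())
            return (match.group(1) or "+") if match else "?"
    return None


def assess_domain(domain, dns, dkim_selectors=("selector1",)):
    """Summarise the DMARC/SPF/DKIM posture of `domain` using the TXT records in `dns`."""
    policy, pct = dmarc_policy(dns.get(f"_dmarc.{domain}", []))
    qualifier = spf_all_qualifier(dns.get(domain, []))
    dkim_found = [
        s for s in dkim_selectors
        if any(r.lower().startswith("v=dkim1") for r in dns.get(f"{s}._domainkey.{domain}", []))
    ]
    findings = []
    if policy is None:
        findings.append("No DMARC record published: receivers get no instruction for spoofed mail")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is p={policy}: monitor only, spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"DMARC pct={pct}: the policy applies to only part of failing mail")
    if qualifier is None:
        findings.append("No SPF record: DMARC cannot pass via SPF")
    elif qualifier != "-":
        findings.append(f"SPF ends in {qualifier}all: unauthorised senders are not hard-failed")
    if not dkim_found:
        findings.append(f"No DKIM record for selectors {list(dkim_selectors)}: DMARC cannot pass via DKIM")
    return {
        "domain": domain,
        "dmarc_policy": policy,
        "dmarc_enforcing": policy in ("quarantine", "reject") and pct == 100,
        "spf_qualifier": qualifier,
        "dkim_selectors_found": dkim_found,
        "findings": findings,
    }


if __name__ == "__main__":
    for name in ("example-adviser.com.au", "monitor-only.com.au"):
        result = assess_domain(name, SAMPLE_DNS)
        status = "ENFORCING" if result["dmarc_enforcing"] else "NOT ENFORCING"
        print(f"{name}: DMARC {status}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run against the samples, the first domain comes back clean and the second produces three findings (p=none, ~all softfail, no DKIM record), which is exactly the “monitor only” state the FAQ warns about: a record exists, so a casual check says “we have DMARC”, but receiving servers are told to deliver spoofed mail anyway.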

If a client is defrauded after acting on an email that was spoofed to look like it came from an adviser’s firm, what is the adviser’s legal and regulatory exposure?

This is an area where the law is still developing in Australia, but the risk is real and should not be underestimated. If a client suffers a financial loss as a result of a spoofed email purporting to come from your firm, and it can be shown that your firm failed to take reasonable steps to prevent impersonation, you may face a civil claim from the client. Under the Corporations Act 2001 and the Australian Consumer Law, operating in a way that allows misleading representations to be made in your name, even where you were not the author, can create liability depending on the circumstances.

ASIC has also signalled that cybersecurity governance is a licensee obligation, not just an IT matter. An AFS licensee that cannot demonstrate it had reasonable fraud prevention measures in place, including email authentication, client communication protocols, and staff training, faces potential regulatory scrutiny in addition to the civil exposure. Review ASIC’s guidance on cyber resilience for financial services at asic.gov.au. Seek your own legal or compliance advice on your specific exposure.

The article recommends a complaints or compliance email address for required disclosures. Does an AFS licensee have specific obligations about how complaints must be received and handled, including by email?

Yes. Under the Australian Financial Services licensing regime and ASIC’s Regulatory Guide 271 on internal dispute resolution, AFS licensees are required to have a clearly accessible complaints process and must acknowledge and respond to complaints within defined timeframes. ASIC RG 271 requires complaints to be acknowledged within one business day where received electronically, including by email, and resolved within 30 calendar days for most complaints, or 45 days for superannuation-related matters.

The email address used for complaints on your website or in your Financial Services Guide must be actively monitored, not a passive inbox that goes unchecked. Using a dedicated complaints@ address is good practice, but it only works if someone is responsible for monitoring it daily. Confirm with your compliance manager or licensee that your complaints email is mapped to a monitored inbox and that your internal dispute resolution policy reflects the current RG 271 requirements. Review ASIC Regulatory Guide 271 for full obligations. Seek your own legal or compliance advice.

If a client is scammed through a spoofed version of an adviser’s email, does professional indemnity insurance respond to the client’s loss, and what cover actually applies in this scenario?

Professional indemnity (PI) insurance covers claims arising from errors or omissions made in providing professional services. A spoofed email scenario, where a fraudster impersonates your firm and deceives a client into transferring funds, does not typically arise from an error in your professional advice. It is a cybercrime event, which means a standard PI policy is unlikely to respond to the client’s loss. The cover most relevant to this scenario is a combination of cyber liability insurance, which may cover your firm’s costs in responding to the incident, and crime or fraud insurance, which may cover direct financial losses caused by social engineering or impersonation fraud.

Whether any of these policies actually pay out depends heavily on the specific policy terms, the circumstances of the fraud, and whether your firm can demonstrate it had reasonable preventative measures in place. Ask your insurance broker: “If a client transfers funds in response to a spoofed email impersonating our firm, which of our policies responds to the client’s loss, and which covers our own costs?” This is general information only and not insurance or legal advice.

The article recommends regularly communicating to clients that your firm will never ask for banking login details. Does this kind of proactive client communication have any standing in reducing regulatory or legal liability if a scam does occur?

Proactive client education does not provide a legal shield, but it is relevant to demonstrating that your firm took reasonable steps to protect clients from foreseeable harm, which is a factor regulators and courts consider when assessing whether a business met its duty of care. Under the Privacy Act 1988 and the broader obligations on AFS licensees, firms are expected to take reasonable steps to protect client information and to manage foreseeable risks. Documenting that your firm regularly communicated fraud warnings through email signatures, newsletters, or client communications creates a contemporaneous record that reasonable precautions were taken.

This is particularly useful if the matter is ever reviewed by the OAIC, ASIC, or in civil proceedings. Keep records of when these communications were sent and what they said. The Australian Cyber Security Centre also publishes guidance for businesses on scam prevention that can inform your client communication approach at cyber.gov.au. Seek your own legal or compliance advice on what constitutes reasonable precautions for your firm’s specific client base and risk profile.
