QUESTIONS FROM BUSINESS OWNERS

Is this email or call I got about my website legitimate, or is it a scam?

how to avoid scams targeting website owners

Scam emails, phone calls, and letters are on the rise. As businesses get serious about their web presence, scammers see opportunities to deceive or take advantage of us. I don’t want you to fall victim to these scammers!

Common types of scams include:

  • Telling you there’s a problem with your website and they can fix it
  • Promising traffic or top placement in search results
  • Warning you that your google listing won’t be visible unless you pay them
  • Physical mail disguised as a bill for your domain name
  • Robocall claiming to be from Google, an employee, or official partner of Google

All of these are 100% scams.

Red flags: quick ways to identify scams

Often, just searching for a sentence or two from the email will be enough to identify it as a known scam. But even before you go to that effort, you might be able to steer clear of a scam based on the following warning signs:

Scam emails often use poor English. Very often, the bottom tier of scammers send emails filled with typos, odd word choice, poor grammar, and false names that just… sound a little off. (I think the strangest scammer name I’ve heard was “Prince Toe,” who claimed he wanted me to build him a website.)

They try to pressure you with a deadline. Scammers (especially on the phone) tend to give dates or time limits. For example, they might tell you that your listing is expiring soon and your website will not be visible unless you give them money by a certain date. They want you to be off balance and act before thinking it over or asking someone who is familiar with your website.

For example, here’s a picture a client sent me of a letter she got in the mail, asking if it was legitimate. It is disguised as a bill for her domain name, and uses time pressure and official-sounding language and imagery to get her to send money:

example of a domain authority fake bill scam letter sent by mail
A scam letter in the wild.

In the fine print (on the reverse, not pictured), they are legally required to disclose that it’s not a bill for your domain name. But it seems intended to represent that it is. And take a look at the amount of the bill– $289! For reference, domain names are usually about ~$10 per year. So not only are these guys liars, they’re greedy liars.

There’s actually worse examples, too– some of them will actually get you to transfer your domain name to them and charge you extortionate prices! At least the above scammer is just charging for a useless “directory listing,” if they deliver anything at all.

Scammers often call on the phone with automated, robotic voices or sometimes realistic recordings. Sometimes the robotic voices are reading a script with non-standard english, and more sophisticated scammers use realistic voices (some even program in “ums” and “ahs”!) Scammers can disguise the call as if it’s coming from any phone number, likely one in your area code, or sometimes from random cities all over the US.

They may claim they are affiliated with Google. Google will never call you unsolicited.

SEO scams promise things they can’t guarantee regarding search engine rankings. Many claim they can get you to the #1 position on Google search results for your desired keywords– but no one can really guarantee that. Legitimate SEOs will give you realistic expectations.

What should you do if you’re contacted by a potential scammer?

Chances are, if it seems suspicious, it isn’t legitimate. If it’s an email, don’t reply to the email, not even if it says “Reply ‘stop’ to be taken off the list.” That just tells them that your email address is active and you will get more emails in the future. If it’s a phone call, hang up. If it’s a physical piece of mail, shred any personal details before discarding it.

If you’ve been contacted and you’re not sure if it’s a scam or legit, contact whoever helps you with your website. If you’re a website care plan customer of mine, I am always happy to help.

I would rather answer a million emails asking “is this legit or a scam?” than for these dishonest thieves to get a penny from you. So please never hesitate to ask.

Forewarned with all the above general information, you’re probably safe from 80% of malicious emails. But I’m also going to include some more detailed information on some newer, more sophisticated scams that have cropped up in the past year or two.

Detailed scam profiles

1. Alleged “copyright infringement”

There’s a more sophisticated scam that’s on the rise where someone posing as a photographer claims that you’ve stolen their images.

It might say something like:

“Your website or a website that your organization hosts is infringing on a copyright protected images owned by our company (name of company).”

Check out this doc with the URLs to our images you used at [yourwebsite].com and our previous publications to obtain the proof of our copyrights.”

The giveaway is they want you to click a link– it’s usually a Google Docs link. Don’t click the link. It’s malware (or a phishing attempt).

The scam is very sophisticated compared to the average effort. There’s quite a number of variations, but the one that I read first (not the one quoted above, but similar) had perfect English, a story that made sense, and was from a gmail address that sounds like one a photographer would have! The first time I saw it, I almost thought it was a real demand letter– except they were claiming copyright infringement by a client of mine whose only images on his entire website were watercolor paintings he had done himself. And instead of asking for money for the image, there was a link claiming to be to view the copyrighted work.

If you suspect that you really do have an infringing photo, and they are asking for money (not something like gift cards or bitcoin) instead of trying to get you to click a link– it’s possible it’s legitimate. You should ask whoever helps you with your website for more info. It’s not unheard of for a copyright holder to send a demand letter by email to the website owner, which shouldn’t be ignored.

When I work with clients to source images for their website, I include premium stock photography I purchase for you from a reputable service, so you are not at risk of getting sued over copyrighted images.

2. The “Your website has a problem” scam (updated 15 December, 2021)

Emails claiming your website needs some work and they can help have been around for ages, but there’s a new version that is a bit more sophisticated and malicious. Unlike offshore website “experts” who are just cold-calling writ large, this one is aimed at installing malware and harvesting your data maliciously by getting you to visit a phishing link. Here’s the version I recently saw come through a client’s contact form.

I just noticed that there is the “error 500” appearing on some of your website pages. I’m pretty positive that those types of errors won’t be appreciated by your customers and you are basically losing money as a result, plus they can significantly reduce the number of clicks from Google.

I’ve decided to help and created the document for you with a few screenshots of errors and also indicated the links to the pages where they appear, hope it helps.

Here’s the link to the doc, check it out:

[link redacted]

The link in this scam is randomly generated and will get deleted sooner rather than later. It’s usually a Google Docs link that gets nuked as soon as Google notices the problem, but like a game of whack-a-mole, it’ll pop up somewhere else. So never click the link… random people on the internet rarely ‘decide to help’ via your website’s contact form!

3. Fake DDoS scam (updated 19 October, 2021)

If you get an email claiming to be from an IT Department which says something like:

This message was written to you in order to notify, that we have detected a DDoS attack on our servers coming from the your website or a website that your company hosts [yourwebsite]

We have strong evidence and belief that your website was hacked and your website files were modified, with the help of which the DDoS attack is currently taking place.

It’s not real! This one can be a real panic-inducer, especially with the added time pressure used since the alleged attack is “currently taking place.” But it’s a common, known scam.

Worrying about your website getting hacked is the last thing you need on your plate. If I manage your website, you can be sure that your website is safe from hacking and has redundant backups in multiple locations.

What if it’s a real email?

Sometimes, you might get emails from a web host or domain name registrar and you’re not sure if it’s a real bill, an upsell to a legitimate service, a scammer, or an unneeded service that you forgot to cancel. It can be really hard to tell the difference!

If you get an email from someone saying they are your registrar saying your domain name is expiring, or your web hosting needs payment, don’t ignore it. Check your records to see through whom your domain name is registered or who your web host is.

If you’re not sure who your domain name registrar or web host is, try searching your email archives for the phrase “domain name” or “web hosting”. You can also use online tools to look up your registrar, like this lookup tool. (Or, if I’m your web designer, just ask me for help finding this info.)

If your domain name expires, it can be difficult to get back, if you can at all. Some people make money by buying up expired domains and reselling them at thousands of dollars.

Your domain name is how customers actually find your website, so it’s important to maintain control of it. If you’re not sure if an email is from who it claims to be, don’t click the link in the email itself– navigate to the registrar’s website directly and see if there’s something that needs your attention.

If you lose your domain name, you have to start from scratch building your reputation up with Google. And your customers may be directed to an error page, or a notice that the domain is for sale. So when in doubt, ask!

In a similar vein, web hosting is the only way your website is made available on the internet. If the web hosting bill goes unpaid, visitors may see an error page, or even a notice that your bill is unpaid.

With both web hosting and domain names, my best recommendation is to put the bills on auto-pay and make sure your payment method is kept up-to-date.

Now you are forewarned and forearmed against a variety of scams– just remember:

1. If you’re suspicious, statistically, it’s probably spam

2. Know exactly who your domain name registrar and web host are

3. Read emails carefully and prefer directly visiting their website rather than clicking links

4. When in doubt, search for a line or two from the email, or just ask your web professional

Be careful out there– be skeptical, be a little suspicious, and stay safe!

Kelsey Barmettler headshot

Kelsey Barmettler

I'm a web designer near Tucson, AZ and I write these articles to help business owners (including my clients) be more informed and empowered about their websites.