
That Email From Your Web Designer? It Might Not Be From Them at All

April 17, 2026 · 13 min read

Picture this. You get a text from a client. "Hey, did you send me an email about updating my website?"

You didn't send anything.

That's exactly what happened to a web designer whose clients were targeted by a sophisticated scam. Someone created a fake email address designed to look like hers. They found her clients by searching the internet. Then they sent those clients professional-looking emails, pretending to be her, offering website services. The payment link would have stolen credit card numbers and installed malware on their computers.

This is real. It happened. And if you run any kind of service business, it can happen to you, too.

At AskDotty, we talk a lot about showing up online with confidence. Part of that confidence comes from knowing what to watch out for. So let's walk through exactly how this scam worked, step by step, in plain English.

Key Takeaways

  • Scammers create fake Gmail addresses that look like they belong to real businesses

  • They find client contact info by searching the web for a designer's portfolio or footer credit

  • The scam happens in three stages: a friendly email, a fake website audit, and then a payment link

  • The payment page was unbranded and had nothing to do with the real business

  • Most clients who got the fake email said nothing. Only one spoke up.

  • Any service-based business can be impersonated this way

  • One text or email to your service provider can stop a scam in its tracks

How This Scam Actually Works

This scam runs in three carefully planned stages. Each one builds on the last, earning trust before asking for money.


Stage One: The Friendly Email

The first email arrived looking completely normal. It was signed with the web designer's real name, real photo, and real business name. It referenced past work together. It offered a friendly website refresh with better design, stronger SEO, and updated content.

The tone was warm. Professional. Like it came from someone the client already knew.

The fake email address looked like this:

[email protected]

See the trick? They took her real name, added her domain, and slapped it on @gmail.com. On a phone screen, where the full address often gets cut off, it can look perfectly legitimate. Slow down and read the whole thing, and the Gmail part gives it away immediately.

That first email did not ask for money. It just started a conversation. That's what made it so effective.


Stage Two: The Fake Website Audit

When a client wrote back, the scammer sent a follow-up email. It included a screenshot of that client's actual website. It showed a performance score. It listed specific problems found:

  • Homepage design issues

  • Weak content and SEO

  • Navigation problems

  • Slow mobile loading speed

This is a trust move. Seeing your own website in an email makes you think, "They clearly looked at my site. This must be real." It feels personal. It feels researched.

None of it was real. The audit was fabricated. The performance scores were fake screenshots designed to look credible.


Stage Three: The Pricing Email and Payment Link

After the fake audit, a pricing email followed. Two packages were offered, with a 10% "returning client discount" applied to both. That detail is clever. It mimics the way a real, relationship-based business would treat a loyal client. It felt familiar. It felt earned.

Basic Package

  • Original price $350, discounted to $315

  • Timeline: 3-5 business days

  • Included a homepage redesign, navigation updates, mobile optimization, and speed improvements

Premium Package

  • Original price $550, discounted to $495

  • Timeline: 5-7 business days

  • Included everything in the Basic package plus SEO optimization, trust elements, and ongoing support

The payment link went to a Shopify-style store selling something called "Website Enhancement." The store had zero branding connected to the actual web designer. No logo. No business name. Nothing. That was a mistake on the scammer's part. A client paying close attention would notice the mismatch immediately.

Had anyone completed the purchase, the scammer would have walked away with their credit card details. And the "instant download" attached to the product? Almost certainly malware.


Where Did They Find Your Clients

Here's the piece that surprises most people.

Many web designers include a small credit line at the bottom of every website they build. Something like: "Website by [Designer Name]." It's a standard professional practice, like a contractor putting a yard sign in front of a house they just built.

That credit line is also public. Indexed by Google. Searchable by anyone.

The scammer searched for that credit line, found every website the designer had built, then scraped the contact information from those sites. Every business with a public email address or contact form became a target.

This is not a flaw in the designer's work. It's just how the internet works. Public information is public. Scammers know this, and they use it.

Did you know: According to the FBI's Internet Crime Complaint Center, Business Email Compromise costs US victims over $2.9 billion in a single year. The reason it works so well? It doesn't feel like a random scam. It feels like a message from someone you already trust.

This Could Happen to Your Business Too

This is the part I really want you to sit with.

You don't have to be a web designer. You don't have to be a big business. If you have a website, a client list, and a name people recognize, you can be impersonated.

Here is how simple it is for a scammer to do this:

  1. They find your business name and website online

  2. They create a Gmail address using your name or business name

  3. They search for your clients through your testimonials, portfolio, social media tags, or any public mention

  4. They email those clients pretending to be you, offering services your clients would expect from you

The scammer likely created a specific fake email address for this particular business. If they are running this at scale, and experienced scammers usually are, they are doing the same thing for dozens of businesses at a time. One fake address per target. Each one looks legitimate at first glance.

Your clients trust you. They have a history with you. They want to believe your email is real. That trust is exactly what the scammer exploits.

At AskDotty, we work with solopreneurs who are building real relationships with their clients every day. Those relationships are your biggest asset. Being proactive about protecting them is part of running a smart business.

The Part That Should Concern You Most

After discovering the scam, the web designer sent an alert to all of her clients. She included a screenshot of the fake email and asked who had received it.

What came back was eye-opening.

Many clients said yes, they had received the same email. Most deleted it and moved on. A few replied to the first email, then recognized something was off when the fake audit arrived. Only one client reached out to the designer at the time.

Only one.

That is not a failure on the clients' part. It is completely human. Deleting a suspicious email feels like handling it. Life is busy. Nobody wants to bother someone about something they've already taken care of.

But here's the problem. When clients stay silent, the business owner has no idea the scam is happening. They cannot warn other clients. They cannot report it. They cannot protect their reputation if clients start quietly wondering whether the emails were somehow connected to them.

Here is what this means for you as a solopreneur:

  • Tell your clients upfront what your emails look like

  • Tell them where you send payment links from

  • Tell them what you will never ask them to do over email

  • Ask them to reach out if anything ever seems off

One text. One email. That's all it takes to stop this kind of thing from spreading.

And if you are on the receiving end as a client, please speak up. Your service provider would rather get a quick "Did you send this?" than lose a client to a scammer.

What Were They Really After

The money was just part of it.

Yes, the payment would have gone straight to the scammer. But the real prize was the download.

The "instant download" attached to that fake Shopify product almost certainly contained malicious software. Once a client opened that file, here's what could have happened without them knowing:

  • A keylogger records every password and credit card number they type

  • Ransomware locks their files until they pay to get them back

  • A backdoor gives the scammer ongoing access to their computer

This is a two-layer scam:

Layer One: Steal the credit card number at checkout

  • The scammer gets paid immediately

  • The victim thinks they purchased a real service

  • No work is ever delivered

Layer Two: Install software for ongoing access and theft

  • The "instant download" installs silently in the background

  • The scammer can access the computer long after the purchase

  • The victim may not know anything is wrong for weeks or months

The payment is almost a bonus. The file is the real goal. Never download a file from a purchase you did not seek out yourself through a trusted source.

What to Do Right Now

Whether you are a solopreneur worried about being impersonated or a client learning to spot fakes, the steps are the same. And none of them require being techy.

If You Run a Service Business

  • Email your clients now and let them know scammers may try to impersonate you. Do not wait for it to happen first.

  • Tell them your real email domain and that you will never ask for payment through a random link in an email.

  • Set up a free Google Alert for your business name at google.com/alerts. You will be notified whenever your name appears somewhere new online.

  • Add a short note to your website with your official contact information and email address.

If You Are a Client or Small Business Owner

  • Read the full email address, not just the display name. A Gmail address from an established business is a red flag worth pausing on.

  • Never pay through a link in an unexpected email. Go directly to the business website instead.

  • Do not open downloads from emails you were not expecting, even if the sender looks familiar.

  • When something feels off, say something. A quick message to your actual contact takes 30 seconds and could save everyone a lot of trouble.

  • Report suspicious emails to the FTC at reportfraud.ftc.gov.

Spot the Difference

A real email from your service provider:

  • Comes from their actual business domain, not Gmail or a free email service

  • References specific details that only they would know about your work together

  • Links to their own website for any payment

  • Has no urgency or pressure to act fast

  • Branding matches everything you have seen from them before

A scam email pretending to be them:

  • Comes from Gmail, Yahoo, Outlook, or another free email address

  • Uses vague references to "past work together" without real specifics

  • Links to an unrelated third-party store for payment

  • Creates a sense of urgency or a limited-time offer

  • The payment page looks different or has no recognizable branding

Key Takeaways

Scams like this work because the trust they steal is real. The relationship was genuine. The work was real. The history was real. Only the email address was fake.

The best protection is not a tech tool or a security plugin. It is open, proactive communication with the people who trust you and the people you trust.

At AskDotty, we believe that showing up online confidently means knowing your space well enough to protect it. That includes knowing when something does not look right and speaking up when it does not.

If you have questions about protecting your online presence as a solopreneur, this is exactly the kind of thing we dig into together. You are not alone in figuring this out.

FAQ

How do I know if an email is really from my web designer or service provider?

Check the full email address, not just the name that shows in bold. Your service provider's email should end in their actual business domain, not @gmail.com or any other free service. If you are unsure, do not reply to the email. Instead, reach out through a phone number or email address you already have saved from a previous real conversation.

Can my small service business really be impersonated like this?

Yes, and it is more common than most people realize. If your business name appears online anywhere, a scammer can use that information to build a fake identity. They create a free email address using your name and look for your clients in the same public places your name appears. The smaller and more personal your business, the more convincing the impersonation can feel to your clients.

What should I do if one of my clients tells me they got a suspicious email claiming to be from me?

Contact all of your clients right away. Do not wait to find out how many were targeted. Send a clear, calm message letting them know what happened, what the fake email looked like, and how to reach you through your real contact information. Then report the fake email address to Google and file a report with the FTC at reportfraud.ftc.gov. The faster you communicate, the less damage the scammer can do to your reputation.

Is it safe to open an email from someone I know, even if something feels a little off?

Opening the email itself is usually fine. The risk comes from clicking links or downloading files inside it. If the email feels slightly off, trust that feeling. Contact the sender through a separate channel before clicking anything. Your gut is a pretty good spam filter.

I deleted the suspicious email. Did I do the right thing?

Deleting it protected you from accidentally clicking something harmful, so yes. The one additional step worth taking is letting the person being impersonated know that you received it. A quick message saying "Hey, I got a weird email that looked like it came from you, just wanted to flag it" takes less than a minute and could make a real difference for them and for other clients who might still be at risk.

I'm not very techy. Is there a simple way to check if an email is real?

Absolutely. Here is the simplest check: look at the full email address in the "From" field. On most email apps, you can tap or click the sender's name to see the full address. If it ends in @gmail.com, @yahoo.com, @outlook.com, or any free email service, and the person emailing you runs an established business, that is worth a second look. Legitimate businesses use their own domain in their email address. That one check alone will catch a lot of fakes.
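The full-address check from this answer and from the Stage One section, written out as an added example (not code from the original post): it flags a sender that sits on a free mailbox provider while carrying the business name or the owner's name. The function name, the provider list, and the `riverbend-design.example` sample data are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Illustrative list only: the free providers this page names, plus a few common ones.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com", "icloud.com"}

def _squash(text):
    """Lowercase and keep only letters and digits, so 'Jane.Rivera' equals 'janerivera'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def classify_sender(from_header, business_domain, owner_name):
    """Return (verdict, reasons) for one From header.

    business_domain and owner_name are the values the real provider gave you
    ahead of time (hypothetical parameters for this example).
    """
    display, address = parseaddr(from_header)
    local, _, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    business_domain = business_domain.lower()
    if not local or not domain:
        return "unparseable", ["no usable address in the From header"]
    if domain == business_domain or domain.endswith("." + business_domain):
        return "expected-domain", []

    reasons = []
    brand = _squash(business_domain.split(".")[0])
    if brand and brand in _squash(local):
        reasons.append("business name appears before the @, not after it")
    owner = _squash(owner_name)
    if owner and (owner in _squash(display) or owner in _squash(local)):
        reasons.append("uses the owner's name")
    if domain in FREE_MAIL:
        reasons.append("sent from free provider " + domain)
        return ("likely-impersonation" if len(reasons) > 1 else "free-mail"), reasons
    return "other-domain", reasons

# Constructed sample headers; the .example domain and the names are placeholders.
SAMPLES = [
    "Jane Rivera <jane@riverbend-design.example>",
    "Jane Rivera <jane.riverbend-design.example@gmail.com>",
    "Old Friend <someone1984@yahoo.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", classify_sender(header, "riverbend-design.example", "Jane Rivera"))
```

The From header is supplied by the sender, so a matching domain is not proof by itself; this only automates reading the full address.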

At AskDotty, no question is a dumb question, especially when it comes to protecting your business online. If you want to learn more about staying safe and visible as a solopreneur, come hang out with us.

Dotty Scott, owner of Premium Websites Inc. and AskDotty, creates unique web designs, offering personalized solutions beyond "cookie-cutter" sites. Dotty’s book, Your Amazing Itty Bitty™ Visibility Book: 15 Chapters to Marketing Made Easy! is a best-seller. She empowers business owners to get from where they are to where they want to be.
