Protecting Yourself From Scams, Spam & Fraud Leads
The moment you have an online presence, you become a target for scammers. From fake invoices to phishing emails to fraudulent leads, the threats are constant. Here's how to recognize and avoid the most common scams targeting website owners and small businesses.
Domain Renewal Scams
One of the most common scams targets domain owners with official-looking renewal notices:
- Fake renewal invoices: Letters or emails that look like bills but are actually offers to transfer your domain to a different (often overpriced) registrar
- Urgent expiration warnings: Emails claiming your domain is about to expire when it isn't
- SEO domain listings: Offers to "list" your domain in various directories for a fee
How to protect yourself: Only renew through your actual registrar (GoDaddy, Namecheap, etc.). Log in directly. Never click links in emails. Check your registrar dashboard for actual expiration dates.
Red Flags in Renewal Notices
- Sender isn't your actual registrar
- Excessive urgency ("FINAL NOTICE")
- Prices significantly higher than normal
- Payment to a different company than usual
- Generic greeting instead of your name
SEO and Marketing Scams
Business owners are flooded with unsolicited SEO and marketing offers. Most are low-quality at best, scams at worst:
"We Found Problems With Your Website"
Generic emails claiming to have found SEO issues, security vulnerabilities, or accessibility problems on your site. The senders have rarely looked at it; these are mass-sent templates. Legitimate audits are specific and usually not unsolicited.
"Get to Page 1 of Google Guaranteed"
No one can guarantee Google rankings. Anyone claiming otherwise is either lying or planning to game the system in ways that could get your site penalized. Legitimate SEO professionals discuss strategies and timelines, not guarantees.
"We'll Get You Thousands of Followers/Backlinks"
Purchased followers are fake accounts. Purchased backlinks violate Google's guidelines and can result in penalties. Both are vanity metrics that don't translate to real business results.
How to protect yourself: Ignore unsolicited SEO emails. If you need SEO help, research providers yourself rather than responding to cold outreach.
Phishing and Account Access
Phishing attempts try to steal your login credentials or payment information:
Fake Login Pages
Emails that appear to be from your hosting provider, domain registrar, or CMS, asking you to "verify your account" or "update payment information." The links go to convincing fake login pages that steal your credentials.
Compromised Email Chains
Scammers sometimes gain access to email accounts and reply within existing threads, making their messages appear legitimate. They may request wire transfers, login credentials, or other sensitive information.
How to protect yourself:
- Never click login links in emails. Go directly to the site.
- Enable two-factor authentication everywhere
- Verify unusual requests through a different channel (call instead of email)
- Check sender email addresses carefully (scammers use similar-looking domains)
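The sender-address check above can be automated for mail that claims to come from your registrar or host. The sketch below is an added example, not part of the original article; the trusted domains, the character-swap table and the distance threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: the domains you really deal with (constructed sample values).
TRUSTED_DOMAINS = {"example-registrar.com", "example-host.net"}
# A small sample of character swaps seen in look-alike domains.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def sender_domain(from_header):
    """Return the lower-cased domain from a From header, or '' if none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def normalize(domain):
    """Undo common swaps and drop hyphens so near-copies compare equal."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain.replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid'."""
    domain = sender_domain(from_header)
    if not domain:
        return "invalid"
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if (trusted in domain                              # real name used as a prefix
                or normalize(domain) == normalize(trusted)  # character swaps
                or edit_distance(domain, trusted) <= 2):    # typos, dropped letters
            return "lookalike"
    return "unknown"
```

A "lookalike" result is the case to treat as hostile; "unknown" only means the domain is not on your list.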
Fake Leads and Orders
If you have a contact form or online store, you'll encounter fake submissions:
Overpayment Scams
A "customer" sends a check for more than the invoice amount and asks you to refund the difference. The original check bounces after you've sent real money. Never refund overpayments from new customers you haven't verified.
Elaborate Fake Projects
Detailed project inquiries that seem legitimate but eventually lead to requests for wire transfers to "partners," purchases of supplies from specific vendors, or other payment schemes. Real clients don't require you to pay third parties upfront.
Spam Form Submissions
Automated bots submitting your contact form with links to malicious sites or advertisements. These waste your time and can contain malware links.
How to protect yourself:
- Implement reCAPTCHA or honeypot fields on forms
- Never accept overpayments
- Verify new clients through video calls or verified payment methods
- Be suspicious of urgent requests from new contacts
Signs of a Fake Lead
- Vague about their actual business or needs
- Unusual payment arrangements proposed
- Extreme urgency from a brand-new contact
- Requests for wire transfers or cryptocurrency
- Grammar/spelling inconsistent with claimed location
- Email domain doesn't match claimed company
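The honeypot advice and the fake-lead signs above can be combined into one server-side screen for contact-form submissions. This is an added example, not code from the original article; the field names (`website_url` as the hidden honeypot, `company_website`), the keyword lists and the three-second threshold are assumptions, and `rendered_at` is assumed to be the time your server recorded when it served the form.

```python
import re
import time
from urllib.parse import urlparse

# Constructed keyword lists; tune them to the inquiries you really receive.
PAYMENT_TERMS = re.compile(r"\b(wire transfers?|bitcoin|crypto(currency)?)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(urgent(ly)?|immediately|asap|right away)\b", re.I)
LINK = re.compile(r"https?://", re.I)
MIN_FILL_SECONDS = 3  # assumption: nobody types a real inquiry faster than this


def site_host(site):
    """Host name of the claimed company site, without a leading 'www.'."""
    host = urlparse(site if "://" in site else "//" + site).hostname or ""
    return host[4:] if host.startswith("www.") else host


def screen_submission(form, rendered_at, now=None):
    """Return {'action': 'drop' | 'review' | 'accept', 'reasons': [...]}."""
    now = time.time() if now is None else now
    # Honeypot: "website_url" is hidden from people with CSS, so only bots fill it.
    if form.get("website_url", "").strip():
        return {"action": "drop", "reasons": ["honeypot field filled"]}
    if now - rendered_at < MIN_FILL_SECONDS:
        return {"action": "drop", "reasons": ["submitted too fast"]}

    reasons = []
    message = form.get("message", "")
    if PAYMENT_TERMS.search(message):
        reasons.append("wire transfer or cryptocurrency request")
    if URGENCY_TERMS.search(message):
        reasons.append("urgency from a new contact")
    if len(LINK.findall(message)) >= 2:
        reasons.append("multiple links in message")
    email_domain = form.get("email", "").rpartition("@")[2].lower()
    host = site_host(form.get("company_website", "").strip())
    if host and email_domain != host and not email_domain.endswith("." + host):
        reasons.append("email domain does not match company site")
    return {"action": "review" if reasons else "accept", "reasons": reasons}
```

Submissions marked "review" still reach a person; the reasons list tells them what to verify before replying.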
Hosting and Service Scams
Fake Tech Support
Phone calls or pop-ups claiming to be from Microsoft, Google, or your hosting company, warning about security issues that require immediate action. Legitimate companies don't cold-call with security warnings.
Unauthorized Changes to Your Domain
Scammers may pose as your web developer and contact your registrar to transfer your domain. Enable domain lock and verify any transfer requests through multiple channels.
Ransomware Threats
Emails claiming hackers have compromised your site or have embarrassing footage of you, demanding payment (usually Bitcoin). Most are bluffs. If you're genuinely concerned about a security breach, consult a professional rather than paying.
Invoice and Payment Fraud
Business email compromise (BEC) is increasingly common:
- Fake invoices: Emails with attached invoices for services you didn't order
- Vendor impersonation: Emails appearing to be from real vendors requesting payment to new bank accounts
- CEO fraud: Emails appearing to be from company leadership requesting urgent wire transfers
How to protect yourself: Verify any payment request changes by phone using known numbers (not numbers from the suspicious email). Establish payment change procedures that require verbal confirmation.
What to Do If You've Been Scammed
- Change all passwords immediately: start with email, then financial accounts, then hosting/domains
- Enable 2FA everywhere if you haven't already
- Contact your bank if financial information was compromised
- Report the scam to the FTC (reportfraud.ftc.gov) and your state attorney general
- Scan for malware if you clicked any suspicious links
- Alert others: if you're a business, your team needs to know
Prevention Checklist
- ✓ Two-factor authentication on all accounts
- ✓ Domain lock enabled at your registrar
- ✓ reCAPTCHA or honeypot on contact forms
- ✓ Bookmark your registrar and hosting dashboards (don't click email links)
- ✓ Verbal confirmation required for payment changes
- ✓ Regular password updates with unique passwords per account
- ✓ Team training on recognizing phishing
Final Thoughts
Scammers succeed by creating urgency and exploiting trust. The best defense is skepticism: verify everything through independent channels, never act on urgency alone, and remember that legitimate businesses don't pressure you into immediate action.
If something feels off, it probably is. Trust your instincts, verify before you act, and when in doubt, do nothing until you've confirmed the legitimacy of any request.