Your Web Designer Is Being Impersonated and You Could Be Next
If you own a small business and recently hired a web design agency to build or manage your website, there is a scam you need to know about right now. It does not involve hacking, data breaches, or sophisticated technology. It involves a scammer spending about an hour on Google and LinkedIn, and then sending you an email that looks like it came from your web designer. Thousands of small business owners are being targeted this way, and most of them never see it coming.
How Scammers Use Agency Portfolio Pages to Find Their Victims
Most web design agencies are proud of the work they do. They publish a portfolio page on their own website showcasing every client they have built a site for. It is good marketing. It shows potential customers proof of their experience and range. If you want to see what a legitimate client portfolio looks like, you can browse the BragDeal projects page to understand how agencies present their work publicly.
Scammers know this too.
A scammer will visit a web design agency website, open the portfolio page, and write down every single client listed. Then they visit each client website one by one and collect the general contact email address listed on the page. In some cases they use automated tools to do this even faster. Within an hour they have a complete list of every business that agency serves, along with a direct email address for each one.
Then they move to LinkedIn. They search for the agency owner, study their profile, take note of their full name, job title, company name, and how they write and present themselves professionally. Some scammers even use the owner’s profile photo to make their fake communications look more convincing.
With all of that information gathered, they craft a mass impersonation email and send it to every client on that list, pretending to be the agency owner.
What the Scam Email Looks Like
The email will use the real name of your web designer. It will reference your website and mention something vague but alarming, like your site not being aligned with the latest platform requirements, or your domain and plugins being due for renewal. It will tell you that action needs to be taken immediately, usually before a very specific short deadline like within 48 hours or by a date just a few days away.
It will warn you that failing to act could result in your website being flagged, going down temporarily, or in serious cases being permanently taken offline. The language is designed to make you panic just enough to respond without stopping to think.
What it will not include is an invoice, a client account number, a specific plugin name, or any verifiable documentation. It will simply ask you to reply right away so things can be handled promptly.
The Biggest Red Flag: Real Agencies Never Use Gmail for Business
Here is the single most important thing to check when you receive any email from your web designer. Look at the actual sender email address, not just the name displayed in your inbox.
A legitimate web design agency will never contact you from a random Gmail account. Ever. Real agencies operate from a professional branded email address that matches their company domain. If your web designer’s agency is called ABC Ltd., their email will come from something like dan@abc.com. It will not come from abc.support@gmail.com or any variation of a free email account.
This is non-negotiable. A Gmail address is not a minor detail or an oversight. It is the clearest possible sign that the person contacting you is not who they claim to be. If you receive an urgent email from your agency and the sender address is a Gmail account or any domain that does not match their official website, stop. Do not reply. Do not click anything. That is not your web designer.
If They Never Emailed You Like This Before That Should Tell You Everything
Beyond the email address, there is another powerful way to detect this scam that many people overlook. Think about your history with your web design agency. How have they communicated with you up until now? Did they send you calm, professional emails with detailed invoices when something needed to be renewed? Did they give you plenty of notice before any deadlines? Have they ever sent you a frantic, last-minute email demanding you take action within 48 hours or risk losing your website?
If the answer to that last question is no, then ask yourself why they would suddenly do it now.
Scammers rely on urgency to shut down your critical thinking. They want you to feel like there is no time to verify, no time to call, no time to question. But that urgency is completely artificial. It is manufactured specifically to get you to act before your instincts kick in.
Your real web design agency has been working with you calmly and professionally. A legitimate renewal notice does not arrive as an emergency. It comes with documentation, a proper invoice, and enough time for you to review and respond. If the tone of an email is completely out of character with every other communication you have received from your agency, that inconsistency alone should put you on high alert. Recognizing patterns in how your agency normally operates is one of the most reliable defenses you have.
What Scammers Are Actually After
The goal of this scam is usually one of three things. The first is direct payment for fake renewals or services that do not exist. The second is your login credentials for WordPress or your hosting account, which gives them full control of your website. The third is personal or business information they can use to target you further or sell to other bad actors.
None of these outcomes are recoverable without serious effort and cost. A compromised WordPress site can mean significant website security maintenance work to undo the damage, and in worst case scenarios the site may need to be rebuilt entirely. Understanding what makes a website look professional versus vulnerable starts with who is managing it and how securely they communicate with you.
What to Do the Moment You Receive a Suspicious Email
If you get an email that claims to be from your web design agency but feels off in any way, do not reply to it. Do not click any links inside it. Do not send any payment.
Instead, call your agency directly using a phone number you already have saved. Do not use any contact information provided in the suspicious email itself. A quick two-minute phone call is all it takes to confirm whether the message was real or not.
Forward the suspicious email to your real agency contact so they are aware it is happening. Save a screenshot of the full email including the full sender address. If you believe you have been targeted, report it to the Canadian Anti-Fraud Centre at antifraudcentre.ca or, if you are in the United States, at ic3.gov.
How to Choose a Web Agency That Communicates Professionally From Day One
The best protection against this scam is building a relationship with an agency that sets clear communication standards from the start. A trustworthy agency will always use a branded professional email, provide detailed invoices for any renewal or service, and never pressure you with vague deadlines.
If you are currently looking for a web design partner, it helps to know what actually matters when hiring a top web design company before you sign anything. And if you are evaluating whether your existing website is set up with the right website maintenance protocols, that is a conversation worth having directly with your agency using contact information you already trust.
Protect Your Business by Knowing What Normal Looks Like
Ask your web design agency how they handle renewals and billing. Understand what their normal communication process looks like so you know immediately when something does not fit. Save their real phone number and email domain somewhere accessible. And treat any email that combines urgency, vague technical claims, and a short deadline as suspicious until you have personally verified it is real.
Your web designer built your website to help your business grow. Scammers are trying to use that relationship against you. A moment of awareness is all it takes to make sure they cannot. If you have questions about how BragDeal handles client communication or want to know more about our process, visit our FAQ page or get in touch directly.
