Warning: Squarespace designer email scam
Scam Alert!
Scammers are targeting Squarespace website owners pretending to be Squarespace designers or Squarespace the company. Find out how to stay safe.
Have you been contacted by your web designer out of the blue, regarding an audit, security, verification, license issue or update? It could be part of a sophisticated spoofing/phishing scam.
Learn about a spate of scams impersonating actual web designers and targeting website owners, how to tell if an email is a scam, and what to do about it.
Jump to:
What is the Squarespace designer email scam? How are they doing it?
What does a Squarespace designer scam email look like? What do I look out for?
Your website contact forms might be targeted, too. How to check this.
What is this scam? What’s happening and how are they doing it?
Recently many of my clients and clients of other designers have been the target of a growing trend of email spoofing and phishing scams. The scammers are using sophisticated AI tools to extract email addresses and to bulk send contact forms on Squarespace websites, and also scraping web designer portfolios, forums and marketplace platforms. They are using these tools to find the connection between the target and the Squarespace web designer that they will impersonate to get the target to either send them money for fake services, or to gain access to the target’s website to perform nefarious actions.
It is not just Squarespace. I am aware of the same sorts of scams on Webflow, Wix, WordPress, Shopify and Showit platforms. And I have verification from Squarespace that this is not due to a security breach, so personal details have not been leaked. The scammers are using AI and other automation tools to scour the web for their targets and extract details of designers, such as names, photos and logos.
The emails look incredibly legitimate; it’s hard to distinguish from the real thing.
Example of a Squarespace designer scam email
In addition to impersonating the web designer’s name, in some cases, the scammers have even included a photo and/or logo from the designer’s company in the email, and they often reference being a Verified Squarespace Partner (or similar). I’ve included one of the scam emails here as an example.
The email mentions having worked together before, and then gives some technical reason for them “reaching out” to help ensure compliance or to fix critical errors, or else the website will be restricted or suspended.
The scammer is relying on the pre-established relationship to bring the target’s guard down, and expecting the target to be a bit scared and perhaps baffled by technical jargon. They say that they will perform X service for free, or that they need access to the website in order to perform the service, but later they will say that they found more problems so they need money to fix these. Some examples include:
Compliance issues or accessibility compatibility checks
Platform or security updates or audits
License or domain verification
Extension or plugin updates or patches
This scam is particularly bad because it relies on people like me having a good relationship with my clients, who trust me to help them. The added photo and signature make it seem even more real.
It’s also affecting web contact forms, so check your form submissions carefully, too.
Some of the scammers are unable to find an email address on the target’s website, so instead they send these phishing requests by submitting the contact or enquiry form on the website. The email you receive will therefore look just like any other contact form submission, because Squarespace’s own servers really did send it: it will show “Squarespace” as the sender, and the subject line will be something like “Form Submission - xxxxxxx”. However, the email address that shows in the body of the email AND the reply-to address will be the scammer’s email address.
How to tell if it’s a scam
1. Always check the email address domain name! It’s the single most reliable check.
The sender name on an email can be faked. You can put anything you want in that space, so it’s very easy to pretend to be “Miko Coffey”. It’s also easy to create legitimate-sounding email addresses that are not the real thing. For example, here are some of the scammer email address formats:
miko.usingmyhead@gmail.com
hello.usingmyhead@hotmail.com
sales.usingmyhead@proton.me
What a scammer cannot easily fake is the email domain name - the part after the @ symbol. Ignore everything before the @ symbol; that can be anything. Nobody without control of usingmyhead.com can send an email that passes authentication as @usingmyhead.com, so that’s the important part to look at. Strictly speaking, the sender address in the email header can be forged, but a domain that publishes SPF, DKIM and DMARC records lets the receiving mail server check whether the message really came from that domain, and most email software flags or rejects messages that fail that check, so these would either go into your spam folder or show in your inbox with a warning. This means that you are normally OK just looking at the sender address in the email header; however, to be as sure as you can be, use the instructions below for your email software to view the full email header details. Look at the Signed by domain name (or Mailed by, if there is no Signed by) and check that this matches the domain name of your web designer. Signed by is the domain that put a DKIM signature on the message; Mailed by is the domain whose server handed it over and passed the SPF check. Note that this protection only exists if your designer’s domain actually publishes those records, which is one more reason to insist on a real business domain rather than a free mailbox.
Overall, you should always be wary of anything that comes from Gmail, Hotmail, Protonmail or any other free email service provider. I’d be surprised if any legitimate web designer who is serious about their business uses a free email address.
Gmail (you need to be in the web browser, not the mobile app):
Click the little down arrow / triangle next to the words “to me”, as shown in the green screenshot above.
Outlook:
Click the three-dot icon (...) in the top-right corner of the message pane (not the top of the browser).
Select View.
Select Message details.
Apple Mail:
In the menu bar, go to View > Message > All Headers.
To revert, select View > Message > Default Headers.
Tip: If you're on a mobile or you couldn't see/understand the header using the instructions above, a "hack" is to check the Reply-To address by hitting reply on the email, BUT DO NOT SEND A REPLY. Just check what email address shows in the reply window. A scammer will never want the real designer's email address as the Reply-To, because then your reply would go to the real designer instead of to them; so a reply address on a free email provider or an unfamiliar domain is a giveaway. The reverse is not proof, though: an email that only wants you to click a link or a payment button doesn't need your reply at all, so still check the sender domain. Be sure to discard the empty draft reply after you check the address.
Watch out for misleading “typos”!
Look very closely at the email domain name, because there are also scams going around pretending to be Squarespace. Sometimes these scammers go the extra step to purchase domain names that look very similar to the actual domain. Here’s one such domain name from a scammer:
security@squarespacee.com - would you catch this one? Pretty sneaky!
I’ve even heard of another designer whose clients were getting scam emails from name@designercompany.co instead of their actual email, which is name@designercompany.com - stay vigilant to the finer details!
2. On a website form submission, the address to check is not the email sender (that will always be Squarespace). It’s the reply-to address and the email address in the form text.
First, I should say here that the most likely way to contact someone you’ve worked with before is through a direct email. I will never contact a past client using the contact form on their website, except in the very rare circumstance that my contact has left that company. So, you should already be a little suspicious about your web designer using this form of communication. However, it could happen, so be sure you look at the reply-to address and/or the address in the actual email text that is sent to you from your Squarespace website form. The sender will say “Squarespace” just like usual, like all your legitimate contact form submissions. Here’s an example of a scam form submission email:
3. Does what they are asking sound like something your designer would say? Stop for a moment and think.
Many of these emails say something like: “If you’d like me to carry out this free audit for you, just reply YES to this email.” Most legitimate business people would never ask something in this manner.
Other emails say something like: “In order to perform the license upgrade, I will need you to give me access permissions to your website.” Most web designers will already have access to their client’s website. Why would they need to ask again? They wouldn’t. Never give anyone access to your website without verifying that they are who they say they are. Check out my tips below on how to keep your Squarespace account safe.
Another thing to check is the tone of voice. Does the email sound overly formal or overly familiar? Does it seem like it’s filled with technical jargon or terminology that you haven’t used before with your designer? For example, I would never say: “This’s Miko Coffey, your Squarespace Verified Partner” (actual wording from a scam email my clients received).
4. If they are asking for payment, does the method of payment match how you’ve paid in the past?
If you end up in a position where your “designer” (aka the scammer) is asking for payment for services, are they asking you to pay in some way that they haven’t in the past? For example, are they asking you to pay by PayPal or some other payment platform that you haven’t used with them before? If they send an invoice, does it look like your past invoices? Be very careful! Sometimes these payment links will simply take your money, which is bad enough, but other times the link to “PayPal” (or other payment platform) will actually take you to a clone website designed to look exactly like the real PayPal login page, which captures the login details and card numbers you type into it and may also try to install malware on your computer. Never, ever click any links or buttons in an unverified email; always look at the sender domain name before you click on anything.
5. If in doubt, reply to an old email thread or send a separate email to check.
If you’re still not sure, you can always email your designer directly. The safest way would be to find an old email conversation with your designer and reply to that. Or, you can send a new email or forward the scam to the email address you have in your address book. However, be careful: if you replied to the scammer, their email address might have been automatically added to your contacts! If you are sending a fresh email to your designer, double check the “to” field to make sure it’s the actual email address you’ve communicated with before and not the scammer’s email address.
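Putting points 1 and 2 above into something you can actually run: the script below is an added example for this article, not a tool from Squarespace or from Using My Head. It takes a raw email (what you see after the “view headers / message details” steps above, or “Show original” in Gmail), pulls the domain after the @ from the From: and Reply-To: addresses, reads which domains the receiving server actually authenticated (Gmail’s Signed by and Mailed by come from the DKIM and SPF results in the Authentication-Results header), flags free mailbox providers and near-miss domains such as squarespacee.com or designercompany.co, and, for a Squarespace form submission, judges the Reply-To address rather than the Squarespace sender. The trusted domain usingmyhead.com, the free-provider list and the five sample messages are constructed for the example; the Squarespace sender domains are the ones this article lists further down.

```python
"""Header checks for a suspected designer-impersonation email (added example, not the article's own tool)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domain(s) this client has genuinely corresponded with before.
TRUSTED_DOMAINS = {"usingmyhead.com"}
# Domains Squarespace itself sends from (the article lists these further down).
PLATFORM_DOMAINS = {"squarespace.com", "mail.squarespace.com", "squarespace.info"}
# Free mailbox providers; a "designer" writing from one of these is a red flag.
FREE_MAIL = {"gmail.com", "hotmail.com", "outlook.com", "proton.me", "protonmail.com", "yahoo.com"}

def domain_of(header_value):
    """'Miko Coffey <miko@usingmyhead.com>' -> 'usingmyhead.com' (only the part after the @ matters)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the signature of a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain, known):
    """Return the known domain that `domain` imitates (squarespacee.com, designercompany.co), else None."""
    for k in sorted(known):
        if domain != k and edit_distance(domain, k) <= 2:
            return k
    return None

def authenticated_domains(msg):
    """Domains the receiving server verified: DKIM-signed (Gmail's 'Signed by') and SPF-passing ('Mailed by')."""
    signed, mailed = set(), set()
    for ar in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass[^;]*?header\.[di]=@?([\w.-]+)", ar):
            signed.add(m.group(1).lower())
        for m in re.finditer(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", ar):
            mailed.add(m.group(1).lower())
    return signed, mailed

def assess(raw_email, trusted=TRUSTED_DOMAINS):
    """Run the article's checks on one raw message; returns the domain judged and the red flags found."""
    msg = message_from_string(raw_email)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To")) or from_dom  # no Reply-To: replies go to From
    signed, mailed = authenticated_domains(msg)
    # A website form notification really is sent by Squarespace; the person behind it is the Reply-To.
    is_form = from_dom in PLATFORM_DOMAINS and (msg.get("Subject") or "").startswith("Form Submission")
    judged = reply_dom if is_form else from_dom
    flags = []
    if not is_form and from_dom not in signed and from_dom not in mailed:
        flags.append(f"From: domain {from_dom} not authenticated by DKIM or SPF; the header may be forged")
    if judged in FREE_MAIL:
        flags.append(f"{judged} is a free mailbox provider, not a business domain")
    near = lookalike(judged, trusted | PLATFORM_DOMAINS)
    if near:
        flags.append(f"{judged} imitates {near} but is not the same domain")
    elif judged not in trusted:
        flags.append(f"{judged} is not a domain you have dealt with before")
    if not is_form and reply_dom != from_dom and reply_dom not in trusted:
        flags.append(f"replies would go to {reply_dom}, not to the sender's domain")
    return {"form_submission": is_form, "domain": judged, "suspicious": bool(flags), "flags": flags}

# Constructed sample messages (not real mail), one per check.
LEGIT_EMAIL = """\
From: Miko Coffey <miko@usingmyhead.com>
Subject: Re: your site update
Authentication-Results: mx.google.com; dkim=pass header.i=@usingmyhead.com header.s=google; spf=pass smtp.mailfrom=miko@usingmyhead.com

"""
SCAM_GMAIL = """\
From: "Miko Coffey" <miko.usingmyhead@gmail.com>
Subject: Urgent: Squarespace compliance audit
Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com; spf=pass smtp.mailfrom=miko.usingmyhead@gmail.com

"""
SCAM_LOOKALIKE = """\
From: Squarespace Security <security@squarespacee.com>
Subject: Action required: domain verification
Authentication-Results: mx.google.com; dkim=pass header.i=@squarespacee.com; spf=pass smtp.mailfrom=security@squarespacee.com

"""
SCAM_FORM = """\
From: Squarespace <no-reply@squarespace.com>
Reply-To: hello.usingmyhead@hotmail.com
Subject: Form Submission - Contact Us
Authentication-Results: mx.google.com; dkim=pass header.i=@squarespace.com; spf=pass smtp.mailfrom=no-reply@squarespace.com

Email: hello.usingmyhead@hotmail.com
"""
SCAM_SPOOFED_FROM = """\
From: Miko Coffey <miko@usingmyhead.com>
Subject: Licence update needed
Authentication-Results: mx.example.net; dkim=none; spf=fail smtp.mailfrom=miko@usingmyhead.com

"""
```

Save a suspicious message as a .eml file (Gmail’s “Show original” has a download option) and pass its text to assess(). A result with no flags means the domain is one you have dealt with before and the receiving server actually authenticated it, not merely that the name looked familiar. The two-edit distance is a deliberately loose net and will occasionally flag a legitimate but similar domain; for this check that is the right direction to fail in.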
What to do if you have been targeted by the scam
Why marking and reporting the scam is important
You may be tempted to simply ignore the scam emails, but this won’t stop them coming, nor will it help to get the scammers shut down. While it can be annoying to have to take time out of your busy day to mark and report the emails, doing so can actually make a difference. Reporting phishing attempts helps to:
Cut down the number of scam emails that reach your inbox
Make yourself a more difficult target for scammers
Protect other people from online cyber crime
Marking and reporting should only take a minute, and all of us legitimate business owners really do appreciate your help.
Mark and report a scam email to your email software provider
If you received this scam as an email - not a form submission - then you can report it to your email provider. Do not report a Squarespace form submission email to your email software, or else you risk all future legitimate form submissions going into your spam folder. Follow the instructions below under Form Submissions instead.
All modern email software gives you the ability to do two things that can cut down on these types of scam emails. First, use the relevant instructions below to report the email as phishing to your email software provider. Then, mark the email as spam. Reporting it as phishing helps the provider learn the patterns of the scam emails, and marking it as spam teaches your own filter to keep future messages from that address (and ones that look like it) out of your inbox.
Gmail:
Open the email in Gmail.
Click the three vertical dots (More options) next to the "Reply" button.
Select Report phishing.
Lastly, you’ll want to mark it as spam, too: check the box to the left of the email and in the top toolbar, click the Report spam icon ( ! ). Alternatively, if the email is open, click the Report spam button in the top menu.
Outlook:
Select the suspicious message.
In the top ribbon (Home tab), click Report or Report Message.
Choose Report phishing from the dropdown list.
A popup will appear, allowing you to confirm the report and send a copy to Microsoft.
Lastly, right-click the message and select Junk > Block Sender.
Outlook (mobile app):
Open the email.
Tap the three dots (...) menu in the top right corner.
Select Report Junk.
Select Phishing or Report Phishing.
Lastly, block the sender as well.
Apple Mail:
Select the phishing message.
Go to the top menu bar, and choose Message > Forward As Attachment.
Send this to reportphishing@apple.com
Lastly, click the Junk icon in the Mail toolbar to help improve filtering and move it out of your inbox.
Report a phishing email to Squarespace
Squarespace are actively investigating these scams and looking for ways to stop them. Please forward the entire scam email to reportphishing@squarespace-security.com making sure you include the email header and subject line.
Report a phishing email to the cyber crime unit in your country.
If you have the time and really want to help cut down this type of scam, you can also report the phishing email to the relevant cyber crime unit in your country. Most of these governmental departments have the power to get the email accounts shut down, and can actually investigate to close down crime rings, as these types of scams are normally part of a large operation. I’ve listed the contact details for UK, USA, Canada and Australia below as this is where most of my clients come from, but you can look up the relevant email address for your country on a search engine by typing “report phishing email in xxxxx”.
UK:
Forward phishing emails to: report@phishing.gov.uk
USA:
You can report spoofing/phishing emails to the following:
Forward it to the Anti-Phishing Working Group at reportphishing@apwg.org
Australia:
Forward it to report@cyber.gov.au (the Australian Cyber Security Centre)
Form Submissions: use the built-in link to report to Squarespace
If you received the scam as a form submission email (the scammer completed a form on your website rather than emailing you directly), then you should use the link at the bottom of the form submission email to report the scam to Squarespace. It’s the last line of text on the form submission that says: Does this submission look like spam? Report it here.
As mentioned above, do not report the form submission email to your email software, or else you might accidentally send all future website enquiries into your spam folder by blocking the Squarespace form sending email address. Not what you want!
How to keep your Squarespace website and account secure
Never share your Squarespace password with anyone, even your web designer. Your login is tied to you personally. A legitimate web designer will never ask you to send them your Squarespace login details. They will have their own personal login.
Never grant access to your website as an administrator or contributor without verifying the person’s email address and/or that they are who they say they are.
Always use a strong password and do not reuse passwords across different platforms. Even though there hasn’t been a Squarespace data breach, if you use the same password on Squarespace as on some other platform and that platform leaks it, scammers will try it on your Squarespace account too. Use a password manager app such as 1Password, NordPass or Proton Pass (which has a free tier) to generate and store unique passwords and simplify logins; all three run on Mac, Windows and mobile.
Enable 2-Factor Authentication (2FA) on your Squarespace account, so that a stolen or phished password alone is not enough to log in. An authenticator app is stronger than a code sent by text message.
Always double-check the sender’s email address on every email that appears to be from Squarespace. Even if the logo and formatting look identical to an email that you have received from Squarespace in the past, you must check the email header to be 100% certain. Generally speaking, emails from Squarespace will come from @squarespace.com, @mail.squarespace.com or @squarespace.info - but there are some exceptions for specialist services such as Squarespace Campaigns or Acuity Scheduling. You can check the list of valid Squarespace email senders here and you can find general tips on how to tell if an email from Squarespace is legitimate here.
Perform regular browser and website hygiene, such as forcing devices and apps to log out of your Squarespace account, keeping your browser version updated, and removing any old contributors. Find out more about these and other Squarespace general security tips here.
Final thoughts about scams
Several years ago, it was pretty easy to spot a scam: a money request from a Nigerian prince, an email riddled with spelling errors and poor grammar. These days, things are much more sophisticated. Don’t speak English well? An AI tool can write the email for you in whatever tone of voice you want, with perfect grammar and spelling. Not sure how to run a scam? AI can help you there, too - from helping with strategy and logistics, telling you what the easiest targets are, to automation tools that can scour and scrape the web in seconds. This is big business. I even got contacted personally through my own website by a company offering to sell me their AI service for sending bulk contact form submissions that had been trained to bypass CAPTCHA security (those annoying things that ask you to select all pictures of motorcycles and such).
Unfortunately, as these types of automated and AI tools get more and more powerful, the more they can be used by unscrupulous people to make life even harder for the rest of us who just want to run our businesses in peace. Authenticity is becoming more and more important in a world where anyone with a phone can make a fake video of anyone doing anything.
I can only hope that authentication tools and techniques will catch up with the rapid growth of automations and fakes. Until then, we unfortunately have to keep our own personal scam-spotting skills sharp and up to date. I hope this article has helped you do that.
This article was written 100% by a real human.