How to Spot a Scam Email and Keep Your Website (and Sanity) Safe

As a small business owner, your email inbox can feel like a second office. It’s where you talk to clients, book jobs, pay bills, and keep everything running smoothly. But lately? It’s also where scammers are working harder than ever to trip you up.

I’ve had several clients send me emails lately with subject lines like: 

“Is this real?” 

“Do I need to do something about this?” 

“Eeeek! Should I be worried?”

You’re not alone. Even I occasionally get emails that make me stop and double-check.

In this post, I want to walk you through:

• why these scams are getting harder to spot

• how to figure out what’s real and what’s not

• what to do if you get a suspicious email

• and real examples from my own inbox and my clients’ inboxes, so you can see how these scams play out in the real world.

Let’s take the fear (and the scammer’s power) out of your inbox.

Why Are Scam Emails Getting Smarter?

Scammers know we’re more suspicious than we used to be. Gone are the days of badly-written emails from a prince in Nigeria promising millions.

Now, they’re impersonating businesses you trust — Wix, Meta, even local cleaning companies — and they’re doing it in ways that look almost legitimate.

Wix even sent me a note recently, saying they’d noticed how much worse the problem has gotten and put out this helpful article on how to identify and report phishing: Wix’s guide to spotting scam emails

And they’re right. Scammers are getting better at copying real logos, using real company names, and even redirecting fake domain names to real websites. That’s why you can’t rely on just one quick check.

Here are some of the real-life examples I’ve seen lately — and how I figured them out.

Example 1: The Fake Cleaning Company

Not long ago I received what looked like a very professional email from “Paul at Kayr Facility Service.”

The email claimed to be from a local cleaning service, offering their services and asking if I’d like to book.

At first glance, it seemed pretty normal. But when I hovered over the sender’s email address, I saw something strange: it wasn’t coming from Kayr Facility Service at all. The sender was actually someone named John, and the domain name was concordcleaning.online.

So here’s what I did:

STEP ONE:

Google the business name & compare the details. I Googled “Kayr Facility Service” — and yes, it’s a real cleaning company, but they’re in South Sydney. That didn’t make sense since the email claimed to be “local” to me, and never actually mentioned what suburb they serviced.

STEP TWO:

Google the domain in the sender's email & compare the details. I Googled the sender’s domain, making sure to separate the bits before and after the period so that it didn't accidentally go directly to the url: ie "concordcleaning" .online. Nothing came up. No business website, no results at all.

STEP THREE:

Check the sender domain directly. I typed "concordcleaning.online" directly into my browser. Oddly enough, it redirected to the real Kayr Facility Service website. This is a common trick — scammers set up fake domains that simply point to a legitimate site, so it looks real at a glance.

STEP FOUR:

Check or confirm any additional details provided in the email. I checked Kayr’s staff directory for good measure. There was no “Paul” and no “John” working there.

The verdict? Definitely a scam.

Why would someone pretend to be a cleaning company? Probably not to sell me a cleaning service. More likely, they wanted me to reply — even if it was just to say “no thanks” — so they could confirm my email address is active and sell it to other scammers or use it for further attacks.

Example 2: The Wix Form Submission

One of my clients, forwarded me a panicked email she received through her own website’s contact form.

It looked very official — it said it was from “Wix Secure Authority” and claimed: “This is the final communication regarding the redirect activity detected on your website. Your store is at risk of temporary access restriction within 24 hours.” Exactly the sort of message to stir your anxiety and make you react out of fear.

It also listed scary consequences like search penalties and ad account disruptions, and urged her to reply with: “I NEED A SPECIALIST”

The email even came through her own website’s contact form inbox, which made it feel more real.

But here’s the thing: the sender’s email address was a Gmail account (wixdreamerssite.info@gmail.com)

— not from an email ending in @wix.com.

So I told her: ignore it. Don’t reply. Don’t click. Just delete it.

PLEASE NOTE:

Wix will never contact you about account, billing, or domain issues through your website’s contact form.

There’s not much you can do to stop scammers from filling out your contact form — but you can make it harder for them by adding a CAPTCHA.

Wix has a handy guide here on how to enable CAPTCHA on your forms: Protecting your site forms from spam.

I can help you increase your form protections too if you'd prefer to do it together. This won’t stop everything, but it cuts down on the volume of automated spam.

Example 3: The Meta Account Suspension

Another client recently received an email supposedly from the “Meta Community Support Team” saying her Facebook business page was going to be suspended for posting “provocative” or “misleading” content.

The email looked polished. It was written in professional, formal language and even included a neat list of supposed violations, like:

• Provocative or sensitive content

• Misinformation or misleading content

• Copyright violations

• Unauthorized content usage

This is important to note, because a lot of these scam emails no longer look like messy walls of text. This one was well-formatted, with Meta style branding colours, clear headers, and spacing that made it feel much more like the kind of template a big company would use, it even had Meta Business Support business information in the footer.

It also contained a prominent button at the bottom labelled “Submit a Complaint”, which invited her to click and begin the “appeals process” to avoid her account being suspended.

And that’s the danger. The button makes it feel “real” — like you can quickly fix the problem with one click.

But when I checked, the sender’s email address was something completely unrelated, just another Gmail address.

That’s your giveaway: Meta does not contact business page owners about account suspensions from a personal Gmail address, and they do not ask you to click a button to “submit a complaint.” In my experience they don't warn you at all actually, they just take your page down, but that's a different issue.

If my client had clicked the button, it almost certainly would have taken her to a fake login page, where the scammers could have harvested her Facebook login details and locked her out of her own account.

How to Spot a Scam Email

After seeing so many of these, here are some easy checks you can do:

• Look at the sender’s email address, not just the name. Real companies don’t use Gmail addresses or weird misspellings of their domain name.

• Watch for urgent language like “Immediate action required” or “Final notice.”

• Be wary of generic greetings like “Dear User”, "Dear Merchant" or “Dear Customer.” Real companies usually use your name.

• Look for spelling or grammar errors — scammers often make little mistakes.

• Don’t trust links just because they look right. Hover over them and check where they actually go.

• Be suspicious if they ask you to confirm personal information or download attachments.

What to Do If You Get a Suspicious Email

If you’re unsure, here’s what you can do:

• Don’t click on any links or download any attachments.

• Don’t reply — even to say no.

• Mark the email as spam and delete it.

• If it claims to be from Wix, forward the email (including the full email headers) to reportphishing@wix.com so they can investigate.

Wix has a full guide here:Wix’s guide to spotting and reporting phishing

And if you want to learn how to find the full email headers (which help Wix figure out where the email really came from), their guide also shows you how to do that for Gmail, Outlook, and other email providers.

How to Tell If It’s Really From Wix (or Me)

Here’s a good rule of thumb: if something is genuinely wrong with your website, you’ll hear about it from me directly (if I manage your site), or from an email that ends with @wix.com — not a Gmail address, not a misspelling of wix (ie wixx or Wiix), and not through your website’s contact form.

If you ever see something that doesn’t look right, feel free to send it to me for a second opinion. I will never charge for sense checking scam.

Why Scammers Want You to Reply

One of the most important things to know about scam emails is this: scammers don’t necessarily care what you say. They just want you to say something.

Replying — even to say “please remove me” — tells them your email address is real and active. That makes it more valuable.

Once they know it’s a live email, they can:

• sell it to other scammers

• target you for more phishing attacks

• try to get you to reveal more information over time

That’s why the safest thing you can do is: don’t engage.

Final Thoughts

I know how stressful it can be to see an email threatening to take down your site, suspend your ad account, or freeze your domain. But you don’t have to panic — and you don’t have to figure it out alone.

Here’s my advice in short:

• Don’t click.

• Don’t reply.

• Don’t engage.

• Delete it.

• If it claims to be from Wix, forward it to reportphishing@wix.com.

• If you’re still not sure, send it to me and I’ll check it for you, free of charge.

Your website is an important part of your business — and keeping it safe doesn’t have to be complicated.

Stay safe out there.

Your partner in this digital nonsense,

Milly