The Squarespace Designer Impersonation Scam: What You Need to Know
If you've gotten an email recently claiming your Squarespace site needs a "compliance audit," "security review," or urgent platform update, here's the short version: it's a scam, your website is fine, and you don't need to do anything except report it and delete it.
This isn't theoretical. Squarespace has officially confirmed that scammers are impersonating legitimate web designers across the Circle Partner program, and the activity has escalated significantly since late 2025. Designers across the community — including some I know personally — have had clients targeted, and a handful of business owners have lost money to this scheme.
Here's what's happening, how to spot it, and what both clients and designers should be doing right now.
What the scam looks like
The scammers do their homework. They scrape designer client lists from publicly visible sources — portfolio pages, "Built by" footer credits, case studies — and then send emails to those clients pretending to be the designer who originally built the site.
The emails follow a predictable pattern. They claim something is urgently wrong with your website and that immediate action is required. Common variations include:
A "compliance license" needs to be configured or renewed
A "compliance audit" is required to meet new GDPR, CCPA, or accessibility standards
A "security review" or SSL certificate fix is needed
Your domain is at risk of being restricted or taken offline
Squarespace is conducting a platform-wide review and your site needs attention
The messaging often includes a deadline, a request to simply reply "YES" to authorize work, or an invoice for a payment to be processed through Fiverr, Upwork, or a similar third-party platform. Some versions reference made-up "Acts" or laws to add a layer of false legitimacy.
The tactics shift constantly. Recent variations have referenced "Squarespace platform updates" causing imminent "downtime," and the scammers have started using language pulled from real client communications to sound more convincing.
Why it's effective
Three reasons this scam works on otherwise careful business owners:
It looks personal. The sender knows the name of the designer who built your site. They know what platform you're on. They may even reference details that feel specific to you. That kind of context usually signals legitimacy.
It creates urgency. Compliance, security, downtime — these words trigger a "fix it now" reaction. Most people don't pause to verify when they think their website is about to go offline.
It mimics tone. The emails are friendly, professional, and signed off with the real designer's name. They're not the typo-riddled phishing attempts of 10 years ago.
How to spot a fake email
Once you know what to look for, the tells become obvious.
Check the sender address. Real Squarespace designers communicate from their business domain — not a personal Gmail account. If the email is from something like agave.studio.support@gmail.com or includes a slight misspelling of the business name (an extra space, a missing letter), it's a scam. Scammers will often build a Gmail address that contains the designer's name to fool people who only glance at the "From" field.
Verify the language. There is no such thing as a "Squarespace compliance license." Squarespace does not run platform-wide audits or send compliance warnings through third-party designers. If your site genuinely had an issue, you'd see it on your Squarespace dashboard when you logged in.
Watch for urgency and payment requests through third parties. Legitimate designers invoice through their own systems — HoneyBook, Stripe, QuickBooks, or whatever they normally use. They don't suddenly route payment through a Fiverr link or ask for a wire transfer to a bank account you've never seen before.
Cross-check before responding. If anything feels off, don't reply to the email. Open a new browser tab, go to your designer's actual website, and use the contact information there. A 30-second verification protects you completely.
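The sender-address check described above can be automated for a shared inbox or a designer's abuse mailbox. This is an added example, not code from Squarespace or from any designer; the trusted domain `agave-studio.example`, the brand token list, the free-mail list and the 0.85 similarity threshold are all assumptions made for illustration.

```python
import difflib
from email.utils import parseaddr

# Constructed sample values: the trusted domain is a placeholder, not a real one.
TRUSTED_DOMAIN = "agave-studio.example"
BRAND_TOKENS = ("agave",)
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}


def classify_sender(from_header, trusted=TRUSTED_DOMAIN, tokens=BRAND_TOKENS):
    """Return (verdict, reason) for the visible From header of one message."""
    display, addr = parseaddr(from_header)
    local, at, domain = addr.lower().rpartition("@")
    if not at or not domain:
        return "unparseable", "no usable address in From header"
    if domain == trusted:
        # Only the visible address matches; whether the mail is authentic
        # still depends on the SPF/DKIM/DMARC result the receiver recorded.
        return "expected-domain", "address is on the designer's own domain"
    named = [t for t in tokens if t in local or t in display.lower()]
    if domain in FREEMAIL:
        if named:
            return "impersonation", f"free mailbox using the name {named[0]!r}"
        return "unrelated", "free mailbox with no reference to the designer"
    # A near-identical domain covers the missing-letter and extra-character case.
    score = difflib.SequenceMatcher(None, domain, trusted).ratio()
    if score >= 0.85:
        return "lookalike-domain", f"{domain} is {score:.0%} similar to {trusted}"
    if named:
        return "impersonation", f"unknown domain using the name {named[0]!r}"
    return "unrelated", "no reference to the designer"


SAMPLES = [  # constructed From headers; the Gmail address is the one quoted above
    "Agave Studio <agave.studio.support@gmail.com>",
    "Agave Studio <hello@agave-studo.example>",
    "Agave Studio <hello@agave-studio.example>",
    "Newsletter <news@gmail.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        verdict, reason = classify_sender(header)
        print(f"{verdict:17} {header}  ({reason})")
```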
What to do if you receive one
If you get a suspicious email referencing your Squarespace website:
Don't reply, don't click links, don't agree to anything — even a one-word "YES" reply gives scammers an opening to engage you further.
Don't share login information or grant site access to anyone claiming to be your designer until you've confirmed the request through a separate channel.
Report it to Squarespace by forwarding the full email (including headers) to reportphishing@squarespace-security.com.
Report it to your email provider as phishing or spam.
File a complaint with the FBI's Internet Crime Complaint Center at ic3.gov if you've lost money or shared sensitive information.
Forward it to your designer so they can track patterns and warn other clients.
Your Squarespace account is not compromised by these emails. The platform itself hasn't been breached. Your site is safe unless you intentionally hand over credentials or grant access to the impersonator.
What designers should be doing
If you're a Squarespace designer, this scam is hitting your reputation whether or not you've noticed yet. A few practical steps:
Audit your public client exposure. Portfolio "View the Site" buttons and "Built by [Your Studio]" footer credits are exactly how scammers build their target lists. Consider whether named case studies, footer attribution, and public client lists are worth the visibility cost. There's a real tradeoff here, but most designers haven't actually thought it through.
Get email authentication right. Make sure SPF, DKIM, and DMARC are properly configured on your sending domain. This won't stop scammers from spoofing you with a Gmail account, but it does prevent direct impersonation of your actual domain.
Tell your clients before it happens. A short email explaining the scam, your only legitimate contact addresses, and what to do if something looks suspicious is one of the most valuable communications you can send. Get ahead of it.
Set communication norms early. During onboarding, make it clear which email addresses you use, how invoices are sent, and that you'll never request urgent payment through a third-party platform. Document it in your client agreement.
Track patterns. When clients forward suspicious emails, save them. The tactics evolve, and having a record helps you warn the rest of your client base when something new shows up.
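For the email authentication step above, a quick way to see whether the published records actually enforce anything is to audit the TXT strings themselves. This is an added example, not a Squarespace or vendor tool; the record strings, the `mailhost.example` include and the report address are constructed, and the checks cover only the policy-level tags (`p`, `pct`, `rua`, and the SPF `all` mechanism).

```python
def parse_tags(record):
    """Split a DMARC TXT value such as 'v=DMARC1; p=none' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return a list of weaknesses in one _dmarc TXT record (empty = enforcing)."""
    tags = parse_tags(record or "")
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record: receivers apply no policy to spoofed mail"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: mail spoofing the domain is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append("pct below 100: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who sends as the domain")
    return findings


def audit_spf(record):
    """Return a list of weaknesses in one SPF TXT record (empty = acceptable)."""
    terms = (record or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["no valid SPF record"]
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy is defined by the redirect target, not audited here
    last = terms[-1]
    if last in ("all", "+all"):
        return ["+all authorises every server on the internet to send as the domain"]
    if last == "?all":
        return ["?all is neutral: unlisted senders are not failed"]
    if last not in ("-all", "~all"):
        return ["record does not end in an all mechanism"]
    return []


if __name__ == "__main__":  # constructed records: weak setting, then corrected one
    print(audit_dmarc("v=DMARC1; p=none"))
    print(audit_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@agave-studio.example"))
    print(audit_spf("v=spf1 include:_spf.mailhost.example +all"))
    print(audit_spf("v=spf1 include:_spf.mailhost.example -all"))
```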
The bottom line
Your Squarespace site doesn't need a surprise compliance audit. Squarespace doesn't dispatch designers to chase down license keys. And no legitimate designer is going to ask you to wire payment through Fiverr because of an "urgent" platform update.
When in doubt, slow down. Verify through a channel you already trust. Most scams fall apart the moment you take 60 seconds to check.
If you're an Agave Studio client and you've received something that feels off, or you just want a second set of eyes on an email, please send it our way so we can report it. We'd rather review 10 false alarms than have one client get caught.