For the past several weeks, someone has been impersonating us. They took names from our website, crafted emails that looked like they came from our team, and sent them to our clients. People we’ve worked with for years — smart, experienced business owners who know us well — got messages that looked legitimate enough to take seriously.
We reported it. We got the account shut down. And then another one appeared. We got that one shut down too. And then another. It’s been weeks of this — a relentless, exhausting game of whack-a-mole with no clear end in sight.
There’s a particular kind of frustration that comes with having someone put words in your mouth and actions to your name that you would never take. It feels violating in a way that’s hard to describe until it happens to you. This person — or bot, or operation, whatever it is — is out there having conversations as us, making impressions as us, potentially damaging relationships we’ve spent years building. And there is not a thing we can do to stop them from trying again tomorrow.
And why wouldn’t our clients take those emails seriously? They weren’t obviously fake. There was no broken English, no sketchy logo, no “Dear Valued Customer.” They looked real because whoever is behind this did their homework. Or more accurately, they let an AI tool do it for them.
That’s where we are now. And we’re writing this because we think you deserve to understand what’s actually going on when this happens — and why it’s not as simple to stop as you might think.
This didn’t happen because anyone did something wrong
Not our clients. Not us. There’s no moment where someone should have known better, because there wasn’t a moment to catch.
Here’s what actually happened: a bad actor used an automated tool to scrape our website — meaning it crawled our public pages and collected business names, website links, images, and information about our business.
This isn’t hacking. What they collected wasn’t private data. It didn’t require breaking into anything. If information is visible on a website, a scraping tool can collect it. Every business with a public web presence is exposed to this, and no firewall or security setting changes that.
No accounts were breached. No passwords, payment information, or sensitive records were accessed. But they took what they found and used it to impersonate us — and that’s where the real damage happens. Not in the data, but in the trust.
The part that actually got to us
Here’s what we didn’t expect: this changed how we read our own inbox.
Just this week we received an email from someone who appears to be a genuine prospective client. It had a link to a PDF with some notes about what they’re looking for. And our first reaction — before excitement, before curiosity — was suspicion. We had to stop and think about whether to open it.
Legitimate communication starts to feel dangerous. Normal business interactions require a second thought they never used to.
That’s the collateral damage nobody talks about. For a company that runs on relationships and responsiveness, that’s not a small thing. It’s a slow erosion of something that used to just be easy.
We imagine some of you are feeling the same way.
What these scams actually look like now
The reason smart people get caught by this is simple: the old version of a phishing email is not what you’re dealing with anymore.
The old version had typos, strange formatting, a sender address that was obviously wrong, and a generic greeting. You spotted it in two seconds and deleted it.
The new version has none of that. AI tools can now generate emails that are grammatically perfect, contextually relevant, and personalized enough to feel like they came from someone who actually knows you. They can reference real names, real companies, and real relationships — because they scraped that information from real public places online.
So when we say our clients didn’t do anything wrong by believing these emails, we mean it.
A few things that still work
We’re not going to give you a generic checklist. You’ve read those. Instead, here’s how we actually think about it now:
- The display name is not the email address. An email can say it’s from anyone — “Travis at Cougar Digital,” your bank, your accountant — and the real sender address can be something completely unrelated (or a misspelling of something familiar that your brain skips right over). On most email clients you can click or hover on the sender name to see the actual address behind it. That’s worth making a habit, especially when an email is asking you to do something or click something.
- Unexpected attachment plus urgency equals pause. If an email you weren’t expecting asks you to open a file or click a link — even if the email looks totally legitimate — the right move is to verify through a completely separate channel before you do anything. A text. A phone call. Not a reply to the email. Thirty seconds of friction is worth it.
- Unexpected requests for money are a red flag, full stop. Our scammer didn’t just impersonate us — they tried to charge for it. The emails went out offering to fix supposed issues with recipients’ websites for a fee. That kind of unsolicited “we found a problem, here’s the invoice” pitch is a classic pressure tactic. Legitimate businesses you already work with don’t cold-email you with a problem you didn’t know you had and a payment link to solve it. If that lands in your inbox, call the company directly before you do anything else.
- When something feels slightly off, that feeling is data. Maybe the timing is strange. Maybe the request is a little out of character. Maybe you can’t put your finger on it. That low-level sense that something isn’t quite right is worth paying attention to, even if you can’t articulate why. Trust it enough to make a quick call.
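The first habit in the list above, comparing the display name with the real sender address, can also be checked automatically on the receiving side. The sketch below is an added example, not code from Cougar Digital; the trusted domains, brand strings and sample headers are constructed placeholders, and the 0.85 similarity threshold is an assumption to tune.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list: domains you really correspond with, mapped to the
# brand words their display names use. Replace with your own contacts.
TRUSTED = {
    "agency.example": ["cougar digital"],
    "bank.example": ["first bank"],
}

def split_from(from_header):
    """Return (display_name, domain) from a raw From: header value."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return name.strip(), ""
    return name.strip(), addr.rpartition("@")[2].lower().rstrip(".")

def lookalike_of(domain, threshold=0.85):
    """Return the trusted domain that this untrusted domain nearly matches."""
    for trusted in TRUSTED:
        if SequenceMatcher(None, domain, trusted).ratio() >= threshold:
            return trusted
    return None

def check_from(from_header):
    """Classify a From: header by comparing display name and real domain."""
    name, domain = split_from(from_header)
    if not domain:
        return "unparseable"
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return "ok"
    if lookalike_of(domain):
        return "lookalike-domain"
    # Display name claims a known brand, but the address is somewhere else.
    if any(b in name.lower() for brands in TRUSTED.values() for b in brands):
        return "display-name-mismatch"
    return "unknown-sender"

# Constructed sample headers.
SAMPLES = [
    '"Travis at Cougar Digital" <travis@agency.example>',
    '"Travis at Cougar Digital" <travis@agencv.example>',
    '"Travis at Cougar Digital" <web.fix4821@freemail.example>',
    "Jane Prospect <jane@vineyard.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_from(header):22} {header}")
```

An "unknown-sender" result is not a verdict either way; it only means the allow-list has nothing to say about that address.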
A data breach and scraping are not the same thing
We want to be clear about this because the word “breach” gets thrown around in ways that aren’t always accurate — and we’ve seen it cause unnecessary panic.
A breach means unauthorized access to private systems or data — passwords, payment information, personal records. That’s serious and requires immediate action.
What happened to us was scraping of public information. Our clients’ business names and web addresses were visible on our website because it’s mutually beneficial for SEO to link to other local businesses. Someone likely used a tool to collect it and misuse it. Frustrating and disruptive — but a meaningfully different category of problem, and one that didn’t put anyone’s private data at risk.
Why this is only going to get more common
AI tools have made this kind of attack cheaper, faster, and easier to scale than ever before. Running a sophisticated impersonation campaign used to require a lot of time and real technical skill. Now it doesn’t. That means the volume of attempts is going up, and businesses of every size are targets.
We’re not saying this to scare you. We’re saying it because awareness is genuinely one of the better defenses available. Most of these attacks succeed not because they’re technically unbeatable but because they catch people in a normal moment of their normal day, when their guard is down because it usually doesn’t need to be up.
Where we’re at with this problem
As of the posting of this blog, we’re still playing whack-a-mole. We’re still frustrated. And we’re still showing up every day trying to do right by the people we work with.
If you ever receive something claiming to be from our team that feels off, call us directly. We’d rather field that call a hundred times than have you give away personal information to one of these bad actors.
A few resources worth bookmarking
We’re not cybersecurity experts — we’re a marketing agency that just got an education we didn’t ask for. If you want to go deeper, these are genuinely useful starting points from sources that aren’t trying to sell you anything:
- FTC Cybersecurity for Small Business (ftc.gov) — Practical, plain-language guidance from the Federal Trade Commission covering phishing, ransomware, and data protection basics. Worth a read even if you think you know the basics.
- CISA Small Business Resources (cisa.gov) — Free tools, printable fact sheets, and no-cost vulnerability scanning from the Cybersecurity and Infrastructure Security Agency. The phishing avoidance and MFA fact sheet alone is worth downloading.
- SBA Cybersecurity Guide (sba.gov) — The Small Business Administration’s overview of common threats and where to start if you’re building a cybersecurity plan from scratch.
Cougar Digital Marketing is a web design and digital marketing agency based in Tri-Cities and Prosser, Washington. We build custom websites, handle SEO, manage digital advertising, and provide photo and video support to help businesses grow. Questions? We're easy to reach.