The Scams Targeting Your Business Right Now (And How to Spot Them)

Scams targeting business owners have gotten a lot more sophisticated.

They used to be easy to spot because they looked wrong. Bad grammar, weird sender addresses, obvious pressure tactics. That is still out there, but it is not the version you need to worry about anymore.

The ones circulating right now look right. They come from real platforms, real domains, and real-looking emails.

The goal is the same as it has always been: get you to act before you think. Here are the four we are seeing hit businesses hardest, and what to do about each one.

1. The Meta Business Suite Partner Request Scam

This one is particularly nasty because it does not look like a scam at all. You get a notification that someone has requested access to your Meta Business Suite. The email comes from @business.facebook.com, which is a real Meta domain. The formatting looks exactly like every other Meta notification you have ever received. There is a button that says View Request.

If you approve it without looking closely at who is actually making the request, you have just handed a stranger the keys to everything connected to your Meta account. Your Facebook business page, your Instagram, your ad accounts, your pixel data, your payment methods. All of it. The scammers have been creating fake Business Manager accounts with names that sound like legitimate agencies or Meta partners, sending genuine partner requests through Meta's own system, and waiting for someone to click without reading.

What typically happens next is one of two things. They drain your ad budget running their own campaigns on your dime, or they lock you out entirely and hold your account hostage.

WHAT TO DO:

  • Never approve a partner request you did not specifically request. If a real agency or vendor needs access, you should be expecting it and know exactly who they are.

  • Go to Meta Business Suite, then Settings, then Partners. Review who has access right now. If you see anyone you do not recognize, remove them immediately.

  • Turn on two-factor authentication for every admin account connected to your Business Manager. Not just yours.

  • If you receive one of these requests and are not sure, do not approve it. Forward it to us before you do anything.


2. The Fake Google / SEO Agency Cold Email

Your inbox probably already has a few of these. An email arrives telling you that your website has serious SEO problems, your Google ranking is at risk, or your Google Business Profile is about to be removed. Sometimes it comes as a cold call instead, with someone claiming to be from Google or an authorized Google partner.

For the record: Google does not cold call businesses about their listings. If there is a genuine issue with your Google Business Profile, it shows up as an alert inside your account dashboard or as an email sent to the address tied to that account. That is it. Any call or email that creates urgency around your listing or your rankings from someone you did not reach out to first is not Google, regardless of what they say.

The cold email version often looks surprisingly thorough. There will be references to your site, screenshots of tools that look professional, and a list of problems that need urgent attention. Most of the time the sender has never actually looked at your website. It is a copy-paste email sent to thousands of businesses with your domain name dropped in. The problems listed may not even apply to your site.

WHAT TO DO:

  • If you receive a cold call or email about your Google listing or SEO, do not engage. Check your actual Google Business Profile dashboard yourself by going directly to business.google.com.

  • Any legitimate SEO agency will have a real website, verifiable reviews, and named people you can look up. No website and no verifiable presence is a red flag.

  • If you are genuinely unsure whether your SEO or listing has a problem, ask someone you already trust, like us, rather than responding to the person raising the alarm.


3. The Domain Renewal and Copyright Threat Scam

Two different scams, same mechanic. Both create a sense of urgency around something important to your business, and both bet on you acting before you verify.

The domain renewal version sends you an official-looking notice that your domain is about to expire and needs to be renewed immediately through their service. The catch is that the email does not come from whoever actually holds your domain. It comes from a random third party hoping you do not notice. If you take the next step and log in, you have given the scammers your domain login details, your money, or both.

The copyright version tells you that an image on your website is being used without authorization and threatens legal action unless you click a link or download something immediately. That link or file is the point. The copyright claim is just the pressure.

Both of these are easy to shut down the moment you know the basics about your own business. If your domain is registered with GoDaddy and you receive an urgent renewal notice from 123easydomain.com, you already know it is fake. Delete it, mark it as spam, and move on. The same logic applies to your hosting, your email provider, and any other tools your business runs on. Know who they are, so you immediately recognize when someone else is pretending to be them.

WHAT TO DO:

  • Write down the basics: who your domain is registered with, who hosts your website, and who provides your email. Any urgent notice about these services that does not come from those specific providers is a scam.

  • Never click a link in an urgent email. Go directly to the provider's website yourself and log in there to check your account status.

  • Never download an attachment from a copyright claim email. No legitimate copyright holder requires you to download anything to resolve a dispute.

4. The AI Voice Cloning Scam

This one is new enough that most business owners have not heard of it yet, which is exactly why it is worth knowing about now.

AI tools can now clone someone's voice from as little as three seconds of audio. Video content, podcast appearances, social media clips, anything publicly available is enough. Scammers use this to call employees or business owners pretending to be someone they trust: a boss, a lawyer, an accountant, a business partner. The voice sounds real because it essentially is.

The script is usually some version of: there is an urgent situation, a wire transfer needs to happen right now, details will follow by email, do not mention this to anyone else yet. The urgency is manufactured. The instruction to keep it quiet is deliberate. By the time anyone verifies, the money is gone. The average loss per voice cloning scam is $15,000.

The tell is not the voice anymore. The tell is the request itself. Any unexpected, urgent request involving money or access, arriving by phone from someone you know, should be verified by hanging up and calling that person back directly on a number you already have for them. Not a number they just gave you.

WHAT TO DO:

  • Establish a verification habit with anyone who handles finances or account access in your business. Any urgent phone request involving money gets confirmed through a second channel before action is taken.

  • Be aware of how much voice content you and your team have publicly available. It is not a reason to stop creating content, but it is worth knowing this is where the raw material comes from.

  • If something feels off about a call, trust that instinct. Hang up and call back. A real person with a real urgent need will understand a two-minute verification delay.


The Basics That Protect You Across All of Them

These four scams look different on the surface but they all rely on the same thing: catching you before you slow down to think. The defences are largely the same across the board.

Hover before you click.

On a desktop, hovering your mouse over any link shows you where it actually goes before you click it. If the destination looks unfamiliar or wrong, do not click it. Go to the site directly yourself instead.

Know your own tools.

Know who your domain is registered with, who hosts your website, and who provides your email. Any urgent communication about these services from a provider you do not recognize is automatically suspect. This one piece of knowledge eliminates a huge category of scams instantly.
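
The two checks above (where a link really goes, and whether the sender is one of your own providers), written out as an added example that is not part of the original article. The provider list, the function names, and the sample notice are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the provider inventory the article tells you to write down.
KNOWN_PROVIDERS = {"godaddy.com"}  # registrar; add your host and email provider

class LinkCollector(HTMLParser):
    """Collects each link's real destination (what hovering would show)."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def belongs_to(host, providers):
    """True if host is a listed provider domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in providers)

def review_notice(raw_email, providers=KNOWN_PROVIDERS):
    """Return the reasons a notice does not match the provider inventory."""
    msg = message_from_string(raw_email)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not belongs_to(sender_host, providers):
        findings.append(f"sender is not a known provider: {sender_host}")
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            collector.feed(html)
    for href in collector.hrefs:
        host = urlparse(href).hostname
        if not belongs_to(host, providers):
            findings.append(f"link goes to an unknown host: {host}")
    return findings

# Constructed sample notice, using the fake sender named in the article.
SAMPLE = """From: Domain Services <renewals@123easydomain.com>
Subject: URGENT: your domain expires today
Content-Type: text/html

<p><a href="https://123easydomain.com/renew">Renew now</a></p>
"""

if __name__ == "__main__":
    for finding in review_notice(SAMPLE):
        print("SUSPECT:", finding)
```

A clean result is not proof that a message is legitimate: the From header can be forged, and the Meta partner request in section 1 arrives from a real Meta domain.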

Use a password manager.

If you are using the same password across multiple accounts, one breach anywhere puts everything at risk. It does not even have to be your fault. A company you have an account with gets hacked, that password is now in the wild, and if it matches what you use elsewhere, those accounts are exposed too. A password manager generates strong, unique passwords for every account, stores them securely, and alerts you when a password has been compromised. We use and recommend NordPass.

Two-factor authentication on everything.

Passwords alone are not enough anymore. Turn on two-factor authentication for every account that matters to your business. An authentication app is more secure than SMS. If you are not using one yet, start there.

When in doubt, forward it to us.

Seriously. If something lands in your inbox and you are not sure whether it is legitimate, forward it before you do anything else. It takes 30 seconds and it has saved more than one client from a very bad day. We are happy to take a look.


The Bottom Line

The scams that work today are not the ones that look fake. They are the ones that look exactly like the real thing.

The only reliable defence is the habit of slowing down for anything unexpected, anything urgent, and anything that asks you to give access or move money before you have had a chance to verify.

One moment of hesitation is the difference. Build that pause into how your business operates and most of these fall apart before they go anywhere.

Ian Atkinson

Ian is a digital systems architect, strategist, and creative technologist with over 20 years of experience building high-performance web platforms for real-world businesses. His work bridges the gap between creative design, technical engineering, and business strategy.
