I want to share a real experience that happened to me recently - a sophisticated phishing attempt that specifically targeted me as a web developer and agency owner. I'm writing this because I suspect I'm far from the only one who's received these emails, and I nearly didn't spot it in time.
How It Started
It began with what looked like a completely normal contact form enquiry. Someone got in touch asking about improving their website. Polite, brief, nothing unusual - the kind of message any agency gets on a regular basis.
I replied asking the standard questions: what are you looking to build, do you have a budget, what platform are you on? They replied saying they were busy and preferred to communicate by email, and attached a "technical specification" document - shared as a Google Drive link rather than a direct attachment.
The Technical Specification: A Convincing Red Herring
The PDF was a detailed, multi-page WordPress performance optimisation specification. It covered caching configuration, CDN integration, image optimisation, browser caching headers, Redis object caching, Google PageSpeed targets - the works. It looked professional and technical enough to appear legitimate.
I had my suspicions and didn't click any links within it, but I did open the PDF in Google Drive's preview. That turned out to be safe in this case: it was a genuine Google Drive link and Google never prompted me to log in, so no credentials were at risk. It isn't always that way - a fake "Google Drive" page that asks you to sign in before you can view a document is itself a common credential phish, and a PDF can carry links of its own. Here the document was clearly designed purely to establish credibility and keep me engaged.
Red flags I noticed in hindsight:
No company name, logo, or branding anywhere on the document
No actual budget figure despite having a dedicated "Budget and Deadlines" section
The spec could apply to any generic WordPress site - there was no specific URL, client name, or context
The email was sent from a free Gmail account rather than a domain email
The Email Headers Told a Story
When I checked the email headers, everything technically passed - SPF, DKIM, and DMARC all verified. That confirms the message really was sent through Google's servers from a gmail.com account, not a spoofed address; it says nothing about who is behind the account. The headers also showed a Date header with a UTC+2 offset (Eastern Europe, among other regions), which didn't match the profile of the business they were claiming to represent.
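What those header checks do and don't tell you is easier to see when they are run mechanically. The Python below is an added example and not part of the original post: it takes a block of raw headers, reads the SPF/DKIM/DMARC outcomes from the Authentication-Results line, pulls the sender's UTC offset from the Date header, and compares that offset with the one you'd expect for where the business claims to be based. The header block is constructed for the example (the addresses, IP and DKIM selector are placeholders, though the layout matches what Gmail-originated mail carries), the free-webmail list is illustrative, and the expected offset of UTC+0 is an assumption for a business claiming a UK base in early March.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from typing import Optional

# Constructed header block for the example. Addresses, IP and selector are
# placeholders; the shape is that of mail sent through Gmail.
SAMPLE_HEADERS = """\
Authentication-Results: mx.agency.example;
 dkim=pass header.i=@gmail.com header.s=20230601;
 spf=pass (sender IP is 192.0.2.41) smtp.mailfrom=prospect.placeholder@gmail.com;
 dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
From: "Prospective Client" <prospect.placeholder@gmail.com>
To: hello@agency.example
Date: Tue, 4 Mar 2025 11:42:17 +0200
Subject: Website improvement enquiry

(body omitted)
"""

# Illustrative list of free webmail domains (assumption for the example).
FREE_WEBMAIL = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                "yahoo.com", "proton.me"}


def auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc outcomes and the DMARC-aligned From domain."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            found[method.lower()] = outcome.lower()
        m = re.search(r"header\.from=([\w.-]+)", value, re.I)
        if m:
            found["dmarc_from_domain"] = m.group(1).lower()
    return found


def sender_utc_offset_hours(msg) -> Optional[float]:
    """UTC offset from the Date header, or None if missing or unknown (-0000)."""
    raw = msg.get("Date")
    if not raw:
        return None
    offset = parsedate_to_datetime(raw).utcoffset()
    return None if offset is None else offset.total_seconds() / 3600


def assess(raw_headers: str, claimed_offset_hours: float) -> dict:
    """Summarise what the headers prove and where they contradict the story."""
    msg = message_from_string(raw_headers)
    auth = auth_results(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    offset = sender_utc_offset_hours(msg)
    all_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    notes = []
    if all_pass:
        # Passing checks prove the mail really left the provider's servers for
        # this From domain. They say nothing about who controls the mailbox.
        notes.append(f"authenticated as sent via {auth.get('dmarc_from_domain', from_domain)}; "
                     "a real account, not a spoofed address")
    else:
        notes.append("one or more authentication checks failed or are missing")
    if from_domain in FREE_WEBMAIL:
        notes.append("free webmail address for someone claiming to represent a business")
    # The Date header is written by the sender's mail client from its own clock
    # settings, so a mismatch is a prompt to ask questions, not proof of anything.
    mismatch = offset is not None and abs(offset - claimed_offset_hours) >= 1
    if mismatch:
        notes.append(f"Date header offset UTC{offset:+.0f} vs expected UTC{claimed_offset_hours:+.0f}")
    return {
        "auth": auth,
        "from_domain": from_domain,
        "free_webmail": from_domain in FREE_WEBMAIL,
        "sender_utc_offset_hours": offset,
        "timezone_mismatch": mismatch,
        "notes": notes,
    }


if __name__ == "__main__":
    # Assumption: the business claims to be UK-based (UTC+0 in early March).
    for note in assess(SAMPLE_HEADERS, claimed_offset_hours=0)["notes"]:
        print("-", note)
```

Paste the raw headers from your mail client's "show original" or "view source" option into SAMPLE_HEADERS to run it on a real message. The point of the output is the first note: three passes mean Google vouches that this mailbox sent the message, nothing more.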
The Credential Harvest: The Real Sting
After a few exchanges - me providing feedback on the technical spec, asking for a site URL to review - the scammer sent the following message:
"Before we move forward, it would be helpful if you could take a quick look at the current setup from the admin side. You can access the environment here: https://wpengine.stage1-[clientdomain]/dev-admin/ - Please sign in using the Google authentication option. Once you've logged in, just send me the email address you used for authentication and your username, and I'll grant the appropriate access right away."
This is the attack. Let me break down exactly why this is so dangerous:
The Fake URL Trick
The link looks like a WP Engine staging URL at first glance - something along the lines of wpengine.stage1-[clientdomain].com/dev-admin/. But look more carefully. A browser doesn't care where a brand name appears in a hostname; what matters is the registrable domain, the part somebody actually paid for. Here that is stage1-[clientdomain].com - which the scammer controls. The wpengine. part is just a subdomain label, added purely to make it look like a legitimate WP Engine environment. A genuine WP Engine environment lives under a domain WP Engine owns (such as wpengine.com), so the brand sits at the end of the hostname, not the start.
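One way to apply that check mechanically, as an added example that is not part of the original post: the Python below takes a URL, extracts the hostname, works out the registrable domain, and flags any URL in which a hosting brand appears somewhere in the hostname while the registrable domain is not one that brand owns. The brand-to-domain mapping and the short list of two-label public suffixes are assumptions for the example (a real tool should use the Public Suffix List, for instance via the tldextract package), and the URLs fed to it are constructed, with [clientdomain] stood in by example.com.

```python
from urllib.parse import urlsplit

# Hosting brands an agency expects to see in a staging URL, mapped to the
# registrable domains the brand actually owns. Assumption for this example:
# the mapping is illustrative, not a complete inventory of WP Engine's domains.
BRAND_DOMAINS = {
    "wpengine": {"wpengine.com", "wpenginepowered.com"},
}

# Simplification: a handful of two-label public suffixes. A real check should
# use the full Public Suffix List (e.g. the tldextract package) instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au", "co.nz", "co.za"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that its owner actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_url(url: str) -> dict:
    """Classify a URL as 'ok', 'suspicious' or 'unknown' by where the brand sits."""
    # urlsplit().hostname drops scheme, port, path and any user@ prefix, so
    # https://wpengine.com@evil.example/ resolves to the host evil.example.
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    # The brand whose own domain this is, if any.
    owner = next((b for b, doms in BRAND_DOMAINS.items() if reg in doms), None)
    # Brand names mentioned anywhere in the hostname; hyphens are stripped so
    # wp-engine-staging.example still counts as mentioning "wpengine".
    flat = host.replace("-", "")
    mentioned = [b for b in BRAND_DOMAINS if b in flat]
    if owner is not None:
        verdict = "ok"
    elif mentioned:
        verdict = "suspicious"  # brand used as decoration on someone else's domain
    else:
        verdict = "unknown"     # no brand claim at all; confirm the host with the client
    return {
        "host": host,
        "registrable_domain": reg,
        "owner": owner,
        "brands_mentioned": mentioned,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed URLs for the example; [clientdomain] is stood in by example.com.
    for url in (
        "https://wpengine.stage1-example.com/dev-admin/",  # the scammer's pattern
        "https://mysite.wpengine.com/wp-admin/",          # brand at the end: WP Engine's domain
        "https://wpengine.com.stage1-example.co.uk/",     # whole brand domain used as a subdomain
        "https://wpengine.com@stage1-example.com/",       # userinfo trick
    ):
        r = check_url(url)
        print(f"{r['verdict']:<10} {url}  (registrable domain: {r['registrable_domain']})")
```

The "unknown" verdict is deliberate: a staging URL with no brand in it is not safe by default, it just makes no claim that can be checked this way, and the right move is still to confirm the host with the client through a channel you already trust.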
The Credential Request
They don't just want you to click and get phished passively - they explicitly ask you to log in via Google authentication and then email them the address you used. This is brazen, but it serves the attacker well. A fake "Sign in with Google" page can only capture whatever is typed into it; if you entered an unfamiliar or secondary address, the attacker doesn't know which mailbox is worth trying. Having you confirm the address by email ties the harvested password to a specific, live account, and the promise to "grant access right away" gives you a reason to comply and to expect nothing visible to happen while the account is being used. The prize is your Google account - your Gmail, Google Drive, Google Workspace, everything. One caveat worth knowing: a fake login page can also prompt for and relay a one-time code, so SMS or app codes are not a complete defence against this; a phishing-resistant second factor such as a security key or passkey is, because it will not sign in to the wrong domain.
Why Web Agencies Are Targeted
Think about what a web developer or agency owner does when a prospective client asks them to review a staging environment:
You click a link and log in - that's completely normal behaviour
You're used to being granted access to client systems
You're familiar with WP Engine, staging URLs, and Google authentication
You're busy and moving quickly between tasks
The scam is specifically engineered to exploit the normal workflow of a web professional. It's not a blunt "click here to win a prize" phishing attempt - it's a patient, multi-step social engineering campaign that builds credibility over several email exchanges before delivering the payload.
How to Spot This Scam
Here's what to look for:
At the initial enquiry stage:
Vague first contact with no specific brief ("I'd like to enquire about improving my website")
A rapid switch to "email only" communication - avoiding a phone call or video call
A technical specification document sent as a link rather than a direct attachment
Generic specs with no client-specific details, no company branding, no budget
A free Gmail address for what purports to be a business owner
Email headers showing a different timezone or country from where the business claims to be based
As the conversation progresses:
No actual website URL offered until they control where you're looking
An invitation to access a "staging" or "admin" environment
A URL that looks legitimate at a glance but uses a familiar brand name as a subdomain
Any request to send login credentials, usernames, or authentication details by email
What To Do If You Receive One of These
Do not click any links to "staging environments" or "admin areas" from unverified clients
Check the actual domain - not just the subdomain - of any URL before entering credentials
Never send authentication details by email, under any circumstances
Check email headers - in Gmail, "Show original" displays the raw headers with the SPF, DKIM and DMARC results at the top, and free tools like MXToolbox can help you analyse them
Search the sender's name and email - these scam operations often target multiple agencies simultaneously and there may already be reports online
Report it - mark it as phishing in your email client and report it to Action Fraud (actionfraud.police.uk) if you're in the UK
The Broader Pattern
This particular scam fits a known and growing pattern: credential phishing aimed at freelancers and agencies as the first step towards account takeover and Business Email Compromise (BEC). The goal isn't always immediate financial theft - a taken-over account can be used to launch further attacks on your clients, your contacts, or your business, with your name on the emails.
I got lucky - my instincts kicked in before I clicked anything harmful. But the scam is well-constructed enough that on a busy day, it could easily slip through.
Share this post with any developers, designers, or agency owners you know. The more people are aware of this pattern, the harder it becomes for the scammers to operate.