
I want to share a real experience that happened to me recently - a sophisticated phishing attempt that specifically targeted me as a web developer and agency owner. I'm writing this because I suspect I'm far from the only one who's received these emails, and I nearly didn't spot it in time.

How It Started

It began with what looked like a completely normal contact form enquiry. Someone got in touch asking about improving their website. Polite, brief, nothing unusual - the kind of message any agency gets on a regular basis.

I replied asking the standard questions: what are you looking to build, do you have a budget, what platform are you on? They replied saying they were busy and preferred to communicate by email, and attached a "technical specification" document - shared as a Google Drive link rather than a direct attachment.

The Technical Specification: A Convincing Red Herring

The PDF was a detailed, multi-page WordPress performance optimisation specification. It covered caching configuration, CDN integration, image optimisation, browser caching headers, Redis object caching, Google PageSpeed targets - the works. It looked professional and technical enough to appear legitimate.

I had my suspicions and didn't click any links within it, but I did open the PDF in Google Drive. This turned out to be safe - it was a real Google Drive link and Google never asked me to log in, so no credentials were at risk. But that's not always how it works, and the PDF was clearly designed purely to establish credibility and keep me engaged.

Red flags I noticed in hindsight:

  • No company name, logo, or branding anywhere on the document

  • No actual budget figure despite having a dedicated "Budget and Deadlines" section

  • The spec could apply to any generic WordPress site - there was no specific URL, client name, or context

  • The email was sent from a free Gmail account rather than a domain email

The Email Headers Told a Story

When I checked the email headers, everything technically passed - SPF, DKIM, and DMARC all verified. This was a real Gmail account, not a spoofed address. But the headers also revealed the sender was in a UTC+2 timezone (Eastern Europe), which didn't match the profile of the business they were claiming to represent.

The Credential Harvest: The Real Sting

After a few exchanges - me providing feedback on the technical spec, asking for a site URL to review - the scammer sent the following message:

"Before we move forward, it would be helpful if you could take a quick look at the current setup from the admin side. You can access the environment here: https://wpengine.stage1-[clientdomain]/dev-admin/ - Please sign in using the Google authentication option. Once you've logged in, just send me the email address you used for authentication and your username, and I'll grant the appropriate access right away."

This is the attack. Let me break down exactly why this is so dangerous:

The Fake URL Trick

The link looks like a WP Engine staging URL at first glance - something along the lines of wpengine.stage1-[clientdomain].com/dev-admin/. But look more carefully. The actual registered domain is stage1-[clientdomain].com - which the scammer controls. The wpengine. part is just a subdomain label, which anyone who owns stage1-[clientdomain].com can create, added purely to make it look like a legitimate WP Engine environment.
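A small check that makes the trick visible, added here as an example and not code from the original post. The hostname stage1-example.com and the brand list are constructed, and the registrable-domain logic is a two-label simplification rather than a full Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Brand names a scammer might borrow as a subdomain label (constructed list;
# extend it with the hosting and identity providers your agency actually uses).
WATCHED_BRANDS = {"wpengine", "google", "kinsta", "cloudways"}


def registrable_domain(hostname: str) -> str:
    """Return the part of the hostname the registrant actually controls.

    Simplification: treats the last two labels as the registrable domain.
    Production code should consult the Public Suffix List (for example via
    the tldextract package) so that hosts such as example.co.uk are handled.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def check_url(url: str) -> dict:
    """Flag a URL whose subdomain borrows a brand the registrable domain lacks."""
    if "://" not in url:  # accept a bare host as pasted out of an email
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    reg_labels = set(reg.split("."))
    sub_labels = host.split(".")[:-2]  # everything left of the registrable domain
    # A watched brand that appears only as a subdomain label is the pattern
    # described above: the brand is decoration, the registrant is someone else.
    borrowed = sorted(b for b in WATCHED_BRANDS if b in sub_labels and b not in reg_labels)
    return {
        "hostname": host,
        "registrable_domain": reg,
        "borrowed_brands": borrowed,
        "suspicious": bool(borrowed),
    }


if __name__ == "__main__":
    for u in ("https://wpengine.stage1-example.com/dev-admin/",
              "https://stage1-example.wpengine.com/wp-admin/"):
        print(check_url(u))
```

The first URL is flagged (registrable domain stage1-example.com, brand wpengine borrowed), the second is not (registrable domain wpengine.com).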

The Credential Request

They don't just want you to click and get phished passively - they explicitly ask you to log in via Google authentication and then email them your login details. This is brazen, but clever: if the fake login page captured your credentials silently, you might notice and change your password. By asking you to send them the email address you used, they're gathering confirmed, working credentials that they can immediately use to access your Google account - your Gmail, Google Drive, Google Workspace, everything.

Why Web Agencies Are Targeted

Think about what a web developer or agency owner does when a prospective client asks them to review a staging environment:

  • You click a link and log in - that's completely normal behaviour

  • You're used to being granted access to client systems

  • You're familiar with WP Engine, staging URLs, and Google authentication

  • You're busy and moving quickly between tasks

The scam is specifically engineered to exploit the normal workflow of a web professional. It's not a blunt "click here to win a prize" phishing attempt - it's a patient, multi-step social engineering campaign that builds credibility over several email exchanges before delivering the payload.

How to Spot This Scam

Here's what to look for:

At the initial enquiry stage:

  • Vague first contact with no specific brief ("I'd like to enquire about improving my website")

  • A rapid switch to "email only" communication - avoiding a phone call or video call

  • A technical specification document sent as a link rather than a direct attachment

  • Generic specs with no client-specific details, no company branding, no budget

  • A free Gmail address for what purports to be a business owner

  • Email headers showing a different timezone or country from where the business claims to be based

As the conversation progresses:

  • No actual website URL offered until they control where you're looking

  • An invitation to access a "staging" or "admin" environment

  • A URL that looks legitimate at a glance but uses a familiar brand name as a subdomain

  • Any request to send login credentials, usernames, or authentication details by email

What To Do If You Receive One of These

  1. Do not click any links to "staging environments" or "admin areas" from unverified clients

  2. Check the actual domain - not just the subdomain - of any URL before entering credentials

  3. Never send authentication details by email, under any circumstances

  4. Check email headers - free tools like MXToolbox can help you analyse them

  5. Search the sender's name and email - these scam operations often target multiple agencies simultaneously and there may already be reports online

  6. Report it - mark it as phishing in your email client and report it to Action Fraud (https://www.reportfraud.police.uk/) if you're in the UK
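The header checks from "The Email Headers Told a Story" and step 4 above, written out as an added example that is not code from the original post. The header block is constructed (the relay hostnames, address and timestamps are made up), and the free-mail provider list is an assumption you should extend.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed header block standing in for the real message; only the
# fields the checks below read are included.
SAMPLE_HEADERS = """\
Received: from mail-relay.example.net by mx.example-agency.co.uk
        with ESMTPS; Mon, 3 Mar 2025 10:15:42 +0000
Authentication-Results: mx.example-agency.co.uk;
        spf=pass smtp.mailfrom=gmail.com;
        dkim=pass header.d=gmail.com;
        dmarc=pass header.from=gmail.com
From: Prospective Client <prospective.client.example@gmail.com>
Date: Mon, 3 Mar 2025 12:15:30 +0200
Subject: Website improvements
"""

# Assumed list of free webmail domains; add the ones you see in practice.
FREE_MAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com",
                     "hotmail.com", "yahoo.com"}


def analyse_headers(raw: str) -> dict:
    """Summarise SPF/DKIM/DMARC results, the sender's clock offset and mailbox type."""
    msg = email.message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    # Pull spf=/dkim=/dmarc= verdicts out of the receiving server's header.
    results = {m.group(1).lower(): m.group(2).lower()
               for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    # The Date header carries the offset of the clock that composed the mail.
    sent = parsedate_to_datetime(msg["Date"])
    offset_hours = sent.utcoffset().total_seconds() / 3600
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return {
        "auth": results,
        "all_auth_pass": all(results.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "sender_utc_offset_hours": offset_hours,
        "free_mail_provider": domain in FREE_MAIL_DOMAINS,
    }


if __name__ == "__main__":
    report = analyse_headers(SAMPLE_HEADERS)
    print(report)
    if report["all_auth_pass"] and report["free_mail_provider"]:
        # Passing authentication only proves the webmail account is real,
        # not that the sender is the business they claim to represent.
        print("auth passes because it is a genuine free-mail account")
```

For the constructed message the report shows all three checks passing, a sender clock at UTC+2 and a free-mail address, which is exactly the combination described above: technically clean, but worth comparing with where the business claims to be.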

If You've Already Fallen for This Scam

First: don't panic, but do act quickly. Here's what you need to know.

Changing your Google password is not enough. This is the instinctive first move, and whilst you should absolutely do it, it won't fully protect you - and here's why.

When you logged in via the fake "Google authentication" prompt, you didn't just hand over your password. You authorised a third-party application to access your Google account via OAuth - the authorisation protocol behind "Sign in with Google". That means the scammer's app may have been granted a persistent access token for your Gmail, Drive, Contacts, or other Google services, and that token continues to work even after you change your password.

Step 1: Revoke Third-Party App Access

This is the critical step most people miss. Go to:

https://myaccount.google.com/connections

This page lists every third-party application that has been granted access to your Google account. Look for anything you don't recognise - particularly anything recently added. Click on it and remove access immediately. This severs the OAuth connection and prevents the scammer's application from making any further API calls against your account, regardless of what credentials they hold.

Step 2: Change Your Google Password

Do this after revoking app access, not instead of it. Use a strong, unique password you haven't used elsewhere.

Step 3: Enable Two-Factor Authentication

If you don't already have it enabled, now is the time. Go to https://myaccount.google.com/security and set up 2FA using an authenticator app (Google Authenticator, Authy, etc.) rather than SMS if possible.

Step 4: Review Your Gmail for Suspicious Activity

Check your Sent folder for emails you didn't send, and look at your filter and forwarding rules (Settings > See all settings > Filters and Forwarded Addresses). Attackers with account access sometimes set up silent forwarding rules to continue receiving your emails even after access is revoked.

Step 5: Notify Your Clients

If your Gmail or Google Workspace account contains client data, communications, or project files, consider letting affected clients know. As a web agency, you're likely subject to obligations around data breaches - if personal data may have been exposed, you may need to report it to the ICO within 72 hours.

The Broader Pattern

This particular scam is part of a known and growing pattern sometimes referred to as Business Email Compromise (BEC) targeting freelancers and agencies. The goal isn't always immediate financial theft - sometimes it's account takeover, which can then be used to launch further attacks on your clients, your contacts, or your business.

I got lucky - my instincts kicked in before I clicked anything harmful. But the scam is well-constructed enough that on a busy day, it could easily slip through.

Share this post with any developers, designers, or agency owners you know. The more people are aware of this pattern, the harder it becomes for the scammers to operate.