The Email Scam That Can Lock You Out of Your Squarespace Site

Scammers are increasingly sophisticated, mimicking legitimate emails to gain access to your Squarespace account. Learn how to protect your site and data.

Keep an eye out for scam emails, appearing to come from Squarespace

Why This Matters

If you’ve ever had your morning coffee interrupted by an alarming email from “Squarespace” threatening to close your account, you’re not alone. Over the past year, I’ve seen a sharp rise in scam emails mimicking Squarespace notifications and invoices. Despite looking almost pixel-perfect, these counterfeits actively attempt to steal your login credentials and sensitive business data, and they cause headaches long after the caffeine wears off.

The stakes are real: I've worked with clients whose website content was locked after a scammer hijacked their login. For small businesses and independent designers using Squarespace, a compromised account can mean lost bookings, corrupted site content, and that frantic bout of customer support emails you never wanted to write. That’s far from an ideal morning for anyone.

Tolerating scam emails wastes hours each month, clogs up support channels, and puts both your reputation and your income at risk. To protect your livelihood and peace of mind, here's a breakdown of how to spot, avoid, and report these fakes before they do any harm.

Common Pitfalls

You might think scam emails stand out like a sore thumb, riddled with spelling mistakes and suspicious links. Sadly, those days are gone. Today’s phishing attempts are slick, laden with the same fonts, footers, and button styles you see in genuine Squarespace updates. This sophistication means many designers and business owners fall for tactics like these:

  • Trusting any email with a Squarespace or Pixelhaze logo
  • Clicking urgent links without checking the destination
  • Forwarding suspicious emails to colleagues instead of the right security team
  • Assuming you would recognise Squarespace’s real notification addresses without checking them

I've lost count of the times someone on our team has said, “This email looked exactly like last month’s billing reminder. I only noticed the reply address was a few letters off.” A single slip in attention is all it takes.

If you recognise yourself in any of these habits, you're in good company. But with a little discipline and a few system upgrades, you can build the habit of spotting a scam before any damage is done.

Step-by-Step Fix

Step 1 – Properly Vet the Sender’s Address

Before you do anything else, get into the habit of scrutinising the sender’s email address. Focus on the full address, not the display name or logo. Genuine Squarespace notifications will only ever come from a small set of official addresses, such as:

  • no-reply@squarespace.com or noreply@squarespace.com (site notifications and reminders)
  • no-reply@squarespace.info (form submissions from your site)
  • messaging-bounce@opensrs.org (domain notifications)
  • research@squarespace.com (survey requests)
  • services@squarespace.com (Squarespace 5 billing)

You may also receive authentic Pixelhaze support from anything ending in @pixelhaze.co.uk. Any other addresses, especially those with extra letters, dashes or suspect domains like @secure-square.space, should be treated as suspicious.

Pixelhaze Tip:
If you’re ever unsure, use the “show original” or “view source” option in your email client to reveal the real sender, not just the display text. I do this almost daily. You’ll be surprised what you spot.

Step 2 – Examine the Message Tone and Content

The best scammers know how to mimic language, but they still slip up. Watch for:

  • Vague greetings (“Dear Customer”) instead of your actual name
  • Demands for urgent action (“Verify your account now or lose access”)
  • Requests for sensitive data like passwords, bank details, or identity proof
  • Threats about a “compromised account” or legal action, usually accompanied by strange urgency

Remember, Squarespace and Pixelhaze will never ask for confidential information by email. Not even if the signature line sparkles with authentic titles and logos. If you see such a demand, consider that a major red flag.

Pixelhaze Tip:
Keep a note of genuine past notifications from Squarespace and compare wording. If anything feels off, step away and double-check. Familiarity is your most reliable shield.

Step 3 – Hover Over Links Before You Click

Hover, don’t click. That’s rule one. Scam links sometimes mimic normal buttons, such as “Log in to your account,” but their real address is usually anything but. A scammer might link to:

  • www.sqaurespace-support.com/login
  • www.squareespace.com (a single typo you might miss)
  • Masked URLs that send you to a completely unrelated landing page, sometimes with clever redirects

A legitimate Squarespace email will only ever take you to www.squarespace.com or an official, trustworthy subdomain like email.squarespace.com. If you’re not certain, manually type the official address in your browser instead.

Pixelhaze Tip:
Copy the link (right-click and copy), then paste it into a plain text editor first. You’ll see the truth without the risk. One client of mine caught a fake this way last month, before even opening his browser.

Step 4 – Never Download Mystery Attachments

Most genuine Squarespace notifications, billing emails, or support messages avoid attachments altogether. Receiving a file, especially one ending in .html or .exe, from a sender claiming to offer urgent updates or “recovery tools,” is a clear sign to delete. Opening that file could compromise not just your Squarespace account, but your entire device.

Pixelhaze Tip:
If the email promises “important information in the attached file,” but it didn’t come as a follow-up to a known support request, treat it with the suspicion you’d give to a soggy chip at the bottom of your delivery bag. No amount of curiosity is worth the aftertaste.

Step 5 – Know How (and Where) to Report

If you come across an email that’s even slightly dubious, take these steps:

  1. Forward the entire email to Squarespace’s security team at reportphishing@squarespace.com
  2. Delete the original from your inbox and trash
  3. Resist the urge to forward it to colleagues or me. While I enjoy a good puzzle, I prefer to help you learn best practices rather than spending my days sorting through scam emails.

Squarespace’s reporting team can investigate and, in many cases, block future attempts before they reach a wider audience. This small action can protect others who might be targeted next.

Pixelhaze Tip:
Marking scam messages as “junk” or “phishing” in your email app helps train its filters. If everyone took five seconds to flag the fakes, most would never see the light of an inbox.

Step 6 – Safeguard Your Login Habits

Scammers thrive on shortcuts. Avoid saving your Squarespace login credentials in browsers or on sticky notes. Activate two-factor authentication, change passwords every few months, and monitor your account activity using the official dashboard. Building safe habits pays off, especially when pressure mounts and shortcuts become tempting.

Pixelhaze Tip:
Set a recurring, non-intrusive calendar reminder to update your vital passwords. I use the same rhythm as bin collection day, which is oddly effective and helps me stay consistent.
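
The sender, link and attachment checks from Steps 1, 3 and 4 can be run over a saved message in one pass. The Python below is an added example, not code from Squarespace or Pixelhaze; the names `triage`, `LinkCollector` and `link_is_official` and the sample message are constructed for illustration, and Pixelhaze’s own @pixelhaze.co.uk addresses are left out of the sender list.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Official sender addresses and link domain, as listed in the article.
OFFICIAL_SENDERS = {"no-reply@squarespace.com", "noreply@squarespace.com",
                    "no-reply@squarespace.info", "messaging-bounce@opensrs.org",
                    "research@squarespace.com", "services@squarespace.com"}
LINK_DOMAIN = "squarespace.com"
RISKY_EXTENSIONS = (".html", ".exe")

class LinkCollector(HTMLParser):
    """Collects the real href of every <a> tag, ignoring the button text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        self.hrefs += [v for k, v in attrs if tag == "a" and k == "href" and v]

def link_is_official(url):
    # .hostname drops any "user@" prefix, so userinfo tricks do not pass.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == LINK_DOMAIN or host.endswith("." + LINK_DOMAIN)

def triage(raw_email):
    """Return findings for Steps 1, 3 and 4; an empty list means none."""
    msg, findings = message_from_string(raw_email), []
    for header in ("From", "Reply-To"):
        address = parseaddr(msg.get(header, ""))[1].lower()
        if address and address not in OFFICIAL_SENDERS:
            findings.append(f"{header} not an official address: {address}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
        elif part.get_content_type() == "text/html":
            parser = LinkCollector()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            findings += [f"link leaves {LINK_DOMAIN}: {url}"
                         for url in parser.hrefs if not link_is_official(url)]
    return findings

# Constructed scam email built from the look-alike names quoted in the article.
SAMPLE = EmailMessage()
SAMPLE["From"] = "Squarespace Billing <billing@secure-square.space>"
SAMPLE.set_content('<a href="https://www.squarespace.com/">Home</a> <a href='
                   '"http://www.sqaurespace-support.com/login">Log in</a>', subtype="html")
SAMPLE.add_attachment("<html></html>", subtype="html", filename="recovery-tool.html")
```

Calling `triage(SAMPLE.as_string())` returns one finding each for the sender, the look-alike link and the attachment. An empty result is not proof that a message is genuine, since the From header itself can be forged; any finding is a reason to report and delete.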


What Most People Miss

Most guides on phishing focus on the obvious culprits: spammy grammar, wild threats, logos that look like they were saved and re-uploaded through a potato. What many people overlook is that successful scammers are patient copycats. They study authentic Squarespace emails, mimic style and phrasing, and even time their messages to coincide with real product updates or billing cycles.

Letting your guard down because you’re familiar with Squarespace’s look and feel is the most common mistake. Treat every unexpected email as a potential risk, no matter how convincing. Maintaining a healthy level of scepticism (without venturing into conspiracy territory) helps keep you safe.

Another common issue is not knowing exactly who else in your business received the same scam. I’ve seen entire teams click on the same fake invoice, each thinking they were the only target. Taking thirty seconds for a group check—in Slack, Teams, or even just by asking in the office—can prevent further damage.

The Bigger Picture

Adopting a security-first mindset lays the groundwork for a culture of confidence and due diligence across your business or freelance practice. When you consistently double-check every sender, ignore spurious download requests, and report the fakes, you set a strong example.

Here's what this means in plain language:

  • Your site content and customer credentials remain safe, so you avoid awkward “we’ve been compromised” emails.
  • You save hours not having to clean up after a breach or explain yourself in support chats.
  • Your clients or colleagues learn from your approach, lowering the risk across your entire network.
  • People come to you for help because you consistently get it right, not because you’re fearful.

There’s genuine satisfaction in forwarding a textbook scam email to the right people and preventing that particular fraudster from succeeding. Every little win counts, and with time, these add up.

Wrap-Up

Online scams are getting slicker. With a clear process for checking sender addresses, scrutinising content, double-checking links, avoiding attachments, and reporting promptly, you make scam detection second nature.

Be purposeful in your routines. Treat your inbox habits as part of the “business hygiene” needed to keep everything running smoothly.

If you’re supporting other designers, managing a small business, or simply want fewer emergencies in your day, add this system to your toolkit and share it with your team.

Want practical systems like this? Join Pixelhaze Academy for free at https://www.pixelhaze.academy/membership.


FAQs

How can I verify if an email is genuinely from Squarespace?
Double-check the sender’s email domain. If it isn’t one of Squarespace’s approved addresses ending in @squarespace.com, @squarespace.info, or @pixelhaze.co.uk, treat it as suspicious.

What should I do if I receive a suspicious email?
Forward the message (unaltered) to Squarespace’s security team at reportphishing@squarespace.com, then delete it from your inbox.

What are some classic signs of a phishing attempt?
Watch for requests for personal information, urgent warnings about your account, misspellings or awkward URLs, and links that lead anywhere other than the official Squarespace site.

Is it safe to forward the scammy email to my web designer or colleagues?
No. Always forward phishing emails straight to the dedicated security address. Distributing them internally increases the risk that someone clicks out of curiosity or panic.

Can attachments in scam emails be dangerous even if I don’t open them?
Attachments cannot harm you until opened, but it is best not to leave anything to chance. Never open or forward them. Just delete after reporting.


Jargon Buster

Phishing: Fraudulent activity that tries to trick you into sharing private information, usually via email.

Spoof message: An email or notification created to look like it’s from a genuine sender, but it is a fake.

URL: Uniform Resource Locator. This refers to a website address.

HTML attachments: Files included in emails (usually ending in .html) that can contain malicious code.


Author: Elwyn Davies, Pixelhaze Academy founder, small business survivor, and veteran of more digital dramas than I care to count. Still teaching, still learning, and still deleting scam emails faster than the scammers can send them.
