A friend of mine got a call last year from a “web design company” offering her a site for $199. Full custom build, they said, ready in a week. She almost said yes. Then she asked for their portfolio, and the links they sent didn’t work — the sites had been taken down, or never existed at all.
She got lucky. A lot of people don’t ask that second question.
A Scheme That’s Been Running for Decades
This isn’t a rare, isolated con. In 2018, the FTC won a $4.6 million judgment against a group of nine linked companies operating across the US and Canada, all running the same basic play: tricking small businesses into paying for website design, hosting, and SEO services they’d never actually ordered. It was part of a larger federal sweep called Operation Main Street, aimed squarely at scams that target small business owners specifically — the people least likely to have a lawyer on retainer or the time to fight back.
AARP dug into a related version of this scheme: cheap “starter” web design kits, sold for as little as $50. The pitch sounds harmless. The catch is what happens after.
Take the case of a man AARP calls Simmons. He bought one of these starter kits, expecting a basic site and not much else. Before the site had even gone live, his phone started ringing — web developer after web developer, each one opening with some version of the same line: “How’s your business coming along?” He couldn’t figure out how they’d all found him so fast, or why they all seemed to know he had a website in progress. The answer turned out to be simple and a little grim: the original kit seller had sold his contact information to other operators, who then paid as much as $200 apiece for the lead. “If you pay $50 for a kit, that is the teaser rate,” an FTC official later explained. “After that, you will be bombarded with telemarketing calls and online solicitations.” Simmons ended up with nothing usable for his money and a phone that wouldn’t stop ringing. His own conclusion, later, was blunt: he’d been scammed, and his advice to anyone else was simply not to do it.
His story wasn’t unique. Investigators reviewing roughly three dozen similar complaints found the average victim lost close to $17,000. One woman, ironically a former Medicaid fraud investigator, was out $35,000. The largest single loss on record was $67,000, from a disabled veteran.
I’ll say the obvious part out loud: these numbers skew toward older business owners, people less immersed in digital red flags because they didn’t grow up parsing them. That’s not a coincidence. It’s the target market.
The Psychology Behind the Cheap Hook
None of this works through brute force. It works through a very specific, very deliberate sequence.
Step one is the price. $50, $199, sometimes “free for 30 days.” Cheap enough that saying yes feels low-risk, almost not worth thinking hard about. Step two is urgency — a limited-time discount, a “we only take three new clients this month” line, something that discourages you from taking the proposal and comparing it against three others. Step three is the follow-up avalanche: once you’ve handed over contact details, the offers for “essential” add-ons never really stop. SEO, maintenance, a “premium” upgrade you apparently need to actually rank on Google.
Each step alone looks reasonable. Stacked together, they’re a funnel built to bypass the exact questions a careful buyer would normally ask.
The Tells That Are Usually Right There in Plain Sight
Here’s the good news: this particular scam is not subtle once you know where to look.
Fake credibility badges are the biggest giveaway. A real “Top Ranked Agency” seal links directly to the organization that issued it — you can click through and verify. A fake one is just an image, floating there, going nowhere. Same logic applies to client logos. If an agency’s homepage proudly displays Jaguar or Cartier as a client, that claim is either backed by a live project link or a verifiable case study — or it’s a stock logo grabbed to look impressive, and a quick reverse image search usually confirms which one.
Team photos are another tell. Stock photography where every “employee” looks a little too polished, a little too generically corporate, shows up instantly under a reverse image search. And domain age matters more than people realize — a company claiming a decade of award-winning work, running on a domain registered three weeks ago, is not a coincidence worth ignoring.
None of these checks take more than a few minutes. That’s the frustrating part. Most of the AARP cases could have been avoided with one reverse image search and one WHOIS lookup.
Why a Five-Star Rating Isn’t Proof of Anything
Here’s the part that catches even careful buyers off guard: checking reviews doesn’t fully solve the problem anymore, because reviews themselves have become part of the con.
It got common enough that the FTC finally built a rule specifically around it. As of October 2024, businesses are legally barred from buying, selling, or writing fake reviews and testimonials — including ones generated by AI, which the Commission specifically flagged as making the problem worse, since a bot can now produce convincing five-star praise for a business that doesn’t do a single thing it claims. Companies can also no longer pay someone to leave a review only if it’s positive, or quietly bury the negative ones. Violations now carry real financial teeth, upwards of $51,000 per instance. In December 2025, the FTC sent its first round of warning letters under the rule to ten companies, signaling this isn’t just a rule sitting unused on the books.
That’s worth knowing, because a wall of glowing five-star reviews used to be a decent shortcut for “this business is legitimate.” It no longer automatically is. A scam operation with a fresh domain can just as easily have a fresh batch of purchased reviews sitting next to it.
And here’s the part regulators themselves are candid about: even with the new rule, this remains a game of whack-a-mole. Shut one operator down, and a near-identical one reopens under a new name within weeks, often with the same script, the same pricing, sometimes the same stock photos recycled from the last shutdown. Consumer protection lawyers describe exactly this cycle — enforcement wins a case, and a fresh entity pops up almost immediately to take its place. Regulators can’t out-pace that on their own. Which is really the whole argument for doing your own five minutes of checking rather than assuming someone else has already done it for you.
Why Reputation Is the One Thing You Can’t Fake
Here’s what actually separates a legitimate studio from an operation built to disappear after a few billing cycles: a real track record is expensive to fabricate and easy to verify, in that order.
An agency that’s put in the work to earn recognition from established, independent bodies — the kind of award winning web design that shows up in public rankings, press coverage, and juried industry lists — has something a scam operation structurally cannot replicate: a paper trail that predates the sales call. You can look up the award. You can find the write-up. You can see the studio’s actual client work, live, on the internet, not a screenshot that conveniently can’t be traced back to a real URL.
That’s the whole difference, really. A scam needs you to trust it in the moment, based on nothing but what it tells you about itself. A studio with real recognition doesn’t need you to take its word for anything — the evidence exists independently, outside its own marketing, put there by people who don’t stand to profit from your decision.
Reputation, in other words, isn’t just a nice-to-have. It’s the one asset a fraudulent operation can’t manufacture on a three-week-old domain, because it takes years, real projects, and outside validation to build — and precisely because it’s slow and expensive to earn, it’s the thing genuinely good agencies protect the hardest. They’re not going to risk a track record they spent a decade building over one shady contract.
What This Means When You’re Actually Hiring
None of this requires becoming paranoid about every agency that emails you. It requires about ten minutes of due diligence before you sign anything:
- Click every badge. If a “Top Ranked Agency” seal doesn’t link to the organization that issued it, treat that as your answer.
- Reverse-search the team photos and client logos. A stock photo or a borrowed brand name shows up in seconds.
- Check the domain’s age. A studio claiming a decade of award-winning work on a domain registered weeks ago is a contradiction worth taking seriously.
- Ask for live links, not screenshots. Two or three real client sites you can actually visit tell you more than any portfolio page.
- Treat reviews as a starting point, not a verdict. A flood of five-star praise with no independent coverage anywhere else is worth a second look, not automatic trust.
If a “recognized” agency can’t point you to something you can independently verify — an award listing on someone else’s website, a press mention, a portfolio you can click into — that absence is the message.
The honest truth is that good work and real recognition are slow to fake and easy to check. Everything else is a shortcut somebody’s hoping you won’t take the ten minutes to notice.
