Why Your New Website Attracts a Flood of Fake SEO Emails
Launch a new practice website and the spam starts within days. Here's why fake SEO and 'your site has errors' emails arrive so fast, and how to handle them safely.
- Security
- Phishing
You set up a new website for the practice, or simply refresh the old one, and within a few days a peculiar thing happens. The inbox starts filling with urgent-sounding emails: “Your website has critical SEO errors!”, “You’re invisible on Google!”, “We tried to call about your search ranking.” They keep coming. If it feels like your new site flipped a switch and summoned them, that is more or less exactly what happened.
It is one of the more dispiriting parts of getting online, and it lands hardest on busy practices that already have a full inbox of genuine client work. The good news is that the flood is normal, mostly harmless, and easy to manage once you understand what is driving it. The part that does deserve your attention is telling the harmless noise apart from the small number of messages that are genuinely trying to harm you.
Why it starts so fast
Three things happen the moment a new site goes live, and together they put your address on a lot of lists very quickly.
Your email is published and scraped. If your address appears anywhere on the site, in the footer, on a contact page, in the code behind the scenes, automated bots will find it. They crawl the web constantly looking for exactly this, and a clean, well-structured site is just as readable to a harvesting bot as it is to a customer.
Your new domain is harvested at registration. Registering a domain creates a public record, and there is a whole cottage industry built around collecting brand-new domains and selling the contact details on. This happens regardless of who built your site or where it is hosted.
Getting indexed adds you to the “fresh site” lists. Once Google and Bing pick your site up, you appear in the data that spam operators scrape to find new businesses to pitch. Ironically, the faster and cleaner your launch, the sooner you arrive on their radar.
None of this signals a security problem. Nothing has been hacked. Your address has simply become visible, and visibility is the whole point of having a website.
What these emails actually are
Most of the flood is a single genre: the unsolicited SEO pitch. The pattern barely changes. A scary hook about your rankings, a list of supposedly critical problems with your site, and an offer to fix it all for a monthly fee. They are a numbers game, sent in enormous volume by outfits hoping that a tiny fraction of recipients panic and reply.
You do not have to take our word for that. Google’s own guidance to site owners is refreshingly blunt about it: “Be wary of SEO firms and web consultants or agencies that email you out of the blue.” On the inflated promises these emails love to make, Google is equally clear: “No one can guarantee a #1 ranking on Google.” Anyone claiming a special relationship with Google, or “priority” submission access, is describing something that does not exist.
For context on the sheer scale of it, almost half of all email sent worldwide is spam. Statista’s tracking puts spam at roughly 47 percent of global email traffic across 2024. Your new inbox has simply joined a very large club.
Where annoying turns into dangerous
If every one of these messages were a clumsy SEO pitch, you could safely ignore the lot. The reason to stay alert is that the same channel, an inbox full of unsolicited mail you have started to tune out, is exactly where the genuinely harmful messages hide.
This matters more for an accountancy practice than for most businesses. You handle client money, set up suppliers, change bank details and field invoices all day, which makes you a deliberate target for invoice fraud and business email compromise. A criminal does not need to break into anything. They need you, tired and busy in the middle of the January self-assessment peak, to glance at one more “urgent” email and act on it without thinking.
The danger of a noisy inbox is not the noise itself. It is the way a constant stream of junk wears down your attention, so that a well-crafted fake invoice or a convincing login prompt slips through alongside the obvious rubbish. Volume is the camouflage.
How to handle the flood
A few sensible habits take most of the sting out of it.
Do not reply, and do not click unsubscribe. With low-grade bulk spam, any response confirms a live human is reading, which tends to attract more. Mark it as junk and move on.
Train your filter. Marking messages as junk teaches your mail system what you do not want to see. On a properly configured business mailbox, the bulk of this never reaches you in the first place, and good filtering at the mail-provider level does far more than fiddling with individual messages ever will.
Keep your real contact details on the website. It can be tempting to hide your email to dodge the bots, but for a profession that wins work on trust and approachability, visible contact details earn you more than the spam costs you. The better answer is to leave them on show and deal with the junk where it belongs, at the mailbox.
Report the genuinely malicious ones. If a message is clearly trying to deceive you rather than just sell to you, forward it to the National Cyber Security Centre’s Suspicious Email Reporting Service at report@phishing.gov.uk. It is free and quick, and it works: the NCSC has received more than seven million reports through the service, leading to tens of thousands of scams being taken down. If your team is on Microsoft 365, there is also a built-in report button that sends suspicious mail to both the NCSC and your own IT support in one click.
A simple rule for the whole team
The single habit worth instilling across the practice is this: anything that asks you to move money, change bank details, or log in, gets verified independently before you act, no matter how routine it looks. Call the supplier or client back on a number you already hold, never one from the email. Treat urgency and secrecy as warning signs rather than reasons to hurry. A little of this discipline, backed by proper staff awareness and phishing training, neutralises the dangerous emails while the harmless ones simply pile up in the junk folder where they belong.
If you would like a calm, jargon-free look at how well your practice is set up to filter the noise and catch the genuine threats, that is exactly the kind of thing a free Practice IT Health Check covers, alongside the wider question of your cyber security and Cyber Essentials posture. The fake SEO emails are an irritation. Making sure nothing dangerous is hiding among them is the part that is genuinely worth your time.
Frequently asked questions
Are these SEO emails actually from Google?
No. Google does not email you out of the blue about your rankings, and it has no 'priority submit' or special-access service that these senders often claim. Google's own advice to site owners is to be wary of anyone who emails you unsolicited about your search performance. Treat any message claiming to be from Google about your ranking as spam until proven otherwise.
Is it safe to reply or click unsubscribe?
Better not to. With low-grade bulk spam, replying or clicking unsubscribe simply confirms that a real person reads the inbox, which can lead to more, not less. Mark the message as junk and delete it. Genuine, reputable mailing lists honour unsubscribe requests, but the senders behind fake SEO spam generally are not genuine or reputable.
How did they get our address so quickly?
Mostly by scraping. Bots harvest any email address published on your website, and newly registered domains are collected from public registration data the moment they appear. Once your site is indexed by search engines, you also land on lists of fresh domains that spammers target. None of it means your systems have been breached.
When should we report one of these emails?
If a message is plainly junk, deleting it is enough. If it looks like a genuine attempt to deceive you, an invoice, a login prompt, a request to change bank details, forward it to the National Cyber Security Centre at report@phishing.gov.uk before deleting. It is free, takes a minute, and helps get malicious sites taken down.
Want this checked for your own practice?
Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.
Book your free Health Check