Website Scams Targeting Small Businesses

6/11/2026

Fake Google calls, SEO spam, lookalike invoices, and bogus verification calls: how each scam works, the tell that gives it away, and what to do.

If you own a small business with a phone number and a website, you are on lists. Lists of businesses to robocall about "problems with your Google listing." Lists of new LLCs to mail official-looking invoices. Lists of website owners to email about "critical SEO errors." The people running these operations aren't targeting you personally; they're running volume plays against every small business in the country, and they profit because a small percentage of busy owners pay without checking.

We build websites for small businesses every day, which means we hear about these scams constantly, usually right after a client almost fell for one. This post walks through the four we see most, how each one actually works, and the specific tell that gives each away. The mechanics are described plainly because understanding the con is the defense. Nothing here requires technical skill, just thirty seconds of skepticism at the right moment.

Scam 1: The "your website has problems" call

How it works

Your office phone rings. A recorded voice, or a high-pressure live caller, says something urgent: your Google listing is about to be removed, your website is not showing up in searches, your business is marked as closed, and you must act now to fix it. Press 1 to speak to a "Google specialist." The specialist then sells you a monthly "listing management" or "search placement" service, often a few hundred dollars a month, billed to a card, for work that is either never performed or that you could do free in minutes.

Some variants claim your site has security problems or compliance issues. The structure is identical: manufactured urgency about a problem you can't immediately verify, followed by a paid fix.

The tell

Google does not robocall businesses to sell placement, and nobody can sell guaranteed ranking. Google's own help documentation is blunt that it doesn't make unsolicited sales calls promising first-page placement; see the guidance in Google Business Profile Help about third parties misrepresenting a Google affiliation. Any caller claiming to be "with Google" and asking for payment is, at best, an unrelated reseller misrepresenting themselves, and at worst a straight thief. Additionally, telemarketing robocalls to numbers without consent are themselves illegal in most cases, which the FCC's consumer guidance covers; an operation that opens with an illegal call is not going to deliver legitimate marketing services.

What to do

Hang up. If you're worried something is actually wrong with your listing or site, check directly: search your business name, log into your own Google Business Profile, load your own website. Sixty seconds of looking beats any caller's claim.

Scam 2: The SEO spam email

How it works

An email arrives, often appearing hand-typed: "Hi, I was looking at your website and noticed it's not ranking for important keywords. I found 23 critical errors. We can get you on page 1 of Google. Can I send you a free audit?" Sometimes there's an attached "report" of alarming-looking jargon. The sender claims years of experience and a money-back guarantee.

These are bulk emails sent to millions of scraped addresses. The "errors" are either fabricated or trivial boilerplate that is the same for every recipient. Businesses that respond get pitched cheap monthly retainers, and what's delivered ranges from nothing, to spammy directory submissions, to link schemes that can actually get your site penalized, meaning you paid someone to make your search presence worse.

The tell

Nobody who can actually deliver page-one rankings cold-emails strangers at scale. Real search marketing talent is busy and expensive. Beyond that, the giveaway is that the email is generic: it names no specific page on your site, no specific keyword with data, no specific competitor. "23 critical errors" with no errors listed is a horoscope, not an audit. And any guarantee of a specific Google ranking is a red flag by itself; rankings aren't for sale and Google has said so for years in its search documentation, which also describes the link schemes these operators often use.

What to do

Delete it. If you genuinely want to know how your site is doing, ask whoever built it to walk you through Google Search Console data, real impressions and clicks from Google itself, free. That's the conversation we have with clients of our website and SEO service every month, with real numbers on the screen.

Scam 3: The lookalike invoice

How it works

A piece of mail, or an email, arrives formatted exactly like an invoice: itemized service, amount due, due date, remittance slip. Common flavors include "website listing service," "business directory renewal," "trademark publication," "annual report filing service," and domain-adjacent notices (which are common enough that we wrote a separate post on domain renewal letters). The amounts are calibrated to be payable without a second look, typically $50 to $300, right in the range a bookkeeper might process on autopilot.

Here's the mechanism that makes these quasi-legal rather than plain fraud: somewhere on the document, in small print, is a phrase like "this is a solicitation, not an invoice." You're not being billed for a service you bought; you're being offered a worthless service, packaged to look like a bill. If you pay, they may even technically "perform" it, listing you in a directory no human has ever visited.

The tell

You can't owe money to a company you've never done business with. The defense is procedural, not technical: keep a list of every vendor you actually pay for web, domain, listing, and filing services. It's usually short, five to ten names. Any "invoice" from a name not on the list gets verified before it gets paid, no exceptions, no matter how official the eagle logo looks. The Federal Trade Commission's guide Scams and Your Small Business lists fake invoices among the most common small business scams precisely because the bookkeeper-on-autopilot path works so often.

What to do

Don't pay, and tell whoever handles your payables about the pattern; the scam targets them, not you. If you already paid by card, dispute the charge. Report it through the FTC's fraud reporting site, which feeds law enforcement cases against these operations.

Scam 4: The Google Business Profile "verification" call

How it works

A caller says your Google Business Profile needs to be "verified" or "re-verified" immediately or it will be suspended or handed to someone else. They walk you through the process on the phone, and at the critical moment ask you to read back a code that was just texted or emailed to you.

That code is real, but it's not theirs, it's yours. The caller has initiated a verification or account-recovery attempt against your profile or email, and the code you read aloud is the key that lets them finish it. Hand it over and they can gain control of your business listing, or worse, the email account behind it. Hijacked profiles get held for ransom, redirected to competitors, or used to run scams against your customers under your name.

The tell

A verification code is a password, and no legitimate caller ever needs you to read one to them. Codes exist to prove that you, the person holding the phone or inbox, are taking an action. The entire scam collapses on one rule: never read a code to anyone who called you, ever, for any reason. Real verification happens inside your own Google account, on your own screen, on your own initiative, following the official steps in Google Business Profile Help.

What to do

Hang up, then log into your Business Profile yourself and confirm everything's normal. If a profile or email has already been taken over, use the platform's official recovery process immediately and change the password on the underlying email account first, since that's the root of the tree.

The pattern under all four

Strip the details away and every one of these scams is the same machine: manufactured urgency, about an asset you can't instantly verify, from a party who initiated the contact. That's the whole genome. So the universal defense is one habit: when anyone initiates contact about your website, listing, domain, or accounts, you end that interaction and verify through your own channels, your own logins, your own vendor list, your own web person. Legitimate problems survive a fifteen-minute delay. Scams almost never do, because urgency is the only thing holding them together.

It also helps enormously to have one accountable human who knows your web setup, what you own, where it's registered, who you actually pay, so that "let me check with my web person" is a real sentence and not a bluff. That's part of what clients use our Command Advisor service for, and frankly it's part of what any honest web vendor should do for you: be the call you make before money moves. Scammers hate businesses that have a person.

Want a web vendor that picks up the phone?

Omnyra builds done-with-you websites live on a call with you: first draft in 24 hours, live in 7 days guaranteed, tiers from $500, with pay-in-4 and Klarna available. You own your domain and your site with us, always, which on its own kills half the scams in this post. We're veteran-owned, based in Wilmington NC, and we've built 1,500+ small business sites in the last 90 days.

Book a call or see pricing. And if you got one of those calls this week, forward us the details when we talk. We collect them.
