A few months ago, a six-figure project landed in my inbox. The company was recognizable, the email signature looked legitimate, and the budget was exactly the kind of thing that makes a services business lean forward. By the third email, though, something felt off. The warning signs were there all along I just hadn’t been looking closely enough.
This kind of scenario plays out way more often than most agency owners realize. The FBI’s Internet Crime Complaint Center reported $2.77 billion in business email compromise losses in 2024 alone. Small service businesses are prime targets because our inboxes are public, our pipelines are hungry, and we’re wired to say yes to opportunity.
At best, you waste hours qualifying an inquiry that was never real. At worst, you hand over site access, client data, or unpaid trial work to someone who was never a buyer in the first place. The damage often shows up after they’re already gone. But here’s the thing: the red flags usually show up in the first few messages. You just have to know what to look for.
Start With the Email Domain
If someone claims to represent a recognizable brand but emails you from a free Gmail account or a lookalike domain with a subtle misspelling, extra hyphen, or altered extension, that’s your first signal to slow down. Real procurement departments don’t typically reach out from generic personal inboxes, and they definitely don’t use domains like “contact-acme-group.co” when the actual company is acme.com.
Do a quick independent check. Find the company’s real website, browse their LinkedIn page, check their staff directory. If the person contacting you doesn’t appear anywhere in the organization they claim to represent, that’s not a minor detail. It’s the signal.
Watch the Role Inconsistencies
Read through the entire email thread, not just individual messages. You’ll sometimes see one email come from a “Director of Digital,” the next from a “Head of Procurement,” and then someone else “managing vendor relationships.” Real employees at real companies don’t casually shift roles mid-conversation. That inconsistency often points to scripted messaging or multiple people cycling through the same inbox. It’s one of the clearest signs you’re not dealing with a single, accountable counterpart.
Access Before Agreement Is a Problem
In legitimate engagements, access follows process. Contracts get signed, scope gets defined, payment terms get agreed to, and only then do credentials and system access come into play. Suspicious inquiries often flip that order entirely. They’ll ask you to “take a quick look,” “review the site from the inside,” or “send a test login so we can confirm fit” before anything formal exists.
None of that reflects how real agency work flows. It’s either an attempt to extract free labor or gain access to your systems before there’s any accountability on their end.
Watch for Manipulation in Shared Documents
This one’s a newer pattern. Some “briefs” or shared documents include oddly placed instructions designed to manipulate how content gets processed, especially with AI tools. Phrases like “ignore previous instructions” or completely unrelated requests buried in contextless text are major red flags.
Even setting aside that angle, real briefs are structured around goals, constraints, audiences, anddeliverables. If a document feels engineered to confuse rather than clarify, trust your gut.
Urgency Without Justification Is a Pressure Tactic
A legitimate six-figure project doesn’t usually require action within hours. Real enterprise buyers don’t typically collapse timelines while also waving around large budgets. When urgency pairs with high value, it’s almost always a pressure tactic meant to reduce your ability to verify who you’re actually talking to.
The simplest guardrail here is consistency. Every new inquiry goes through the same intake process, regardless of how promising or attractive it looks on first pass.
The Bottom Line
Not every unusual inquiry is fraud. Real companies can be disorganized, and legitimate buyers sometimes communicate imperfectly. The key is pattern recognition, not overreaction.
In my experience, when two or more of these signals appear together, the safest move is to slow the process down. Require a discovery call, written scope, signed agreement, and deposit before any technical work begins. Real clients accept that structure without blinking. The rest usually disappear.
That filter costs nothing, and it’s saved me significant time and risk.
The inbox will keep filling. The opportunity will keep looking attractive. But learning to read people quickly isn’t about being cynical it’s about being smart enough to protect your energy for the clients who are actually worth it.
