Phishing Emails Impersonating Squarespace Partners
There are no compliance setups, license key verifications, or audit fees required for Squarespace sites.
We want to make website owners aware of an ongoing phishing scam that is actively targeting Squarespace users by impersonating legitimate Squarespace Partners, designers, and agencies.
This scam has escalated in volume and sophistication. We’ve heard from many businesses and individuals, including non-clients, after they received alarming emails about their Squarespace site.
How the scam operates
Attackers are sending fake emails designed to impersonate Squarespace Partners or agencies. These messages:
Use names similar to real agencies or individuals
Come from look-alike domains or free email accounts (such as Gmail)
Claim urgent action is required to avoid site suspension, restrictions, or loss of access
False claims in the phishing emails
These emails typically assert that your site requires one or more of the following actions or items. None of these are required for Squarespace websites:
“Compliance setup”, “compliance review”, or “compliance audit”
“Squarespace compliance license key”
“License verification”
“Technical audit” initiated by email
“Security configuration changes” required to prevent suspension
The emails may include copied logos, screenshots, signatures, or language designed to look official and credible.
Common wording used in the fake emails
The following examples reflect wording commonly reported in phishing emails targeting Squarespace users:
“Squarespace has completed an internal review of your website and identified compliance issues requiring action.”
“Your website is not fully aligned with the latest Squarespace platform requirements.”
“A compliance setup is required to avoid service interruption or suspension.”
“Reply ‘YES’ to proceed so I can begin the compliance configuration.”
“Failure to complete this process may result in temporary or permanent downtime.”
“Squarespace EAA/AAA/AAT compliance required”
Squarespace does not use this language and does not run these processes. These messages are not legitimate.
Squarespace has confirmed that:
There is no known security breach of its platform or partners
These emails are phishing attempts designed to extract payments, credentials, or access
Squarespace publishes official guidance on identifying and reporting suspicious emails:
What Squarespace and partners do not do
To be absolutely clear, this is how Squarespace and legitimate Squarespace Partners or agencies operate:
Squarespace does not conduct “compliance audits” or “internal reviews” of your site
Squarespace does not issue “compliance keys” or “license keys”
Squarespace does not ask users to reply “YES” to begin a process
Legitimate Squarespace Partners do not contact clients from free email addresses
Legitimate agencies do not initiate compliance, license, or audit requests on Squarespace’s behalf
Legitimate agencies do not ask for urgent payment or admin access via unsolicited email
If an email claims otherwise, it should be treated as fraudulent.
How to protect yourself
If you receive an email like this:
Check the sender carefully. Look for subtle misspellings, extra characters, or incorrect domains.
Do not reply, pay, or click links. Even responding can confirm your email address to scammers.
Never share login credentials or grant site permissions. Squarespace will never request this via email.
Do not publish your email address publicly. Use Squarespace forms with Google reCAPTCHA enabled to reduce automated scraping and scam outreach.
Be skeptical of first-contact cold outreach. Unsolicited emails offering audits, fixes, or urgent issues — especially from free email accounts — are a common scam pattern.
Enable two-factor authentication (2FA). Use 2FA on your Squarespace, email, and Google accounts.
Verify directly. If an email references your website or designer, contact them using known, trusted contact details — not the information in the email.
For broader guidance on identifying phishing scams and protecting yourself, see the Federal Trade Commission’s resource on how to recognize and avoid phishing.
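For a shared inbox, the sender and wording checks above can be run automatically. This added example (not code from Squarespace or from this page's author) flags a raw message using the warning signs listed in this advisory; the trusted domain, the free-mail list, and the sample message are constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed values: swap in the domain your real designer or agency uses.
TRUSTED_DOMAINS = {"example-agency.com"}          # constructed placeholder
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Wording this advisory lists as commonly reported in the fake emails.
LURES = {
    "compliance setup/review/audit": r"compliance (setup|review|audit|configuration)",
    "license key or verification": r"license (key|verification)",
    "reply YES to proceed": r"reply\s+\W?yes\W?\s+to proceed",
    "suspension threat": r"service interruption|suspension|downtime",
}

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw_email):
    """Return the advisory's warning signs that a raw RFC 5322 message matches."""
    msg = message_from_string(raw_email, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    findings = []
    if domain in FREE_MAIL:
        findings.append("free-mail sender")
    elif domain not in TRUSTED_DOMAINS:
        findings += [f"look-alike of {good}" for good in sorted(TRUSTED_DOMAINS)
                     if edit_distance(domain, good) <= 2]
    part = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}".lower()
    findings += [label for label, pat in LURES.items() if re.search(pat, text)]
    return findings

# Constructed sample message (not a real email); note the digit "1" in the domain.
SAMPLE = """\
From: "Example Agency Support" <help@examp1e-agency.com>
Subject: Squarespace compliance setup required

A compliance setup is required to avoid service interruption or suspension.
Reply 'YES' to proceed so I can begin the compliance configuration.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message with no findings is not thereby verified; the result only tells you which messages to set aside before contacting your designer through known contact details.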
If you already responded or paid
Change your Squarespace and email passwords immediately
Contact your payment provider as soon as possible
Revoke any admin or third-party access you granted
Report the email
Report the email
Mark it as phishing or spam in your email provider (for example, Gmail)
Report it to Squarespace if applicable
Report the scam to the appropriate authority:
United States: Federal Trade Commission
United Kingdom: National Cyber Security Centre
Canada: Canadian Anti-Fraud Centre
Other countries: Your national consumer protection or cybercrime authority
Our commitment
We take security and trust seriously. We use modern email authentication standards (SPF, DKIM, and DMARC) and do not conduct unsolicited audits, compliance checks, or payment requests via email. These protections help prevent others from impersonating our domain; they do not prevent scammers from contacting you from unrelated email addresses.
If you ever receive a message that references your site and you’re unsure whether it’s legitimate, contact us directly. We’re happy to verify it with you.
This page is provided for general security awareness and does not constitute a guarantee against third-party fraud.