Attempts at Defrauding Sites via Form Spamming

by | Aug 27, 2021

It’s a feeling like no other when someone reaches out to you through your website’s form and shows interest.  It is equally and oppositely a disappointing annoyance when your inbox is flooded with a bunch of phony SPAM submissions.

But beyond annoyance, there are real dangers to your business from form spamming that could cost you a lot of money. In this article, we’re going to show you how spam formers might try to defraud your site, and some of the best ways to protect yourself.


What is Form Spamming?

We’re not just talking about a random, mistaken submission on your webform, we’re talking about a malicious, targeted attack on your website.

Spam form is what happens when ill-meaning people (often called “Bad Actors”) submit erroneous information through the forms on your website to benefit themselves.

This is for a number of nefarious reasons, but it’s never a positive thing.


Why Would Someone Do This?

The reason form spamming exists is simple but sad: ill-meaning people are trying to make money or get something from others.

So any and every way that a Bad Actor can exploit you, they will, and a popular way is form spamming.

Maybe they’ll try to find security holes in your site’s forms so they can hijack them and send SPAM messages. Or, if you have a form on your site that publishes their messages (like public blog post replies), they might use it to publish phony public messages with links to try to increase their SEO or sell their products.

The reason form spamming is still a problem is that sadly, it sactually works. Even with online security being as advanced as it is, Bad Actors are making revenue off of lying, cheating, and stealing, and they’re trying to use your website to do it.


Form Spamming and Affiliate Marketers

It’s sad, but there are people out there who are going to try use form spamming to rip you off as an affiliate marketer.

The way they do this is with bots that are programmed to find lead forms on web pages and fill them out. This triggers a “conversion” for them as an affiliate, which technically means you owe them revenue for it.

The issue is the conversion isn’t legitimate, so if you pay out on this conversion, you’re essentially just giving money away to a fraudster that cheated you.

But it can get way worse– and can be much more expensive. See, the form spammers are getting more sophisticated, and the bots they’re using are advanced enough to fill in real names, real phone numbers, and real email addresses.

Since these form fills look legitimate, you’ll likely reach out to these people since (as far as you know) they showed interest. The problem is, a bot filled out your form with their information, and they have no earthly idea who you are.

If you contact them with an offer without their permission, you’re now in violation of TCPA regulations and can face up to $1,500 in fines if the person files a complaint.

You need a way to protect your affiliate marketing efforts against form spamming, or it could end up costing you a lot of money.


How to Protect Against Form Spam

There are quite a few ways to protect against form spam, and it depends on the type you’re experiencing. Here are a few tried and true methods to get you started. You can employ each of these methods all at once for stronger bot protection.



You’ve likely heard of CAPTCHA (or at the very least, had to fill one out). They’re essentially puzzles that are crafted so that only humans can solve them. They work by requiring inputs that bots can’t do easily or accurately.

CAPTCHA is a type of tool, not a single brand, so there are various kinds of CAPTCHA solutions available that all attempt to vex and confound bots.

There are some downsides to CAPTCHA. Firstly, sometimes people are just plain annoyed by them because they’re an extra step in completing online tasks. Secondly, bots are getting smarter every day, and not all CAPTCHAs are unbeatable.

Having a CAPTCHA in place typically can’t hurt anything, and can be a good “catch-all” for bot traffic protection.


Trick the Bots – Hidden Field Method

Most form software allows the creation of hidden fields. This is often for marketing attribution such as a Google Click ID, but we’re going to use it to trap some bots.

Create a hidden field on your form, and call it ‘Bot Test’. If you set it up correctly, it will be invisible to humans, but bots will be able to see it.

When you receive a form submission, and the hidden ‘Bot Test’ field has a response in it, you’ll know that you’re dealing with a bot.

Out-Tech Bad Actors

There are myriad technological ways to protect yourself that require a deeper knowledge of how websites work. They’re definitely worth mentioning if you’re being plagued by form spamming, but we’ll only go into a high level of detail. Try at your own risk.

Check for IFrames – almost 100% of forms submitted via iFrame are fraudulent.

Use Geolocation – Only allow traffic from specific countries such as the US and Canada

Use Cookies – Cookies can be used to block multiple form submissions

Filter Proxies/VPNs – There are ways to vet IP addresses that spammers typically use (data centers) and block them


TCPA Compliance Software That Will Protect You

Don’t risk TCPA compliance software that will let you down when it matters most. Get protection that will hold up in court.

The sad fact is that we haven’t found a foolproof way to stop form spamming altogether. Not only is it a threat to your data, but you don’t want to find yourself in legal trouble because someone was trying to scam you.

Don’t leave yourself unprotected: have proof of every form fill on your site.

How in the world could you do that?

It’s simple.

Validiform is proven software that captures, validates, and saves consent from your website’s visitors (in a format readable by a human).

It automatically captures consent, and will also include insights as to when and how the form was filled out. If any issues arise, you can use the data from Validiform to protect yourself from TCPA complaints.

Don’t take unnecessary risks. Get Validiform today.