Scam Solicitations on Web Contact Forms - Solutions?

  • 1 March 2023
  • 8 replies

Userlevel 6
Badge +1

This topic is tangential to Smokeball but it is law practice management / tech related.

The Problem:
I have used contact forms on our website for years to allow visitors to “request a consult”. In the last couple of years we have received an increasing number of scam consult requests. They have in common:

  • Phone numbers that do not work;
  • Unusual verbiage or stilted phrasing which suggests to me that the writer is speaking english as a second language; and,
  • Scope of work related to large machinery/equipment/boat purchase or sale.

Universally, these requests have a premise which sounds too good to be true but require them to quickly make a trust deposit by EFT and they request trust account information immediately. Previously I have screened these by asking for a valid driver’s license and working phone number. A recent scammer actually sent back what appeared to be a picture valid driver’s license but there were a number of characteristics which on close inspection did not seem genuine.

Does Your firm have this problem?

Possible Solutions?
I am contemplating methods to retain the usefulness of the web contact forms while mitigating the risk and waste of time cause by increasingly sophisticated scammers. I am considering using “geoblocking” to block IP traffic from certain countries. However, this does not prevent traffic which uses a VPN Tunnel.

Does your firm have a solution?

8 replies

Userlevel 6

Fantastic question @JKibler! I’m going to tag @atharkhan in here because he’s quite extraordinary in the digital/technical space.  

Userlevel 6

Oh and a quick follow up question. @JKibler what is your site/contact form built on? It’s likely the answer will change depending on what you’re using. 

Userlevel 4
Badge +1

Oh and a quick follow up question. @JKibler what is your site/contact form built on? It’s likely the answer will change depending on what you’re using. 

Exactly.  For example, on Wordpress, the Akismet plugin is your friend.  Basically, you need a challenge-response type of thing to verify that someone is human.   This is just going to cut down the bots.  Humans will still be able to to do this but you should see a huge reduction in volume.  

If it gets worse, you can do what I did -- set up a Google Voice number and have that “Call” button on the website.  I don’t think that was a great solution though. 

Userlevel 6
Badge +1

@Ben How to add a lead intake form to your website – Smokeball Support Hub

@atharkhan We do have a Wordpress site. However, I am not using contact forms.

I think I am going to try a geoblocking plugin for wordpress and see if that helps. Thank you both for sharing your thoughts!

Userlevel 6
Badge +1


There are apparently different methods to geo block IP addresses. For example:

  • For non-wordpress website hosted using CPanel there is an app called CHulk;
  • For WordPress you can use plugins such as WordPress or ip2location which require subscriptions to use ip/country index databases. I had some concern about this method possibly slowing down our site speed.
  • Other hosting firewall - we use GoDaddy business hosting with paid security add on. I found a geo-blocking feature which I was not aware of and enabled it. Hopefully that solves the problem. 
Userlevel 6

Glad to be able to help @JKibler. I will talk to the team here to see if there’s anything we can do at the intake form level to help filter out spam or suspicious domains. 

Here in the Community we use Akismet along with a keyword filter for some of the very common phrases that most spammers use. So I can recommend it as an option to consider alongside @atharkhan.

I’d consider Akismet for the following reasons: 

  1. It’s a machine learning model, so it is constantly learning to recognise new types of spam and new approaches. This will reduce the cat and mouse game of spammers changing their IP using a VPN to one you haven’t blocked for example
  1. It’s crowd sourced data so you’ll get the benefit of detection on any other platform that is using it. You won’t have to wait for a successful spam attempt to start changing your approach. 
  2. It pattern matches on multiple pieces of information including what’s inputted and -as far as I can tell, IP and email as well. This makes it much harder to find a way around the countermeasures. 

The one reason not to consider it: 

  1.  Initially we got a lot of false positives with real members being caught in the filter, it’s important to check through what has been detected as spam, especially as the model is trained to your specific data. 

It took us a little while to get it to work properly for our community, but it seems to be close to 100% accurate now and gets better with each detection/false positive that we flag for it to learn on. 

Now that I have said this, a spammer will get through and prove me wrong 😅

Edit: In previous communities I’ve also used Captcha/Recaptcha with an algorithm to increase the frequency of Turing Tests based on the volume of spam attacks. But I think this only really becomes useful when there’s a massive volume - we were getting hit by 50,000+ messages a day. 

Userlevel 6
Badge +1

@Ben Thanks for the information on Akismet. It appears that it could have been helpful when we were using Contact Forms 7 on our wordpress site but it is limited to preventing contact form submission on our site which is no longer the case.

Userlevel 6

You’re most welcome @JKibler. I’m sorry we don’t have a better solution for you just yet. 

I had a quick chat to the team here and shared this thread with them.

Beyond the beta which you I believe you have access too now, I can confirm there’s some significant updates in the works around our lead intake tool. They’re looking into more sophisticated countermeasures than the current Captcha (which is mostly good for stopping bots). I’ll circle back when I know more, but don’t have a timeline for when it’ll be ready yet.