Form submission spam is on the rise. On this page, you can find information about common scams that you might receive on your website's forms, as well as what you should do about it.
What is form spam, and how is it done?
Spammers often use software programs called "bots" or "scrapers" to jump from one website to another website, searching each website for form elements on each website. When the bot finds a form element, it pastes in a payload and automatically submits the forms.
These fraudulent submissions frequently use abusive language, advertisements, links to sites riddled with malware, and phishing websites set up by the scammers in an attempt to steal your personal or business information. It's safe to assume that all spam has some sort of nefarious intent behind it.
- Do not click any links or attachments
- Do not reply to the sender
- Do not flag the message as spam.
- Do ignore the message
- Do forward to us if you are unsure about legitimacy
Do not flag the message as spam. All form submissions are delivered via the same email address. By flagging the message as spam, you will be telling your spam filters that emails from are spam — this would include legitimate submissions, like leads.
What can be done to prevent form spam?
You've probably heard of reCAPTCHA, which was developed by Google in an effort to stop spam attempts. A reCAPTCHA attempts to block fraudulent form submissions by verifying that a submitter is actually a human. Unfortunately, as the web evolves to stop spam from being distributed, scammers will reinforce their software to evade detection.
reCAPTCHAs can be easily solved through the use of browser extensions or software. Sometimes, scam companies will outsource the work of solving reCAPTCHAs overseas to remote teams who get paid for the number of reCAPTCHAs that they solve.
We enable the latest version of reCAPTCHA on all websites we develop, which helps largely to prevent form submission scams. However, some attempts do slip through the cracks by using the aforementioned methods to evade reCAPTCHAs.
While there are often solutions to help capture spam and fraudulent form submissions, these are expensive and/or incompatible with Webflow, the CMS we use to build your site. We are currently working on methods to stop and reduce spam sent through forms on our Webflow sites, and hope to have a solution built by the end of Q1 2023.
What are some common web form scams I might encounter on my site?
Since the scammers are likely using our site to jump to your site through our Portfolio page, we receive some of the same spam that you do. Additionally, we encourage every client to forward suspicious form submissions to us, so we can catalog them on this page.
1. Copyright Infringement Scam
If you've received a fishy looking message about "copyright infringement," it's likely that you've received one of the most common email scams in 2022.
In this email scam, the subject poses as a high ranking executive at a well-recognized company like Intuit or Slack. As you might be able to tell by looking at the way the email is worded, its goal is to get you emotional, scare you, and rush you into clicking the link.
Do not click the link.
If you did, you'd download a malicious file allowing a hacker to gain control of your device. After that, the hacker could hold your information hostage and demand a ransom for it, gain access to your other accounts, or inject viruses that can infect your machine and/or spread to your contacts' devices.
Here is an example of a fraudulent form submission we received. Each email is different, but follows the same general format.
While the above variation has been circulating more recently, a previous variation was a more casually worded message from a woman named "Mel" or with a name containing "Mel" who claimed to be an illustrator or photographer, threatening to sue you using inflammatory language.
We haven't seen this one in a long time (since May 2021) but it's still important to remember it in case it begins to recirculate.
Below is a variation of that version.
For Carbon Creative Clients: We do not use copyrighted images when building your site. All assets are curated from Pexels or Unsplash, where they are provided royalty free for commercial use, or licensed from our own Adobe Stock account where we have obtained the necessary licenses to use them commercially.
2. Domain Expiring Notice
These tend to get stopped by reCAPTCHA, but in the event they do not, here's what one looks like:
This one is pretty self explanatory – the email doesn't make sense as a whole (there's mention of an "e-book" in this one??) and the whole purpose is to make you hastily click a link because you're worried about your domain expiring.
Official notices of domain expiry will come from your registrar, the place where you registered or purchased your domain. Common examples of registrars are GoDaddy, 1&1 IONOS, Namecheap, and Google Domains. If you have any questions about your domain, send us an email and we'll be happy to help you turn on auto-renewal or find out when your domain expires.
Stay tuned to this page for future updates regarding new internet scams, so you can stay vigilant and protect yourself from fraud online.
Last updated Wednesday, December 15th at 5:40 p.m.