AI-Generated Fake Leads: Why They Look Completely Real and How to Stop Them

Lead quality Form spam Phishing PPC
← All posts

The new breed of fake lead

If you run lead-gen campaigns, you have probably seen the old kind of form spam: gibberish names, mismatched fields, an email address that is obviously junk. Easy to spot, easy to filter.

The new kind is different. The enquiry reads like a real customer wrote it. The company name is a genuine registered business. The phone number is a valid UK format. The email passes validation. The message is coherent, on-topic for your industry, and often mentions a plausible job. The only tell, if you look closely, is a link: a "booking link", a "project brief", a "site survey document" the sender wants you to open.

That link is the whole point. Everything else in the submission exists to get a busy salesperson to click it.

These started appearing in my clients' accounts in noticeable volume once cheap large language models made it trivial to generate convincing, industry-specific enquiry text at scale. They sail past every basic filter, waste sales time, and quietly poison your conversion data. This post covers what is actually going on, why the usual defences miss it, and the small set of fixes that remove most of it.

What is actually going on

These are conversational, AI-assisted spam bots, sometimes with low-grade human operators behind them. The realistic company names are the tell: they scrape Companies House and business directories, then fill your form with legitimate-looking details wrapped around a payload.

The payload varies, but it is usually one of three plays:

  • Phishing. The link leads to a credential harvest or malware. Sales teams that respond to every lead are the ideal audience, because clicking links from "prospects" is literally their job.
  • Link injection. If your form feeds a CRM or CMS, their URL is now sitting inside your systems where staff will see it, and in some setups where search engines might.
  • Reverse lead scams. They harvest your reply and sell it on as a "qualified enquiry" to someone in your own industry.

And if you are advertising, you are a preferred target. Bots crawl Google and Microsoft ad landing pages specifically, because ad spend signals two things: you have money, and you respond to every lead that comes in.

Why your filters miss them

Everything the classic anti-spam checks look for is absent:

  • No gibberish and no mismatched fields, so server-side validation passes.
  • Valid-format email addresses on real domains, so format and MX checks pass.
  • Submissions arrive at human-plausible speed, so naive rate limiting never triggers.
  • Traffic comes through residential proxies, so IP blocklists and datacentre filters miss it.

You cannot filter these on content quality, because the content is good. You have to catch the behaviour instead: the things a bot does that a human never would, and the things a human does that a bot cannot fake cheaply.

The fixes, in order of effort against payoff

1. Cloudflare Turnstile on the form

Turnstile is the modern, invisible alternative to reCAPTCHA: no puzzles for real users, free to use, and it verifies the browser is real before the form will submit. It is the single most effective fix for the least effort, and it is a ten-minute job for whoever manages your site. If you are already deep in Google's ecosystem, reCAPTCHA v3 is the equivalent option.

2. A honeypot field, built properly

A honeypot is a form field that real users never see but bots fill in, because bots read the raw HTML rather than rendering the page. Any submission with that field populated gets binned. It costs nothing and catches a surprising amount, but the details matter, so it gets its own section below.

3. Server-side URL detection

Flag or quarantine any submission containing a URL in the name, company or message fields. Genuine enquiries almost never paste links into a contact form. For the fake-booking-link pattern, this one check catches the payload itself, and it is a few lines of code on the server.

4. Email hygiene checks

Block disposable email domains and validate MX records server-side. This will not stop the sophisticated operations, which use real domains, but it cheaply removes the lower tier.

5. Time-on-page and interaction checks

Record when the page loaded and reject submissions completed in under a few seconds, or with no mouse or scroll activity at all. Humans take time to read and type; most bots do not bother pretending.

6. Cloudflare WAF or Bot Management

If the volume justifies it, firewall rules can challenge traffic from known bot networks and datacentre IP ranges before your landing page even loads. This is the heavier option, worth it for high-spend accounts under sustained attack rather than as a first move.

The honeypot, done properly

Most honeypot advice gets the details wrong, and the details are the difference between catching bots and either missing them or, worse, silently binning real customers.

Naming: make the bot bite

Bots are primed to fill fields with tempting, common names: name, email, phone, url, website, company. The easiest approach is to add a decoy with a plausible secondary name like website2, contact_url or homepage. Bots scanning for URL fields, exactly the ones dropping fake booking links, will fill it.

Hiding it: layer the signals

Do not use type="hidden". Sophisticated bots skip hidden inputs because they know they are traps. Use a normal text field and remove it visually with CSS:

<div class="field-x7" aria-hidden="true">
  <label for="website2">Website</label>
  <input type="text" id="website2" name="website2"
         tabindex="-1" autocomplete="off">
</div>
.field-x7 {
  position: absolute;
  left: -9999px;
  height: 0;
  width: 0;
  overflow: hidden;
}

Each detail is doing a job:

  • Off-screen positioning rather than display: none. Some bots specifically avoid fields styled with display: none or visibility: hidden because those scream honeypot. Absolute positioning off-screen is less suspicious to them and equally invisible to users.
  • tabindex="-1" so keyboard users never tab into it by accident.
  • autocomplete="off" so browser autofill does not populate it for a real user, which would bin a genuine lead.
  • aria-hidden="true" so screen readers skip it. This one matters: without it, a blind user fills in the field and gets silently rejected.
  • A neutral wrapper class. Do not call it .honeypot or .hp-field. A bot can be told to skip anything whose class mentions honey. Pick something arbitrary.

The server-side check

If the decoy field comes back non-empty, reject or quarantine the submission. Do this on the server, never in JavaScript: a bot that ignores your JS sails straight through a client-side check.

Do not tell the bot it failed

Return the normal "thanks, we'll be in touch" response to flagged submissions. Show an error and the operator learns there is a trap and adapts. Silent quarantine into a junk folder is ideal; someone can eyeball it occasionally for false positives.

Pair it with a timestamp. Drop a server-generated timestamp into the form when the page loads and reject anything submitted in under about three seconds. It catches the bots smart enough to leave decoy fields alone.

The PPC side: stop paying to train on junk

The durable fix lives on your website, but if you are running paid traffic there are two things to do in the ad accounts in parallel.

Check where the fake leads are coming from. Pull the submissions and see whether they correlate with a specific campaign, network or placement. Spikes on Display, Search Partners or the Microsoft Audience Network are a common spam vector, and excluding the offending placement can cut the volume immediately.

Exclude them from your conversion data. If fake submissions are firing your lead conversion, they are polluting the signal your bidding optimises on. Smart Bidding does not know the lead was fake; it just sees a conversion and goes looking for more traffic like it. Remove them, or over time your budget is actively steered toward the bots.

Where to start

Turnstile plus a server-side URL filter is most of the fix for very little development cost. Add the honeypot and timestamp check if you want belt and braces. Then clean up the ad account side so your bidding is not learning from junk.

None of this requires new tools or a subscription. It is a few hours of developer time and some hygiene in the ad accounts, and it turns a daily drain on your sales team back into a form that mostly rings true.

Drowning in leads that ring false?

I audit lead quality as part of tracking and account audits: where the junk enters, what it is doing to your conversion data, and the exact changes to brief your developer with. One-off project, written report, no retainer.

Get in Touch