Spam submissions are annoying—and they’re not going away.
But the fight against spam is tricky, especially for lawyer website design. The more aggressively you filter, the more you risk blocking or irritating real clients. On the other hand, too much spam can suffocate your small staff and stop you from growing your business.
So how do you know what’s just annoying and what’s a problem when it comes to spam?
In this article, we’ll explain why some spam is normal, when to intervene, and how to do it smartly without hurting your user experience.
Some spam is inevitable–and that’s okay
Look, all websites with a contact form are going to receive spam. This includes law firms, retail shops, nonprofits—everyone.
One or two spam submissions a day? Annoying, but not a huge problem.
The key question: Are your anti-spam efforts costing you leads from real clients?
Let’s rephrase.
Over-filtering can turn real people away—especially people who are stressed, in a hurry, or not tech-savvy. It’s tricky, at first glance, to tell who is a spammer and who can’t spell very well.
Here’s the answer: If spam is minimal and manageable, it may be better to leave it alone.
When spam is a problem
- Are you receiving 10+ spam inquiries per day?
- Are spam messages interfering with your CRM or intake workflow?
- Is your team missing real leads because of the noise?
It is time to take action when spam is preventing you from serving real clients. Do a SWOT analysis.
If your team is spending hours sorting through inquiries, that’s a red flag! If your CRM is clogged up with bots and bad actors, something needs to give.
Every firm is different in this respect. Some offices have the capacity to handle the nitty-gritty sorting. Others don’t even have a contact form because they get mostly referrals. Some firms are drowning in spam inquiries while trying to get their business off the ground—and it’s frustrating.
How to combat spam
Here are our four best tips to combat spam on your law firm’s website.
1. CAPTCHA or reCAPTCHA
This is the most common solution. A CAPTCHA is a quick test that proves a visitor is human.
You’ve probably seen the image puzzle or checkbox (“I’m not a robot”) CAPTCHAs on the web. Google’s reCAPTCHA v3 is invisible—good user experience, but less aggressive.
Pro: CAPTCHAs are easy to install and pretty effective.
Con: Older CAPTCHAs can frustrate real users.
Your best option is to work with a developer to select the right option for your specific website. Opt for the least intrusive option that still works.
2. Honeypot fields
A honeypot is a hidden field in your form.
Humans? They don’t see the field so they don’t fill it out.
Bots, on the other hand, tend to fill out every single field.
If the honeypot field is filled in on a form, it flags the entry as spam and you can safely disregard it. Pretty neat, huh? Honeypot fields are a simple, elegant, and user-friendly solution. They’re a good first step that you can implement immediately.
Again, ask your developer to implement this for you.
3. IP and email blacklists
Blacklists are sort of like vaccines. If you know exactly what’s making you sick, you can inoculate yourself against that exact enemy.
If you get spam from the same email address, the same IP address, or the same region, block them directly.
You can set up a manual block with many website form tools and CRMs. You can also use third-party services or plugins that maintain automatic blacklists.
Be strategic about this sort of approach. You don’t want to accidentally repel real business.
Pro: Blacklists are effective for persistent nuisance senders.
Con: Blacklists won’t stop new bots or one-off spam.
4. Geoblocking (use with caution!)
Geoblocking limits form submissions to a certain geographic region.
This is a good fit for firms that only serve clients in one country (e.g., U.S. only). If that’s you, then you might consider proactively blocking submissions from other parts of the world.
Pro: Geoblocking can dramatically cut spam.
Con: It can also block legitimate users who are traveling or using VPNs.
Use geoblocking as a last resort or in extreme spam situations.
Tip: Consider a “soft geoblock” that flags foreign submissions instead of blocking them outright.
Don’t set and forget
Spam control isn’t a one-time fix, unfortunately—it’s a process. Spammers gonna spam!
After you implement a change, be sure to monitor your form submissions daily for the first few weeks. Ask yourself, Are real leads still coming through? Are users reporting issues with the form? Use this data to tweak your approach.
A developer or web specialist (like us!) can help fine-tune your website security to balance protection and usability.
Review and next steps
The goal isn’t zero spam—it’s fewer distractions without losing real leads.
Some spam is just part of having an active website…but if spam is disrupting your business, take action to defend your bottom line. Start with simple fixes like honeypots or invisible CAPTCHA, and scale your tools only if needed.
And remember: Every form field, setting, or block you add should make life easier for both your firm and your future clients.
Bring us all your questions during a free consultation.