Conversion · 8 min read
Contact Form Spam Is Poisoning Your Smart Bidding
Summary
Bot form submissions fire your conversion tag, so Google bids toward the traffic that makes bots. Here is the fix ladder, cheapest real-lead cost first.
By Hyder Shah, Founder & CEO · Published July 13, 2026 · Updated July 13, 2026
Most people treat contact form spam as an annoyance. You delete the Cyrillic gibberish, you sigh, you move on. That framing is why it never gets fixed properly.
The real cost is not your inbox. It is your ad account. If a bot submission reaches your thank-you page, it fires your conversion tag, and Google Ads writes down that the click which produced it was a good click. Then it goes and buys more clicks that look exactly like it.
You are paying Google to find you more bots. That is the whole article. The rest is how to stop it without taxing every real lead on the way through.
How does form spam end up wasting your ad budget?
It wastes it twice: once for the click that produced the bot, and then again for every future click Smart Bidding buys because it believes that traffic converts. Google's own documentation describes Smart Bidding as strategies that use Google AI to optimize for conversions or conversion value in every auction, which it calls auction-time bidding. The only definition of a conversion it has is the one your tag sends it.
Read the Google Ads Smart Bidding documentation closely and the mechanism gets uncomfortable. Google lists the signals the system bids on: device, physical location, weekday and time of day, the actual search query, browser, operating system, and which ad version was shown. It adjusts bids toward whichever combinations of those signals historically converted.
So if your bots run on a headless Chrome build, from a cluster of data-center IPs, at 3am, on broad-match junk queries, Smart Bidding learns that this exact profile is your best-converting audience. It is not malfunctioning. It is doing precisely what you told it to do with the data you gave it.
Now scale that. Google recommends evaluating a Smart Bidding strategy over a window containing at least 30 conversions, and at least 50 for Target ROAS. A $2,500/mo Google Ads budget on a $150 CPA gives you roughly 16 conversions a month. If a third of those are bots, the algorithm is calibrating your target CPA on about 11 real data points and burning the rest of the budget chasing ghosts. Your reported CPA looks fine. Your booked-call count does not.
Are your bot submissions firing your conversion tag?
If your conversion action fires on a thank-you page load or a generic form-submit event, the answer is yes — 100% of bot submissions that reach that page count, and nothing in the Google Ads interface separates them from real ones. Three checks tell you how bad it is, and none of them takes more than twenty minutes.
- Reconcile the counts. Pull your Google Ads conversion count for the last 30 days, then count the actual inbound rows in your CRM or inbox for the same window. The gap is your spam. If Ads says 22 and your CRM has 14 real humans, you have a 36% poisoned signal.
- Segment conversions by hour of day. Real service-business leads cluster around business hours. A flat line across the night, or a spike at 2am to 4am, is a script on a cron job.
- Check for a GCLID. A paid click carries a gclid parameter. If your conversion tag is firing on submissions that never had one, something is hitting the form endpoint directly and skipping the ad entirely.
One caveat before you panic: not every fake-looking lead is a bot. Some of it is competitor sabotage, some is a scraper harvesting your endpoint, and some is a real human with a terrible query. The mechanical checks below tell them apart.
Which anti-spam fix costs you the fewest real leads?
Start with a honeypot field: it is free, it is invisible, it adds zero friction to a real lead, and it takes about ten minutes to add. Then layer Cloudflare Turnstile. Here is the whole ladder, ranked by what it costs you in real conversions — which is the only ranking that matters.
| Fix | Friction on a real lead | Cost | What it actually stops |
| Honeypot field | None — the field is hidden from humans | Free, ~10 min of dev | Naive bots that blindly fill every input in the DOM |
| Cloudflare Turnstile | None in non-interactive or invisible mode | Free plan: up to 20 widgets, unlimited challenges | Scripted and headless-browser submissions |
| reCAPTCHA v3 (score-based) | None — Google says it never interrupts users | Free tier | Anything scoring under your threshold (default 0.5) |
| Server-side validation + rate limit | None | Dev time only | Repeat submitters, junk payloads, direct endpoint hits |
| reCAPTCHA v2 checkbox | Every single real lead has to click it | Free tier | The same bots the invisible options already caught |
Verdict: honeypot first, Turnstile second, and never the checkbox. A honeypot is a form input hidden with CSS that no human ever sees. Humans leave it empty. Unsophisticated bots, which parse the DOM and fill everything, populate it. If it comes back with a value, you reject the submission server-side and never fire the tag. That kills the majority of drive-by spam for free.
When the honeypot stops being enough — and against a determined scraper it will — add Cloudflare Turnstile, which Cloudflare describes as a smart CAPTCHA alternative that works without showing visitors a CAPTCHA. It ships three widget types: Managed, which decides whether to show a checkbox based on visitor risk; Non-interactive, where per the docs visitors never need to interact with the widget; and Invisible, where the widget is completely hidden from the visitor. Turnstile's free plan covers up to 20 widgets with unlimited challenges and 10 hostnames per widget, and Cloudflare lists it as WCAG 2.2 AAA compliant.
reCAPTCHA v3 is the third rung. It returns a score for each request without user friction, where per Google 1.0 is very likely a good interaction and 0.0 is very likely a bot, and Google suggests a default threshold of 0.5. The catch nobody mentions: v3 does nothing on its own. If you do not check the score server-side and block on it, you have installed a tracking script and stopped exactly zero bots.
Why is a visible checkbox CAPTCHA the worst option?
Because it charges 100% of your real leads a friction tax to stop a problem that only affects some of them — and every invisible option on the ladder above stops the same bots for free. Google itself makes this argument. Its reCAPTCHA v3 documentation sells the score-based approach on the grounds that it will never interrupt your users, so you can run it whenever you like without affecting conversion. Read the implied comparison in that sentence.
Your friction budget is thinner than you think. Zuko's form benchmarking database, covering over 93 million tracked sessions, puts the average form completion rate at 51.71%, with desktop users (54.48%) completing more often than mobile (47.53%). Roughly half the people who start your form already do not finish it. Adding a puzzle to the end of that gauntlet, on a phone, in a truck, is not a security decision — it is a revenue decision, and you are making it badly.
The same logic governs field count. We cover the trade-off in detail in form length and conversion rate, but the short version applies here too: every element you add between intent and submission has to earn its place. A checkbox CAPTCHA never does.
How do you clean the bad conversions out of Google Ads after the fact?
You retract them. Google's Ads API supports a RETRACTION conversion adjustment, which removes a previously imported conversion — the sibling type, RESTATEMENT, changes a conversion's value instead. But here is the part that decides whether you can use it at all: to retract a conversion you have to identify it, and Google requires either an order ID or a matched pair of GCLID and conversion timestamp.
Which means the retraction is won or lost months earlier, in your form markup. If your form never captured the GCLID and never stamped a unique submission ID, there is no handle to grab. The spam conversion sits in your account permanently, training your bids, and no amount of clicking in the interface will remove it.
Google's conversion adjustment documentation also notes you should wait 4 to 6 hours after creating a conversion action before adjusting its conversions, or the upload throws a TOO_RECENT_CONVERSION_ACTION error. In practice, batch your retractions weekly rather than firing them one at a time.
While you are in the account, pair this with a hard look at where the junk clicks came from. Search-term poisoning and form spam usually travel together, and a tightened negative keyword strategy removes the source instead of the symptom. If bidding is already running on autopilot, our take on bid strategy automation explains what the algorithm can and cannot compensate for.
How do you tell a bot submission from a bad-but-real lead?
Judge the metadata, not the message. Score every submission against five mechanical checks and flag anything that fails two or more — a bot typically fails three or four, while a real-but-unqualified lead passes all five and simply has a bad answer in the message box.
- Honeypot value present. The hidden field came back populated. A human cannot see it, so a human cannot fill it.
- No GCLID and no referrer. The submission arrived without any trace of how it got to your page. Direct POSTs to the form endpoint look exactly like this.
- Sub-second fill time. Stamp a hidden timestamp when the form renders and compare it at submit. Nobody types a name, email, phone and message in under a second.
- Repeated user agent or IP across submissions. Three quote requests from the same fingerprint in ninety seconds is a script, not a homeowner.
- Nonsense field content. A URL in the name field, a message body that is only a link, a phone number of 1234567890.
The distinction matters because you treat them differently. A bot gets blocked before the tag fires. A bad-but-real lead still gets a reply, still counts as a conversion, and instead tells you your targeting or your offer is off — which is a paid ads problem, not a security one.
This is especially loud in trades where the ad click is expensive. An HVAC or roofing account paying $60 to $200 a click cannot afford a bidding model trained on garbage, and a law firm paying more than that per click really cannot.
What should your form send to the CRM to make spam obvious?
Six hidden values, none of them visible to the person filling in the form. Capture them on render, submit them with the payload, and store them on the CRM record — they cost nothing, and they are the difference between being able to retract a bad conversion later and being stuck with it forever.
| Hidden field | Why it exists | What it unlocks |
| gclid | The Google Ads click identifier from the landing URL | Retraction eligibility; ties the lead back to a click |
| submission_id | A UUID stamped at render | Serves as the order ID Google needs to identify a conversion |
| form_render_ts | Timestamp when the form painted | Fill-time check for sub-second submissions |
| page_url and referrer | Where they were and where they came from | Separates paid, organic, and direct endpoint hits |
| honeypot | The invisible decoy input | Populated means bot, full stop |
| verification_score | Turnstile or reCAPTCHA v3 result, verified server-side | The block decision, made before the tag fires |
Two rules on top of that. First, never fire the conversion tag client-side on submit. Fire it after your server accepts the submission, so a rejected bot never reaches the tag at all. Second, validate server-side regardless of what the browser said — anything enforced only in JavaScript is a suggestion, and a bot posting straight to your endpoint never runs your JavaScript.
This is plumbing, not strategy, and it is why so many agencies skip it. A dashboard full of conversions looks like a win. Nobody is inspecting the payloads behind it.
If your conversion count and your booked-call count have quietly stopped matching, that gap is where your budget is going. We will trace it end to end — tag firing conditions, form payload, search terms, bid strategy — in a free audit, and if the answer is a honeypot and thirty minutes of work, we will tell you that instead of selling you a retainer. Get my free audit.
Where does this fit in your stack?
If you're running a US service business, the playbook in this post pairs with our full services lineup and applies cleanly across our supported industries and US locations. If you want help implementing it, book a free strategy call — we'll review your current setup and prioritize the next three moves.
For the deeper engagement details, see our website design service. New to the terminology here? Our SEO & marketing glossary defines every acronym in this post.
Want this built for your vertical? See SEO for HVAC Companies, SEO for Law Firms, SEO for Roofing Contractors.
What are the most common questions about this topic?
Common questions readers send us about this topic.
Does contact form spam affect Google Ads performance?
Yes, badly, if bot submissions fire your conversion tag. Google describes Smart Bidding as optimizing for conversions in every auction, using signals like device, location, time of day, browser and the actual search query. Feed it bot conversions and it learns to bid toward whatever traffic profile produced those bots. Your reported cost per conversion stays flat while your real booked-call count falls, which is the worst possible failure mode because it looks like success.
Is a honeypot field better than reCAPTCHA?
It is the better first move, not a total replacement. A honeypot is a hidden form input that humans never see and never fill, so unsophisticated bots that populate every field in the DOM expose themselves. It is free, invisible, adds zero friction, and takes minutes to add. Its ceiling is real: a bot built specifically for your site will skip it. When that happens, add Cloudflare Turnstile behind the honeypot rather than swapping one for the other.
What is Cloudflare Turnstile and is it free?
Turnstile is what Cloudflare calls a smart CAPTCHA alternative that works without showing visitors a CAPTCHA. It offers Managed, Non-interactive and Invisible widget types; per Cloudflare's docs, visitors never need to interact with the non-interactive widget, and the invisible widget is completely hidden from the visitor. Cloudflare's plans page lists a free tier covering up to 20 widgets with unlimited challenges and 10 hostnames per widget, plus WCAG 2.2 AAA compliance.
How do I stop bots from submitting my contact form?
Work the ladder in order of what each step costs you in real leads. Add a honeypot field first, since it is free and invisible. Validate everything server-side, because a bot posting directly to your endpoint never runs your JavaScript. Rate-limit by IP. Then add Cloudflare Turnstile in invisible or non-interactive mode. Only fire your conversion tag after the server accepts a submission, so blocked bots never touch Google Ads.
Should I remove spam conversions from Google Ads?
Yes, and Google supports it: the Ads API has a RETRACTION conversion adjustment that removes a previously imported conversion. The constraint is identification. Google requires either an order ID or a matched GCLID and conversion timestamp to find the conversion you want retracted. If your form never captured a GCLID and never stamped a unique submission ID, you have no handle to retract with. Fix the form payload first, then retract.
Does reCAPTCHA hurt conversion rate?
The visible v2 checkbox adds friction to every real lead, which is the whole problem with it. Google's own reCAPTCHA v3 documentation pitches the score-based version on the grounds that it will never interrupt your users, so you can run it whenever you like without affecting conversion. Given that Zuko's benchmark of over 93 million form sessions puts average completion at 51.71%, roughly half your visitors already abandon. Do not add a puzzle to the survivors.
What score should I use as a reCAPTCHA v3 threshold?
Google's documentation says v3 returns a score where 1.0 is very likely a good interaction and 0.0 is very likely a bot, and that by default you can use a threshold of 0.5. Start there, but log every score for a few weeks before you enforce it. A threshold that blocks scores under 0.5 on a site whose real users mostly score 0.4 will quietly delete real leads, and you will never see the ones you lost.
Why should the conversion tag fire server-side instead of on submit?
Because a client-side tag fires the moment the browser posts the form, before anything has validated the submission. That means the bot's conversion is already in Google Ads by the time your spam filter sees it. Fire the tag only after your server accepts the submission and the honeypot, fill-time and verification-score checks all pass. Rejected submissions then never reach Google Ads at all, which beats retracting them later.
About the author
Hyder Shah
Founder & CEO, Foundgrove
Hyder Shah is the founder of Foundgrove, an SEO and GEO agency for US service businesses. See our editorial policy for how these guides are researched and reviewed.
Related reading
Other tactical pieces from the Foundgrove blog.
- Conversion · 10 min read
Form Length and Conversion Rate: How Many Fields Is Too Many?
Baymard found the average checkout runs 11.3 fields when 8 would do. Here's the 3-field primary form and 2-step qualifying pattern for service businesses.
Read the conversion playbook → - Paid Ads · 12 min read
Smart Bidding: Target CPA vs Target ROAS vs Max Conversions
Google says judge Smart Bidding over periods with 30+ conversions, 50 for Target ROAS. Here's how to pick the right strategy and set a real target.
Read the paid ads playbook → - Paid Ads · 11 min read
Negative Keywords Strategy for Service Businesses (2026)
Negative keywords are the cheapest efficiency lever in Google Ads. Here's the seed list, the audit cadence, and the close-variant trap that leaks budget.
Read the paid ads playbook → - Conversion · 7 min read
Jotform vs Typeform vs a Plain Form for Lead Capture
Typeform and Jotform both sell you a prettier form. For high-intent service leads, a plain native form beats both — and the embed breaks your tracking.
Read the conversion playbook → - Web Design · 11 min read
Website Launch Checklist: 22 Things That Break Day One
The launch failures that cost real money aren't visual: staging noindex, forms that email nobody, GA4 pageviews mistaken for conversions. Test each one.
Read the web design playbook →
Want help applying this to your business?
Book a free 30-minute call. We'll review your current acquisition stack and show you the three highest-leverage moves for your industry and state. Or read how our website design service works.