wiki/knowledge/call-tracking/bot-call-mitigation.md Layer 2 article 673 words Updated: 2026-04-05
call-tracking bot-calls spam phone website

Bot Call Mitigation Strategies

Overview

Clients with publicly listed phone numbers on their websites frequently experience bot/spam call volume that disrupts normal business operations. The core challenge is filtering automated calls without blocking legitimate customer inquiries — a false positive is a lost lead.

This article documents the problem pattern, known mitigation approaches, and open research items surfaced during client work.

The Problem Pattern

Bot calls typically present as:
- Silent or dead-air calls (no voice on the other end)
- High frequency (potentially every 30–60 minutes at peak)
- Originating from scraped website phone numbers

The phone number is likely harvested directly from the website. Bots may be probing for live numbers, conducting phishing attempts, or performing robocall campaigns. The behavior is distinct from web form spam and requires a separate mitigation track.

Client example: [1] reported a significant increase in silent bot calls in early 2026, attributed to their phone number being publicly listed on their Hibu-hosted site. The issue was flagged as a priority item ahead of their new site launch. See [2].

Mitigation Approaches

1. Website-Side: Phone Number Obfuscation / Click-to-Call Only

Rendering the phone number as a non-scrapable element (e.g., click-to-call button, image, or JavaScript-rendered text) reduces automated harvesting. Bots that scrape static HTML cannot extract a number that does not appear in the served markup.

Trade-off: Reduces accessibility; some users prefer to copy/paste a number.
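
The audit below is an added example, not part of the original article or of any client site's code. Given the client's known number, it reports where that number is still recoverable from served HTML, which shows that a click-to-call button with a `tel:` link stays scrapable unless the number is kept out of the markup. The sample pages, the number (202) 555-0143 and the `/contact-number` endpoint are constructed for illustration.

```javascript
// Added example: check served HTML for a known phone number (defensive audit).
const digitsOnly = (s) => s.replace(/\D/g, "");

// Returns the places where `phone` can be read out of static markup.
function auditPhoneExposure(html, phone) {
  const target = digitsOnly(phone).slice(-10); // compare on the national number
  if (target.length < 7) throw new Error("phone number too short to audit");
  const findings = [];

  // 1. tel: links. A click-to-call button still carries the number here.
  for (const m of html.matchAll(/href\s*=\s*["']tel:([^"']+)["']/gi)) {
    if (digitsOnly(m[1]).endsWith(target)) { findings.push("tel-href"); break; }
  }
  // 2. Script bodies, including JSON-LD "telephone" fields.
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    if (digitsOnly(m[1]).includes(target)) { findings.push("script-body"); break; }
  }
  // 3. Visible text. Tags are stripped first, so a number split across
  //    several <span> elements is still caught.
  const text = html.replace(/<script\b[\s\S]*?<\/script>/gi, " ")
                   .replace(/<[^>]+>/g, " ");
  if (digitsOnly(text).includes(target)) findings.push("visible-text");
  return findings;
}

const PHONE = "(202) 555-0143"; // constructed, fictional number

// Constructed sample pages.
const EXPOSED = `<a href="tel:+12025550143">Call (202) 555-0143</a>
<script type="application/ld+json">{"telephone":"+1-202-555-0143"}</script>`;
const BUTTON_ONLY = `<a class="btn" href="tel:+12025550143">Call us</a>`;
// Number is fetched on click from a hypothetical endpoint, so it never
// appears in the served markup.
const DEFERRED = `<button id="call">Call us</button>
<script>document.getElementById("call").onclick = async () => {
  location.href = "tel:" + await (await fetch("/contact-number")).text();
};</script>`;

for (const [name, page] of Object.entries({ EXPOSED, BUTTON_ONLY, DEFERRED })) {
  console.log(name, auditPhoneExposure(page, PHONE));
}
```

Run it against the HTML the server actually returns rather than the rendered browser DOM, since the served response is what a static scraper sees.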

2. Website-Side: reCAPTCHA on Contact Forms

Adding Google reCAPTCHA (v2 "I'm not a robot" or v3 invisible) to web forms prevents bots from submitting contact requests that might trigger callback workflows. This does not directly address inbound bot calls but reduces form-originated spam.

Already standard practice on Asymmetric-built sites.

3. Carrier-Level: Spam Call Filtering

Most mobile carriers (and some VoIP providers) offer spam/robocall filtering at the network level. Options include:
- AT&T ActiveArmor, Verizon Call Filter, T-Mobile Scam Shield — free tiers available
- Third-party apps: Nomorobo, Hiya, RoboKiller

Trade-off: Carrier filters can occasionally flag legitimate business calls as spam. Client must evaluate false-positive risk.

4. Do Not Call Registry

Registering a business number with the FTC Do Not Call Registry may reduce some telemarketing volume but has limited effect on bot/phishing calls, which ignore the registry by nature.

Not recommended as a primary solution — and may create a false sense of protection.

5. VoIP/Phone System: Call Screening Rules

If the client uses a VoIP system (e.g., RingCentral, Google Voice, Grasshopper), call screening rules can be configured to:
- Require callers to press a key before connecting ("press 1 to reach us")
- Block calls from known spam number lists
- Route unrecognized numbers to voicemail first

Trade-off: Key-press prompts add friction for legitimate callers. Must be tested carefully.

6. WordPress Plugin: Bot Protection

For sites where the phone number is embedded in pages, WordPress security plugins (e.g., Wordfence, Cloudflare integration) can restrict scraping bots that crawl the site and harvest contact data.

Decision Criteria

When recommending a solution, weigh:

| Factor | Consideration |
| --- | --- |
| Call volume severity | Is it a nuisance or operationally disruptive? |
| Business type | High inbound lead volume = higher cost of false positives |
| Phone infrastructure | Carrier vs. VoIP determines available controls |
| Client risk tolerance | Prefer to miss a bot call or risk missing a real lead? |

Default posture: Err toward preserving legitimate calls. Recommend layered, low-friction approaches (carrier filtering + website obfuscation) before aggressive blocking.

Open Research Items

The following were flagged as needing further investigation: