Clients with publicly listed phone numbers on their websites frequently experience bot/spam call volume that disrupts normal business operations. The core challenge is filtering automated calls without blocking legitimate customer inquiries — a false positive is a lost lead.
This article documents the problem pattern, known mitigation approaches, and open research items surfaced during client work.
Bot calls typically present as:
- Silent or dead-air calls (no voice on the other end)
- High frequency (potentially every 30–60 minutes at peak)
- Originating from scraped website phone numbers
The phone number is likely harvested directly from the website. Bots may be probing for live numbers, conducting phishing attempts, or performing robocall campaigns. The behavior is distinct from web form spam and requires a separate mitigation track.
Client example: [1] reported a significant increase in silent bot calls in early 2026, attributed to their phone number being publicly listed on their Hibu-hosted site. The issue was flagged as a priority item ahead of their new site launch. See [2].
Rendering the phone number as a non-scrapable element (e.g., click-to-call button, image, or JavaScript-rendered text) reduces automated harvesting. Bots that scrape static HTML cannot extract the number.
Trade-off: Reduces accessibility; some users prefer to copy/paste a number.
Adding Google reCAPTCHA (v2 "I'm not a robot" or v3 invisible) to web forms prevents bots from submitting contact requests that might trigger callback workflows. This does not directly address inbound bot calls but reduces form-originated spam.
Already standard practice on Asymmetric-built sites.
Most mobile carriers (and some VoIP providers) offer spam/robocall filtering at the network level. Options include:
- AT&T ActiveArmor, Verizon Call Filter, T-Mobile Scam Shield — free tiers available
- Third-party apps: Nomorobo, Hiya, RoboKiller
Trade-off: Carrier filters can occasionally flag legitimate business calls as spam. Client must evaluate false-positive risk.
Registering a business number with the FTC Do Not Call Registry may reduce some telemarketing volume but has limited effect on bot/phishing calls, which ignore the registry by nature.
Not recommended as a primary solution — and may create a false sense of protection.
If the client uses a VoIP system (e.g., RingCentral, Google Voice, Grasshopper), call screening rules can be configured to:
- Require callers to press a key before connecting ("press 1 to reach us")
- Block calls from known spam number lists
- Route unrecognized numbers to voicemail first
Trade-off: Key-press prompts add friction for legitimate callers. Must be tested carefully.
For sites where the phone number is embedded in pages, WordPress security plugins (e.g., Wordfence, Cloudflare integration) can limit scraping bots from crawling the site and harvesting contact data.
When recommending a solution, weigh:
| Factor | Consideration |
|---|---|
| Call volume severity | Is it a nuisance or operationally disruptive? |
| Business type | High inbound lead volume = higher cost of false positives |
| Phone infrastructure | Carrier vs. VoIP determines available controls |
| Client risk tolerance | Prefer to miss a bot call or risk missing a real lead? |
Default posture: Err toward preserving legitimate calls. Recommend layered, low-friction approaches (carrier filtering + website obfuscation) before aggressive blocking.
The following were flagged as needing further investigation: