How to block spammers and bots with reCAPTCHA forms

The internet as we know it is a blessing and a curse.

It has connected businesses to even more people and helped software companies develop solutions that can automate time-consuming tasks. 

Hackers and spammers, however, leverage the vast expanse of the internet to anonymously launch malicious programs that can steal information and bombard you with unwanted messages, all while covering up their tracks. 

This threat can be particularly problematic when you’re using data-collection tools, such as online forms and surveys, that are shared widely for people to fill out.

Adding reCAPTCHA to your forms will prevent malevolent spambots from infiltrating your Jotform account and the email inbox that’s tied to it. More important, this subtle security feature lets form respondents know their information is secure and less likely to be compromised by spammers.  

How to block spammers and bots with reCAPTCHA forms Image-1

Think of it as a security guard who allows people to access a building when they can furnish valid credentials, such as an ID badge or preset code. 

reCAPTCHA, in a similar fashion, allows people to submit a form once they solve a challenge that proves they’re a real person and not malware. 

Google Invisible reCAPTCHA takes this security feature to the next level by working discreetly while a form is filled out and presenting a human verification challenge only if bot-like actions are detected. 

The concept behind reCAPTCHA may seem simple, but there’s a lot going on behind the scenes to ensure your online data-collection tools are fortified against spammers and their arsenal of pesky bots. 

We’ll help get you up to speed by answering a few questions that may come to mind:

  • What’s the difference between reCAPTCHA, No CAPTCHA reCAPTCHA, and Google Invisible reCAPTCHA?
  • How does reCAPTCHA work?

What’s the difference between reCAPTCHA, No CAPTCHA reCAPTCHA, and Google Invisible reCAPTCHA?

For starters, the concept itself dates as far back as 2000 when it was known only as CAPTCHA, an acronym for Completely Automated Public Turing test to Tell Computers and Humans Apart. 

At that time, Yahoo used a software program that required people to type letters, numbers, or words that appeared in a distorted image. This was effective because bots couldn’t read the information, pass the verification challenge, and successfully sign up for an email account. 

Luis von Ahn, who developed CAPTCHA for Yahoo, later started a company called reCAPTCHA. 

Google acquired reCAPTCHA in 2009 and has taken steps to improve the security service as bots become even more sophisticated. Google’s efforts have led two subsequent iterations of reCAPTCHA: No CAPTCHA reCAPTCHA and Google Invisible reCAPTCHA. 

  • No CAPTCHA reCAPTCHA asks people to verify they aren’t a bot by clicking on a checkbox. If the security service detects bot-like behaviors, a challenge will appear and ask people to select images that meet specific criteria. 
How to block spammers and bots with reCAPTCHA forms Image-2
  • Google Invisible reCAPTCHA is a more inconspicuous version of NoCAPTCHA reCAPTCHA that works in the background while people are filling in their information. Since there’s an option to hide the “I’m not a robot” checkbox, most people won’t even know that the security service is working to determine whether they are a human or a bot. Regardless of whether the checkbox is invisible or not, a human verification challenge will appear only if the security service detects unusual bot-like behaviors, actions, or activities. That means most people can go about their business, share information, or make requests without ever noticing or interacting with the security service.  

How does reCAPTCHA work?

Google is typically mum about what happens under the hood but has provided some general insights on how reCAPTCHA works. 

As an online form is filled out, the reCAPTCHA system likely analyzes a number of variables, such as where a web page is being accessed, what the user previously viewed on the web, and cursor movements on the web page, to weigh whether a real person or a bot is present. 

When suspicious activity is detected, the grid-like identity verification challenge — with nine to 16 square-sized images — confirms whether a form is being filled out by a real person or not. In many cases, people are asked to select only those images that have specific objects in them. 

The results are then compared to selections made by other people who took the same image challenge. If everything matches up, those people who solved the image challenge can pass through and go about their business. 

This challenge is effective because bots still find it hard to pick objects from images and match them to specific, written descriptions. 

Unlike NoCAPTCHA reCAPTCHA, Google Invisible reCAPTCHA generates a score based on its security risk assessment that ranges from 0 for abusive traffic to 1 for good website traffic. 

Businesses that sign up for Google’s reCAPTCHA service and place it on their website can not only analyze these findings but also impose customized security measures once scores reach a certain threshold. That means you could, for instance, require two-factor authentication or email verification to access an online account. 


Spammers can cause a huge headache for businesses that must filter through unsolicited and often anonymous messages sent by spambots. In many cases, businesses dedicate thousands of dollars and set aside hours of work to not only troubleshoot the issue but also implement new safeguards.  

We’re accustomed to locking our doors and windows and turning on the alarm before heading out to ensure that intruders don’t break into our homes or businesses. 

Why not protect your forms from malicious spammers who can wreak havoc on your inbox, take valuable time away from important work, and ultimately harm your business? 

You already use passwords and security questions to safeguard your online accounts, but what are you using to protect your data-collection tools? 

No CAPTCHA reCAPTCHA technology adds a crucial layer of security to your forms without creating a hassle for the people who need to reach you. 

Google Invisible reCAPTCHA makes the process even more seamless by presenting an image challenge only when suspicious bot-like activities or behaviors are detected. 

Incorporate No CAPTCHA reCAPTCHA and Google Invisible reCAPTCHA into your forms today and see how you can easily steer clear of those spambots. 

Darin is a content marketer who's passionate about disrupting perceptions, solving problems, and helping people be more productive. Outside of the office, he is a rush-hour straphanger, adventure seeker, coffee drinker, and frequent traveler.

Send Comment:

Jotform Avatar
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Podo Comment Be the first to comment.