Agency insights
Thoughts and lessons on client selection, burnout, pricing, and modernising legacy accounts, from someone who's run a Google Ads for years.
Published April 2025. Last updated April 2025.
Spam leads are a real problem. If you’re running Google Ads—especially Performance Max campaigns—you’re probably paying for junk leads.
Most people turn to tools like CAPTCHA to slow down the spam. But there’s another approach starting to get attention: two-factor authentication (2FA). It’s not widely used on contact forms yet, but it can help reduce spam leads.
That said, it comes with some real downsides. But first...
2FA adds an extra step before someone can complete a form. You’ve probably seen it when logging into your bank—you enter your email or phone number, and then get a code to confirm your identity.
This helps cut spam because bots and low-effort human spammers:
But it also comes with some drawbacks...
2FA makes your form more secure—but also harder to use. People will tolerate 2FA to access their bank or change a Google Ads budget, but it’s a big ask for a simple enquiry.
You will lose real leads:
Here’s a risk that’s easy to overlook.
Spammers often use real contact details leaked in data breaches. If you send a 2FA code to that number or address, you’re contacting someone who never asked to hear from you.
Even though you have good intentions, they might:
That hurts your sender reputation. More of your messages end up in spam folders—or don’t get delivered at all. If it happens too often, your ISP or SMS provider might suspend your account.
In some countries, sending unwanted emails or texts is actually illegal. Maybe I’m being too cautious, but some people get pretty tetchy when they think their info’s been misused.
Let’s say someone fills out your form using a leaked—but real—phone number or email address. Your 2FA system kicks in and sends a code.
If it happens once, no big deal (maybe). But if a spammer does it 50 times...
And there is another risk. To some scammers, your contact form isn’t a way to reach you—it’s an ATM.
SMS pumping is a scam where bad actors trigger floods of fake verification messages to premium-rate numbers they own. Each one earns them a small payout, and the cost lands on you. If your form sends codes automatically, they can rack up a serious bill before you even know what’s happening.
Adding 2FA might make sense in specific situations:
If you’re going to use 2FA, here are a few ways to reduce the risks. Some are a bit technical—I won’t go into the weeds, but feel free to contact me if you want help.
If 2FA feels like overkill, here are some lighter options:
My go-to solution is a clean, two-step form. It blocks most spam without hurting conversions.
You can see it in action here: pete-bowen.com/contact
Thoughts and lessons on client selection, burnout, pricing, and modernising legacy accounts, from someone who's run a Google Ads for years.
Understand what happens after someone clicks your advert. Subjects include offline conversions, CRM integration, attribution, auditability and marketing instrumentation.
Articles about marketing, engineering, AI and problem solving that don't fit neatly into the other topics. These are some of the ideas and experiences that have shaped how I think.
Learn how to use Google Ads to generate profitable leads. Subjects include campaign strategy, bidding, targeting, optimisation and the challenges of running lead generation campaigns.
Things I've learned about high-converting landing pages. Subjects include copywriting, page structure, forms, trust, conversion rate optimisation and user experience.
Understand why some leads become customers while others don't. Subjects include diagnosing poor leads, qualification, filtering junk leads and improving the feedback you send to Google Ads.
What happens after a lead has been generated determines if Google Ads is profitable. Subjects include first contact, follow-up, quoting, lead nurturing and turning more enquiries into customers.