Identity Is Not Legitimacy: Vetting a Sales Lead Is an Arms Race

In a companion piece I laid out an idea for rating sales leads by identity: check the domain, the website, and the person behind the email, score each, and rank the real leads above the junk. That is not the whole story, though. Zoom out and you have to set identity against a second question: whether the submission itself is legitimate.

A lead can show up with a real name and a real email, even one lifted straight off a company’s team page, and pass every identity check while only meaning to bog your sales team down. The checks confirm the data is real. They say nothing about whether the submission is genuine. Once I started pulling that thread, every clever fix I came up with did the same frustrating thing. It made the attack more expensive without ever shutting it down. What follows is my attempt to track the current state of lead legitimacy.

What you can do at the form, and why AI erodes it

Capture-side bot checks help, mostly against traditional bots

The standard toolkit still has value: a honeypot field, form-fill timing, behavioral scoring like reCAPTCHA v3 or Cloudflare Turnstile, IP reputation and submission velocity. A well-built honeypot field reportedly catches the large majority of dumb bots at zero cost to the user, and pairing it with a timing check pushes that higher (OpenReplay, WorkOS). Those are vendor estimates rather than peer-reviewed numbers, but the shape is right. Keep these on.

The problem is what they assume. They assume the bot is in a hurry and behaves like a script. An AI agent can take its time, move a mouse on a natural-looking path, and spoof a browser fingerprint well enough to score as human, which is why people now describe behavioral CAPTCHA as losing ground (UNU, BroadChannel). These checks earn their keep against the cheap, high-volume bots. A motivated adversary with AI walks right past them.

A cleverer, AI-era honeypot

This next trick was my favorite, until I read up on it. Instead of a math question any AI solves instantly, hide a field that asks a complex, unrelated natural-language question a human will never see. A bot parsing the page may answer it and out itself, especially if you also watch the clock: a person cannot read and answer a hidden question in under two seconds, but an LLM agent does.

This is real and tested, just not novel. It is essentially Palisade Research’s LLM Agent Honeypot, which combines prompt-injection traps with response-time analysis and, over a few months, fingerprinted live AI agents out of millions of attempts. Cloudflare’s AI Labyrinth industrializes the hidden-link version of the same idea. The honest limit is the one you would guess: hardened agents already filter out fields with suspicious styling and skip them, and a 2025 paper on LLMs polluting online research recommends prompt injections only as hidden honeypot questions for exactly that reason. All it really buys you is a higher cost to the attacker.

One trap to avoid: do not scatter hidden “stop” instructions across your visible page to shoo AI away. Modern models increasingly treat hidden injected text as inert, and search engines read hidden text that differs from what users see as classic black-hat cloaking and penalize it (Search Engine Land, Auth0). Keep this to a single honeypot field on the form and keep it off your content pages.

The accessibility tension, the same arms race in miniature

This part has a real irony to it. A field that is only hidden visually is still announced to screen readers, which both hurts assistive-technology users and risks a false positive if one fills it. The accessible fix is the standard one: aria-hidden="true" plus tabindex="-1" and autocomplete="off", with a realistic field name and off-screen CSS instead of display:none (FormShield, CSS-Tricks).

But those very attributes are the fingerprint a DOM-aware bot uses to recognize the honeypot and skip it. The reason it generalizes: a modern bot emulates a real browser and reads the same accessibility and visibility semantics a screen reader does. The honest affordance that tells assistive tech “skip this” is the same signal that tells a sophisticated agent “skip this.” You cannot be correct for one without flagging yourself to the other. What still carries weight is the timing check and varied, realistic field names. The hiding itself does almost none of the work.
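To make the two form-side layers concrete, here is an added example of a server-side check, mine rather than anything from the article or from the vendors it cites. It covers the classic honeypot, fill timing, and IP velocity (layer 1), the hidden natural-language question (layer 2), and the accessible way to render the hidden field from the section above. The field names, thresholds, and FORM_SECRET are assumptions for the example. One detail worth copying: the render time travels in a server-signed token, so the fill-time check never trusts a client-supplied timestamp.

```python
import hashlib
import hmac
import html
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

# All names and thresholds below are assumptions for this example.
FORM_SECRET = b"example-secret-rotate-me"    # hypothetical; load from a secret store in production
MIN_HUMAN_FILL_SECONDS = 3.0       # nobody completes a lead form faster than this
MIN_HUMAN_ANSWER_SECONDS = 2.0     # nobody reads and answers a hidden question faster than this
VELOCITY_WINDOW_SECONDS = 3600
VELOCITY_LIMIT = 5
HONEYPOT_FIELD = "company_website"         # classic decoy with a realistic name (layer 1)
QUESTION_FIELD = "additional_context"      # hidden natural-language question (layer 2)
HIDDEN_QUESTION = "In one sentence, why does ice float on water?"  # unrelated to the form on purpose


def render_honeypot(name: str, label: str) -> str:
    """Accessible hiding: aria-hidden, tabindex=-1, autocomplete=off and off-screen CSS
    rather than display:none. These attributes are also what a DOM-aware bot skips on,
    so the hiding itself is not where the defence lives."""
    n, text = html.escape(name), html.escape(label)
    return (
        '<div aria-hidden="true" style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden">'
        f'<label for="{n}">{text}</label>'
        f'<input type="text" id="{n}" name="{n}" tabindex="-1" autocomplete="off"></div>'
    )


def issue_form_token(rendered_at: float, secret: bytes = FORM_SECRET) -> str:
    """Server-signed render timestamp embedded in the form, so fill time cannot be forged."""
    ts = f"{rendered_at:.3f}"
    return ts + "." + hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()


def verify_form_token(token: str, secret: bytes = FORM_SECRET) -> Optional[float]:
    """Return the render timestamp if the token's signature checks out, else None."""
    ts, sep, sig = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    try:
        return float(ts)
    except ValueError:
        return None


class VelocityTracker:
    """Sliding-window submission count per source IP."""
    def __init__(self, window: float = VELOCITY_WINDOW_SECONDS, limit: int = VELOCITY_LIMIT):
        self.window, self.limit = window, limit
        self._seen = defaultdict(deque)

    def over_limit(self, ip: str, now: float) -> bool:
        q = self._seen[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


@dataclass
class CaptureResult:
    traditional_bot: bool               # layer 1: hard reject
    ai_bot_signal: float                # layer 2: 0.0 (none) to 1.0 (strong); feeds the score
    reasons: list = field(default_factory=list)


def capture_side_checks(form: dict, ip: str, now: float, tracker: VelocityTracker) -> CaptureResult:
    """Layer 1 and layer 2 of the pipeline, run on the posted form fields."""
    r = CaptureResult(False, 0.0)
    rendered_at = verify_form_token(form.get("form_token", ""))
    elapsed = None if rendered_at is None else now - rendered_at
    if rendered_at is None:
        r.traditional_bot = True
        r.reasons.append("missing or forged form token")
    if form.get(HONEYPOT_FIELD, "").strip():
        r.traditional_bot = True
        r.reasons.append("honeypot field filled")
    if elapsed is not None and elapsed < MIN_HUMAN_FILL_SECONDS:
        r.traditional_bot = True
        r.reasons.append(f"form filled in {elapsed:.1f}s")
    if tracker.over_limit(ip, now):
        r.traditional_bot = True
        r.reasons.append("submission velocity over limit for this IP")
    # Layer 2: only something parsing the page sees the hidden question, let alone answers it
    if form.get(QUESTION_FIELD, "").strip():
        r.ai_bot_signal = 0.6
        r.reasons.append("hidden question answered")
        if elapsed is not None and elapsed < MIN_HUMAN_ANSWER_SECONDS:
            r.ai_bot_signal = 1.0
            r.reasons.append("answered faster than a human could read it")
    return r
```

Filling the honeypot, finishing in a few seconds, or tripping the velocity limit hard-rejects, which matches the rule that only the obvious traditional bots get thrown out. Answering the hidden question only raises an AI-bot signal that the scoring pipeline later weighs, and answering it faster than a person could read it pushes that signal to its maximum. The attribute set in render_honeypot is exactly the fingerprint a DOM-aware bot can skip on, which is why the timing token, not the hiding, carries the weight here.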

Why a verification step doesn’t settle it

Email verification falls to AI

The intuitive next move is to make the lead confirm they are who they say. Send a confirmation email, or a marketing email engineered to get them to click. It feels like proof a human is on the other end, and a few years ago it was. That stopped being true once there was infrastructure that gives an AI agent its own inbox specifically so it can receive that email, parse the link or code, and complete the flow on its own (AgentMail, OpenMail). Double opt-in was built to filter automation, and agents now walk straight through it.

Phone and SMS verification is a stronger indicator, but a gate that backfires

A phone number is harder to come by than an email, though not by much. Disposable and virtual numbers, “rented” tenured numbers, and SIM farms all exist, and commoditized OTP bots read the code out of the text and submit it for you (Authgear, Stytch). The low-friction way to use a phone number is passively: look up its line type and country and reject out-of-region or non-fixed VoIP numbers like Google Voice before you ever send anything, then make only the suspicious submissions do an actual code step so you do not crater conversion on real buyers (Twilio Lookup).

Treat a passed code as a soft positive that the person controls a real, in-region number. Do not let it harden into a throw-it-out gate. It adds friction, an AI can complete it, and worst of all it opens a brand-new attack surface: SMS pumping, also called toll fraud, where bots feed your form premium-rate numbers they control and run up your messaging bill, with one cut going to them. It is a real and expensive problem; Twitter reportedly lost around 60 million dollars a year to it before cutting SMS two-factor entirely (Twilio, Group-IB). The step you added to stop spam becomes a thing spammers exploit to cost you money.
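As an added example of the passive-first approach, not code from the article or from Twilio, here is a decision function that rejects out-of-region and non-fixed-VoIP numbers from a line-type lookup before anything is sent, asks for a code only on suspicious submissions, and adds a per-prefix send budget as a backstop against SMS pumping. The lookup dict shape, the line-type labels, the allowed countries, and the limits are assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed categories and limits; real lookup providers use their own labels.
REJECT_LINE_TYPES = {"nonFixedVoip", "premium", "sharedCost", "pager", "unknown"}
ALLOWED_COUNTRIES = {"US", "CA"}       # hypothetical sales territory
SEND_LIMIT_PER_PREFIX = 20             # verification messages per prefix per window
SEND_WINDOW_SECONDS = 3600


@dataclass
class PhoneDecision:
    action: str     # "reject" | "accept_passive" | "step_up" | "budget_exceeded"
    reason: str


def passive_phone_check(lookup: dict, suspicious: bool,
                        allowed=ALLOWED_COUNTRIES) -> PhoneDecision:
    """Decide before sending anything. `lookup` is the result of a passive line-type
    lookup, shaped here as {"country": "US", "line_type": "mobile"} (an assumption)."""
    country = lookup.get("country")
    line_type = lookup.get("line_type", "unknown")
    if country not in allowed:
        return PhoneDecision("reject", f"out-of-region number ({country})")
    if line_type in REJECT_LINE_TYPES:
        return PhoneDecision("reject", f"line type {line_type!r} not accepted")
    if suspicious:
        return PhoneDecision("step_up", "suspicious submission: require a one-time code")
    return PhoneDecision("accept_passive", "in-region mobile or fixed line; no code sent")


class SendBudget:
    """Cap outbound verification messages per destination prefix per window. A backstop
    against SMS pumping: even if a gate is bypassed, one prefix cannot run up the bill."""
    def __init__(self, limit=SEND_LIMIT_PER_PREFIX, window=SEND_WINDOW_SECONDS, prefix_len=5):
        self.limit, self.window, self.prefix_len = limit, window, prefix_len
        self._sent = defaultdict(deque)

    def allow(self, e164: str, now: float) -> bool:
        q = self._sent[e164[:self.prefix_len]]     # crude prefix: country code plus leading digits
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def decide_phone_step(lookup: dict, e164: str, suspicious: bool,
                      budget: SendBudget, now: float) -> PhoneDecision:
    """Passive filter first; only an actual step-up consumes send budget."""
    d = passive_phone_check(lookup, suspicious)
    if d.action == "step_up" and not budget.allow(e164, now):
        return PhoneDecision("budget_exceeded", "send cap for this prefix reached; no code sent")
    return d
```

The order matters: the cheap lookup rejects before a message exists to pay for, the code step is spent only on submissions that already look suspicious, and the prefix budget limits the damage if a run of premium-rate numbers ever gets past the earlier checks. A passed code then feeds the score as a soft positive rather than acting as a gate of its own.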

The one place the layers reinforce each other

One move actually pays off, and it only works because of the companion article. Identity and verification are each easy to fool on their own. Stack them together and they get much harder to beat. Identity alone proves a matching real person appears to exist, but anyone can type that name and email. Verification alone proves the submitter controls some inbox or number, but it could be a throwaway they own. The intersection is the part that is genuinely hard to fake: passing both means controlling the actual contact method of a real person whose public footprint, their LinkedIn, the company site, the role the domain implies, corroborates them. That is close to actually being them.

So gate it. Use the identity score from the companion piece as the trigger, and only spend a verification step on leads that already clear the identity threshold. You get two things for that. A verification pass is only meaningful once identity says the person looks real and corroborated. And gating the send closes off the SMS-pumping problem from the last section, because a bot spraying premium-rate numbers never reaches the send, since it never clears identity in the first place.

None of this is a new invention, to be clear. It is risk-based step-up verification, where you only spend the expensive check on cases that warrant it, plus the cross-reference-everything logic that fraud and KYC teams have leaned on for years to catch synthetic identities, and it is productized by the likes of Prove and Entrust. The mechanism is borrowed wholesale. The only fresh part is pointing it at sales-lead scoring and using the identity score itself as the gate.

I will not oversell it. It does nothing for the legitimate buyer using a personal email, who has no corporate footprint to match against. And a determined actor who genuinely controls a matching person’s inbox, including that real person deciding to waste your time, still passes. Call it the keystone, the strongest single signal you can assemble, and leave it there. It will still let some bad leads through.

The leading edge

Everything above is solid current practice, but it is not where the front of this has moved. Detection itself got much better. Device intelligence at billion-device scale now ships with explicit authorized-AI-agent detection, and behavioral biometrics ask a sharper question than any honeypot can: do you move like a real person, in your typing cadence and mouse path? Paired with persistent device fingerprinting, these catch coordinated abuse that sails past an OTP. But notice they are still guessing from behavior, which is the exact game the rest of this article says you slowly lose.

The real shift is to stop guessing and ask for a signature. Web Bot Auth, an IETF draft built on signed HTTP requests, has an agent prove its identity with a published cryptographic key instead of leaving you to infer it, so a site can allow, rate-limit, or deny per identity rather than per guess. It is already backed by Cloudflare, Akamai, Amazon’s agent browser, and Google, which shipped a dedicated Google-Agent identity in March 2026. Running alongside it, proof-of-personhood and “know your agent” work bind an agent back to an accountable, verified human. The whole question flips from “human or bot?” to “which verified human is this agent acting for, and is it allowed to do this?”

I will be honest about the limit. This is mostly draft and preview in mid-2026, and it does nothing for an anonymous spammer who simply will not present a signature on your public lead form. But it is the first approach that stops depending on out-detecting an adversary who keeps getting better. If this arms race has a durable exit, it runs through verifiable identity. A cleverer trap will not get you there.

The arms race as a scoring pipeline

No single layer blocks a determined adversary, and that is the point. Stack them and each one contributes a signal, and those signals roll up into one number the sales team can sort by, the same way the identity checks did in the companion piece. Nothing here hard-rejects except the obvious traditional bots. A determined human or AI still gets a number, just a low one, while a real buyer floats to the top.

   Form submission  (name, email, maybe phone)
        |
        v
   Layer 1 - Capture-side bot checks                -> traditional-bot score
   honeypot, fill timing, reCAPTCHA v3, IP velocity
        |
        v
   Layer 2 - Prompt-injection honeypot + timing     -> AI-bot signal
   a hidden question only a page parser would answer
        |
        v
   Layer 3 - Identity checks (companion article)    -> identity score 0 to 10
   domain age, website match, person footprint
        |
        v
   Gate - is the identity score above threshold?
        |                         |
       no                        yes
        |                         |
        v                         v
   skip verification         Layer 4 - Verification   -> control signal
   no SMS-pump exposure      gated email / SMS,
        |                    line-type + region filter
        |                         |
        |                         v
        |                 identity x control = keystone
        |                         |
        +------------+------------+
                     |
                     v
   + durable signals over time
     (post-submission engagement, domain history)
                     |
                     v
   Legitimacy score 0 to 10   ->   a dial sales sorts by
                     |
                     v
   Sales team works the highest scores first

The gate matters: spending the verification step only on leads that already clear the identity threshold is what keeps the SMS-pumping attack surface closed and keeps friction off real buyers. Everything else just nudges the score up or down.
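Here is the pipeline above expressed as an added scoring example, mine rather than the article's, which also implements the gate from the keystone section: verification is only spent on leads that clear the identity threshold and the passive phone filter, and the roll-up clamps to 0 to 10. IDENTITY_THRESHOLD and the weights are illustrative assumptions; the identity score itself is whatever the companion article's checks produce, and the layer 1 and 2 inputs are whatever the form-side checks produce.

```python
from dataclasses import dataclass, field
from typing import List, Optional

IDENTITY_THRESHOLD = 6.0   # hypothetical gate on the 0-10 identity score


@dataclass
class LeadSignals:
    traditional_bot: bool        # layer 1 outcome (hard reject)
    ai_bot_signal: float         # layer 2, 0.0 to 1.0
    identity_score: float        # layer 3, 0 to 10 (companion article)
    phone_filter_ok: bool        # passive line-type and region check passed
    durable_signal: float        # post-submission engagement, 0.0 to 1.0


@dataclass
class LeadOutcome:
    legitimacy: float            # 0 to 10, the dial sales sorts by
    verification_sent: bool
    keystone: bool               # identity x control
    hard_rejected: bool
    notes: List[str] = field(default_factory=list)


def should_send_verification(sig: LeadSignals) -> bool:
    """The gate: spend the email/SMS step only on leads that already clear identity,
    so a bot spraying premium-rate numbers never reaches the send."""
    return (not sig.traditional_bot
            and sig.identity_score >= IDENTITY_THRESHOLD
            and sig.phone_filter_ok)


def legitimacy_score(sig: LeadSignals, control: Optional[bool]) -> LeadOutcome:
    """Roll the layer signals into one number. `control` is the verification result:
    True passed, False failed or ignored, None not sent. Weights are illustrative."""
    out = LeadOutcome(0.0, False, False, False)
    if sig.traditional_bot:
        out.hard_rejected = True
        out.notes.append("layer 1: traditional bot, rejected")
        return out
    score = sig.identity_score
    if sig.ai_bot_signal > 0:
        penalty = 3.0 * sig.ai_bot_signal
        score -= penalty
        out.notes.append(f"layer 2: AI-bot signal, -{penalty:.1f}")
    out.verification_sent = should_send_verification(sig)
    if out.verification_sent:
        if control is True:
            score += 2.0
            out.keystone = True
            out.notes.append("layer 4: controls the contact method of a corroborated person")
        elif control is False:
            score -= 2.0
            out.notes.append("layer 4: verification failed or ignored")
        else:
            out.notes.append("layer 4: verification pending")
    else:
        why = ("identity below threshold" if sig.identity_score < IDENTITY_THRESHOLD
               else "phone failed the passive filter")
        out.notes.append(f"gate: verification skipped ({why})")
    score += sig.durable_signal          # engagement over time nudges the score up
    out.legitimacy = round(max(0.0, min(10.0, score)), 1)
    return out


def work_queue(scored: List[LeadOutcome]) -> List[LeadOutcome]:
    """Hard rejects drop out; everything else is sorted, highest legitimacy first."""
    return sorted((o for o in scored if not o.hard_rejected),
                  key=lambda o: o.legitimacy, reverse=True)
```

Three cases show the shape of the thing. A corroborated buyer who also passes verification lands at the top with the keystone set. A submission with a low identity score never triggers a send at all, whatever number it typed, which is the SMS-pumping closure. And an agent that lifted a real name scores high on identity, so it does get a verification step, but it cannot control that person's inbox, so it fails and sinks to a low number without being rejected outright.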

Where that leaves us

Identity is the part you can actually deliver. Legitimacy is an arms race that never fully resolves. Anything you can verify at the exact moment of submission can be faked or auto-completed by an adversary with AI, and the more I dug, the more every “gotcha” turned into a toll booth the determined ones simply pay.

The signals that hold up are the ones that are expensive to fake at scale and that play out over time. Matching the email to an aged, reputable company domain, because spinning up a website takes an afternoon and building a credible history takes years. Genuine engagement after the fact: real opens, return visits, an actual reply and a conversation. And human judgment on the leads that sit on the line. None of those are instant, which is exactly why they are harder to spoof.

So rank your real leads with the identity checks, keep the traditional-bot defenses on for what they do catch, and accept that proving good-faith intent is something you manage over time. The form is the wrong place to expect a final answer. If you want the upstream half of this, scoring and ranking the leads that are real, that is the companion article.

References

Bot detection, honeypots, and CAPTCHA decay:

Prompt-injection honeypots and hidden-prompt cloaking:

Email verification defeated by agents:

Phone and SMS verification, line-type filtering, and SMS pumping:

Risk-based verification and the leading edge:
