Here’s exactly how to stop fake leads from your online forms, step by step. Pick your setup (Meta Instant Form, Landing Page with OTP, or Landing Page with validation) and follow the instructions.

Setup A: How to enable phone OTP on Meta Instant Forms (5 steps)
1) Create or edit your lead form
– Go to Ads Manager > Create > Leads > Instant Form (or edit an existing form).
– Choose the form type you normally use (e.g., Higher Intent is fine).

2) Add the phone number field
– Make Phone number a required field.
– Ensure the correct country format is applied for your audience.

3) Turn on OTP/Contact field verification for phone
– In the form builder, open Settings or the field-level options.
– Look for a setting labeled Verify phone, Contact field verification, or OTP. Toggle it ON for phone numbers.
– If available, set the verification to Required so the form only submits after a correct code is entered.

4) Add clear copy for users
– In the form intro or near the phone field, add: “We’ll text you a one-time code to confirm your number.”

5) Test the full flow
– In Ads Manager, use Preview to open the form on your phone and desktop.
– Enter a real phone number > receive code > enter code > submit.
– Confirm the lead arrives in your CRM with the verified phone number.

Setup B: How to add OTP to your landing page form (8 steps)
1) Pick an OTP provider
– Options: Twilio Verify, MessageBird Verify, AWS SNS/Pinpoint, Firebase Phone Auth.
– Create an account and get API credentials.

2) Validate the phone on the front end
– Use a library like libphonenumber to format and validate the number (e.g., E.164 format).
– Disable the “Send code” button until the number passes basic validation.

3) Build the Send Code endpoint (server)
– Endpoint: POST /otp/send
– Inputs: phone_number, country (optional)
– Actions:
 – Generate a 6-digit code.
 – Store a hashed version with a 5–10 minute TTL (e.g., Redis/DB) keyed by phone_number + session.
 – Rate-limit by IP/phone (e.g., 1 request per 30–60 seconds, max 3–5 attempts per hour).
 – Call your OTP provider to send the SMS.
– Response: success or error message for the UI.

4) Build the Verify Code endpoint (server)
– Endpoint: POST /otp/verify
– Inputs: phone_number, code
– Actions:
 – Look up the hashed code, then check both the match and the TTL.
 – On success, mark phone_verified = true (session flag or signed token returned to client).
 – Invalidate used codes.
– Response: verified flag or a short-lived token you’ll require to submit the form.

5) Update your form UI
– Fields: Name, Email, Phone, OTP code input, Submit.
– Flow:
 – User enters phone > clicks Send code.
 – Show timer (e.g., “Resend in 30s”) and display the OTP input field.
 – On code entry, call /otp/verify and show “Phone verified” if successful.
 – Enable the Submit button only when phone_verified = true.

6) Secure the final submit (server)
– On form submit, verify the phone_verified flag/token server-side before accepting the lead.
– Reject submissions without a valid verification token.

7) Handle edge cases
– Allow resend after 30–60 seconds with a visible countdown.
– Limit wrong code attempts (e.g., lock after 5 tries, ask to resend).
– Optional fallback: offer a voice call OTP if SMS fails.

8) Test the end-to-end journey
– Real number: should receive code and submit successfully.
– Wrong code: blocked with a clear error.
– Expired code: prompt to resend.
– Multiple rapid attempts: rate-limit errors appear.
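
The server side of steps 3, 4, 6 and 7 can be sketched as follows. This is an added example, not code from the original page or from any OTP provider. The in-memory dict standing in for Redis, the `sms` callback, the token format and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: load a fixed secret from config in production
CODE_TTL, RESEND_COOLDOWN = 300, 30   # seconds: 5-minute code lifetime, 30 s between sends
MAX_WRONG, TOKEN_TTL = 5, 600         # lock after 5 wrong tries; token lifetime is an assumption
_store = {}                           # stand-in for Redis, keyed by (phone, session)


def _mac(*parts):
    # Keyed HMAC: a bare hash of a 6-digit code is trivially brute-forced if the store leaks.
    return hmac.new(SERVER_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def send_code(phone, session, now=None, sms=lambda phone, code: None):
    now = time.time() if now is None else now
    rec = _store.get((phone, session))
    if rec and now - rec["sent"] < RESEND_COOLDOWN:
        return "rate_limited"
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
    _store[(phone, session)] = {"hash": _mac(phone, session, code), "sent": now, "wrong": 0}
    sms(phone, code)                          # the OTP provider call goes here
    return "sent"


def verify_code(phone, session, code, now=None):
    now = time.time() if now is None else now
    rec = _store.get((phone, session))
    if rec is None or now - rec["sent"] > CODE_TTL:
        _store.pop((phone, session), None)    # never sent, or expired
        return None
    if not hmac.compare_digest(rec["hash"], _mac(phone, session, code)):
        rec["wrong"] += 1
        if rec["wrong"] >= MAX_WRONG:
            del _store[(phone, session)]      # locked: user must request a new code
        return None
    del _store[(phone, session)]              # codes are single use
    exp = str(int(now) + TOKEN_TTL)
    return f"{exp}.{_mac('verified', phone, exp)}"


def accept_lead(phone, token, now=None):
    # Final submit: recompute the signature server-side; never trust a client flag.
    now = time.time() if now is None else now
    exp, _, sig = (token or "").partition(".")
    if not exp.isdecimal() or int(exp) < now:
        return False
    return hmac.compare_digest(sig.encode(), _mac("verified", phone, exp).encode())
```

The token is bound to the phone number, so a token earned for one number cannot be replayed with another. Per-IP and hourly send caps from step 3 would sit in front of `send_code` and are not shown.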

Setup C: How to reduce fake leads without OTP using real-time checks (7 steps)
1) Front-end validation for phone and email
– Phone: use libphonenumber for format and length.
– Email: basic syntax check (HTML5 email input or a proven validator).

2) Server-side hard checks (don’t rely only on the browser)
– Re-validate phone and email server-side.
– Block obvious fakes: repeated digits (e.g., 1111111111), known test values (test@test.com), and empty/invalid patterns.

3) Use email verification APIs
– Options: Kickbox, ZeroBounce, NeverBounce, Emailable.
– On submit, run a quick verify call for deliverability and disposable-domain detection.
– If undeliverable or disposable, reject or ask for a different email.

4) Use phone intelligence APIs (optional)
– Options: numverify, AbstractAPI, Twilio Lookup.
– Check line type (mobile vs. VoIP), country match, number validity.
– Reject invalid numbers and prompt for correction.

5) Block disposable and typo domains
– Maintain a list of disposable domains (update it regularly) and suggest fixes for common typos (e.g., gmail.com vs. gmial.com).
– Show inline suggestions: “Did you mean gmail.com?”

6) Add friction for bots, not humans
– Add a hidden honeypot field and time-on-page check (reject forms submitted in <2–3 seconds).
– Use reCAPTCHA v3 or hCaptcha with server-side verification.
– Rate-limit by IP/device for rapid, repeated submissions.

7) De-duplicate and throttle
– Before saving, check if the same phone/email was submitted recently (e.g., last 24–72 hours).
– If duplicate, merge or flag instead of creating a new lead record.
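
The server-side checks from steps 2, 5, 6 and 7 can be combined into one screening function that runs before a lead is saved. This is an added example, not code from the original page. The honeypot field name `website`, the sample domain lists, the 7-digit minimum and the `recent` lookup table are assumptions, and `rendered_at` is assumed to be a timestamp the server issued when it served the form.

```python
import re

DISPOSABLE = {"mailinator.com", "guerrillamail.com"}   # constructed sample; load a maintained list
TYPO_FIXES = {"gmial.com": "gmail.com", "gmal.com": "gmail.com"}  # constructed sample
TEST_VALUES = {"test@test.com"}
MIN_FILL_SECONDS = 3          # reject forms submitted faster than a human can type
DEDUPE_WINDOW = 24 * 3600     # low end of the 24-72 hour range
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def screen_lead(form, rendered_at, now, recent):
    """Return (verdict, detail). `recent` maps phone/email to last submit time."""
    email = form.get("email", "").strip().lower()
    digits = re.sub(r"\D", "", form.get("phone", ""))
    if form.get("website"):                 # honeypot: hidden field humans never fill
        return ("reject", "honeypot")
    if now - rendered_at < MIN_FILL_SECONDS:
        return ("reject", "too_fast")
    m = EMAIL_RE.match(email)
    if not m or email in TEST_VALUES:
        return ("reject", "bad_email")
    domain = m.group(1)
    if domain in TYPO_FIXES:                # drives the "Did you mean ...?" prompt
        return ("suggest", TYPO_FIXES[domain])
    if domain in DISPOSABLE:
        return ("reject", "disposable_email")
    # Coarse hard check only; full validation belongs to libphonenumber.
    if not 7 <= len(digits) <= 15 or len(set(digits)) == 1:
        return ("reject", "bad_phone")
    for key in (email, digits):
        last = recent.get(key)
        if last is not None and now - last < DEDUPE_WINDOW:
            return ("flag", "duplicate")    # merge or flag, do not create a new record
    recent[email] = recent[digits] = now
    return ("accept", "")
```

Log the verdict and detail for every submission so the rules can be tuned against real traffic without guessing which check is rejecting legitimate leads.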

Copy you can paste (for clarity and trust)
– Near phone field: “We’ll send a one-time code to confirm your number and keep spam away.”
– Near email field: “We verify email to make sure we can reach you.”
– Error examples:
 – “That code is incorrect. Try again or resend a new code.”
 – “We couldn’t verify this email. Please use a valid, non-disposable email.”

Test checklist (run this before going live)
– Meta Instant Form OTP:
 – Preview on iOS and Android, verify code arrival and submission.
 – Confirm CRM receives verified phone.
– Landing Page OTP:
 – Valid number flow, wrong code, expired code, resend limit, voice fallback (if enabled).
 – Server rejects submit without verified token.
– Validation-only setup:
 – Block disposable email, suggest typo fixes, block obvious fake numbers, pass a real contact.
 – CAPTCHA score/response is logged and validated server-side.

Quick implementation plan
– If you use Meta Instant Forms: 20–30 minutes to enable OTP and test.
– If you add OTP to a landing page: 2–6 hours to wire provider, endpoints, UI, and tests.
– If you add validation only: 1–3 hours to integrate libraries/APIs and rules.

Want help implementing any of these setups? Book a free consultation: https://kratos.marketing/kratos-consultation/

KEY STEPS RECAP
– Meta Instant Forms: Turn on phone OTP and test the submission flow.
– Landing Pages (OTP): Add send/verify endpoints, gate submit until verified, and rate-limit.
– Landing Pages (No OTP): Add real-time email/phone validation, anti-bot checks, and de-duplication.