Disclosure: SpamShield is built by JMS Dev Lab, the publisher of this blog. I will mention it where relevant but this article is written to be useful regardless of what solution you choose.
I ran Moores Jewellers for 22 years. Across three Cork locations, a full online store, and more contact form messages than I can count, I have seen every flavour of spam that lands in a small business inbox. When I started building Shopify apps, I was surprised to find that the spam problem was even worse for online merchants than it ever was for us in the jewellery business.
The reason merchants struggle is not that they are missing something obvious. It is that most spam filters — including Shopify's built-in hCaptcha — are designed to catch bots. But the majority of Shopify contact form spam in 2026 is not sent by bots. It is sent by real people.
If you want to understand why CAPTCHA fails against this kind of spam, I have written a detailed technical explainer: Why reCAPTCHA Doesn't Stop Shopify Contact Form Spam (And What Does). This article takes a different angle — instead of the technical "why," let's look at the practical "what." Here are the five types of human-written spam that are most likely flooding your inbox right now, with real examples of each.
This is the most common type, and the one that probably accounts for the bulk of what you are receiving. SEO agencies — mostly operating out of South and Southeast Asia — employ teams of workers whose entire job is to fill out contact forms on business websites with cold sales pitches.
A typical message looks something like this:
"Hi, I came across your website and noticed you could be ranking higher on Google. Our agency specialises in affordable SEO packages that have helped businesses like yours get to page one. We offer backlink building, content writing, and technical SEO audits. Would you be interested in a free consultation? Packages start from $99/month."
The reason this gets through CAPTCHA is simple: a real person typed it. The reason it is so common is that SEO cold outreach via contact forms is cheap and can be automated at scale with human workers. At Moores Jewellers, we used to get five or six of these a day. Most Shopify stores I have spoken to get between twenty and eighty daily.
Why it is hard to stop manually: The messages are often well-written, personalised enough to mention your store name or niche, and use legitimate-looking email addresses. Email filters that catch "SEO services" get fooled when the sender writes "search engine optimisation" or "organic traffic" instead.
Second only to SEO pitches in volume. Freelance web developers and small agencies — again, primarily from lower-cost labour markets — send unsolicited redesign offers through contact forms at scale.
A typical message:
"Hello, I was browsing your store and I think your website design could be improved to increase conversions. I specialise in Shopify development and have worked with e-commerce stores in your industry. I can redesign your store for $500. Please let me know if you are interested."
What makes this particularly frustrating is that legitimate web developers and agencies do reach out through contact forms. So you cannot blanket-block anything that mentions "web design" or "Shopify development" without risking losing real enquiries. The spam version tends to be lower quality, more generic, and always includes a specific price quote in the first message — a pattern that real developers rarely follow.
This one caught us out at Moores Jewellers more than once. The message looks exactly like a legitimate bulk purchase enquiry.
"Hi, I am interested in purchasing your products in bulk for our retail chain. We have 12 locations across the UK and are looking for a reliable supplier. Could you send me your wholesale pricing and minimum order quantities? We are looking to place an initial order of 500 units."
This is a category of fraud rather than pure spam. The goal varies: sometimes it is a phishing attempt to get you to reply and then extract banking details or gift card payments. Sometimes it is testing whether your store is active before a more targeted attack. Occasionally it is advance-fee fraud — they send a fake cheque for more than the order value and ask you to wire back the difference before the cheque bounces.
The tell is usually the vagueness ("your products") combined with the specificity of the numbers ("500 units"). A real wholesale buyer knows what they want and usually reaches out through a business email, not a Gmail address.
If your Shopify store has a blog — and it should, for SEO — you will be receiving these. Link builders and content marketers send tens of thousands of contact form messages every month looking for sites that will publish their content or trade links.
"Hi, I love your blog and think your audience would enjoy a guest post from us. We write high-quality content in the e-commerce space and are looking for sites to collaborate with. We would write a 1,000-word article tailored to your readers. In return, we only ask for one do-follow link in the body of the article. Interested?"
These are almost never worth responding to. The "high-quality content" is usually AI-generated filler, the links are to clients with unrelated or spammy sites, and accepting them can actually hurt your own SEO by associating your domain with low-quality link networks. Google has been penalising this kind of link scheme for years.
Some of these come from legitimate-looking marketing agencies. The messages are often polite, professional, and well-formatted — making them particularly hard to filter on content quality alone.
Less common than the others, but when it arrives it comes in bursts. These messages try to recruit you into investment schemes, trading platforms, or cryptocurrency opportunities.
"Hello, I am a financial advisor specialising in cryptocurrency investments. I have helped hundreds of small business owners grow their savings using our proprietary trading platform. Last month, our members averaged 34% returns. I would love to discuss how we can help your business grow beyond your online store. Can we schedule a call?"
These are almost always scams. The "34% monthly returns" is a classic fraud signal. The goal is to get you on a call, build rapport, and eventually convince you to send money to a platform that will disappear with it. These do not tend to be high-volume — they are more targeted — but they are the most financially dangerous type on this list.
Standard advice will tell you to enable CAPTCHA, add a honeypot field, and use email filters. All of that is worth doing as a baseline. But none of it will stop the five types above because they are all sent by real humans who will happily solve a CAPTCHA, see your honeypot field (which is only hidden visually), and write messages that do not trigger obvious keyword filters.
What actually works against human-written spam is content analysis. The filter needs to read the message and determine whether it looks like a legitimate customer enquiry or a pitch. That requires a language model that understands context, not just keyword matching.
That is what I built SpamShield to do. It runs every contact form submission through a four-layer filter: behavioural signals, IP and email reputation, AI content classification, and disposable email detection. The AI layer is what catches the five types above — it reads the message and scores it based on whether the content looks like a customer enquiry or a sales pitch, regardless of how convincingly human the sender appears to be.
The 14-day trial is free, no credit card required. If it does not reduce your spam, you do not pay. Try SpamShield at spamshield.dev.
If you would rather not install another app, the most effective manual step is to create very specific email filters for each of these categories. Flag messages containing "affordable packages," "bulk order," "do-follow link," "guest post," "trading platform," and "wholesale pricing" alongside unusual sender domains. It will not catch everything, but it will make your inbox survivable while you evaluate longer-term solutions.