If your organisation publishes a whistleblowing email address on public-facing platforms, you may eventually receive spam, phishing attempts, or automated submissions from bots. We understand how frustrating this is; unfortunately, it is a common challenge for every organisation that offers an open reporting channel.

Spammers continuously scan the internet, scrape published email addresses, and send mass unsolicited messages. Whistleblowing addresses are especially exposed because they are typically displayed on:

  • Corporate websites

  • Employee handbooks (PDFs, portals, shared drives)

  • Whistleblowing portals

  • Social media or public intranet pages

  • Procurement or supplier platforms

The good news: there are practical steps we can take immediately, and additional measures if the problem persists.


1. Immediate Measures to Reduce Spam

These actions limit exposure to bots, make scraping harder, and add protective barriers, without reducing accessibility for legitimate whistleblowers.

1.1. Protect Publicly Displayed Email Text From Bots and AI Scrapers

Ensure that no public page contains the whistleblowing address as a plain, machine-readable string. Harvesters read the HTML source that the server sends, not the page as a person sees it, so that is where the protection has to be.

Recommended strategies:

  • Do not emit the address (or a mailto: link) in the HTML; store it in encoded form and assemble it in the browser only on user action (see 1.2)

  • Ask crawlers not to index the contact page (robots.txt, a noindex meta tag); this keeps the address out of search engines and well-behaved AI crawlers, but spam harvesters ignore these hints, so treat it as a complement, not a control

  • Do not rely on "disable text copying" scripts: the address is still in the page source for any scraper, and the script only hinders legitimate reporters who want to paste it into their mail client

This stops crawlers and scripts that parse the page source. A scraper that executes JavaScript and clicks through can still obtain a revealed address, which is why a reporting form (1.4) is the stronger long-term option.


1.2. Use a “Click to Reveal Email” Button

Instead of displaying the address in plain text, place it behind an action such as:

  • [Click to reveal email]

  • [Show contact]

The address must not be present in the HTML until the click: a button that merely unhides text already in the page, or a mailto: link hidden with CSS, is still visible to a source-reading scraper. Keep the address in encoded form (split, reversed, or similar) and build the mailto: link in the browser when the button is pressed. This is human-friendly and defeats source-reading harvesters; it does not stop a scraper that drives a full browser and clicks.
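As an added example (not code from the original page or from the portal vendor), the pattern below serves the address in a form a pattern-matching harvester does not recognise and builds the mailto: link only when a human clicks. The address, the element id and the data-attribute names are illustrative assumptions.

```javascript
// Added example (not from the original page): a "click to reveal" link whose
// address is never present in the served HTML as a plain string.
// The address, element id and data-attribute names are assumptions.

const reverse = (s) => Array.from(s).reverse().join("");

// Split the address at "@" and reverse each half, so a pattern such as
// [\w.-]+@[\w.-]+ never matches the page source. This is hiding, not
// encryption: anyone who clicks (or reads this script) recovers the address.
function encodeForMarkup(email) {
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) throw new Error("not an address");
  return { user: reverse(email.slice(0, at)), host: reverse(email.slice(at + 1)) };
}

// Inverse of encodeForMarkup; runs in the browser after the click.
function decodeEmail({ user, host }) {
  return `${reverse(user)}@${reverse(host)}`;
}

// Markup for the server to emit: no "@", no mailto:, nothing for a
// source-reading scraper to harvest. Assumes the address contains no
// characters that need HTML attribute escaping (true of ordinary addresses).
function renderRevealButton(email, id = "reveal-email") {
  const { user, host } = encodeForMarkup(email);
  return `<button id="${id}" type="button" data-u="${user}" data-h="${host}">Click to reveal email</button>`;
}

// Browser side: the mailto: link is created only when a human clicks.
function attachReveal(button) {
  button.addEventListener("click", () => {
    const address = decodeEmail({ user: button.dataset.u, host: button.dataset.h });
    const link = document.createElement("a");
    link.href = `mailto:${address}`;
    link.textContent = address;
    button.replaceWith(link);
  }, { once: true });
}

// Wire it up when running inside a page (skipped under Node).
if (typeof document !== "undefined") {
  const btn = document.getElementById("reveal-email");
  if (btn) attachReveal(btn);
}
```

The server calls `renderRevealButton` when rendering the contact page; the script runs in the page and turns the button into a link on click. Because the reversed halves are still data-attributes, a scraper that runs JavaScript and simulates the click will get the address, which is the limit of this technique.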


1.3. Obfuscate the Email Address Everywhere Else

Where the address must still appear in documentation or public materials (PDFs, printed handbooks, supplier portals that accept only plain text), replace:

yourcompany@ethics.email

with:

yourcompany {at} ethics.email

or similar variations:

  • yourcompany [at] ethics [dot] email

  • yourcompany (at) ethics(dot)email

Humans understand it easily, and the simplest scrapers, which look only for a plain user@domain pattern, miss it. Treat it as a low barrier rather than a control: a harvester with a slightly broader pattern recovers all of these variants, so use it only where a reveal button (1.2) or a reporting form (1.4) is not possible.
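To show how low this barrier is, here is an added example (not from the original page or the vendor) with a function that produces the three substitutions above and a harvester pattern of the kind a modestly capable scraper uses to undo them. The sample page text is constructed for the example.

```javascript
// Added example (not from the original page): the "[at]" / "[dot]" substitutions
// from 1.3, and the kind of harvester pattern that undoes them.

// Produce one of the three obfuscation styles shown in the text.
function obfuscate(email, style = "bracket") {
  const styles = {
    bracket: { at: " [at] ", dot: " [dot] " },
    brace:   { at: " {at} ", dot: "." },      // dots kept, as in the page's first example
    paren:   { at: " (at) ", dot: "(dot)" },
  };
  const s = styles[style];
  if (!s) throw new Error(`unknown style ${style}`);
  const at = email.lastIndexOf("@");
  const local = email.slice(0, at);
  const domain = email.slice(at + 1).split(".").join(s.dot);
  return `${local}${s.at}${domain}`;
}

// Harvester: accept "@" or any bracketed "at", and "." or any bracketed "dot",
// with optional whitespace around them. This is a few lines more than a plain
// address regex and is all a scraper needs to defeat 1.3.
const AT  = String.raw`(?:@|\s*[\[\({]\s*at\s*[\]\)}]\s*)`;
const DOT = String.raw`(?:\.|\s*[\[\({]\s*dot\s*[\]\)}]\s*)`;
const ADDRESS = new RegExp(
  String.raw`([a-z0-9._%+-]+)${AT}([a-z0-9-]+(?:${DOT}[a-z0-9-]+)+)`,
  "gi",
);

// Return every address found in the text, normalised back to user@domain.
function harvest(text) {
  const found = [];
  for (const m of text.matchAll(ADDRESS)) {
    const domain = m[2].replace(/\s*[\[\({]\s*dot\s*[\]\)}]\s*/gi, ".");
    found.push(`${m[1]}@${domain}`.toLowerCase());
  }
  return found;
}

// Constructed sample: the same address published four ways.
const SAMPLE_PAGE = [
  "Report concerns to yourcompany@ethics.email.",
  "Or write to yourcompany {at} ethics.email",
  "Handbook: yourcompany [at] ethics [dot] email",
  "Supplier portal: yourcompany (at) ethics(dot)email",
].join("\n");

console.log(obfuscate("yourcompany@ethics.email", "paren"));
console.log(harvest(SAMPLE_PAGE));
```

All four spellings come back as the same plain address, which is why the text above recommends this only for material that cannot carry a reveal button or a form.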


1.4. Replace Email Addresses With a Secure Web Form

This is one of the most effective long-term solutions, because there is no address to harvest and every submission passes through a server you control.

Recommended approach:

  • Create a dedicated reporting page on the whistleblowing portal, served over HTTPS

  • Enable CAPTCHA or reCAPTCHA, and validate the CAPTCHA response server-side on every submission; a check that only runs in the browser is bypassed by posting to the form handler directly

  • Replace the address on your pages with a “Report a concern” button linking to this page (a link to the page, not a mailto: link)

  • Rate-limit the form handler so that a bot which solves or bypasses the CAPTCHA still cannot flood the mailbox

This ensures whistleblowers can still report confidentially, while bots cannot submit directly to your mailbox.


2. Additional Measures If Spam Continues

If the first set of measures is not sufficient, stronger controls can be implemented.

2.1. Enforce Human Verification on Portal Load

Each time someone opens the whistleblowing page:

  • Show a CAPTCHA

  • Add a human verification step before allowing access

This reduces automated submissions and prevents bots from harvesting the contact details shown on the page. Check that the gate does not lock out the people the channel exists for: CAPTCHAs fail disproportionately for users of Tor, privacy browsers and screen readers, so keep an accessible alternative, and verify the CAPTCHA response server-side as in 1.4.


2.2. Remove the Email Address From All External Sources

This includes:

  • Websites

  • Supplier platforms

  • Public PDFs

  • Social media

  • Job ads

  • Company handbooks (digital copies only)

Keep the whistleblowing email only on the protected portal.


2.3. Introduce Email Confirmation Before Report Registration

This workflow holds each submission until the sender proves control of the mailbox they gave, so mass submissions with forged or unattended sender addresses never reach the case handlers.

Process:

  1. The sender submits their message or form

  2. They receive a confirmation email containing a unique, signed, time-limited link

  3. They must click the link to confirm the submission

  4. Only after confirmation is the message registered and processed; unconfirmed submissions are discarded when the link expires

This significantly reduces automated spam, because bots rarely read the mailboxes they send from. Two caveats: the link must be bound to the specific submission (signed and single-use) so that a guessed or replayed link cannot confirm someone else's message, and the step requires the reporter to disclose a working mailbox, so keep an anonymous route (the portal form) open alongside it and make clear that confirmation is for spam control, not identification.


3. Final Step: Change or Disable the Public Email Address

If all measures above are insufficient (rare), the last resort is to:

  1. Disable the harvested email address, and

  2. Replace it with a new address, ensuring all steps (1–7) are applied to the new address before it is published anywhere.

Disabling the old address cuts off the existing spam flows; the new one stays clean only for as long as it never appears in plain text in a public place.


Summary Table

Step   Action                                     Purpose
1      Protect email text from bots/scrapers      Reduce AI/bot harvesting
2      Add "Click to reveal email" button         Hide address from crawlers
3      Obfuscate email (text replacement)         Make email human-readable only
4      Use secure web form with CAPTCHA           Replace direct email channel
5      Add human verification on portal load      Block automated access
6      Remove email mentions elsewhere            Limit exposure footprint
7      Enable email confirmation flow             Ensure only real senders register
8      Change/disable email if required           Reset attack vector