The Problem
Multiple Closet Factory locations report the same issue: lead forms are being submitted with real people's contact information, but when sales reps call, the person on the other end has no idea why they're being contacted. They never filled out a form. They've never heard of Closet Factory. They aren't in the market for closet systems.
These aren't junk leads with fake names and 555 phone numbers. The names, phone numbers, and email addresses belong to real people. The data matches. The people are just confused — and sometimes upset — when they get the call.
This is a documented, industry-wide problem tied directly to how Performance Max campaigns operate. It is not unique to Closet Factory, but the way the accounts are configured is making it worse.
How the Fraud Works
The fraud chain has four steps: MFA sites host ads → Bot networks click the ads → Bots submit forms using stolen real-person data → Google's algorithm learns to send more of the same traffic.
Performance Max runs ads across Google's entire network — Search, Display, YouTube, Gmail, and Discovery. Google controls where the ads appear. The advertiser has no ability to exclude specific placements. A significant share of PMax ad impressions land on the Google Display Network, which is where the fraud is concentrated.
Criminals build low-quality websites designed specifically to host Google ads and collect revenue share from clicks. The industry calls these MFA sites — Made For Advertising. They look like real websites but exist solely to generate ad revenue. Spider AF's 2025 research found that MFA activity directly affects PMax and Display campaign flows.
Scammers program bot networks to visit these MFA sites and click on the ads that appear there. To avoid detection, the bots route traffic through residential and cellphone proxies so each click comes from a unique IP address. They use anti-fingerprinting techniques to make the clicks appear to come from real devices and real browsers. The advertiser pays Google for each click. The scammer receives a share of that payment.
Here is the critical step. If bots only clicked ads and never converted, Google's fraud detection systems might eventually flag the pattern and shut down the scam sites. So the bots are programmed to also submit fake conversions after clicking — form fills, account sign-ups, page views — to make the traffic look legitimate.
To pass form validation and appear credible, the bots pull from databases of real people's contact information. These databases come from data breaches, scraped public records, and data sold on the dark web. This is why the leads look real. The names, phones, and emails belong to actual people. Those people just never submitted anything.
Real-World Evidence
89 Fake Leads in 5 Days
Source [3]: One advertiser posted on Google's own support forum in January 2025 describing exactly this scenario. They received 89 leads in five days after restarting a PMax campaign. Every single one was a real person who had never heard of the company. One of those leads told the sales rep that he was aware his personal information had been compromised previously, and that multiple companies had been calling him from forms he never filled out. That same phone number appeared three times in the CRM with different names, all created within 30 minutes, auto-routed to three different sales offices.
CAPTCHA Bypass Confirmed
Source [4]: A separate advertiser on Reddit in August 2025 reported the same pattern — real people's data, nobody remembers submitting anything. Their forms had dropdown fields and reCAPTCHA v3. The bots got through anyway. The time zones captured on the form submissions didn't even match the geographic targeting area of the campaign.
Why Bots Use Real Data
Source [5]: A web developer explained the economics: bots fill out forms with real people's information because fake data gets filtered out. Using real names, real phone numbers, and real emails from breached databases makes the submissions pass validation. The people whose data is used are victims of prior data theft — they have no idea their information is being weaponized this way.
The Algorithm Feedback Loop
This is where the damage compounds. PMax optimizes for conversions. When bots submit fake conversions, Google's algorithm interprets that as a signal that this type of traffic converts well. It then sends more of the same traffic. More fraud produces more fake conversions, which trains the algorithm to chase more fraud.
The algorithm doesn't know the difference between a real homeowner filling out a form and a bot using stolen data. It only sees: this traffic converted. Send more like it.
Spider AF's 2025 Ad Fraud White Paper found that invalid clicks convert at roughly 1.29% compared to 2.54% for valid traffic across a study of 324 companies — confirming that fraudulent traffic drags down true performance even when it appears to be "converting."
Why PMax Is Uniquely Vulnerable
Other campaign types give advertisers some control. Standard Search campaigns let you choose keywords, set match types, add negative keywords, and exclude placements. PMax removes most of those controls. Google decides where the ads appear, who sees them, and how the budget is allocated across networks.
Why Closet Factory's Setup Makes It Worse
This connects directly to the conversion tracking findings from the cross-market audit. The four corporate Closet Factory markets track between 10 and 41 conversion actions, with 8 to 9 marked as Primary. Many of these are lightweight actions — page views, engagement, YouTube follow-on views, get directions — that bots can trigger easily.
Every additional conversion action is another entry point for bots to fake a conversion and look legitimate to Google's algorithm. The more actions you track, the more noise in the signal, and the harder it is for the algorithm to distinguish real prospects from bot traffic.
| | Corporate Markets | Boston (Outside Agency) |
|---|---|---|
| Conversion Actions | 10–41 actions | 2 actions |
| Primary Actions | 8–9 marked Primary | 2 marked Primary |
| PMax CPL | $130–$280 | $81 |
| Lightweight Signals | Page views, YouTube views, engagement, get directions | Form submit + phone call only |
| Bot Attack Surface | Wide — dozens of entry points | Narrow — only real lead actions |
What Can Be Done
The fix is upstream: clean the conversion tracking, feed real sales data back to Google, and consider adding a fraud detection layer between Google and the lead forms.
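One way such a fraud detection layer could screen submissions, using the two signals reported in the evidence above: one phone number reused under different names within 30 minutes, and a form time zone outside the campaign's targeting. This is an added example, not part of the original brief or any Closet Factory system; the field names, the target time zone set, and the sample leads are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: time zones covered by the campaign's geographic targeting.
TARGET_TIMEZONES = {"America/New_York"}
WINDOW = timedelta(minutes=30)  # reuse window taken from the forum report

# Constructed sample leads (fictional 555-01xx numbers), not real CRM data.
LEADS = [
    {"id": 1, "name": "Ann Lee", "phone": "(617) 555-0101", "tz": "America/New_York", "created": "2025-01-10T09:00:00"},
    {"id": 2, "name": "Bob Ray", "phone": "617-555-0101", "tz": "America/New_York", "created": "2025-01-10T09:12:00"},
    {"id": 3, "name": "Cy Dunn", "phone": "+1 617 555 0101", "tz": "Asia/Jakarta", "created": "2025-01-10T09:25:00"},
    {"id": 4, "name": "Dee Fox", "phone": "617-555-0199", "tz": "America/New_York", "created": "2025-01-10T09:30:00"},
    {"id": 5, "name": "Ann Lee", "phone": "(617) 555-0101", "tz": "America/New_York", "created": "2025-01-12T14:00:00"},
]

def normalize_phone(raw):
    """Keep digits only and drop a leading country code so formats compare equal."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return digits[-10:]

def flag_leads(leads, target_tzs=TARGET_TIMEZONES, window=WINDOW):
    """Return {lead_id: set of reasons} for leads matching either signal."""
    flags = defaultdict(set)
    by_phone = defaultdict(list)
    for lead in leads:
        if lead["tz"] not in target_tzs:
            flags[lead["id"]].add("timezone_outside_targeting")
        by_phone[normalize_phone(lead["phone"])].append(lead)
    for group in by_phone.values():
        group.sort(key=lambda l: datetime.fromisoformat(l["created"]))
        for i, first in enumerate(group):
            t0 = datetime.fromisoformat(first["created"])
            for later in group[i + 1:]:
                if datetime.fromisoformat(later["created"]) - t0 > window:
                    break  # sorted by time, so nothing further is in the window
                if first["name"].strip().lower() != later["name"].strip().lower():
                    flags[first["id"]].add("phone_reused_with_different_name")
                    flags[later["id"]].add("phone_reused_with_different_name")
    return dict(flags)

if __name__ == "__main__":
    for lead_id, reasons in sorted(flag_leads(LEADS).items()):
        print(lead_id, sorted(reasons))
```

Flagged leads can be held for manual review before they are routed to a sales office.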
The Bottom Line
The people your locations are calling are real victims of data theft, not prospects. The forms were submitted by bot networks using stolen contact information. This is not a Closet Factory problem specifically — it is an industry-wide vulnerability in how Performance Max interacts with the Google Display Network.
Closet Factory's bloated conversion tracking setup across the corporate markets is making it worse by giving bots more signals to exploit and giving the algorithm more noise to learn from.
The fix is upstream: clean the conversion tracking, feed real sales data back to Google, and consider adding a fraud detection layer between Google and the lead forms. Boston already proved this works — 2 conversion actions, $81 PMax CPL, lowest in the network.
Closet Factory — Internal Research Brief — February 25, 2026
Prepared by Gravity Well Marketing using Manus AI