What is Survey Phishing and How to avoid it?
Survey Phishing is a fraudulent method of gathering sensitive information such as usernames, passwords, and credit card details using deceptive emails, phone, text messages, or websites, all on your surveys.
If your survey shows “Blocked due to Phishing or Abusive” (or respondents can’t open the link), our security system has detected patterns commonly used in phishing, scams, or abusive content. This article explains the most common triggers, how to systematically locate the exact text or setting causing the block, and what to do if everything looks legitimate but the block persists.
What this block means (and why it happens)
The block is a protective measure to prevent surveys from collecting sensitive data deceptively or sending harmful content. Detection can be triggered by survey questions, welcome/thank-you pages, email/SMS invite text, embedded links, or even certain combinations of words that resemble credential collection or urgent payment requests.
Common content triggers to check first
Most legitimate surveys are blocked due to wording that unintentionally resembles phishing. Review your survey and message templates for the items below.
- Credential or account-access language: “login”, “sign in”, “password”, “OTP”, “verification code”, “2FA”, “security code”, “confirm your account”
- Financial/payment language: “bank”, “card number”, “CVV”, “wire”, “refund”, “invoice”, “payment required”, “urgent payment”
- Highly sensitive identifiers: national ID, passport number, medical record/file number, full date of birth combined with other identifiers
- Requests for contact details without context: phone number, personal email, home address (especially if the survey doesn’t explain why it’s needed)
- Threatening/urgent phrasing: “your account will be closed”, “immediate action required”, “final notice”
- Suspicious links or link text: shortened URLs, mismatched domains, “click here to verify”, or links to file downloads
- Impersonation cues: claiming to be a bank, government agency, or another brand without clear authorization
- Abusive or hateful language (even if quoted as an example)
Where the trigger can live (not just in questions)
Customers often review only the questions, but the trigger may be elsewhere. Make sure you check every place text can appear to respondents.
- Survey title and description
- Welcome page and instructions
- Every question (including hidden fields, variables, and answer choices)
- Thank You page text
- Email/SMS/WhatsApp invite messages and subject lines
- Reminder messages and automation templates
- Embedded links, button labels, and image alt text
- Custom variables/merge tags that insert dynamic text (e.g., names, IDs, account references)
Also make sure to avoid the words listed below.
Words not to use in the Survey Name, Welcome and Thank You pages.
"skype",
"sky***pe",
"hotmail",
"h-o-t-m-a-i-l",
"hotm***l",
"outlook",
"outl**k",
"o**ut**look",
"login",
"verify",
"verifxx",
"signup",
"sign in to",
"e-m-a-i-l",
"log**in",
"ver**y",
"v***fy",
"gmail",
"gma**il",
"yahoo"
Words not to use in the Question Text of your Survey
"credentials",
"credential",
"password",
"pass word",
"p a s s w o r d",
"p.a.s.s.w.o.r.d",
"fjalëkalim",
"pasahitza",
"пароль",
"lozinka",
"парола",
"contrasenya",
"lozinka",
"heslo",
"adgangskode",
"wachtwoord",
"parool",
"salasana",
Note: Please confirm you haven't used any of these words in your survey. Even after changing these words to something else, if you still face Phishing issues, don't hesitate to contact our support team.
How to rewrite legitimate research questions to avoid false positives
If your survey is academic (e.g., teacher support and student performance), you can usually keep the intent while removing phishing-like phrasing. Avoid language that resembles account verification, identity checks, or urgent actions.
- Instead of: “Enter your email/password to continue” → Use: “This survey does not require any login. Please proceed to the next question.”
- Instead of: “Verify your identity with OTP” → Use: “Do not share verification codes. This survey will not request OTPs.”
- Instead of: “Provide your ID/medical file number” → Use: “Do not provide government IDs or medical record numbers. If you need participant tracking, use an anonymous code you generate yourself.”
- Instead of: “Click here to confirm” (with a link) → Use: “For study information, visit: example.edu/research (typed as plain text), or include a verified institutional contact email.”
If you must collect sensitive information
Surveys that request sensitive data are more likely to be blocked, especially if the purpose is unclear. If collection is necessary, reduce risk by collecting the minimum required and clearly explaining why it’s needed.
- Collect only what you need (data minimization). Avoid national IDs, full card details, passwords, OTPs, or medical record numbers.
- Add a short justification near the question (e.g., “We use your email only to send the participation certificate”).
- Include legitimacy signals: institutional name, department, official website, and a contact email on the same domain.
- Prefer anonymous identifiers (participant codes) over real-world identifiers.
- If applicable, mention ethics approval/IRB reference and data handling policy in plain language.
Step-by-step: systematically find the exact trigger
Use a controlled approach to isolate the specific word, phrase, or element causing the block. This reduces guesswork and prevents unnecessary edits to legitimate academic or research surveys.
- Confirm the scope of the block: check whether the block appears when previewing, publishing, or when respondents open the public link.
- Copy all survey text into a single document (title, welcome text, questions, answer options, descriptions, thank-you text, and any message templates).
- Search for high-risk keywords (examples above). If found, rewrite them in neutral research language (see examples below).
- Temporarily remove all external links (or replace with plain text domains) and retest. Links are a frequent trigger.
- Test by elimination: duplicate the survey and remove half the content (e.g., later pages/questions). Publish/preview to see if the block persists. Repeat by halving again until you narrow it down to a single page/question/template.
- Once narrowed, check that item for: (a) credential/payment wording, (b) sensitive data requests, (c) urgent/threatening tone, (d) suspicious link text, (e) hidden fields or variables.
- Reintroduce content gradually: add back one element at a time (a single question or a single paragraph) and retest after each change to confirm the exact trigger.
- After edits, refresh your browser and retest using an incognito/private window to avoid cached error states.
Feel free to reach us at [email protected] in case of any queries or concerns.
Here's wishing you a safe surveying experience!
