Honeypot numbers in lead lists: how to detect them

Honeypot numbers are planted traps that trigger TCPA lawsuits the moment you dial. Learn how they work, how to find them, and how to scrub them before your next call.

LeadCompliant Team
25 min read
In This Article

Last updated 2026-07-09

Analyst reviewing a phone number lead list with a magnifying glass at a desk
Analyst reviewing a phone number lead list with a magnifying glass at a desk

TL;DR

Honeypot numbers are phone numbers planted inside lead lists to catch telemarketers breaking the TCPA or DNC rules. Calling one can trigger a lawsuit with statutory damages of $500 to $1,500 per call under 47 U.S.C. § 227. Catching them takes layered scrubbing: DNC checks, litigator databases, carrier line-type data, and behavioral red flags in the lead itself.

What is a honeypot number and why does it end up in your lead list?

A honeypot number is a phone number with no real consumer behind it. It exists for one purpose: to document that your company called it, then use that call as the basis for a TCPA complaint or lawsuit. Some are run by professional litigants who submit numbers to data brokers. Others are seeded by class-action attorneys who buy leads the same way your list vendor does, insert phone numbers tied to their clients or themselves, and wait.

The term borrows from cybersecurity, where a honeypot is a fake system set up to attract and log attackers. The mechanics here are identical. You call, the other end logs the timestamp, caller ID, and call recording, and you've handed opposing counsel exactly what they need to file under 47 U.S.C. § 227 [1].

List vendors rarely screen for these. They're pulling data from dozens of sources, and a honeypot number looks like a valid lead. It has a name, sometimes an address, maybe even a fake email. The phone number is real and active. That's what makes it dangerous.

Some honeypot numbers are also registered on the National Do Not Call Registry [2], which stacks a second violation on top of the first. Others aren't on the DNC at all, which surprises people who think DNC scrubbing is enough. It isn't. DNC scrubbing catches one category of violation. Honeypots are a different animal.

How do professional TCPA litigants use honeypot numbers to sue?

The business model is simple. A TCPA plaintiff (sometimes called a 'serial plaintiff' in court filings) keeps a portfolio of phone numbers. They sign up for lead gen offers, fill out web forms with these numbers, or have attorneys feed numbers into data broker pipelines. Then they wait for calls.

Under 47 U.S.C. § 227(b)(3), a person who receives an unsolicited call to a number on the DNC or an autodialed call without consent can sue for $500 per violation, or up to $1,500 per violation if the court finds the violation was willful [1]. There's no cap per lawsuit. Twenty calls to the same honeypot number is $10,000 to $30,000 in exposure before attorneys' fees.

Some plaintiffs operate at scale. Federal courts have named individual litigants who filed dozens or hundreds of TCPA cases. Stoops v. Wells Fargo (W.D. Pa. 2016) [3] documented the pattern in detail. In Stoops, the court denied class certification partly because the plaintiff admitted she only bought phones to sue companies under the TCPA, but individual damages still applied.

The real threat for a small outbound team isn't a class action. It's a demand letter for a few thousand dollars per call, priced so that settling is cheaper than litigating. Most of these never see a courtroom. That's the point.

The TCPA creates strict liability for certain violations. You don't have to know the number was a honeypot to owe damages. Intent doesn't save you.

What are the signs a phone number in your list might be a honeypot?

No single flag is definitive. You're hunting for clusters of signals that together make a number suspicious enough to suppress.

The lead record looks synthetic. Real consumer leads have normal entropy: slightly misspelled addresses, common email domains, varied first names. Honeypot leads sometimes have suspiciously clean data, or the opposite, obviously fake names paired with real addresses. A lead named 'Test Consumer' with a working mobile number is obvious. A lead named 'James Williams' at a real Phoenix street address with a Google Voice number tied to a litigant is harder to spot.

The number is tied to known litigants. Several commercial databases pull plaintiff phone numbers from TCPA court filings. These are real services compliance teams pay for. The numbers in them showed up in prior lawsuits, so calling one is extra risky. The plaintiff has already proven they'll sue.

The number appears on a litigator list separately from the federal registry. The federal DNC registry [2] covers numbers consumers registered. Litigator databases are a different product. Some vendors sell both. Most teams only buy the federal registry scrub, which is the minimum required by 16 C.F.R. § 310.4(b)(1)(iii) under the FTC's Telemarketing Sales Rule [4]. That minimum is not enough.

The carrier data looks off. Numbers that are VoIP, Google Voice, or heavily ported can be a signal. Not dispositive on their own, since plenty of real consumers use VoIP, but combined with other flags, carrier type matters. Carrier and line-type lookups tell you whether a number has a stable history or bounces around.

The number's age doesn't match the lead source. A lead came in last Tuesday, but the phone number first showed up in a data broker database three years ago under a different name. That mismatch is worth flagging.

The form fill looks bot-like. If you generate leads through web forms, honeypot detection at the form level (rather than the number level) matters. Unusually fast form completion, submission from a VPN IP, or a timestamp pattern that matches bulk submission tools all suggest the lead wasn't a real consumer expressing interest.

TCPA honeypot call: key numbers Statutory figures every outbound team should know before dialing 500 Damages per call (standard violation) 1,500 Damages per call (willful violation) 31 Max days DNC data can be before a 15 Approx. cost to scrub one number (all layers, Source: 47 U.S.C. § 227 (U.S. Congress); 16 C.F.R. § 310.4 (FTC Telemarketing Sales Rule)

Does DNC scrubbing catch honeypot numbers?

Sometimes, but not reliably. The National Do Not Call Registry [2] holds numbers real consumers registered to stop telemarketing calls. A honeypot operator may or may not register their number there. Many don't bother, because DNC listing isn't required to trigger a TCPA suit based on an autodialed call or prerecorded message to a cell phone. Those claims arise under a different subsection, 47 U.S.C. § 227(b), not the DNC provisions under § 227(c) [1].

So a number can be a honeypot, completely absent from the federal DNC registry, and still support a valid TCPA lawsuit if you autodialed it without prior express written consent.

If you want to know how to get the do not call list and understand what it actually covers, the FTC runs the official access portal for telemarketers [9]. Using it is a legal obligation if you're making telemarketing calls. Treating it as your only defense is a mistake.

The do not call list covers one slice of the risk. Honeypots sit across a much wider area.

What tools and databases actually identify honeypot and litigator numbers?

Several categories of tools exist. None is perfect. Used together, they cut your exposure hard.

Federal DNC scrubbing. Required by law. Telemarketers must access the registry under the FTC's Telemarketing Sales Rule framework [4]. This is table stakes, not a honeypot solution.

Litigator databases. Companies like Blacklist Alliance, TCPA Litigator List, and a few others keep databases of phone numbers tied to known TCPA plaintiffs, built from court records and demand letters. These are the closest thing to a purpose-built honeypot detection tool. They aren't free, pricing varies by volume, and no vendor I'm aware of publishes auditable methodology for how they add or age out numbers. Use them, but know the limits.

Phone validation and carrier lookup APIs. Services that return the carrier, line type (mobile, VoIP, landline), and porting history for a number. Twilio Lookup, Numverify, and similar APIs give you this. A number ported multiple times, or currently hosted on a VoIP platform often linked to litigation (certain prefixes are well known in compliance circles), is worth suppressing or reviewing by hand.

Identity verification layers. Cross-check the name and address on the lead against the phone number using identity resolution APIs (Whitepages Pro, Melissa, and the like). If the phone number has attached to five different names in two years, that's a flag.

Web form honeypots (a different thing entirely). At the lead generation stage, you can add hidden form fields that real users never fill but bots and bulk submitters do. If a field invisible to humans gets filled, flag the submission. This catches some lead fraud before numbers ever enter your system.

LeadCompliant's free number checker flags DNC status as a starting point. Their compliance kit walks through stacking these tools into a pre-call scrubbing workflow. A documented process matters if you ever face a dispute, because showing you had a systematic scrubbing procedure bears on whether a violation was willful.

Tool CategoryWhat It CatchesWhat It MissesRough Cost
Federal DNC registryDNC-registered numbersLitigator-only numbers, autodialer claims~$75/area for access [4]
Litigator databasesKnown plaintiff numbersNew litigants, uncatalogued numbers$100-$500+/mo
Carrier/line-type APIsVoIP, ported, reassigned numbersNumbers on stable carriers used as honeypots$0.005-$0.01/lookup
Identity resolutionName/address/phone mismatchesSophisticated synthetic identities$0.02-$0.10/lookup
Reassigned numbers databaseNumbers reassigned to new consumersN/A (FCC-mandated source) [6]$0.005/query

What is the Reassigned Numbers Database and does it help here?

The FCC's Reassigned Numbers Database (RND) [6] is a related but different tool. When a consumer cancels a number and the carrier hands it to someone new, calling that new person with an autodialer violates the TCPA if your consent was tied to the old subscriber. The FCC stood up the RND in 2021 because this scenario was generating a flood of litigation.

Querying the RND tells you whether a number has been reassigned since a specific date. The FCC's rule at 47 C.F.R. § 64.1200(a)(8) gives you a safe harbor if you query the RND and it shows no reassignment [6]. That safe harbor doesn't erase all honeypot risk, but it kills the 'wrong number' category of suits, which overlaps with honeypot scenarios where a litigant grabs a freshly reassigned number.

The RND is run by Somos and reached through authorized database providers [11]. Querying costs about $0.005 per number as of the most recent FCC rate setting, though that can change. If you call mobile numbers at any volume, make it part of your pre-call workflow.

For what reassigned-number liability looks like in practice, the cash app tcpa class action settlement and credit one tcpa settlement cases both involved consent and number hygiene failures that compounded over large call volumes.

How should you build a pre-call scrubbing workflow that actually works?

The goal is a documented, repeatable process you run on every list before any dialer touches it. Here's what that looks like on the ground.

First, when a new list lands, quarantine it. Don't dial anything until scrubbing is done. Sounds obvious. Under call center pressure it often doesn't happen.

Second, run every number through the federal DNC registry. This is legally required under the TSR [4] and it's non-negotiable. Do it within 31 days of the call date, because your safe harbor for relying on the registry requires that your data be no older than 31 days per 16 C.F.R. § 310.4(b)(3)(iv).

Third, run against a litigator database. Automate this API call so it fires in the same pipeline as DNC scrubbing. Log the result and timestamp.

Fourth, run a carrier/line-type lookup. Flag every VoIP number for extra review. Don't auto-suppress them (real consumers use VoIP), but route them to manual review or add a consent verification step before dialing.

Fifth, query the Reassigned Numbers Database if you're calling mobile numbers with an autodialer or prerecorded message [6].

Sixth, cross-reference against your own internal suppression list. Every number that ever asked to opt out, complained, or showed up in a demand letter you've received should be suppressed for good. That list needs to survive vendor changes and CRM migrations.

Seventh, document everything. The date each list arrived, the date scrubbing ran, which databases you checked, how many numbers you suppressed and why. If a demand letter shows up eighteen months from now, this paper trail is your main evidence that any violation was not willful.

For teams doing cold calling at scale, this workflow adds maybe a few cents per number. Skipping it costs $500 to $1,500 per violating call.

Can you sue a list vendor for selling you a list containing honeypot numbers?

In theory, yes. In practice, it's messy and rarely worth building your defense around.

Most list vendor contracts carry broad indemnification limits and representations that the data is 'to the best of their knowledge' compliant, which is a very soft warranty. If you can prove the vendor knew a number was a honeypot and sold it anyway, you might have a fraud or breach of contract claim. But proving that is hard, the vendor's contract probably caps their liability at the cost of the data, and meanwhile you still owe the TCPA plaintiff.

The TCPA puts liability on the caller, not the list source [1]. Your vendor didn't make the call. You did. Courts have stayed consistent on this. A contract with a data vendor doesn't shield you from statutory liability to the person whose number you dialed.

The better move is vendor due diligence before you buy. Ask vendors exactly what TCPA scrubbing they perform. Get it in writing. Ask whether they keep a honeypot suppression list. Ask what happens when a buyer flags a problematic number. Vendors who can't answer these questions clearly are vendors to walk away from.

The do not call telemarketer list requirements and related FTC rules [9] give you a framework for what a legitimate vendor should be able to demonstrate.

What does a demand letter for calling a honeypot look like, and what should you do?

The typical demand letter names specific call dates and times, your caller ID, often a call recording, and the statutory citation (47 U.S.C. § 227) [1]. It demands a settlement payment, usually a few hundred to a few thousand dollars per call, with a deadline of two to four weeks. The letter almost always comes from an attorney.

Don't ignore it. Don't call the plaintiff directly. Don't make any admissions in writing.

Get a TCPA attorney involved right away. This is one area where the cost of early legal counsel is low against the risk of mishandling it. A good TCPA defense attorney will assess whether the plaintiff is a known serial litigant (many are well known to the defense bar), whether the call records support or undercut the claim, whether consent documentation exists, and whether your scrubbing creates a defense.

Clean documentation of your scrubbing process gives you bargaining room in settlement talks. Nothing documented, and your options shrink fast.

The FCC's enforcement bureau also takes consumer complaints [10], and some plaintiffs file FCC complaints alongside demand letters. These are separate tracks and need separate responses.

Nothing in this article is legal advice. If you get a demand letter, talk to a licensed TCPA attorney. The facts of your specific situation set your actual exposure and options.

How do honeypot numbers relate to mobile phone DNC rules specifically?

Mobile phones carry two layers of TCPA protection that landlines don't. First, 47 U.S.C. § 227(b)(1)(A) bans autodialed or prerecorded calls to cell phones without prior express consent, regardless of DNC status [1]. Second, cell phone numbers can go on the federal DNC registry, adding a § 227(c) claim on top.

This matters for honeypots because a litigant using a mobile number as a honeypot can assert both types of claims from a single call. One call, two violation theories, $500 to $1,500 each, stacked.

The FCC has addressed mobile number protections in several orders, including its 2015 Declaratory Ruling and Order (FCC 15-72) [5], which clarified what counts as an autodialer and widened the practical scope of § 227(b). The D.C. Circuit modified that ruling in ACA International v. FCC (2018) [7], and the Supreme Court addressed it again in Facebook v. Duguid (2021) [8], which narrowed the autodialer definition. The mobile phone risk stays substantial even after Facebook v. Duguid for systems that use random or sequential number generation.

For teams focused on the mobile phone do not call list side of compliance, the takeaway is plain: mobile numbers deserve stricter scrubbing and consent documentation than landlines, honeypot or not.

Are there any real court cases involving planted or honeypot-style numbers?

The word 'honeypot' isn't a legal term of art, so you won't find it in case captions. But the pattern shows up over and over in TCPA litigation.

Stoops v. Wells Fargo Bank (W.D. Pa. 2016) [3] is the clearest judicial recognition of the practice. The plaintiff admitted in deposition that she bought cell phones specifically to receive calls from financial institutions and sue them under the TCPA. The court denied class certification because her interests weren't typical of a real class, but declined to toss the individual claims outright. TCPA defense practice cites the case constantly as an example of serial plaintiff behavior.

A growing set of district court cases has dealt with plaintiffs who submitted web forms using phone numbers they controlled, purely to generate calls they could sue over. Courts have split on whether this counts as consent (because the plaintiff submitted the form) or whether the plaintiff can still recover damages.

The consent question is genuinely unsettled for manufactured leads. Some courts have found that a plaintiff who fills out a web form with their own number to attract calls has implicitly consented to those calls. Others have found the opposite. Until there's a circuit-level consensus, you can't rely on 'they submitted the form' as a complete defense.

Text message marketing campaigns have their own version of this problem. For SMS-specific risks, the text message marketing rules under the TCPA apply the same statutory framework to outbound texts as to calls, which means honeypot numbers in SMS lists carry identical per-message exposure.

What's the honest bottom line on how much protection scrubbing actually gives you?

No scrubbing process wipes out all honeypot risk. A sophisticated litigant with a fresh number, no prior court record, and a valid-looking synthetic identity will slip past every current automated check. That's the honest answer.

What scrubbing does is clear the easy cases, document your good-faith effort, and set up an argument against willfulness if you do get sued. A $500 per-call violation is already bad. A $1,500 per-call willful violation is three times worse. Courts have pointed to documented compliance programs as evidence cutting against willfulness, even when a violation still happened.

The FCC's enforcement posture, documented in its enforcement bureau actions [10], has consistently treated companies with no compliance program differently from companies that ran a program but made an error. That distinction doesn't erase liability, but it shapes settlement dynamics and, in egregious cases, whether the FCC pursues its own enforcement action.

LeadCompliant's free tools give you the DNC checking piece. Add a litigator database and the Reassigned Numbers Database on top, and you cover the three most common sources of honeypot exposure. Pair that with form-level fraud detection at lead intake, and you've built a reasonable, defensible program.

For teams new to all this, the cold call compliance basics are a sensible place to start before getting into list hygiene specifics.

Frequently asked questions

What exactly is a honeypot phone number?

A honeypot number is a phone number deliberately placed in lead lists or data broker pipelines to catch outbound callers breaking the TCPA or DNC rules. There's usually no genuine consumer behind it. The owner logs your call, documents the timestamp and caller ID, and uses that record to file a lawsuit or demand letter claiming statutory damages of $500 to $1,500 per call under 47 U.S.C. § 227.

Can a honeypot number be on the National Do Not Call Registry?

Yes, but it doesn't have to be. Many honeypot operators don't bother registering because DNC status isn't required to sue under the autodialer or prerecorded-message provisions of 47 U.S.C. § 227(b). Those claims apply to cell phones regardless of DNC registration. Relying only on DNC scrubbing to protect against honeypots leaves you exposed.

How do professional TCPA litigants get their numbers into lead lists?

Common methods include submitting web forms with controlled phone numbers on lead generation sites, selling numbers to data brokers under synthetic identities, and having attorneys feed numbers into financial services or home services lead pipelines. The numbers look like real leads. They're active, they answer, and they log every call. Some litigants keep dozens of numbers running at once.

Is it illegal to maintain a honeypot number to catch TCPA violators?

Federal courts have not found the practice inherently illegal, though some have found that a plaintiff who submitted a web form with their own number may have consented to the resulting calls. The consent argument wins in some courts and loses in others. The practice is legal enough that serial litigants keep doing it openly. Courts sometimes deny class certification to these plaintiffs but still allow individual damages claims.

What is a litigator database and how is it different from the federal DNC list?

The federal DNC registry holds numbers consumers registered to stop telemarketing. A litigator database holds numbers tied to known TCPA plaintiffs, built from court filings and demand letters. They don't overlap much. A litigant's number might not be on the DNC at all. Commercial litigator databases from vendors like Blacklist Alliance or TCPA Litigator List are the main tool for this specific risk category.

How often do I need to re-scrub a lead list?

For DNC compliance, the FTC's Telemarketing Sales Rule requires that your DNC data be no older than 31 days at the time of the call, per 16 C.F.R. § 310.4(b)(3)(iv). For litigator databases, most vendors recommend monthly or quarterly refreshes. For any list you'll dial over a long campaign, plan to re-scrub at least monthly, because numbers change status and new litigants appear constantly.

Does the FCC's Reassigned Numbers Database help with honeypots?

Partially. The RND, run by Somos under FCC rules at 47 C.F.R. § 64.1200(a)(8), tells you if a number was reassigned to a new subscriber after the date you collected consent. Some honeypot operators acquire freshly reassigned numbers. Querying the RND before calling provides an FCC safe harbor for reassigned-number claims, which overlaps with but doesn't fully cover the honeypot risk category.

Can I sue my list vendor if they sold me a list with honeypot numbers?

You may have a contract or fraud claim against the vendor, but it's unlikely to protect you from TCPA liability to the plaintiff. The TCPA puts liability on the caller. Most vendor contracts also heavily cap their liability. Vendor due diligence before purchase, including written representations about their scrubbing practices, is worth more than suing a vendor after the fact.

What red flags in a lead record suggest a honeypot?

No single flag is definitive, but clusters of these are worth suppressing: VoIP or frequently ported numbers, name and address mismatches against the phone number in identity databases, the number appearing in prior TCPA court records, unusually clean or oddly formatted lead data, form submissions from VPN IPs or with bot-like completion speeds, and phone numbers that surface under multiple different names across data broker sources.

What should I do immediately if I receive a TCPA demand letter?

Don't ignore it, and don't contact the plaintiff directly. Engage a TCPA defense attorney promptly. Pull your call records, scrubbing documentation, and consent records for the number in question. Determine whether the plaintiff is a known serial litigant. Your documentation of pre-call scrubbing is your main bargaining chip in negotiations. The facts of each situation vary a lot, so this is genuinely a case for legal counsel, not a form response.

Do honeypot risks apply to SMS campaigns as well as phone calls?

Yes. The TCPA applies the same statutory framework to text messages as to calls. 47 U.S.C. § 227(b)(1)(A) covers autodialed texts to cell phones without consent, and the same $500 to $1,500 per-message damages apply. Honeypot numbers in SMS lead lists carry identical per-message exposure to honeypot numbers in call lists. Some litigants specifically target SMS campaigns because message logs are easier to document than call recordings.

Is there a way to completely eliminate honeypot risk?

No. A sophisticated litigant with a new number and no prior court record will pass current automated checks. What layered scrubbing does is clear the common cases, document good faith, and build the record you need to argue against willful-violation findings if you do get sued. The goal is a defensible program, not zero risk, which is an honest position any TCPA attorney will confirm.

How much does a proper pre-call scrubbing workflow cost per number?

Rough ranges: federal DNC access runs about $75 per area code per quarter plus per-query fees. Litigator database subscriptions run $100 to $500-plus per month depending on volume and vendor. Carrier lookup APIs run roughly $0.005 to $0.01 per number. Reassigned Numbers Database queries run about $0.005 per number under FCC rate setting. Total scrubbing cost usually lands between $0.02 and $0.15 per number, depending on the layers you use.

What documentation should I keep to defend against a honeypot-based TCPA claim?

Keep records of every scrubbing run: the date, which databases you queried, how many numbers you suppressed, and why. Keep consent records for each number you called. Keep lead source documentation showing when and how each number entered your system. Retain call logs. The evidentiary question in most TCPA cases comes down to whether you can show what you did and when, so documentation that survives CRM migrations and vendor changes is worth investing in.

Sources

  1. U.S. Congress, Telephone Consumer Protection Act, 47 U.S.C. § 227: Statutory damages of $500 per violation, up to $1,500 for willful violations, under 47 U.S.C. § 227(b)(3) and § 227(c)(5); autodialed calls to cell phones prohibited without prior express consent under § 227(b)(1)(A)
  2. FTC, National Do Not Call Registry: The National Do Not Call Registry is maintained by the FTC and allows consumers to register phone numbers to stop telemarketing calls
  3. Stoops v. Wells Fargo Bank, W.D. Pa. 2016, Case No. 2:15-cv-00039: Court found plaintiff purchased cell phones specifically to receive calls from financial institutions in order to sue under the TCPA; class certification denied but individual claims addressed
  4. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR at 16 C.F.R. § 310.4(b)(1)(iii) requires telemarketers to scrub against the DNC registry; § 310.4(b)(3)(iv) requires DNC data to be no older than 31 days at time of call
  5. ACA International v. FCC, D.C. Circuit Court of Appeals, No. 15-1211 (2018): D.C. Circuit vacated FCC's 2015 autodialer definition in part, modifying the scope of § 227(b) ATDS claims prior to the Supreme Court's Facebook v. Duguid decision
  6. Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court narrowed the TCPA autodialer definition, holding that a system must use random or sequential number generation to qualify as an ATDS under § 227(a)(1)
  7. FTC, Complying with the Telemarketing Sales Rule: FTC guidance on TSR compliance including DNC scrubbing obligations, seller and telemarketer liability, and recordkeeping requirements
  8. FCC, Consumer Complaint Center: FCC accepts consumer complaints about unwanted calls and texts separately from private TCPA litigation; complaints can trigger FCC enforcement investigations
  9. Somos, Reassigned Numbers Database operator information: Somos is the FCC-designated operator of the Reassigned Numbers Database; telemarketers access RND queries through authorized database providers

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit