This was written by one of my colleagues for a license holder experiencing the same issue as you:
Spammers have been more active lately in general, the dramatic shift is not really explainable and there isn’t really any correlation from reports we’ve received in the types of spam and their methods, it is likely just a new wave of spammers hitting your site over a short amount of time and likely received positive feedback from their spam going through signaling that your site is currently vulnerable to it.
If current spam counter measures are not performing as they were or you’re receiving a higher volume of attempted spam (based on your description it is most likely the latter) you will need to add more robust spam prevention solutions. The honeypot will only catch very simple automated spam, it is the bare minimum you can use to prevent spam and will only catch fully automated spam. With the recent uptick in spamming it has been common for these to beat reCAPTCHA and the honeypot usually meaning it is manually done in some way, so most automated tools will not be a catchall solution as spamming tactics become more advanced.
Here are few additional measures you can take ranging from less extreme to more extreme, usually a combination of a couple will stop most spam from being submitted:
Generate v2 invisible or checkbox reCAPTCHA keys for your site, install those on the Forms > Settings page, and add CAPTCHA fields to your forms.
- Enable the Akismet integration on the Forms > Settings page when Akismet is active. This will pass all entered data through Akismet’s spam filter. I see you already have Akismet installed, so if you’re currently using it I would recommend enabling the integration on the Forms > Settings page and if that is already active you should consider increasing the strictness of Akismet’s spam filtering.
- You could use the following third-party perk from Gravity Wiz to set up a list of blacklisted keywords using WordPress’ commenting blacklist if the spam has any sort of common keywords: https://gravitywiz.com/documentation/gravity-forms-blacklist/
- Especially if the spam is coming from a foreign country most of the time, you could use Cloudflare to set up more nuanced firewall rules at a server level to stop the spammers from reaching the site entirely.
- Require your users to log in before they can submit any forms.
I hope some of these issues will help prevent spam submissions on your site.