What is click fraud / How do click bots work?
Last updated: June 23, 2023
The rise of click bots has made it harder to trust open and click data – or conduct marketing activities securely. Bots made up 42.4% of Internet activity in 2021, up from 40.6% in 2020.
That makes it more difficult for marketers and publishers to analyze their campaigns, create actionable audience segments or accurately report ROI to their advertisers.
This has major costs for businesses: A study by the University of Baltimore estimated that bot-driven ad fraud alone cost companies more than $35 billion in 2020. So publishers and marketers need to understand click fraud, identify the signs of click fraud, and learn how to minimize the impact of click fraud on their marketing efforts.
Upgrade your privacy game: Watch the webinar with our VP who shares crucial security insights:
What is click fraud? How do click bots work?
Basically, click fraud takes place when a click bot clicks a link on a website or in an email and “pretends” to access the promoted website, ad or app. This tricks the sender into thinking that someone is genuinely interacting with their business when that isn’t the case.
Keep in mind: not all click bots are bad.Many of the fake clicks registered in email reports come from authentic security products, which organizations use to prevent spam and fraud among their systems and employees.
However, some click fraud is maliciously motivated. For instance, a website owner might drive fraudulent clicks of the pay-per-click ads displayed on their own site. Or someone might create fake websites and apps for the purpose of selling real ads to companies, who believe they’re paying for exposure on a reputable site.
What is the cost of click fraud? How much does click fraud cost companies?
Per our research, up to 65 percent of non-human traffic can go undetected. This takes a serious toll on not just your email marketing, but your your overall marketing activities, cybersecurity and reputation. Some of the most harmful effects include:
- Distorted marketing data: Non-human traffic inflates open, click and click-through rates, which left unnoticed can incentivize teams to stick with unsuccessful campaigns.
- Worse deliverability: Click bots can add thousands of real email addresses to a company’s email list in seconds, which can harm the company’s standing with ISPs and, in turn, its deliverability.
- Undermined advertising efforts: Click fraud makes paid advertising less effective. This takes place when a competitor clicks on a company’s display ads via a bot farm, making the ad placement more experience, or when a bad actor sells ad space on “ghost websites” that are only visited by bots.
- Misleading or fake leads: Click bots also spam lead and contact forms with false information, sometimes with the contact information of real people.
- Altered marketing automation campaigns: Excessive clicks on emails can disrupt trigger-based activations and throw off A/B test results.
How can I tell if my website is being targeted by click bots?
The sooner you spot unusual activity, the more quickly you can stop non-human traffic from harming your website. Watch out for deviations from the norm that can’t be attributed to a new promotion, content piece or development, as any unexplained increases in traffic usually stem from non-human traffic. Check your email marketing platform for irregularities, including:
- Abnormally high pageviews: This is the first place to look, since click bots can click through pages much more quickly than any human. Look at traffic spikes occurring over a very short period of time.
- Abnormally high bounce rates: Bounces refer to users who visit one page, then immediately click out of the site. An unexpected bump in bounce rates suggests that click bots are being directed at a single page.
- Surges in traffic from unexpected locations: Click bot attacks tend to originate from a single location, often in other countries, so look out for a rush of visitors from far-flung locations.
- Fake conversions: Form submissions from fake-looking email addresses or domains are another sign that click bots are clicking through your website.
- Surprisingly high or low time on site: Most people, regardless of their interest level, won’t spend four hours or .0004 seconds on a single page. Any session duration that doesn’t reflect typical human behavior is a symptom of non-human traffic.
How can I tell if my emails are being targeted by click bots?
Fortunately, many Email Service Providers (ESPs) and advertisers have implemented rules that automatically identify and negate suspicious clicks. Some (including Omeda!) automatically remove them from all email and website traffic reports, then compile data about non-human traffic into a single report. This way, users can see where fake clicks are coming from, block the sending address, and better evaluate their email marketing success.
So what’s considered a suspicious click? While there’s no silver bullet for spotting and removing click bots, here are some indicators we look out for at Omeda:
How can I prevent bots from accessing my website?
Now that you’ve learned how to spot signs of click bots, you’re probably wondering how to keep them off of your site entirely. You can’t keep every click bot at bay, but through basic security measures, you can limit your website’s exposure to click fraud. Some steps include:
- Closely monitor your API connections: If you use API connections to share data to and from your website, they could be vulnerable to click bot attacks. Make sure you’re always using the most recent version of your API and remove outdated connections from your site.
- Investigate traffic sources and watch out for traffic spikes: As mentioned, irregular traffic surges, especially from unexpected locations, are a strong indicator of click bot activity. Regularly monitor your website traffic so you can spot potential click bot attacks and block any offending IP addresses.
- Block old Internet browser: TechRepublic recommends requiring visitors to use the latest version of their Internet browsers, as click bots often use outdated browsers to skirt security protocols.
- Pay attention to data breaches: Finally, stay tuned to news about data breaches, as they often lead to a spike in click bot activity and click fraud.
How can I prevent bots from accessing my emails?
Click bots don’t come from a single source, so there’s no single way to keep them from accessing your emails. (And that’s fine – some click bot activity is normal and even expected.) By adding layers of security to your website and subscription forms, you can lower their impact on your email marketing metrics. Here’s where to start:
- Add a hidden field or stealth link to your form: This is essentially a hidden registration field that is only visible to bots. So when you review your new email subscription reports, you can easily identify which new entries entered the value for that form, identify them as click bots, and remove them from your list. Implement this by using HTML to add the extra field to your form, then style it out of the regular audience’s view with CSS. Stealth links work the same way, except that offending bots will click a link that’s not visible to human users.
- Clean your lists regularly: Email addresses signed up during a click bot attack will not open or click your message. This lowers the percentage of engaged users in your subscriber list, and increases the risk that you’ll experience deliverability issues. So if a recipient hasn’t engaged with your emails in the past six months, remove them from your list. (Good hygiene is the key to any healthy list.)
- Know your audience: If you own a local media site, it’d be unusual to have a sudden influx of email subscribers originating from foreign IP addresses. So if that occurs, chances are that they’re bots – and you can delete them from your list. To mitigate click fraud, compare new subscribers against the demographics of your known marketing segments and look out for any irregularities.
Subscribe to our newsletter
Sign up to get our latest articles sent directly to your inbox.