
Beware of Form Bots (+ Top Tips for Bot Detection)

July 21, 2021

To sustain consistent growth, businesses need to gain leads and add new customers. Affiliate marketing campaigns draw on networks of people to help promote a company’s goods and services. Sometimes, the merchant is the one bringing on the affiliates. At other times, they hire pre-existing affiliate networks to help build brand awareness.

Projections from Statista state that “U.S. affiliate marketing spend is due to reach 8.2 billion U.S. dollars by 2022, up from 5.4 billion recorded in 2017.” With so much money up for grabs, it is little wonder that bot fraud has become a common problem for affiliate campaigns.


One of the key tools used by fraudsters has long been the “bot.” You may be wondering: “What is a bot and what does it have to do with lead generation fraud?” More importantly, how can you detect and thwart bot fraud (and other forms of fraud)?


What Is a Bot?

The word “bot” is shorthand for “robot.” In the specific context of computing, it’s a way to refer to automated software programs that are built to carry out a specific task. Bots can be good or bad depending on what they’re made for.

An example of a good bot would be something like the web crawlers used by Google and other search engine providers to index websites for search engine results pages (SERPs).

Unfortunately, not all applications for bots are so harmless. There are bot programs specifically designed to enable lead generation fraud schemes that steal millions of dollars from companies all over the globe on a daily basis.


What Is Bot Traffic?

Bot traffic is website activity that can be attributed to an automated program of some kind. Although some bot traffic may be benign (like the aforementioned web crawlers), most of this traffic is part of one type of fraud scheme or another.

Some fraudsters use massive botnets (groups of bots running on malware-infected devices) to help hide their IP addresses and make it harder to find the source of bot traffic. Such botnets are also commonly used for distributed denial of service (DDoS) attacks.

How Bots Are Used for Lead Generation Fraud

The use of bot traffic in fraud schemes has evolved over the years. In the past, bot traffic would be used to inflate impressions on pages to give the appearance that an affiliate was directing a lot of traffic to a merchant’s site. When merchants wised up and started moving away from paying just for traffic (and flagging traffic that hit the site only to immediately leave as fraudulent), fraudsters started using new bots.

Instead of simply generating impressions, the new “form bots” would actively seek out forms on target websites, such as blog subscription forms, eBook downloads, and “contact us” forms. This would trigger a conversion and, from the perspective of a programmatic advertising platform, the “visitors” that fill out forms look more like “real” traffic than ones that bounce off the page milliseconds after landing on it.

Since the bot traffic “converted,” the advertising platform would determine that the traffic and leads are real—paying out money to the fraudster. This has been used as a strategy for click fraud designed to avoid getting flagged as fraud.

However, after many advertisers switched to a cost per lead (CPL) model, the use of bots to fill in forms became a major strategy for generating fake leads.

What Are the Signs of Bot Fraud?

One common question about bot-based advertising fraud is: “How can I tell bot form fills apart from legitimate ones?”

There are a few warning signs of bot fraud that an organization can use to identify it after the fact, including:

  1. Large increases in ad spend without increases in deals closed.
  2. Filled-out forms having invalid contact information.
  3. Multiple “contacts” having the same information (emails, phone numbers, addresses, etc.) despite not being from the same organization.
  4. Complaints from prospects who say they never consented to receive marketing communications.
  5. Large numbers of contacts coming from the same IP address or coming from a data center’s IP address.

While these warning signs can provide clues of bot-based fraud after the fact, the problem is that identifying fraud this way is a reactive rather than proactive process. When relying on post-campaign analysis, it’s often too late to stop payments to fraudsters.


The Impact of Form Bots and Why Early Bot Detection Is Key

Fake clicks and bot traffic can be disastrous to your ad campaign’s bottom line. Each fraudulent impression, click, or lead that you pay for is money wasted that you aren’t likely to get back.

However, fraudulent form fills from bots carry an even heavier risk.

Although basic bot programs will sometimes fill form fields with random gibberish, more sophisticated fraudsters use bots that either provide information that looks like it could be real or use stolen information from a real person to populate form fields.

If you neglect to properly check the validity of the lead before using the contact information provided, then that could open your organization up to consumer complaints and TCPA violations.

5 Tips for Bot Detection

Being able to detect and block form bots and other bot traffic early can be a literal life-saver for your business. But, how can you ensure early detection?

Here are a few bot detection tips:

1. Use Honeypot Form Fields

The “honeypot” technique is an older trick for identifying bot form fills, but it continues to be a valuable and reliable strategy. In the honeypot technique, you add an extra form field to the page and hide it with CSS so that it is “invisible.”

Since the field is hidden by the page’s code and won’t display visibly, human site visitors will never see it. However, a bot that visits the page can only read it by scanning the page’s code, so it will see the honeypot form field and attempt to fill it out.

Any form submissions that fill out the invisible honeypot field will almost certainly be from bot traffic instead of legitimate human users.
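A sketch of the honeypot check described above, as an added example rather than code from this article or from Anura. The field name `company_website`, the `/subscribe` action and the verdict strings are hypothetical; the server-side function also covers the case where the decoy field is absent from the request altogether.

```python
from urllib.parse import parse_qs

HONEYPOT_FIELD = "company_website"  # hypothetical decoy field name

# Markup served with the form. The decoy is moved off-screen with CSS (not
# type="hidden") and kept away from keyboard users, screen readers and autofill.
FORM_HTML = """
<style>.hp-wrap { position: absolute; left: -9999px; }</style>
<form method="post" action="/subscribe">
  <label>Email <input type="email" name="email" required></label>
  <div class="hp-wrap" aria-hidden="true">
    <label>Website <input type="text" name="company_website"
           tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Subscribe</button>
</form>
"""


def classify_submission(body: str) -> str:
    """Classify a urlencoded POST body produced by the form above."""
    # keep_blank_values=True so an empty decoy is still reported as present.
    fields = parse_qs(body, keep_blank_values=True)
    if HONEYPOT_FIELD not in fields:
        # A browser submits the empty decoy along with the real fields, so
        # its absence means the request was not built from the rendered form.
        return "suspect:honeypot_missing"
    if any(value.strip() for value in fields[HONEYPOT_FIELD]):
        # Only something reading the page's code would have filled this in.
        return "bot:honeypot_filled"
    return "ok"
```

Quarantining flagged submissions quietly, rather than returning an error, avoids telling the bot's operator which field tripped the check.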


2. Using CAPTCHA to Block Basic Bot Programs

CAPTCHA, or the “Completely Automated Public Turing test to tell Computers and Humans Apart,” is a solution that was created to help combat bot fraud techniques. The older versions of this solution put distorted text or low-resolution images on the screen and asked users to either type in the text or select the right images.

The newer version of the tool, reCAPTCHA v3, analyzes how users behave on a website, ranking each interaction to determine how much risk a website visitor poses. While this is less obtrusive than older versions that required manual input from users, it hurts user privacy in exchange.

Even the newest version of CAPTCHA is not enough to stop the more sophisticated bot fraud schemes in use today. As fraudsters encounter newer versions of CAPTCHA, they constantly alter their bots to better imitate human users and fool the public Turing test. Additionally, even reCAPTCHA v3 has been demonstrated to have a high false positive rate—marking legitimate website traffic as bot traffic.

Ultimately, free CAPTCHA tools are mostly useful for catching the most basic bot traffic—the kind where there is little attempt to hide the fact that a bot is in use. Anything more sophisticated will require a more robust bot traffic detection solution.

3. Continuously Check the National Do-Not-Call Registry

When a bot uses junk or gibberish data to fill out form fields, it’s often easy to spot and is unlikely to result in TCPA violations since the contact data is nonsense that doesn’t match any real-world person. However, more sophisticated bot fraud schemes may use databases of stolen data to fill in forms with real information.

Much of the time, these unwilling contacts will have received unwanted marketing before—prompting them to sign up for the National Do-Not-Call (DNC) Registry. So, one way to spot fake leads entered by a form-filling bot is to check all new contacts against the DNC list. If several phone numbers match ones in the DNC Registry’s database, there is a strong chance that they are the result of bot fraud—especially if every form was filled by visitors with the same IP address.

4. Check Web Visitor Metadata

One easy way to detect bot fraud being run from a single data center is to examine the metadata of website visitors, such as their IP addresses, to see if the same data keeps popping up across multiple form fills.

More simplistic fraudsters might run their bot programs from a single computer or data center because they lack the knowledge or tools needed for more complex schemes. However, more advanced fraudsters might use massive botnets to spread out their fraud and make it harder to trace back to them.

5. Keep Track of Which Affiliates and Marketing Partners Have Excessive Fraud

Is there an affiliate or other advertising partner that keeps bringing a large percentage of fake leads? Have you traced bot traffic back to the same source time after time? If so, then you may have just identified the source of your lead generation fraud.

Keeping a record of where fraudulent traffic comes from and each incident of fraud can be invaluable for finding the source of fraud and confronting fraudsters. So, having a solution in place that can collect that data and provide the needed proof can be invaluable.

Whether you simply want to drop a bad affiliate/advertising network or wish to recover some of the money lost to fraud, having evidence is crucial for making informed, data-driven decisions.
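Tips 3 to 5 combined into one check, as an added example that is not Anura's code or method: each lead is flagged for a DNC match, a data center IP, a heavily reused IP or a repeated contact, and the flags are rolled up per affiliate. The lead records, the network range, the DNC set and both thresholds are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Everything below is constructed sample data (documentation IP ranges, 555 numbers).
DATACENTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed hosting range
DNC_NUMBERS = {"5555550101", "5555550102"}  # stand-in for a DNC list you may query
MAX_PER_IP = 2  # assumed threshold for form fills from one IP

LEADS = [
    {"affiliate": "aff-a", "ip": "203.0.113.7", "phone": "555-555-0101", "email": "a@example.com"},
    {"affiliate": "aff-a", "ip": "203.0.113.7", "phone": "(555) 555-0102", "email": "b@example.com"},
    {"affiliate": "aff-a", "ip": "203.0.113.7", "phone": "555-555-0199", "email": "A@example.com "},
    {"affiliate": "aff-b", "ip": "192.0.2.10", "phone": "555-555-0150", "email": "c@example.com"},
    {"affiliate": "aff-b", "ip": "192.0.2.11", "phone": "555-555-0101", "email": "d@example.com"},
]

def _phone(raw):
    return "".join(ch for ch in raw if ch.isdigit())[-10:]

def _email(raw):
    return raw.strip().lower()

def flag_leads(leads):
    """Return one set of reason strings per lead, in input order."""
    per_ip = Counter(lead["ip"] for lead in leads)
    per_email = Counter(_email(lead["email"]) for lead in leads)
    results = []
    for lead in leads:
        reasons = set()
        addr = ipaddress.ip_address(lead["ip"])
        if any(addr in net for net in DATACENTER_NETS):
            reasons.add("datacenter_ip")
        if per_ip[lead["ip"]] > MAX_PER_IP:
            reasons.add("shared_ip")
        if _phone(lead["phone"]) in DNC_NUMBERS:
            reasons.add("dnc_match")
        if per_email[_email(lead["email"])] > 1:
            reasons.add("duplicate_contact")
        results.append(reasons)
    return results

def affiliate_report(leads):
    """Map affiliate -> (suspicious leads, total leads)."""
    report = defaultdict(lambda: [0, 0])
    for lead, reasons in zip(leads, flag_leads(leads)):
        report[lead["affiliate"]][1] += 1
        if len(reasons) >= 2:  # one weak signal alone is not counted as fraud
            report[lead["affiliate"]][0] += 1
    return {name: tuple(counts) for name, counts in report.items()}
```

On the sample data every `aff-a` lead carries at least two signals, while the lone DNC match under `aff-b` is left uncounted because a single weak signal can come from a real person.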

How Anura's Ad Fraud Solution Provides Bot Detection (Before It's Too Late)

Need help with bot fraud detection and collecting the data you need to prove fraud? Anura is here to help.

The Anura ad fraud solution analyzes hundreds of data points in real time and compares them all to real conversion data. This helps to identify fraudulent bot traffic so you don’t pay for fake leads or risk TCPA violations from reaching out to them.

Anura also eliminates false positives—activity isn’t marked as fraud unless we’re 100% certain of it. With the massive amount of data that Anura’s ad fraud solution collects, we help you find more fraud and provide the proof you need to not only identify bot fraud, but to confront fraudsters.

Because the detection is done in real time, you can stop fraud as it happens instead of having to wait for an “after the fact” report. This is invaluable for protecting your ad spend from fraudsters and maximizing your marketing ROI.

Don’t let bot traffic drain your marketing budget. Contact Anura today and find out how you can stop bot fraud now!

This article has been republished with new information. 
