Robot Placing Check Mark In Box
Robot Placing Check Mark In Box

How Do Form Bots Work? (+ Ad Fraud Detection Tips)

February 3, 2022

Here’s a scenario that we see all too often: A company launches a brand-new ad campaign to promote their products and services. To spread their reach as far as possible, the company partners with a lot of different ad platforms, social media influencers, and others.

At first, the campaign goes great—they see a ton of new leads come in and fill out forms on their website. In fact, their total number of new leads generated beat their projections by a wide margin. 

Happy with the influx of leads they’ve gotten, the company pays their marketing partners for their hard work and starts trying to turn those leads into business opportunities.

This is where things start to go wrong.

Instead of converting customers, every lead the company reaches out to either results in a “bounce” (where their email/phone call doesn’t go through) or a complaint along the lines of “who are you and why are you bothering me?”

There was a problem with the leads: they were generated using form bots and other fraudulent techniques. 

But what is a form bot? More importantly, how can you spot them in time to disqualify the fake leads they bring so your company doesn’t lose money?

Get started with a free trial today to see exactly how much you could be losing  to ad fraud.

What Is a Form Bot?

A form bot is a type of bot program designed to fill out forms. Sometimes, these bots are used to access restricted content that has been gated (reducing the revenue of brands relying on premium content or subscriptions). At other times, these bots are made to create fake leads on the behalf of the fraudster using them.

Why would someone use form-filling bots on your ad campaigns?

The primary reason is usually money. By generating a ton of bad or fake leads, a fraudster can claim credit and collect a big paycheck for minimal effort. When you later realize the leads they gave you were all bad, the fraudster is long gone with your money!

Alternatively, a malicious competitor might employ form filling bots to get at gated information or drain your ad budget with fake leads. This way, they can get access to resources you didn’t want them to have or hamper your own advertising efforts.

How Do Form Bots Work?

Form bots operate much like any other bot—a programmer writes some code and designs it to carry out a specific task. In the case of form bots, however, that task is to fraudulently fill out forms while posing as a human user.

The automated software program is typically designed to crawl a webpage while looking for code that indicates an online form field. The bot then compares the form field to the parameters it was programmed with and inserts data or picks the appropriate information from the form’s preset choices.

Form-filling bots are often programmed to use a large database of stolen consumer data. This data is what the bot uses to populate each form field so that the “leads” they generate look like real people. After all, if you check the information, you’ll see that it matches the data of a real consumer you can reach!

Other, more basic bots might just enter information at random (constrained to certain presets values) to complete form fields.

The most advanced bots may even try to mimic human behavior on websites—spending extra time on the page before filling out the form, taking a realistic amount of time to “type” or “scroll through” entries for form fields, and other randomized actions that imitate the sometimes unpredictable behavior of a real person. They can even beat CAPTCHA tests!

Unlike a person, though, a bot doesn’t need to actually “read” the designed webpage on your website. Instead, they’re crawling the webpage’s code to “see” what’s on the page and reacting according to their programming. This is a fact that some savvy companies use to their advantage when trying to detect form bot fraud.

5 Bot Fraud Detection Tips

Ad fraud is a huge problem for any company that wants to leverage online marketing channels. Just as online advertising has made generating leads faster and easier for companies, it’s also made conducting fraud easier for crooks. So, it’s incredibly important for companies to be able to detect bot fraud as it happens and put a stop to it.

However, bot detection is often much easier said than done. Modern bot programs leverage a variety of tools to make themselves harder to identify (and to even specifically thwart certain well-known protection measures).

Here are a few tips for bot detection that can help you protect your ad budget from the countless form bots that your ad campaigns will encounter:

1. Use Honeypot Form Fields to Trick Form Bots

Here’s a trick that’s been around for a while, but is definitely worth mentioning again: using fake form fields that only exist in your website’s code to trick bots into filling them out. Often referred to as “honeypot” form fields, this trick can be highly effective at helping you identify bot traffic on your site and eliminating it.

Unfortunately, this technique isn’t perfect. Just as you try to improve your defenses, fraudsters are constantly upping their game as well. 

Some more advanced fraudsters might manually review the forms they’re using bots to fill and instruct the bots to ignore any hidden form fields. 

However, this requires some programming knowledge, which means that a lot of fraudsters who buy pre-made botnets won’t be able to do it.

2. Using CAPTCHA Tools to Weed Out Basic Bots

CAPTCHA is a free, publicly-available (and very simple) Turing test tool designed to help websites quickly sort human users apart from bots. As a free tool, CAPTCHA is easy to acquire and implement—though it is far from perfect.

In recent years, bot programs have become increasingly sophisticated. Many of the cybercriminals behind bot programs have even modified them to specifically thwart CAPTCHA tools. 

When you add this to the fact that many users find CAPTCHA tools to be incredibly annoying, and CAPTCHA quickly becomes a poor choice for bot detection and prevention.

Case in point: According to data cited by The Verge, in a test of a CAPTCHA tool, a Google machine learning algorithm “got the test right 99.8 percent of the time, while the humans got a mere 33 percent.” So, you may actually end up blocking more real people than you do bots!

Ultimately, CAPTCHA is a supplemental tool for blocking basic bots and shouldn’t be relied on as your primary bot fraud prevention strategy.

3. Check Your Contact Database for Abnormalities

When you’re generating leads via affiliate marketing or other online advertising channels, one of the best ways to protect yourself from the impacts of ad fraud is to regularly check your leads for any abnormalities.

For example, do you have multiple leads with the same name? While some names, like John Smith, are so common that you’d expect to see a couple of repeats, having the same few names appear dozens of times in your database could be a warning sign that a form bot with a small table of names to work with is generating fake leads.

Additionally, it can help to check the IP addresses of the leads you’re generating. For example, if your business operates primarily in Sacramento, California, but the leads who fill out your forms are all coming from IP addresses in China or Russia, that could be an indication of fraud.

While useful, this strategy for finding fake leads generated by form bots can be labor-intensive and time-consuming. In many cases, by the time you’ve identified the fraud manually, the fraudster is long gone and you won’t be able to get your money back from them.

4. Be Wary of Sudden Large Increases in Leads Generated

One of the big reasons to launch an online ad campaign is to generate a lot of leads in a short amount of time. However, there is such a thing as something being too good to be true. 

If you have an ad campaign that has been consistently performing at a certain level and then it just suddenly jumps to 1,000 times its normal level, that might not be real traffic—it could be bot traffic.

So, before jumping for joy, it’s important to verify where those leads came in from. Did they all get referred by the same marketing partner? If so, does it make sense for that partner to have generated so many leads all at once? 

For example, an influencer or app with 3,000 active monthly subscribers/users probably won’t bring in 300 leads in any single week, let alone 30,000!

Such discrepancies are what tipped off Uber to potential ad fraud in their own ad campaigns.

5. Use Email Verification for Forms

Another way to quickly weed out bot traffic from your leads list is to use email verification for any lead generated through one of your forms. When the “lead” fills out the form, a verification email will be sent to the email address they used. If the verification link in the email isn’t clicked, then you can ignore the lead.

Most form bots won’t be able to check and click the links in the emails—especially if the email used is going to a real person whose contact info is being used without their knowledge. The real person may well ignore the email and not click the link.

This measure can be further enhanced by automatically rejecting emails from free email client domains (like yahoo.com or google.com). B2B companies may use this measure to make sure they can associate all of their contacts with a specific company based on their email domain. 

For example, if someone submits a user_name@yahoo.com email, they would be disqualified as a lead. But, if they used their corporate email of user_name@ABCcompany.net they would be added as a valid contact once they clicked on the verification email.

Rejecting free email domains can be a powerful way to keep fake leads from form bots out of your database. However, this is not as viable a solution for B2C companies looking to get leads from the general public—most of whom use free email accounts for their personal business.

Stopping Online Ad Fraud with Anura

The above tips are all at least somewhat useful for detecting bot fraud and putting a stop to it, but none of them are perfect solutions. 

Whether it’s because bots are getting better at thwarting preventive measures like CAPTCHA, the fact that manual reviews of data take too long (and require extensive expertise to positively ID fraud), or the specific measures mentioned are just impractical for business reasons, they tend to fall short of the goal of providing an ideal way to stop fraud.

However, there is actually a way to reliably identify bad leads from form bots without inconveniencing your customers—one that doesn’t require extensive expertise on your part but provides you with all of the information you need to proactively fight fraud and win. 

The Anura ad fraud solution is the ideal tool for spotting fraudulent activity in your online ad campaigns and putting a stop to it before it can hurt your company’s bottom line.

With real-time analysis of website visitors that takes hundreds of data points and compares them all to a massive database of real conversion data spanning decades of activity, Anura provides accurate assessments of every lead that fills out your forms. When you use Anura’s ad fraud solution, you can rest easy knowing that every lead that gets flagged as fraud is fraud.

Why wait? Get started with Anura today!

request a trial