
How Many Fake Leads Come from Form Bot Fraud?

March 9, 2022

Many marketers, whether they’re working as part of an advertising department within a single business or a third-party ad agency that works with numerous clients, struggle to get more leads. Even when their ad campaigns are successful, there’s always a push to get more done with fewer resources.

For example, marketers often hear the question: “If you got X% leads last month, why can’t you get X+5% this month?” Or, they hear something along the lines of: “Well, if you got those leads last month, you can repeat the feat with a 10% lower budget, right?”

One of the consequences of the constant pressure to get more leads is that it’s all too easy for marketers of all skill levels to fall for fake leads brought in by bot fraud. In the rush to meet expectations for continuous growth, opportunities that would otherwise seem too good to be true might feel more like a necessity.

The problem is that falling victim to form bot fraud in ad campaigns can lead to over-inflated expectations while actively reducing the business’ opportunities to make money. Let’s take a look at why every marketer should be wary of bot fraud and what they can do about it.

What Is the Average Rate of Fake Leads in an Ad Campaign?

It is extremely rare for an ad campaign to be completely free of bad leads from form bots. Unless you have a very good anti-fraud solution in place, you can expect to have a significant amount of fraud.

How much? While the specific amount will vary from one campaign to the next, in Anura’s own experience, the average is typically between 20% and 25% in online advertising campaigns. In long-running ad campaigns that don’t have any kind of ad fraud protection, the percentage may run higher. Meanwhile, a fresher campaign with strong ad fraud countermeasures may have lower ad fraud rates.

A large portion of fraudulent form fills comes from bot traffic. So-called “bad” bots—those bots specifically designed to carry out fraud schemes and cyberattacks—account for 39% of all traffic on the internet. Meanwhile, “good” bots (like Google’s web crawlers) account for 25% of all web traffic—leaving humans as the remaining 36% of web traffic.

That’s right, your ad campaigns are more likely to run into a bot than they are a human! And, even when there is a person behind the screen, that doesn’t necessarily mean that they’re a legitimate lead (since some fraudsters use human fraud farms).

Of course, not all “bad bots” are specifically form bots. There are DDoS attack-enabling bots, bots that try to steal sensitive data, bots that buy up limited-availability products for resale, and countless other bots that help malicious actors carry out all kinds of schemes. However, it doesn’t take a lot of form bots to clog your ad campaigns with bad leads.

A single form bot could easily fill out a form on a page in milliseconds, then refresh the page and fill out the form again as a “different” lead before the page even finishes reloading what was on the screen. In short, just one bot could easily fill out dozens of forms a minute on a device with a high-speed internet connection.

How Many Form Bots Can One Fraudster Have?

One of the reasons why bots are so prevalent on the web is how easy they are to make (or buy and sell) on the internet. For an experienced programmer, a botnet program can be easily made within a few hours—often by tweaking an already-existing zombie bot infection program to help it avoid detection.

While there is a non-negligible investment of time and effort to keep the growing botnet from being detected, a cybercriminal can easily make and grow their own botnet. Some crooks are so good at making large botnets that they sell them to others. According to data from Kaspersky, botnets can be sold for as little as $0.50 per bot—so an investment of $500 could get a fraudster a botnet of 1,000 infected machines.

Fraudsters can buy these ready-made botnets with ease and start using them for fraud schemes in mere minutes. In many cases, the fraudster can buy or lease a botnet with a few thousand infected machines, carry out bot fraud schemes against several companies at once, and get away with the money before any of their victims can figure out that they’ve been defrauded.

Then, they sneak back in with a different online user profile and another rented botnet to repeat the whole process all over again. Considering how many form fills a bot can perform each day, even a small botnet of a few hundred infected devices could generate a solid profit for the fraudster using it—more than enough to justify the cost of buying or renting the botnet in the first place.

Those who have the programming know-how to make their own botnets are even more dangerous. Why?

First, they can grow their botnets to ludicrous numbers of infected machines. Some well-known botnets (like Zeus) have famously grown to include millions of infected devices. The sheer number of bots that these massive botnets can bring to bear makes them incredibly difficult to pin down with traditional countermeasures like IP blocking. Plus, having a million or more separate IP addresses behind the form bots giving you fake leads makes it harder to definitively trace them back to a single source.

Second, those with the programming skills to write a botnet are more likely to be able to customize them to work around the specific protection methods you use to prevent fraud.

For example, say you use honeypot form fields (form fields that are hidden in your webpage’s code that humans can’t see but are visible to bots that are crawling the code on your website). Normally, these honeypots are able to help you near-automatically sort the leads that come from actual humans from ones provided by bots. If the honeypot field is filled in, you know that the “lead” came from a bot.

However, an experienced bot programmer could review your website’s code, identify the honeypot form fields, and program their bots to specifically ignore them. This would allow the form bots they make to keep adding fake leads to your online marketing campaigns almost uninterrupted!

How Fraudsters Use Larger Botnets to Avoid Detection

Fraudsters use a lot of different strategies to avoid detection. Oddly enough, one of them is to employ larger botnets.

With more bots, fraudsters have more leeway to do things like have the bots simulate different device and browser specs between different form fills. This makes it much harder to identify the source of bad leads.

For example, say you have 1,000 leads, and they all come from a single IP address using the Chrome browser on an Android phone. That’s a strong indicator of fraud that’s easy to spot. Additionally, blocking all future leads from that device would be relatively simple.

However, by spoofing different device and browser specs, the fraudster makes it much harder to tell that the leads are fraudulent. Also, some bots might have built-in delays between when they load pages and when they fill out forms in order to better simulate a human user. The added load of spoofing device specs and imitating human users slows down the bot, meaning it fills out fewer forms per hour.

With thousands of bots, the fraudster can make up for the reduced productivity of each individual bot on the botnet while simultaneously spreading out the fake leads they give you among thousands of unique IP addresses.
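As an added example (not Anura's code and not part of the original article), the Python below screens a batch of form submissions with the three simple signals described above: a filled honeypot field, a form completed in milliseconds, and many leads from one IP address and browser. The field name, thresholds, and sample leads are all constructed assumptions; the last group in the sample shows how leads spread across unique IPs with varied specs and human-like delays pass every check.

```python
from collections import Counter

# Hypothetical names and thresholds; not from the article or any vendor product.
HONEYPOT_FIELD = "website"   # hidden input that a human never sees or fills
MIN_FILL_SECONDS = 2.0       # a form completed faster than this is suspicious
MAX_PER_SOURCE = 3           # leads allowed per (IP, user agent) in one batch


def screen_leads(leads):
    """Return {lead_id: [reasons]} for every lead that trips a signal."""
    per_source = Counter((l["ip"], l["user_agent"]) for l in leads)
    flagged = {}
    for lead in leads:
        reasons = []
        if lead["fields"].get(HONEYPOT_FIELD, "").strip():
            reasons.append("honeypot_filled")
        if lead["submitted_at"] - lead["rendered_at"] < MIN_FILL_SECONDS:
            reasons.append("filled_too_fast")
        if per_source[(lead["ip"], lead["user_agent"])] > MAX_PER_SOURCE:
            reasons.append("source_concentration")
        if reasons:
            flagged[lead["id"]] = reasons
    return flagged


def make_lead(lead_id, ip, ua, fill_seconds, honeypot=""):
    """Build a constructed sample lead; times are seconds on the server clock."""
    return {
        "id": lead_id, "ip": ip, "user_agent": ua,
        "rendered_at": 1000.0, "submitted_at": 1000.0 + fill_seconds,
        "fields": {"email": f"user{lead_id}@example.com", HONEYPOT_FIELD: honeypot},
    }


# Constructed sample batch (documentation IP ranges, made-up user agents).
SAMPLE = (
    [make_lead(1, "198.51.100.7", "UA-desktop", 41.0)]                    # human-like
    + [make_lead(2, "203.0.113.9", "UA-desktop", 30.0, "http://x.test")]  # fills hidden field
    + [make_lead(3, "203.0.113.10", "UA-mobile", 0.05)]                   # millisecond fill
    # Five leads from one IP and one browser.
    + [make_lead(10 + i, "192.0.2.50", "UA-android-chrome", 12.0) for i in range(5)]
    # Five leads from unique IPs with varied specs and human-like delays.
    + [make_lead(20 + i, f"198.51.100.{100 + i}", f"UA-spoof-{i}", 9.0) for i in range(5)]
)

if __name__ == "__main__":
    for lead_id, reasons in sorted(screen_leads(SAMPLE).items()):
        print(lead_id, reasons)
```
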

How Real-Time Bot Detection Protects Your Ad Campaigns

So, how can you protect your ad campaigns from the ever-present threat of form bots and the fraudsters behind them? With more sophisticated fraud schemes constantly emerging, it is getting progressively harder to counter them.

Additionally, manual detection methods not only require extensive expertise to work reliably, but even the best experts require time to reliably identify fraudulent leads from form bots. In many cases, by the time an expert can positively ID a fake lead, the fraudster behind it is long gone and has moved the money from the account where they initially deposited it to an offshore bank that won’t give your money back.

To effectively protect your business from ad fraud, you need real-time ad fraud detection that can alert you to fraud as it happens. This is where Anura’s ad fraud solution can prove indispensable.

Anura provides real-time ad fraud detection by checking all of the traffic that fills out forms on your site. Hundreds of data points about each visitor are compared to an extensive database of real conversions spanning years of interactions.

This helps you stop ad fraud as it happens—allowing you to deny fake leads before you end up paying a fraudster for them. This helps you save money and headaches since you don’t have to fight fraudsters or their banks to get your money returned.

Being able to detect fraud before paying out to fraudsters also helps to work as a deterrent. Fraudsters are often looking for an easy payday. So, if your company makes it hard for fraudsters to collect money, other scam artists are less likely to target your business. Additionally, fraudsters may avoid coming back under different names to try to defraud you again if it doesn’t work the first few times. This helps you proactively reduce your risk of ad fraud and getting bad leads!

Are you ready to proactively protect your business from online scam artists who want to take advantage of your ad campaigns? Reach out to Anura today to get started!
