Where Bots Come From: How Fake Traffic Compares Across Referral Sources
Cyber Risks & Threats | July 11, 2023
Over the past 40 years, the internet has expanded into a massive highway of information, with billions of daily active users and trillions of daily engagements, driving innovation, growth, and connectivity on a global scale.
But as the internet has grown in scale and sophistication, the quality and authenticity of its traffic has decreased. The web is increasingly flooded with automation tools, bots (good or bad), and users who, for one reason or another, aren’t genuine. In the marketing industry, this traffic is known as Invalid Traffic (IVT).
To help better understand this phenomenon and the impact it has on businesses, CHEQ has conducted the first annual State of Fake Traffic report.
By analyzing billions of data points from tens of thousands of anonymized campaigns, funnels, and websites protected by CHEQ, we were able to gain accurate insight into the scope of the fake traffic problem, and how it affects different platforms, industries, and regions. In this blog post, we’ll examine the leading referral sources for fake traffic, in an effort to show which platforms are leading sources of bot traffic. For more information on how specific industries, regions, and platforms are affected by fake traffic, download the full 35-page report here.
What is Invalid Traffic (IVT)?
Invalid traffic is web traffic that consists of bots, fake users, and otherwise invalid users who cannot turn into legitimate customers. This could mean harmless bots like search engine web scrapers, or malicious traffic like ad fraud botnets.
Google defines invalid traffic as “any activity that doesn’t come from a real user with genuine interest. It can include accidental clicks caused by intrusive ad implementations, fraudulent clicking by competing advertisers, advertising botnets, and more.”
To Google, IVT is primarily a concern because it can be used to artificially inflate a publisher’s ad earnings, a practice that is against Google Ads’ terms of service. But invalid traffic isn’t limited to paid traffic; it also makes up a large portion of direct traffic and unique site visitors and has plenty of adverse effects downstream, from polluted marketing analytics to wasted remarketing efforts.
Invalid Traffic’s Impact on Marketing Organizations
Historically, IVT has been a major concern for information technology and security teams looking to guard organizations from bad actors disguising their online footprint to commit attacks. However, as today’s CMOs have realized, IVT is also a prevalent problem for marketers and go-to-market teams.
For marketers and businesses dependent on web traffic to drive sales, this creates a unique challenge: Because of the prevalence of IVT, nearly every marketing funnel, campaign, and operation is impacted to some degree, oftentimes in very harmful ways.
Where IVT is present, audiences, CDP segments, and CRMs become polluted, campaigns become optimized toward fake users, and revenue opportunities are missed. Analytics and BI systems are skewed by bad data, leading to poor insights and, worse, decisions made on bad information.
Additionally, website and conversion funnels are disrupted by invalid leads and visitors. This is a challenge that must be dealt with sooner rather than later.
Examining Invalid Traffic by Source
Fake traffic is a persistent threat that affects all digital marketing channels. Left unaddressed, this fake traffic will waste advertising budgets and create negative downstream effects such as poorly optimized and ineffective campaigns, confused analytics, and inaccurate attribution.
Despite the best efforts of search engines, ad networks, and social media platforms to mitigate fraud and falsification through dedicated teams and built-in tools, there remains a significant ingress of fake traffic across all platforms.
Our analysis of billions of fake traffic referrals found a general level of parity in fake traffic across most platforms, with some notable exceptions. The general findings of our research are outlined in the chart below:
Social Fake Traffic Rates Climb as Professional Networks Attract Bad Actors
While the general fake traffic rates for social media platforms were lower than comparable search and display ads, one category of social media had, by far, the highest fake traffic rates of any platform studied.
Professional networking platforms had an average invalid referral rate of 12.4%, with 9.7% of paid traffic and 15.3% of organic traffic determined to be invalid.
For hackers, these platforms make a convenient group of high-value targets.
For those committing ad fraud, the incentive is even stronger. At an average of $5.58 per click in 2022, the cost-per-click for professional networks is typically up to five times the usual social and PPC cost. From an attacker’s point of view, that makes it five times more efficient to target a campaign on these sites.
Click Hijacking Attacks Drive Fake Traffic to Display Ads
Display ads are the oldest form of online advertising, and they’re still an extremely effective tool that allows businesses to reach a broad audience and raise brand awareness. However, because these ads are delivered to third-party websites, they are often easily manipulated by malicious actors. Display ads are particularly vulnerable to clickjacking attacks, which grew by 125% across all platforms in 2022.
This deluge of attacks led to a fraud rate of 7.2% for display ads in 2022, 40% higher than the rate for search ads.
Click hijacking occurs when a valid user clicks on an asset, such as a link or advertisement, that appears to be legitimate but is actually a disguised malicious element, which may install malware or redirect users. Last year, researchers discovered that a set of Google Chrome extensions, installed over one million times, was hijacking searches and inserting affiliate links into web pages, disrupting user experience and costing retailers thousands in affiliate fraud. In the case of a display ad, an attacker may use various techniques, such as adding hidden layers or modifying the code of a webpage, to cause a display ad to be clicked without the user’s knowledge. The attacker can then collect payment for the fake click from the advertiser.
This type of attack can be difficult to detect and prevent because it occurs on the client side, and the user’s browser is often not able to distinguish between a legitimate click and a hijacked click.
Viewbots Inflate Streaming Numbers and Burn Advertising Dollars
Streaming platforms had an unprecedented reach in 2022. The top streaming site reaches more people aged 18-49 than all TV networks combined, and it reaches them with more ads–which are statistically more likely to hold viewer attention, and ultimately to convert.
But many of those ad viewers are not human. In 2022, streaming platforms generated the highest invalid rate for paid traffic of any category, at 11.1%. Based on the ad revenue figures of just one streaming platform, that could amount to over $3 billion in wasted ad spend.
So where is all of this traffic coming from? The answer is view bots, a relatively new form of fake traffic in which pieces of automated software (bots) are used to view streaming videos or live streams in order to artificially boost the view count and generate fake engagement–and fake ad views–for unscrupulous creators.
Most view bots are simple scripts that open a video in a headless browser, but more complicated viewbots may also create fake accounts to mimic logged-in viewers, and can even incorporate a chatbot capability that will spam the stream’s chat or comments section with artificial banter to make audience numbers appear more legitimate. Some viewbots will even click through on ads to increase the perceived click-through rate. And these bot networks are available for rent for prices as low as $10/month.
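As an added illustration (not CHEQ's detection method and not code from the report), the sketch below flags the simplest case described above, scripts driving a headless browser, and reports an invalid rate per referral source and channel. The record layout, field names and sample rows are constructed for the example; it assumes a client-side collector that reports the user agent and the browser's `navigator.webdriver` value, and it will not catch viewbots that mimic logged-in viewers.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records (not data from the report): one row per ad view.
SAMPLE = """source,channel,user_agent,webdriver
streaming,paid,Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/114.0 Safari/537.36,false
streaming,paid,Mozilla/5.0 (Windows NT 10.0) Chrome/114.0 Safari/537.36,false
streaming,paid,Mozilla/5.0 (Windows NT 10.0) Chrome/114.0 Safari/537.36,true
streaming,organic,Mozilla/5.0 (Macintosh) Safari/605.1.15,false
social,paid,Mozilla/5.0 (iPhone) Mobile Safari/604.1,false
social,organic,python-requests/2.31.0,false
"""

# User-agent substrings left behind by unmodified automation tooling.
AUTOMATION_UA_MARKERS = ("HeadlessChrome", "python-requests", "curl/")


def invalid_reasons(row):
    """Return the heuristics a view record trips (empty list = looks valid)."""
    reasons = [f"ua:{m}" for m in AUTOMATION_UA_MARKERS if m in row["user_agent"]]
    # navigator.webdriver is true when the browser is under automation control.
    if row["webdriver"].strip().lower() == "true":
        reasons.append("navigator.webdriver")
    return reasons


def invalid_rates(csv_text):
    """Map (source, channel) -> (invalid_count, total_count, invalid_rate)."""
    counts = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["source"], row["channel"])
        counts[key][1] += 1
        if invalid_reasons(row):
            counts[key][0] += 1
    return {k: (bad, total, bad / total) for k, (bad, total) in counts.items()}


if __name__ == "__main__":
    for (source, channel), (bad, total, rate) in sorted(invalid_rates(SAMPLE).items()):
        print(f"{source:10s} {channel:8s} {bad}/{total} invalid ({rate:.0%})")
```

Both signals are trivially spoofed by a bot that overrides its user agent or patches `navigator.webdriver`, so a clean result here only rules out the least sophisticated scripts.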
The impact of these fake viewers goes far beyond fake clicks–most established creators offer partner programs, where they earn a commission for mentions or ad impressions.
If those impressions are generated by bots, not real people, then the ad budget used to create and place those ads has essentially been wasted.
If it costs $2000 for 100,000 impressions, and 15-20% of those impressions are fake, that’s $150-200 wasted. Considering most advertising campaigns on these platforms measure impressions in the millions, the costs of those fake impressions can add up fast. Furthermore, with key performance metrics becoming skewed by fake traffic, decision making becomes increasingly difficult.
Get All the Details in the State of Fake Traffic Report
Want to know more about the state of fake traffic in 2023? Download the full report here to get a full overview of fake traffic threat groups and types, how fake traffic breaks down across traffic sources, and more.
In this 35-page report, we offer new insights into invalid traffic trends and statistics as we:
- Share invalid traffic rates and trends
- Examine prominent and growing threat types
- Compare invalid rates across 11 major industries
- Compare invalid traffic by region of origination
- Compare invalid rates for paid and organic traffic generated by leading ad platforms, search engines, and social media platforms
Download our free report today and learn about the latest trends and insights in the world of invalid traffic.