Black Friday is a big deal. The retail ‘holiday’ now encompasses nearly an entire week and generates revenue numbers equal to the GDP of a small country. For retailers, the holiday season is often a make-or-break quarter, and a good Black Friday, Small Business Saturday, or Cyber Monday can be key to success.
And while blockbuster deals can still get people out to the brick-and-mortar stores, Black Friday is increasingly an online affair: American consumers spent $8.9 billion online during Black Friday 2021 and $10.7 billion on Cyber Monday, and are expected to surpass that in 2022.
But where money goes, cybercriminals typically follow, and cybercriminals and bad actors have found plenty of ways to take advantage of retailers’ investments in Black Friday through various forms of bots, web scrapers, and fraudulent traffic.
Last year, we discovered that bots and fake users made up 35.7% of all online shoppers on Black Friday. Among the forms of fake traffic we uncovered were malicious scrapers and crawlers, sophisticated botnets, fake accounts, click farms, proxy users, and illegitimate users committing eCommerce-related fraud.
As we approach the 2022 holiday shopping season, we analyzed how bots and fake users affected eCommerce sites on previous Black Fridays, and used that information alongside current fake traffic rates to uncover the potential financial and operational impacts retailers can expect this coming Black Friday. The results are in our new report, How Bots and Fake Users Impact Sales on Black Friday 2022.
To build our report, we analyzed data from 233 million eCommerce site visits originating from all source types (direct, organic, paid), across a 6-month span (January – June 2022) and studied the validity of each site visit. From there, we were able to pull inferences from typical site traffic numbers, consumer spending patterns and media spending in the eCommerce space.
$368M Could be Lost to Fake Clicks on Retail Ads
Bots and fake users frequently click on advertisements they encounter online, either for purposes of ad fraud, to inflate marketing budgets, or simply to scrape a website for competitive users. This can be done on paid search platforms, advertisements on social media networks, and other forms of display and text ads.
The eCommerce industry is certainly not immune to these actions. Based on the standard rates of fraud that are encountered across retailer websites from paid sources, analyzed alongside the volume and frequency of advertising clicks during the holiday season, CHEQ predicts that retailers will lose about $368 million to fraudulent clicks this Black Friday alone.
Get the Full Story in Our New Report
Invalid traffic is a year-round problem, but Black Friday and the holiday shopping season are a period of increased activity among cybercriminals, and retailers should be prepared to deal with ad fraud, skewed metrics, and cart abandonment.
Learn more about fake traffic and how it can affect eCommerce websites this holiday season in the full Black Friday report, available here.
Traffic is the lifeblood of digital business, and by extension, the lifeline of the marketing department. Traffic determines who sees your messaging, where your site ranks, and ultimately, how many conversions you gain. But traffic isn’t always what it seems. On average, over 20% of site visitors are not what they seem, according to recent research.
This invalid traffic threatens ad revenue, clouds marketing metrics, and muddies conversion rates. To many marketers, it’s become a fact of life, an annoyance that cannot be effectively solved. But the problem is growing. Most fraudulent traffic today is highly sophisticated. Let’s look at the kinds of sophisticated invalid traffic affecting websites and ad publishers today, and examine some of the ways marketers can fight back.
What is Invalid Traffic?
Invalid traffic is web traffic that cannot turn into a legitimate customer. This could mean harmless bots like search engines’ web scrapers, or ad fraud botnets.
Google defines invalid traffic as “any activity that doesn’t come from a real user with genuine interest. It can include accidental clicks caused by intrusive ad implementations, fraudulent clicking by competing advertisers, advertising botnets and more.”
To Google, IVT is primarily a concern because it can be used to artificially inflate a publisher’s ad earnings, a practice that is against the Google Ads terms of service. But invalid traffic isn’t limited to paid traffic; it also makes up a large portion of direct traffic and unique site visitors, and has plenty of adverse effects downstream, from polluted marketing analytics to wasted remarketing efforts.
There are generally two types of invalid traffic (IVT): general invalid traffic (GIVT) and sophisticated invalid traffic (SIVT). Let’s take a closer look at both below:
What is General Invalid Traffic (GIVT)?
General invalid traffic (GIVT) is the kind of nonhuman traffic you would expect to routinely access your websites: bots, spiders, search engine crawlers, and other traffic coming from data center IP addresses known to site owners and advertisers. GIVT will generally identify itself as such and is easy to filter out of campaigns and metrics.
What is Sophisticated Invalid Traffic (SIVT)?
Sophisticated Invalid Traffic (SIVT) is invalid traffic that does not identify itself as such. SIVT could be competitors clicking on ads, bots scraping your website for pricing information, botnets built for ad fraud, or malicious users concealing themselves via proxies and VPNs.
What are The Types of SIVT?
SIVT can take various forms, depending on its goal. Common forms of SIVT include:
- Bots: Scripts running on headless browsers will mimic real humans and click on ads in order to generate fraudulent ad revenue.
- Cookie Stuffing: Cookie stuffing is a form of affiliate fraud wherein third-party cookies are illegitimately attached to a user and then used to falsify conversions.
- Adware: Adware can be used to generate traffic from infected users without their consent.
- Web Scrapers: Web scrapers can be used to gather competitive information such as pricing from your website.
- Concealed ads: Hidden or misleading advertising can be used to attract unwitting users with no chance of converting.
- Fraudulent proxy traffic: Proxies and VPNs can be used to mask fraudulent traffic.
How to Detect and Stop SIVT
So how can you detect and block SIVT? As a manual process, it can be a challenge, but there are some best practices that can be taken to achieve at least a baseline of protection. Let’s look at Google’s advice first.
Google’s Advice on Invalid Traffic
While Google does its best to prevent invalid and fraudulent traffic, they unfortunately do not offer much in the way of resources for publishers dealing with high volumes of SIVT.
In the eyes of Google, AdSense publishers are ultimately responsible for the traffic on their ads, and are more or less left to their own devices when it comes to protecting site traffic and advertising budgets from fraud and waste. However, Google does offer some advice to publishers to help mitigate SIVT.
Namely, Google urges publishers to avoid unscrupulous third parties, make sure AdSense implementations are rock solid, and to understand ad traffic and site visitors and watch for unusual behavior.
Best Practices for SIVT Mitigation
There are a few other manual methods for mitigating SIVT, and IVT in general. Let’s dive into a few techniques you can use to clean up your traffic within AdSense and other tools you already have.
Rethink Your Targeting
As marketers, it’s natural to want to put your messaging in front of the biggest audience possible, but overly broad targeting can easily leave your ad campaign open to invalid traffic and bad actors. To minimize both your ad spend and your exposure to invalid traffic, it’s important to be as granular as possible with your geotargeting. Excluding countries or regions known for high rates of IVT is an easy first step to reducing bad traffic.
On the same note, limiting the runtime of your ads to just your time zone’s waking hours can also limit exposure.
Check Out Your Ad Placements
It’s easy to keep track of where your ads are being displayed, but many businesses simply set up the ad with Google, and never think about it again. But there are thousands of websites out there that exist just to generate fraudulent ad revenue. Site owners set up a basic site, with little or no genuine content, host ads, then push fake traffic through the site and ads to generate ad revenue.
If you’re getting a lot of referrals, but no conversions, it’s worth taking a look at where those referrals are coming from. If you find a low quality site, it’s probably worth reporting to Google to stop the flow of bad traffic.
Monitor Your Site Traffic
Fraudulent traffic will often come in patterns (high volumes of clicks with low conversions, rapid clicks from a single IP address, etc.) that will give it away under keen observation.
Legitimate site visitors may visit your site multiple times while making purchasing decisions, but if a single IP begins arriving on a website from paid advertising in rapid succession, that’s a clear sign of abuse.
Patterns can vary widely by industry, geography or method of IVT, so it’s best to keep a keen eye on your site traffic. Take a look every day, get a feeling for the typical patterns of your site traffic, and try to identify patterns in bad traffic.
Once you’ve found what you’re looking for, it’s time to investigate your server logs for suspicious IP addresses and add those addresses to your blocklists and the blocklists of your advertising partners.
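One way to pull the "rapid paid clicks from a single IP" pattern out of a server log, as an added example that is not part of the original article or any CHEQ tooling. It assumes Combined Log Format, treats a `gclid` or `msclkid` query parameter as the mark of a paid click, and uses hypothetical thresholds (more than 3 paid clicks per minute) that should be tuned to your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined Log Format prefix: ip ident user [time] "METHOD url PROTO" status size
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+')
PAID_PARAMS = {"gclid", "msclkid"}  # click IDs added by Google Ads / Microsoft Advertising

def paid_clicks(lines):
    """Yield (ip, timestamp) for every request that arrived from a paid ad click."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ip, ts, url = m.groups()
        if parse_qs(urlsplit(url).query).keys() & PAID_PARAMS:
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def rapid_clickers(lines, max_clicks=3, window=timedelta(minutes=1)):
    """Return {ip: peak paid clicks inside one window} for IPs above max_clicks."""
    recent, peak = defaultdict(deque), {}
    for ip, ts in sorted(paid_clicks(lines), key=lambda click: click[1]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop clicks that fell out of the window
            q.popleft()
        if len(q) > max_clicks:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

# Constructed sample log (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    f'203.0.113.7 - - [25/Nov/2022:10:00:{s:02d} +0000] '
    f'"GET /deal?gclid=c{s} HTTP/1.1" 200 512 "-" "-"'
    for s in (1, 9, 17, 25, 40)
] + [
    '198.51.100.20 - - [25/Nov/2022:09:15:00 +0000] "GET /deal?gclid=x1 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.20 - - [25/Nov/2022:14:30:00 +0000] "GET /deal?gclid=x2 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.20 - - [25/Nov/2022:14:31:10 +0000] "GET /cart HTTP/1.1" 200 734 "-" "-"',
]

if __name__ == "__main__":
    for ip, n in rapid_clickers(SAMPLE_LOG).items():
        print(f"{ip}: {n} paid clicks within one minute")
```

The returning shopper at 198.51.100.20 clicks two ads hours apart and is not flagged; only the burst from 203.0.113.7 is reported.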
Inspect Packet Headers for Suspicious Data
Packet headers contain a lot of information: browser type and version, OS, and more. This information is extremely useful in uncovering disguised bad traffic.
For example, if you receive dozens of requests from the same IP address, but the packet header shows different device details for each visit, it’s fair to deduce that this IP is a proxy server. Malicious users also have their own calling cards. Typically Linux is used, and outdated browsers are easier to exploit. So a version of Chrome that is 10 or 15 updates behind is a dead giveaway.
In another example, if a user appears to be using a mobile device, but the packet header shows that there are browser extensions on that device, that is clear evidence of an attempt to disguise the source of the traffic and mislead you and your advertising partners, and should be investigated in further detail.
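The first two checks above, written out as an added example (not code from the original article). It assumes the "device detail" is the User-Agent request header already extracted per request, that the caller supplies the current Chrome major version, and that the thresholds (more than 5 distinct agents per IP, 10 or more major versions behind) are hypothetical starting points.

```python
import re
from collections import defaultdict

CHROME = re.compile(r"Chrome/(\d+)\.")

def chrome_lag(ua, current_major):
    """Major versions behind current_major, or None if the UA is not Chrome-based."""
    m = CHROME.search(ua)
    return current_major - int(m.group(1)) if m else None

def header_signals(requests, current_major, max_agents=5, max_lag=10):
    """requests: iterable of (ip, user_agent). Returns {ip: sorted list of signals}."""
    agents = defaultdict(set)
    for ip, ua in requests:
        agents[ip].add(ua)
    report = {}
    for ip, uas in agents.items():
        signals = set()
        if len(uas) > max_agents:
            signals.add("many-devices-one-ip")  # proxy or other shared gateway
        for ua in uas:
            lag = chrome_lag(ua, current_major)
            if lag is not None and lag >= max_lag:
                # Android user agents also contain "Linux", so exclude them here.
                desktop_linux = "Linux" in ua and "Android" not in ua
                signals.add("outdated-chrome-on-linux" if desktop_linux else "outdated-chrome")
        if signals:
            report[ip] = sorted(signals)
    return report

# Constructed sample requests (documentation-range IPs, synthetic user agents).
_UA = "Mozilla/5.0 ({}) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/{}.0.0.0 Safari/537.36"
SAMPLE_REQUESTS = (
    [("203.0.113.50", _UA.format("Windows NT 10.0; Win64; x64", v)) for v in range(102, 108)]
    + [("198.51.100.9", _UA.format("X11; Linux x86_64", 92))] * 12
    + [("192.0.2.33", _UA.format("Windows NT 10.0; Win64; x64", 107))]
)

if __name__ == "__main__":
    # 107 is a constructed "current" version for the sample data only.
    for ip, signals in header_signals(SAMPLE_REQUESTS, current_major=107).items():
        print(ip, signals)
```

Many devices behind one address also describes office and carrier NAT gateways, so treat these signals as reasons to investigate an IP alongside its click and conversion behavior, not as an automatic block.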
Set up IP Exclusion Lists
Through the above techniques, you’ll likely find a lot of IP addresses that need blocking. Google Ads offers an IP exclusion list, which lets you identify IP addresses you don’t want your ads served to. However, there is a limit of 500 IP addresses per campaign, which is easy to hit, since fraudsters and bad actors constantly change their IP addresses through proxies and other methods.
Manual IP address exclusion management is a best practice for a basic level of protection from SIVT, but it is a labor intensive and tedious process, and Google’s limited exclusion list size limits its effectiveness greatly.
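Because the list is capped and offenders rotate addresses, the manual process comes down to deciding which 500 entries earn a slot. The sketch below is an added example, not part of the original article: it drops invalid and stale entries, then ranks the rest by invalid clicks and recency. The input shape, the 30-day expiry and the function name are assumptions.

```python
import ipaddress
from datetime import date, timedelta

GOOGLE_ADS_LIMIT = 500  # per-campaign IP exclusion limit described above

def build_exclusions(sightings, today, max_age_days=30, limit=GOOGLE_ADS_LIMIT):
    """sightings: {ip_string: (invalid_clicks, last_seen_date)}.

    Returns (kept, overflow): kept fits the limit, overflow lists the
    still-fresh offenders that did not get a slot.
    """
    fresh = []
    for ip, (clicks, last_seen) in sightings.items():
        try:
            addr = ipaddress.ip_address(ip.strip())
        except ValueError:
            continue  # typo or hostname in the spreadsheet: never upload it
        if today - last_seen > timedelta(days=max_age_days):
            continue  # rotated away; stop spending a slot on it
        fresh.append((clicks, last_seen, str(addr)))
    # Most invalid clicks first; ties broken by the most recent sighting.
    fresh.sort(key=lambda s: (s[0], s[1]), reverse=True)
    ranked = [ip for _, _, ip in fresh]
    return ranked[:limit], ranked[limit:]

# Constructed sample sightings (documentation-range IPs).
SAMPLE_SIGHTINGS = {
    "203.0.113.7": (40, date(2022, 11, 24)),
    "203.0.113.8": (40, date(2022, 11, 20)),
    "198.51.100.5": (90, date(2022, 9, 1)),   # heavy offender, but stale
    "198.51.100.6": (12, date(2022, 11, 25)),
    "192.0.2.44": (3, date(2022, 11, 23)),
    "not-an-ip": (99, date(2022, 11, 25)),
}

if __name__ == "__main__":
    # limit=3 only to make the overflow visible on the small sample.
    kept, overflow = build_exclusions(SAMPLE_SIGHTINGS, date(2022, 11, 25), limit=3)
    print("exclude:", kept)
    print("no slot left for:", overflow)
```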
Stop SIVT with Go-to-Market Security
As outlined above, manual mitigation of invalid traffic is possible, in a limited scope, but it’s labor intensive, and probably not the most cost-effective use of your team’s time. Not to mention, it can take weeks or months to properly set up, leaving your site exposed to bad traffic in the interim.
For businesses serious about protecting their pipeline, a comprehensive go-to-market security platform will help automatically detect and block invalid traffic in real-time, whether the source is paid, organic, or direct, and provide better insight into marketing analytics.
Cheq Paradome leverages thousands of security challenges to evaluate site traffic in real-time, determine whether a visitor is legitimate, suspicious, or invalid, and take appropriate action in blocking or redirecting that user. For paid traffic, Paradome automatically updates IP exclusion lists to reflect the constantly changing threat landscape, saving you valuable time and ad spend.
Book a demo today to see how Cheq Paradome can lower your CPA and protect your go-to-market efforts.