Ultimate Guide to the Threat Types seen in GTMSec


Marketers and analytics professionals are increasingly realizing the importance of protecting their campaigns and customer acquisition funnels from invalid traffic. Users who have no possibility of becoming real customers can clutter businesses’ websites and digital assets, effectively skewing data to the point where important company decisions are being made based on false information. These users are referred to as invalid users and, regardless of intention, can be incredibly harmful to your marketing efforts.

This article covers the top three categories of threats as well as 18 specific threat types. By understanding exactly what types of invalid users are threatening the accuracy of your data, you can better protect your platforms. Since many issues can arise from invalid activity – from skewed optimization to polluted audiences and resource misuse – marketers who educate themselves on this topic can get ahead of the issue before it becomes detrimental to business.

Invalid Malicious Activity

This type of user creates invalid activity purposefully with harmful intentions. This category typically refers to human users, but the channels they utilize and their ultimate goal can vary. Sometimes malicious users are competitors who want to run your campaigns out of budget or give you misleading data. Malicious users could also be trying to steal information or hijack accounts. Maybe they have been hired by another entity to artificially increase traffic through repetitive clicks or repeated actions. Regardless of specifics, any malicious activity can be incredibly damaging to your acquisition efforts and should typically be blocked from all areas of your customer acquisition funnel.

Excessive Rate Limit

This type of action describes an excessive or unusually high number of submissions, actions, or clicks. Sometimes this is in the form of repeatedly hitting capacity for invalid actions (like incorrect login information). This is typically carried out by users who are posing as legitimate users but do not have any intention of following through and converting or working with your business.

Network Anomalies

This type of threat describes behavior that includes one or more attributes (e.g., IP, user cookie) associated with known irregular patterns. This includes non-disclosed auto-refresh traffic, duplicate clicks, and attribute mismatch. However, to be a network anomaly, it must come from a network of devices rather than one individual or device.

Behavioral Anomalies

Behavioral anomalies occur when individuals are found to have hostile intentions based on behaviors or actions toward digital assets that draw red flags. Different from network anomalies, these unusual actions are taken by one individual person on a device rather than a network of devices.

False Representation

False Representation, also known as “user agent spoofing,” occurs when the user information is modified with the intention of being misleading about who they really are. Bots are frequently programmed to hide their tracks and mask their identity in this way, but sometimes, users do this as well, which is where this type of malicious user fits in.

Disabled JS

When the browser’s JavaScript is disabled, certain features on a website might not work. In other cases, the website might not operate completely, or you’ll be stuck using an incredibly old version of the page. This changes the way a website appears and reduces someone’s chances of converting.

Disabled Cookies

Malicious users frequently disable cookies so they cannot be tracked. This changes the way they interact with a site because some features might not be accessible without enabling cookies. For example, the way they move throughout a site and the pages they view or click on are not available to a business. This is sometimes purposely done so they can interact with your assets without becoming a lead or customer in your system.

Click Farms

This type of fraud organization is typically groups of workers readily available for hire. They are paid to rapidly click on content or ads in order to manipulate data. Click farms have people clicking on ads with no intention of converting.

Click Hijacking

Click hijacking occurs when a valid user clicks on an asset that appears to be legitimate, but it is actually a malicious element in disguise. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

Invalid Suspicious Activity

Any activity that comes from a questionable or unidentifiable source, or activity that is abnormal and raises concerns, is typically categorized as suspicious. There are many reasons why someone might want to mask their identity online or submit an action multiple times. The intentions could be harmless, but if that user has no chance of converting because of the barriers in place, then you’ll probably want to either monitor or potentially block this traffic. It is also important to keep in mind that suspicious users are malicious some of the time. Even when someone is not trying to steal information or hijack an account, they still skew our data and provide misleading information if we don’t keep a close watch on them.


A proxy is a middle-man tool that masks a user’s identity and location but is not exclusively used for malicious purposes. However, since proxies make it easier for users to be anonymous, these types of tools can enable someone to manipulate traffic counts or pass on invalid traffic that would have otherwise been filtered out.


A VPN, or virtual private network, is a common type of proxy. The main distinction is that VPNs have the added security of encryption. This allows users to access websites that normally would have been out of reach, which skews data and manipulates traffic, which causes inaccuracies in location and user information that a company might try to analyze.

Data Centers

Data centers are physical locations where computer technology stores data for many different users. So this type of activity comes from those centers rather than an individual device like a laptop, smart phone, or desktop computer. This should be flagged because it is not able to convert the way a user on an individual device would be able to.

Abnormal Rate Limits

Abnormal rate limit occurs when a user performs an unusual number of actions or requests on a particular advertisement, website, or other assets. Abnormal rate limits do not necessarily equate to malicious activity, but they can sometimes come from users trying to imitate someone else and not succeeding, therefore raising a red flag on the website.

Invalid Bot Activity

Different from malicious and suspicious users, bots are not users at all. Instead, they are automated tools or systems that perform actions through preprogrammed technology. Some bots were created specifically to carry out malicious actions, while others perform mundane tasks and scan websites for information. However, regardless of why a specific bot was created, it is not a real user and, therefore cannot turn into a customer and cannot contribute to your customer acquisition efforts in a meaningful way. Similar to the other categories of threats, bots should be monitored and typically removed from your analytics to provide more accurate and protected information on your platforms.

Malicious Bots

While there are many types of bots, and not all are bad-intentioned, malicious bots certainly are. Malicious bots are specifically designed to steal personal information, commit fraud, or commit some form of cyber crime. They can sometimes be referred to as “malware,” and can enact a variety of attack patterns.

Automation Tools

These are tools that are used to perform an automatic activity, usually repetitively, fast, and at scale. While automation tools are used for many purposes, since they are bots, they can not convert or complete real actions that a valid user could.


Scrapers typically scan your website, looking for a specific target or piece of data. This frequently occurs on e-commerce websites with the intention to find prices to then sell items for slightly less and therefore gain more customers than the competition. Scrapers are looking for information and cannot become real users or customers.

Known Bots & Crawlers

These bots are sometimes considered “good bots” because they do not have malicious intent and are commonly found on the internet for innocent purposes, including content indexing. However, since they share some characteristics with malicious bots and cannot convert, it’s important to keep an eye on them when evaluating data and analytics.


These are bots that actively send out large quantities of messages to users, typically through email. Spam bots can create many accounts and send out these messages to the masses in a quick way, but they are not real users and do not intend to convert in any way.

Account Takeover

An account takeover occurs when one malicious user imitates the identity of another genuine user by using their account or profile. There are many types of accounts that could be taken over by malicious users, including social media profiles, bank accounts, email accounts, television or streaming subscriptions, and more.

Now that we’ve identified the key types of threats to your customer acquisition funnel, it’s time to take action. One of the best ways to protect your platforms against invalid activity is to implement Go-to-Market Security (or GTMSec) technology. CHEQ is a leader in the cyber security space and is the premier provider of GTMSec technology to businesses with various objectives. CHEQ has the capability to protect all major platforms through behavioral analysis, invalid user detection, and user identity validation. Many of our customers have seen revenue uplifts, more accurate analytics, increases in conversion rates, and other major uplifts to their businesses. To learn more about how CHEQ works, schedule a demo with our team today.

Latest Posts

Ready to secure your
Go-to-Market efforts?

Get started