igaming faces attacks from high-rolling bots

With bricks and mortar casinos closed due to the pandemic, more people have settled down to online plays.

In the UK alone, online casinos and igaming have seen a 25% increase in people trying out internet gambling, and 38% chancing their hands at online poker. With this rapid increase in igaming, the house has been paying out, through rising paid customer acquisition. So much so that online gaming ad spend has tripled in many countries during the lockdowns of 2020 and 2021.

However, due to an arsenal of digital threats, from networks of bots to click farms, igaming has faced new threat levels of sophisticated attacks on ad budgets with real users, replaced with fakes.

The fraud follows the money. As we see, customer acquisition for gaming increased in countries including the UK, India, Brazil and Germany (Americans face a patchwork of state laws that give limited options for lawful online betting). In each of these countries the rate of attacks on paid customer acquisition have increased. Using sophisticated means to drain competitor’s ad budgets, bad actors have been able to skew data and help themselves to money from online casinos, skimming off the top.

14% of all online gaming user acquisition clicks are invalid

CHEQ for PPC is increasingly used by many of the leading names in ingaming to root out millions of dollars of user acquisition fraud. CHEQ has found that around 14% of all clicks on online gaming ads are invalid, coming from geographically irrelevant countries and hidden through location obfuscation. Across user acquisition campaigns we detected millions of mismatches between the declared browser, and the actual user agent. That this occurs at such high volumes indicates the fraud originating from click farms, masquerading as legitimate users. And during the initial pandemic related lockdowns in 2020, fraudulent traffic surged by around 21%.

There are several specific attacks on customer acquisition spend facing online casinos. Here are five that hit hard.

1. Affiliates and Click Outs

The $60 billion online gambling sector depends on affiliates. With the rise in bad actors, affiliates have seen plummeting “clickout rates”. They describe this as where  a user deposits money for the first time  that an affiliate provider gets paid. This has been subject to bot competitor attacks designed to deplete ad budgets and bring down rates of new customers.

2. Bots clicking keywords

Every time a click on a crucial keyword is made – the advertiser must pay out even if it is invalid. In igaming this often means clicking on the brand name of the company and most common phrases searched. To put it in context, there are 450,000 searches for the keyword ‘online casino’ each month, and the average click costs around $30. Bot attacks are an attractive way for bot-driven attacks against competitors in a highly competitive online space.

3. Bots spin free plays

Once in the funnel, large armies of bots spin their way to lots of free plays. In one case a leading online brand created a digital campaign targeting new players to receive an €8 free play without paying any deposit. The bots “play” until they win and then cash their winnings. The techniques used by fraudsters included the use of Navigator Webdriver, where the user agent of the bot is controlled by an automated script. It also involved spoofed user agents, where the bot’s user agent was passing back false information about the platform and the devices accessing the site.

4. igaming sees 15-30% of clicks from existing users

Igaming also faces the challenge that many of the biggest spending PPC brands see between 15-30% of paid traffic clicks coming from existing users. This often means that a registered or converted user is clicking rather than new users that ads are designed to attract. To take a typical example seen, in some case one user is clicking 500 times in one week on ads. This is not a problem for all verticals but is especially acute for igaming as online gambling is prevented from using audience targeting/audience exclusion on ad platforms with such restrictions increasing. This means many companies cannot exclude returning users. This means they spend millions  of dollars on targeting existing customers needlessly. CHEQ for PPC has the unique feature which creates controls over the amount of clicks coming from each user within a preset time and customizing this to the needs of a specific client. The platform can  protect from spending money on good users (who have already converted), as well as out-and-out criminals seeking to deliberately destroy igaming ad campaigns.

5. Early raids drain user acquisition budgets early in the morning

Raids on gaming budgets see peak bot attack at 5am, CHEQ has found. In a sense this reflects the no clocks/windows of Vegas casinos when time can get away from a player. But for bot clicks on customer acquisition campaigns, this early morning bot activity is in sharp contrast with the peak time we record real online players are spending real money – this peaks at 11pm. The case of one leading UK gaming site shows the bot click rates peaking early in the morning and draining their customer acquisition budget through replacing real users with fake users.

How online casino brands are stopping user acquisition fraud

Ploys by bad actors to cheat physical casinos have been around a long time. Bad guys in person have traditionally used fake glasses, and moustaches. In attacks on the millions spent on online user acquisition campaigns, bad actors use bot versions of disguise, using data centersheadless browsingVPNs, stolen credentials, and residential IP cheats to pretend to be someone else. While facial recognition has long been used to catch persistent cheaters in physical casinos, CHEQ for PPC offers a cybersecurity version. The cybersecurity-based customer acquisition security includes 1,000 sophisticated honeypots to the user’s browser, to uncover discrepancies between the declared data and the actual data. This ensure a user is human and a valid potential customer.

Online casino operators see igaming as a vital source of revenue emphasized furtherduring the distancing restrictions of COVID-19. Now new technology to spot the bad guys is shifting the odds back in their favor.

CHEQ for PPC is the first solution to block invalid clicks across multiple platforms including Google, Facebook, Instagram, Baidu, Bing, LinkedIn, Snap, Twitter, Pinterest, Yahoo, Yandex and more CHEQ is a cybersecurity company that drives revenue efficiency by eliminating fake users from your customer acquisition.