Avelon wins Best Value, Best Functionality & Features, Best Ease of Use and Best Customer Support on Capterra. What is Affiliate Bot Fraud? Bot & Fraud Detection Technology, explained.
Affiliate bot fraud is a type of digital fraud in which automated bots simulate human activity to generate fake conversions, clicks, or sales in affiliate marketing programs. Fraudsters use these bots to manipulate tracking systems and earn commissions dishonestly from affiliate platforms.Β
This type of fraud occurs when a network does not vet their affiliates and works on an ‘open program basis’ – meaning anyone can sign up and use their network, regardless of whether they’re trying to fraudulently use the system or not.
There have been attempts within the affiliate industry to create technology to help merchants combat this fraud. The most widespread of example of this being a merchants ability to approve or deny an order through most networks – but this requires an actual human to manually verify every order between the eCommerce system and the affiliate network. It’s a lot of work.
We like to address this issue at its root and this article will explain just how we do that. Oh and if you like, you can skip ahead to certain bits which are most relevant to you:
What actually is a bot? Are there good bots? Examples of bots
A bot isn’t an actual robot sitting at a computer, moving a mouse and pressing letters on a keyboard. A bot is a piece of code (script) developed by a programmer (a person who writes code) to perform certain tasks in a sequence.Β
An example of a bot is Google Search Console’s “crawler”. This bot crawls (like a spider) the internet clicking billions of links to create an index of all the web pages in the world. Just like the Yellow Pages (rest in peace) used to manually go to businesses and ask for their telephone number – Google uses a bot to do this but on a much larger scale.
Another example of a bot is any software that loads links before you have clicked them. If you’re in the business world, then you’ll be most familiar with LinkedIn’s link previewer, where if you paste a link into a post it’ll automatically add the image and create a bio for that piece of content. Other examples are Slack’s messaging feature which performs the same task at LinkedIn’s feature and Outlook’s security feature that crawls the page of the link before allowing you to click it.
When these bots do their job, they count as a click on your reporting software. Aside from Google Analytics (because Google are the tracking kings/queens) – WooCommerce, Shopify are all the others class this bot traffic as clicks.Β
But not all bots are good bots.Β
What are bad/malicious bots? Examples of bad bots in affiliate marketing
Malicious bots are designed to mimic humans and perform fraudulent activity. Whether that’s clicking links thousands of times, overloading servers to exploit vulnerabilities or even stealing data.
Bots are a pain in the arse for tracking companies – but because they are simply a piece of script designed to perform a specific action and generally aren’t that smart, they leave behind little breadcrumbs that we use to detect foul play. We prefer to say “little crumbs of sh*t” in our office, because we hate them.Β
That’s not us bashing any good bots by the way, just the naughty ones.
The most common example of bot activity in affiliate marketing is click fraud. Click fraud is pinned down to a script designed to click a link multiple times in order to drive fake traffic to a merchants site. Basically, instead of someone sitting there and clicking a link themselves, they’ve got a bot to do it for them. But why?
Merchants and affiliates all have specific agreements in place. Some may want commission only but some may want to be paid per click to incentivise brand awareness / bump the merchants promotion up the ranks. If a merchant has agreed a CPC (cost per click) with an affiliate without properly vetting how the affiliate will be promoting the merchant – then they can be opened up to click fraud.
Most of the time, click fraud comes from a few specific types of affiliate: browser extensions, cashback websites and coupon clubs. We’re not saying they’re all bad; but we recommend vetting all your partners properly before affiliating them.
Are browser extensions like PayPal Honey classed as affiliate fraud?
There’s genuinely no rules around browser extensions and the way they can potentially commit affiliate marketing fraud. In fact, it’s widely debated whether it’s fraudulent at all and some merchants are so focused on driving sales growth, they don’t care about browser extensions hoovering up all the sales…legitimately or not.
The below video by MegaLag caused huge uproar in the affiliate marketing world because people never actually read or bothered to understand how PayPal Honey actually worked or how it was attributing so many sales.Β
If you don’t want to watch the video, I’ll outline it for you here:
PayPal Honey is a browser extension designed to get you the best deals when you’re shopping online. It crawls the internet (acting as a bot) finding the best coupon codes and automatically applying them to your cart when you go to checkout. Sounds great for consumers, right? Well, it’s a nightmare for affiliate marketers.
PayPal Honey doesn’t perform this service in an ethical way. You see, the affiliate industry typically works on something called last click attribution. Last click attribution means that the last affiliate you interacted with before making a purchase earns the total commission. It makes it incredibly simple for platforms to track attribution because, well, there’s only one affiliate it could ever be attributed to. The previous interactions just get wiped out.
The problem with this is 74% of all affiliate sales have multiple touch points (at least, that’s what we’ve figured out). Whether that’s from clicking a link from a content creator, a publisher or even on a podcast – everyone has done their job.
And this is why PayPal Honey is so controversial: they don’t even require a touch point (you to visit one of their web pages) when you’ve got their browser extension installed. When you press that ‘apply discount code’ button on the pop up, they create a ‘simulated referral click’ in a new tab and close it again before you’ve even noticed – making it look like you came from one of their web pages.
From there, PayPal Honey creates its own cookie and overwrites that original cookie in the users browser to ensure the sale gets attributed to them, hoovering up all the commission.
What’s worse is that even if you go to purchase something with their browser extension and decide not to, PayPal Honey STILL overwrites the cookie and ensures the previous affiliates tracking doesn’t exist. Crazy, right?
There are hundreds of versions of PayPal Honey out there, which is why we highly recommend vetting and doing your research into more ‘automated, spurious’ affiliates before working with them. In fact, it’s why we don’t work with them in the first place and why we work on split attribution instead of last click attribution. We believe everyone in the affiliate chain should get a cut.
How can bot fraud be detected in affiliate marketing?
Whilst we can’t give away all our secrets, we can highlight some of our basic techniques (not our advanced ones) we use. Also, with the rise of AI in development circles, bots are figuring out ways to mimic human activity on the internet and get around security protocols –Β therefore we have to constantly evolve our bot and fraud detection capabilities.
Some of the top-level ways we detect and eliminate bot activity include; IP address tracking, detecting irregular traffic spikes and high page view sessions and our favourite, device fingerprinting.
But, what happens when a bot is detected? Does it count as traffic in my affiliate program?
How Avelon eliminates bot traffic
Avelon was voted the most transparent affiliate platform in the world for good reason: because we don’t take no sh*t and provide the most comprehensive, correct tracking metrics around. In fact, of the 300 merchants we work with, every single one has stated that our tracking metrics are more reliable than Google or their own actual eCommerce platform. We’ll get onto that later…
Right now, though – the outcome of us detecting bot traffic is pretty simple:
- We detect the bot traffic
- We block, report and ban that bot’s credentials from engaging with our links
- We do not report the traffic as a click or a conversion
Does this mean Avelon's Dashboard reporting will be different to Google Analytics?
Potentially, yes.Β
At the end of the day, it comes down to a mixture user consent, technology provider, tracking tools, attribution techniques and many more. For example, Google Analytics (GA4) may show 1000 users but Avelon shows 1500 users – this is because GA4 is significantly impacted by cookie consent/GDPR banners and ad blockers.Β
At Avelon, we don’t sell your data and primarily use it for reporting in your Dashboard, whilst GA4 is a data collection tool and feeds into Google Ads, so Google are using your data to power their ad system. Remember the old saying, “if the product is free to use, then YOU are the product“?
All our data is anonymised, encrypted and then stored with enterprise grade security. Our cookies are first-party and classed as essential to the operations of the website, which means they do not require consent.Β
I won’t get into too much detail here, but if you’d like a true understanding of your traffic, just check out your Dashboard. It’s 100% accurate.Β
Contact Support
If you require any support on the above, please contact the Support Team.
- Contact Support Team