ad fraud data and facts logo
New Research Report: Quantifying The Cost Of Ad FraudView Now
New Report: Quantifying The Cost Of Ad Fraud View Now

Honeypot: Your Secret Weapon to Easily Identify Bots

What is a honeypot

Have you experienced fake leads from your form submissions on your website?

It’s extremely rare to NOT have any fake leads coming in from your ad campaigns when 25% of internet traffic is comprised of bad bots.

Fake leads can appear in many ways:

  • Repetitive names
  • Email addresses that don’t work
  • Names that clearly look fake
  • Wrong phone numbers
  • Multiple submissions from the same IP addresses
  • Leads that simply have abysmal contact or sales rates

People submit leads for many different reasons, however the most common reason for fake leads is because the user (or bot) is paid for submitting the lead – either from the initial ad click or after submitting the form. Fake leads are especially common if you’ve worked with affiliates where they are often paid per lead submitted (a “cost-per-lead” model).

Creating a “Honeypot” is an easy way to help you reduce or eliminate your fake leads and improve your advertising performance.

What is “form spam”?

“Form spam” is the filling out of forms on websites by malicious actors with the goal of generating profits by providing scam information, phishing links or by receiving payouts from advertisers.

Form spam is typically performed by a bot that is programmed to look for forms on the web and fill them out at scale without any real purchase intent.

Advertisers that buy media using a pay-per-lead model (CPL), such as with affiliate programs, are especially ripe targets of form spam as the spammers are paid each time they complete a lead form. While humans can also create fake leads and earn commission, bots can perform the same task at scale, while still maintaining the illusion of a human user.

Form spam can also increase the perceived success of an ad network. For example, if an advertiser is testing ad campaigns on a new display network, they would be more likely to increase their spend with that network if the traffic produced a high rate of form submissions. A bot can produce these results unbeknownst to the advertiser that the leads are fake.

Overall, form spam is a nuisance to website owners as it can interfere with their performance analytics and it can be very difficult to detect since their behavior mimics humans.

Why a CAPTCHA doesn't work

For nearly two decades, CAPTCHAs have been widely used to protect against bots. But today bots are much more sophisticated and can easily defeat or bypass CAPTCHAs.

A recent study from Cornell University, shows that bots are far more successful at completing CAPTCHA then humans. Thus, using it may even be counter-productive by causing you to believe your leads are more qualified, while, in fact, it could be the opposite.

captcha v honeypot

Image: success rates of CAPTCHA by bots and humans

What is a honeypot?

A honeypot is a technique designed to attract and trap form bots and other types of web bots.

For advertisers, CAPTCHAs have high success rates by bots and they also don’t identify the source of where the bots came from. 

On the other hand, a honeypot enables the bot to actually submit the form successfully and you can capture additional identifiers, such as IP address, to potentially block that user or source in the future. 

How to create a powerful honeypot

It works by adding a “hidden” field in the CSS. This field is invisible to humans, but since bots read the HTML on the page, they see the field and fill it out. When you review the results, any traffic that completed the form is fraudulent and you should immediately pause all campaigns from those sources (You should also get a refund. Here’s how to get a refund from Google Ads)

Here’s visually how a honeypot works:

How a honeypot works

Image: how a honeypot works

Tips to create a honeypot:

  • Create an additional “hidden” field and use real fields that closely resemble the other fields on the page. These may include “phone number,” “second phone number,” “fax number,” “middle name,” etc.
  • Don’t make the hidden field complicated such as entering “date of birth.” It should be text only answers.
  • Ensure the styling of your hidden field matches the other fields. It should look the exact same including any bullet points, font treatment or adjacent icons.
  • Make the field optional. 
  • To hide the field add the CSS style “display: none !important”. However, bots often look for this code, so the best option is to use a class that contains a random word other than “hide” or “display: none”
  • Consider using multiple hidden fields on the page in case the bot skips one of them.
  • Track the source of your form submissions. Most ad networks allow you to see the website that you’re purchasing traffic from. Make sure you connect your leads to a source and block the ones that are submitting leads with hidden fields filled in.

Bots can also ruin your advertising performance by clicking on your ads and draining your ad budget. Fraud Blocker helps protect you from all forms of bots and ad fraud. Try our free 7-day trial and improve your results today.


More from Fraud Blocker