We all know about affiliate marketing. A company looking for new customers asks affiliates to find them leads. In exchange, the company pays the affiliate for each lead generated, following the classic cost per lead (CPL) pricing model.

We also know that if you pay someone to do something, they’re going to find a way to cheat the system. Dishonest affiliates looking to make a quick buck will do anything for leads, such as buying low-quality traffic, incentivising traffic, and using bots to fill out forms.

Unfortunately, affiliate fraudsters aren’t the only ones making the connection between form fills and bots. Following their lead, bad actors behind click operations have started to use fake form fills to keep their “businesses” afloat.

But how exactly does that work?

Gaming the System

Let’s pretend you’re a fraudster who makes quite a bit of money driving bot traffic to display campaigns. A display ad pops up, your traffic clicks through, and you get paid. It’s a simple business model. But programmatic platforms have noticed that your traffic clicks but doesn’t convert once it reaches a landing page—a major red flag.

At risk of getting shut down, you tell some bots to scan landing pages for lead forms, like email subscription sign-ups or ebook download offers. The bots then fill out the forms to trigger a conversion.

In the programmatic platforms’ perspectives, a “user” that fills out a form after clicking an ad looks a lot more real than one that bounces immediately upon hitting a landing page. Since some of your traffic “converts,” the platforms decide you’re legitimate and leave you alone. Once back under the radar, you can continue your click fraud operation without fear.

In these types of scenarios, the fraudsters aren’t getting paid for the form fills, as they would with affiliate marketing. Instead, the form fills are simply measures taken to keep their other click fraud methods alive.

Risky Business

Fake clicks and bad traffic will certainly wreak havoc on an advertiser’s bottom line. But for those in the lead generation space, it’s the form fills that carry a heavier monetary risk.

While some bots just submit gibberish, others are sophisticated enough to provide seemingly valid information in a form, like a real phone number or email address. If the form’s owner doesn’t properly vet the “lead,” then they could run into a TCPA noncompliance issue.

Let’s now pretend you’re an insurance company on the other side of the form. You notice someone named John submitted information requesting a quote on car insurance. Everything about the lead, from the name to the phone number, appears legitimate. So you pick up the phone and make the call.

John answers and you ask him to verify his name and number. He says they’re correct. But when you mention the insurance quote inquiry, he says he never filled out a form. Since technically you contacted John without his permission, you broke TCPA rules and could face $500 to $1,500 in fines if John files a complaint.

Block the Bots

The best way to avoid TCPA noncompliance is to stop bots from reaching your forms in the first place, but that’s easier said than done. Fortunately, you can take some precautionary measures to reduce fraudulent form fills.

The honeypot technique is a tried-and-true trick used to identify bot submissions. Setting up a “honeypot” field on your forms is actually pretty easy. Within your site’s source code, you create an invisible form field using CSS. Human users don’t know it’s there, but bots do. If some of your submissions have the hidden field filled out, then that probably means bots were hard at work.

Another popular bot detection method is the CAPTCHA program. CAPTCHA puzzles are designed to prevent bots from completing certain actions, like submitting forms, posting comments, and making monetary transactions.

A CAPTCHA puzzle usually consists of a visually distorted word in a box. Hypothetically, only humans can decipher what the word says, which they type into a field. If the word is entered correctly, then the user can continue. If not, then they’re blocked.

Although some argue that CAPTCHA is on its way out, you should still consider adding a CAPTCHA form to your site until the next best thing comes along.

If you’re buying traffic, ask your sources if they use a traffic filtration or validation system of some kind. If they don’t, consider working with sources that do. Remember though, not all systems score traffic the same way, so you might have to shop around to find one that meets your needs.

This post originally appeared on Anura.