Detecting and mitigating fraudulent lead activity or bot behaviour is essential for ensuring data integrity and compliance. These features protect against inaccurate data and help businesses focus on genuine leads
ReCapture
Our form builder allows you to quickly and easily apply a reCapture field to your forms, which offers fraud and bot protection capabilities against the most sophisticated targeted and scaled attacks.
Adding a ReCapture field is as simple as adding the input type to your form and saving.
HoneyPot Implementation
By implementing a hidden field in your forms, it’s often possible to trick a bot to populate that field and using Convertr’s powerful validation rules to reject those records. This is called a HoneyPot and a well known method for tricking and identifying bot activity.
To do this in Convertr, simply add a hidden field with a name which a bot will see, but will be hidden for a legitimate user. How you name the field is important, it needs to seem a legitimate field in order to trick the bot, so we recommend a variation of another field you’re already collecting but with a different naming convention - this makes it look legitimate to a bot, but as the field is hidden a normal user wouldn’t see it, ‘personal_email’ is a good example of this, where the actual field you’re looking to collect is just ‘email’.
In your campaign rules, you then add a Simple Conditional field which will pass if the ‘personal_field’ email is empty. If the value is populated, then you know that it’s likely it was populated programmatically in some way.
Rapid Post Check
Another way to detect potentially fraudulent and bot activity is to leverage our Rapid Post validation check. This rule will look for any leads created from the same IP address within a specific timespan (30 seconds by default) and mark them as invalid.
Duplicates based on IP Address
Convertr has a wide range of deduplication rules that you can apply to any piece (or multiple pieces) of data you’re collecting. If you’re using our forms, it’s easy to set up a duplicate check on an IP address. This will allow you to control the number of leads you see from a single IP address which can be a clear indication of fraudulent activity.
Please note this is only applicable when using our forms as a lead source and not applicable to connected apps or imports.
Live Email & Telephone Validation
Our form builder comes out the box with a live email and telephone validation check, which will perform a live lookup on the entered telephone number or email address and prevent the form being submitted should it not be considered ‘live’.
Other Mechanisms
Other techniques such as fingerprinting, checking for mouse / keyboard interaction and time spent on the form can be good ways to detect bot activity.
The following set up will add a value of ‘suspicious’ if the user is missing certain browser features (indicating it’s likely not a traditional web browser), if the form is submitted in less than 3 seconds or no mouse or keyboard interactions are detected. You can then use a validation check on your campaign to flag any leads which have a value of suspicious as a value.
To implement this, you’ll need to add a HiddenInput type to your form and give it the name “b_status”.
Next, the following javascript can be added to your form through the Javascript tab:
const isLikelyBot = () => {
const suspicious =
!navigator.languages || // Most browsers report this
!window.screen || // Should exist
navigator.webdriver || // True for headless Chrome
!navigator.userAgent || // No UA? Suspicious
window.outerWidth === 0 || // Window manipulation
window.outerHeight === 0;
return suspicious;
};
if (isLikelyBot()) {
document.getElementById('form_b_status').value = 'suspicious';
}
let userInteracted = false;
let formLoadTime = Date.now();
document.addEventListener('mousemove', () => userInteracted = true);
document.addEventListener('keydown', () => userInteracted = true);
if (document.querySelector('form')) {
document.querySelector('form').addEventListener('submit', function (e) {
let timeTaken = (Date.now() - formLoadTime) / 1000;
if (timeTaken < 3) {
document.getElementById('form_b_status').value = 'suspicious';
}
if (!userInteracted) {
document.getElementById('form_b_status').value = 'suspicious';
}
});
}
Finally, configure your Simple Conditional Validation rule to reject any leads which have the value suspicious on the b_status field.