# Reason Codes Reference

*Event Risk reports* contain *reason codes*, which are standardized identifiers used to explain the cause for a particular action, event or click, depending on the nature of the reason code.

<details>

<summary>Spiders and Bots</summary>

Risk Level: <mark style="color:$danger;">Critical</mark>

**Applies to clicks only.**

A click was generated by an automated web crawler (a'bot) rather than a person. These are software programs that systematically browse the internet to index content for search engines.

The crawler identified itself as non-human in its connection details, so it won't be counted as real user activity.

This type of reason code has an extremely low false positive risk.

</details>

<details>

<summary>Image Click</summary>

Risk level: <mark style="color:$danger;">Critical</mark>

**Applies to clicks only.**

A click was generated as a result of a page or ad loading, without any interaction or intention from a user to click on the link or ad.

Image clicks are usually a malicious attempt to defraud CPC or CPA programs by generating hidden clicks while users browse the internet unknowingly. Rarely, they can result from an innocent bad implementation on a partner’s website, but even then, they still cause misattribution to the partner.

This type of reason code has an extremely low false positive risk.

</details>

<details>

<summary>Data Center</summary>

Risk level: <mark style="color:$danger;">High</mark>

**Applies to both clicks and actions.**

The IP Addresses that the clicks and actions originated from belong to a data center e.g. AWS or Google Cloud.

Clicks and actions with `REF_datacenter` are an action-level reason code. The `REF_` indicates that the action's `REFERRER` is the cause of the risk flag. In this case, the IP address of the `REFERRER` was a data center.

Clicks and actions from data centers can fall into 2 main categories:

* Malicious attempts to defraud your program.
* Innocent clicks that are non-human. These clicks are part of partners inadvertently buying invalid traffic or webscrapers.

This type of reason code has a very low false positive risk. Occasional false positives can result from partners implementing tracking links in an unsupported way (e.g. server side redirects). Partners should [contact support](https://app.impact.com/support/portal.ihtml?createTicket=true&) in these cases.

</details>

<details>

<summary>Request Anomaly</summary>

Risk level: <mark style="color:$danger;">High</mark>

**Applies to clicks only.**

The HTTP request contains signals that indicate non-human activity.

**REF\_request\_anomaly**: The action’s referring click has abnormal request properties.

Actions with `REF_request_anomaly`, particularly without `REF_datacenter`, should be scrutinized closely as this can be an indicator of cookie stuffing.

Similar to *datacenter clicks*, anomalies can fall into 2 main categories:

* Malicious attempts to defraud your program.
* Innocent clicks that are non-human. These clicks are part of partners inadvertently buying invalid traffic or webscrapers.

This reason code type has a very low false positive risk. Occasional false positives can result from unverified loading of clicks in the background in order to maintain a seamless user experience. If a partner has a valid reason use case they should [contact support](https://app.impact.com/support/portal.ihtml?createTicket=true&).

</details>

<details>

<summary>Proxy</summary>

Risk level: <mark style="color:$danger;">High</mark>

**Applies to clicks and actions.**

The IP Address that the click and action originated from is a known proxy.

Clicks and actions originating from *known proxies* are more likely to be malicious in intent, as these IPs are often used to hide the true source of activity. We recommend a careful manual review of any events flagged with this reason code before you approve payouts.

This reason code type has a very low false positive risk.

</details>

<details>

<summary>IP Reputation</summary>

Risk level: <mark style="color:$warning;">Suspect</mark>

**Applies to clicks and actions.**

IP Reputation uses a specialized algorithm to analyze the historical behavior of an IP address. The `REF_` version of the reason code means that the clicks and actions with `REF_ipreputation` were flagged for IP reputation.

By identifying patterns typically associated with fraud, it flags clicks and actions that show a higher risk of malicious intent. We recommend carefully reviewing any events flagged for this reason code before approving payouts.

This reason code type has a low false positive risk.

</details>

<details>

<summary>Domain Reputation</summary>

Risk level: <mark style="color:$danger;">Critical</mark>/<mark style="color:$warning;">Suspect</mark>

**Applies to clicks only.**

Domain Reputation uses a specialized algorithm to analyze activity associated with a specific domain to determine its legitimacy. The `REF_` version of the reason code means that the clicks with `REFERRER` was flagged for domain reputation.

Clicks originating from domains with a poor reputation are more likely to be malicious. We recommend carefully reviewing any events flagged with this reason code before approving payouts.

This reason code type has a low false positive risk. Occasional false positives can result from services holding out-of-date information.

</details>

<details>

<summary>Conversion Spoofing</summary>

Risk level: <mark style="color:$danger;">Critical</mark>/<mark style="color:$warning;">Suspect</mark>

**Applies to actions only.**

A spoofed conversion refers to a fake event or action that never happened. Spoofed conversions are automatically placed into a reversed state, ready for your review in [Review At Risk Actions](/brand/what-would-you-like-to-learn-about/platform-features/protect-and-monitor-your-performance-program/event-risk/review-at-risk-actions.md).

Client-side integrations (like JavaScript) can be vulnerable to bad actors creating fake conversion events in order to receive rewards, either directly via a partner account, or more commonly via the reward scheme of a loyalty/rewards type partner.

To detect spoofed conversions, our system analyzes internal signals alongside your specific `orderId` and conversion URL patterns to ensure every event is genuine.

This reason code type has a medium false positive risk.

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.impact.com/brand/what-would-you-like-to-learn-about/platform-features/protect-and-monitor-your-performance-program/event-risk/reason-codes-reference.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.