Event Risk reports contain reason codes, which can apply to clicks or actions, depending on the nature of the reason code.
Risk level: Critical.
Applies to clicks only.
A click was generated as a result of a page or Ad loading, without any interaction or intention from a user to click on the link or ad.
Image clicks are usually a malicious attempt to defraud CPC or CPA programs by generating hidden clicks while users browse the internet unknowingly. Rarely, they can result from an innocent bad implementation on a partner’s website, but even then, they still cause misattribution to the partner.
This type has an extremely low false positive risk.
Risk level: High.
Clicks: The IP Address that the click originated from belongs to a data center e.g. AWS or Google Cloud.
Actions: The IP Address that the click originated from belongs to a data center e.g. AWS or Google Cloud.
REF_ datacenter: The IP Address that the click originated from belongs to a data center e.g. AWS or Google Cloud.
Clicks from data centers can fall into 2 main categories: Malicious attempts to defraud your program or innocent, but still non-human clicks (publishers inadvertently buying bad traffic or webscrapers).
This type has a very low false positive risk. Occasional false positives can result from partners implementing tracking links in an unsupported way (e.g. server side redirects). Partners should contact support in these cases.
Risk level: High.
Clicks: The http request contains signals that indicate non-human activity.
REF_request_anomaly: The action’s referring click has abnormal request properties.
Anomalies can fall into 2 main categories: Malicious attempts to defraud your program or innocent, but still non-human, clicks (e.g., publishers inadvertently buying bad traffic or webscrapers).
Actions with REF_request_anomaly, particularly without REF_datacenter, should be scrutinised closely as this can be an indicator of cookie stuffing.
This type has a very low false positive risk. Occasional false positives can result from unverified loading of clicks in the background in order to maintain a seamless user experience. If a partner has a valid reason use case they should contact support.
Risk level: High.
Clicks: The IP Address that the click originated from is a known proxy.
Actions: The IP Address of the conversion originated from is a known proxy.
Clicks and actions from known proxies are more likely to be malicious in intent since Proxy IPs are typically used to mask fraudulent activity. Events flagged for this reason code should be carefully reviewed before approving payouts.
This type has a very low false positive risk.
Risk level: Critical/Suspect.
Applies to actions only.
A spoofed conversion is one that never happened.
Client side integrations like JavaScript can be vulnerable to bad actors creating fake conversion events in order to receive rewards, either directly via a partner account, or more commonly via the reward scheme of a loyalty/rewards type partner.
The best way to confirm if an action is valid, is to cross-reference the orderId against your own order logs. Spoofed conversions will not exist in your backend system.
To detect this, impact.com allows you to apply validation rules for expected orderId and conversion page url patterns.