Reason Codes Reference

Risk Level: Critical

Applies to clicks only.

A click was generated by an automated web crawler (a'bot) rather than a person. These are software programs that systematically browse the internet to index content for search engines.

The crawler identified itself as non-human in its connection details, so it won't be counted as real user activity.

This type of reason code has an extremely low false positive risk.

Risk level: Critical

Applies to clicks only.

A click was generated as a result of a page or ad loading, without any interaction or intention from a user to click on the link or ad.

Image clicks are usually a malicious attempt to defraud CPC or CPA programs by generating hidden clicks while users browse the internet unknowingly. Rarely, they can result from an innocent bad implementation on a partner’s website, but even then, they still cause misattribution to the partner.

This type of reason code has an extremely low false positive risk.

Risk level: High

Applies to both clicks and actions.

The IP Addresses that the clicks and actions originated from belong to a data center e.g. AWS or Google Cloud.

Clicks and actions with REF_datacenter are an action-level reason code. The REF_ indicates that the action's REFERRER is the cause of the risk flag. In this case, the IP address of the REFERRER was a data center.

Clicks and actions from data centers can fall into 2 main categories:

• Malicious attempts to defraud your program.

• Innocent clicks that are non-human. These clicks are part of partners inadvertently buying invalid traffic or webscrapers.

This type of reason code has a very low false positive risk. Occasional false positives can result from partners implementing tracking links in an unsupported way (e.g. server side redirects). Partners should contact support in these cases.

Risk level: High

Applies to clicks only.

The HTTP request contains signals that indicate non-human activity.

REF_request_anomaly: The action’s referring click has abnormal request properties.

Actions with REF_request_anomaly, particularly without REF_datacenter, should be scrutinized closely as this can be an indicator of cookie stuffing.

Similar to datacenter clicks, anomalies can fall into 2 main categories:

• Malicious attempts to defraud your program.

• Innocent clicks that are non-human. These clicks are part of partners inadvertently buying invalid traffic or webscrapers.

This reason code type has a very low false positive risk. Occasional false positives can result from unverified loading of clicks in the background in order to maintain a seamless user experience. If a partner has a valid reason use case they should contact support.

Risk level: High

Applies to clicks and actions.

The IP Address that the click and action originated from is a known proxy.

Clicks and actions originating from known proxies are more likely to be malicious in intent, as these IPs are often used to hide the true source of activity. We recommend a careful manual review of any events flagged with this reason code before you approve payouts.

This reason code type has a very low false positive risk.

Risk level: Suspect

Applies to clicks and actions.

IP Reputation uses a specialized algorithm to analyze the historical behavior of an IP address. The REF_ version of the reason code means that the clicks and actions with REF_ipreputation were flagged for IP reputation.

By identifying patterns typically associated with fraud, it flags clicks and actions that show a higher risk of malicious intent. We recommend carefully reviewing any events flagged for this reason code before approving payouts.

This reason code type has a low false positive risk.

Risk level: Critical/Suspect

Applies to clicks only.

Domain Reputation uses a specialized algorithm to analyze activity associated with a specific domain to determine its legitimacy. The REF_ version of the reason code means that the clicks with REFERRER was flagged for domain reputation.

Clicks originating from domains with a poor reputation are more likely to be malicious. We recommend carefully reviewing any events flagged with this reason code before approving payouts.

This reason code type has a low false positive risk. Occasional false positives can result from services holding out-of-date information.

Risk level: Critical/Suspect

Applies to actions only.

A spoofed conversion refers to a fake event or action that never happened. Spoofed conversions are automatically placed into a reversed state, ready for your review in Review At Risk Actions.

Client-side integrations (like JavaScript) can be vulnerable to bad actors creating fake conversion events in order to receive rewards, either directly via a partner account, or more commonly via the reward scheme of a loyalty/rewards type partner.

To detect spoofed conversions, our system analyzes internal signals alongside your specific orderId and conversion URL patterns to ensure every event is genuine.

This reason code type has a medium false positive risk.