MarketingAlec
Subscribe

Ad Fraud · The Bots Draining Your Budget · 2026 Field Guide

Ad Fraud: The Bots You Need to Know

More than half of all web traffic is now automated, and some of it is filling your forms and clicking your ads right now. Here are the six bots to know, and what each one costs you.

For the first time, most of the traffic on the internet isn’t human. The 2025 Imperva Bad Bot Report puts automated traffic above half of all web activity, with malicious “bad bots” alone making up 37%. That is the sixth year in a row the number has climbed.

This isn’t a security-team problem you can hand off. These bots fill your lead forms, click your paid ads, scrape your funnels, and skew the analytics you use to set budgets. Juniper Research estimated ad fraud cost advertisers about $84 billion in 2023, roughly 22% of all digital ad spend, and the figure is projected to top $170 billion by 2028.

AI made all of it cheaper and harder to catch. The same tools that help you write faster help fraudsters build bots that pass for people. Here are the six types worth knowing, what each one costs you, and how to spot it.

Roughly one in five ad dollars never reaches a human.

The six bots at a glance

  1. Form bots fill your forms and poison your lead database.
  2. Spam bots harvest your contacts and bury your comments and inbox.
  3. Spy bots scrape your pages and quietly skew your analytics.
  4. Botnets rent out hijacked devices to run everything else at scale.
  5. Click bots burn your ad budget on clicks no human ever made.
  6. Malicious chatbots and rogue AI agents (new for 2026) talk like people to phish, manipulate, and impersonate.

1. Form bots

Automated programs that complete web forms at machine speed, often across thousands of sites at once. The modern ones solve basic CAPTCHAs and use AI to write realistic names, emails, and message text, so the junk looks like a real lead until your sales team tries to call it.

What it costs you:

  • Fake leads that clog your CRM and waste your team’s time.
  • Inflated cost-per-lead, because you paid for clicks that became garbage entries.
  • Conversion rates that lie, making a weak campaign look like a winner.
  • Higher server and infrastructure bills from the flood of submissions.

Spot it: A spike in form fills with no matching revenue, mismatched or gibberish name and email fields, or submissions clustered from one IP, city, or device.

2. Spam bots

Crawlers that harvest contact information and spray unsolicited content across comments, forums, reviews, and inboxes. Many run through compromised email servers, so the volume looks like it comes from everywhere at once.

What it costs you:

  • Polluted comment sections and review pages that erode trust with real visitors.
  • Email deliverability damage when your domain gets tied to spam patterns.
  • Support and moderation hours spent cleaning up.
  • Harvested address lists that later feed phishing aimed at your customers.

Spot it: Sudden comment or signup volume with off-topic links, repeated templated text, and addresses on throwaway domains.

3. Spy bots

Built for covert data collection. They monitor your site in real time, copy pricing and content, and feed competitors or scrapers, all while using evasion techniques to stay out of your bot reports. In 2026 a large share of this is AI training and answer-engine crawlers pulling your content without sending a single visitor back.

What it costs you:

  • Skewed analytics: inflated sessions and pageviews that hide your real audience.
  • Marketing metrics you can’t trust, which leads to budget calls on bad data.
  • Competitive exposure when your pricing and strategy get scraped around the clock.
  • Real infrastructure load from aggressive, repeated crawling.

Spot it: Traffic with near-zero time on page, unusual user agents, and visits from data-center IP ranges instead of consumer networks.

4. Botnets (zombie networks)

A botnet is a network of hijacked devices, including computers, phones, routers, and smart TVs, all controlled from one place. The owners usually have no idea. Botnets are the engine behind most large-scale fraud: they supply the fresh IP addresses and real-looking devices that make click and form fraud read as human.

What it costs you:

  • Distributed click and impression fraud at a scale no single machine could fake.
  • DDoS attacks that can knock your site or landing pages offline mid-campaign.
  • Credential stuffing against your customer logins.
  • Stolen bandwidth and compute that you may be paying for.

Spot it: Coordinated traffic from huge pools of residential IPs across many regions, hitting the same pages in patterns no real audience would follow.

5. Click bots

Click bots simulate human clicking, rotate through many IP addresses, time their clicks to look natural, and operate across devices. They exist for one reason: to drain ad budgets. Sometimes it’s a competitor burning your spend, sometimes it’s a fraudster monetizing fake inventory.

What it costs you:

  • Wasted ad budget on clicks no customer ever made.
  • Inflated impressions and click-through rates that hide which creative actually works.
  • Invalid traffic that poisons your retargeting and lookalike audiences.
  • ROI and ROAS math built on numbers that were never real.

Spot it: High click volume with near-zero conversions, clicks from countries you don’t sell to, and traffic that bounces in under a second.

6. Malicious chatbots and rogue AI agents (new for 2026)

This is the category that changed the most. Cheap large language models let bad actors run bots that hold real conversations, impersonate support reps, and personalize scams at scale. The 2025 Imperva report is blunt about it: AI is supercharging the bot threat, which is part of why automated traffic just passed human traffic for the first time.

What it costs you:

  • Customers phished by bots posing as your brand on social and in DMs.
  • Trust erosion in your real chat and support channels.
  • Fake engagement and comments that distort social proof and sentiment.
  • Account-takeover and social-engineering attempts aimed at your team.

Spot it: Direct messages and comments that read fluent but generic, accounts created in bursts, and “support” replies that try to route your customers off-platform.

What ad fraud actually costs you

Add it up and every bot above shares one trait: you pay for activity, not outcomes. Here is the scale, and how it lands in your account.

  • About $84 billion lost to ad fraud in 2023, roughly 22% of all digital ad spend (Juniper Research). Projected to top $170 billion by 2028.
  • More than half of all web traffic is now automated, and bad bots alone make up 37% (2025 Imperva Bad Bot Report).
  • In our own audits as an ecommerce agency, invalid traffic often ran 20% or more of paid media spend before anyone cleaned it up.

In your account it shows up as wasted spend, inflated CPMs, fake leads, and attribution you can’t trust. The quiet damage is the worst part: bot clicks feed your retargeting and lookalike audiences, so the ad platform learns to go find more bots just like them.

How to fight back

You won’t get to zero, and you don’t need to. The goal is to find it, block the worst of it, and stop letting it shape your decisions. Three moves, in order.

1. Track it. Make invalid traffic (IVT %) a number you watch every month. Pull the invalid-click report in Google Ads, or ask your agency for it, and watch Google Analytics for the tells: zero time on site, repeated IP, city, or device, and spikes from places you don’t sell to.

2. Block it. Start where the leverage is highest:

  • Low budget: Cloudflare bot management (there’s a free tier), Ads.txt to stop unauthorized resellers, and Google Ads’ built-in invalid-click protection. If you only pick one, start with Cloudflare.
  • Medium: ClickCease to auto-block click fraud across Google and Meta, and Integral Ad Science for invalid-traffic insight on display and video.
  • High and multi-channel: HUMAN (formerly White Ops) and Pixalate for advanced detection across programmatic, mobile, and CTV.

3. Own it. Ask for refunds when you find fraud, build block lists of bad IPs and low-quality placements, and shift budget toward the channels where conversions, not clicks, hold up.

Do this this week

Fifteen minutes today beats a quarterly cleanup:

  1. Pull last month’s invalid-click report in Google Ads. Write down the number.
  2. In Google Analytics, sort paid traffic by time-on-site and bounce rate. Flag anything near zero.
  3. Put Cloudflare (free tier) in front of your highest-traffic landing pages.
  4. Block the top countries and IP ranges you don’t actually sell to.
  5. Add “IVT %” to your monthly report so you can watch it move over time.
You can’t stop every bot. You can stop paying for them.

Ad fraud won’t disappear, and AI keeps making the bots better at passing for people. But the marketers who track it, block it, and own it earn an edge that compounds: their numbers mean something, so their budget reaches people who can actually buy.

Alec

Keep reading and sources

Stop paying bots.

I write about getting real results from your ad spend, minus the hype.

More at marketingalec.com →