Skip to main content

Fake web traffic is always an issue, but during the COVID-19 pandemic, the FBI reported a significant uptick of cybercrime complaints. They note that “there’s a lot of precedent for criminals taking advantage of natural disasters and government relief packages to conduct fraud, including through cyber means.” Charities have even been warned to monitor cybercrime, as online spending (including donations) has surged, making it easy for bots or malicious content to slip in unnoticed.

As Senior Systems Administrator, clients ask me for recommendations on how to defend against fake traffic and better protect their websites. In this post, I’m sharing my top tips to mitigate fake web traffic.

What is fake web traffic?

Measuring how much web traffic is actually fake is not simple, but some estimates put non-human traffic at 50 percent on the high end.

It’s important to understand what fake web traffic is, so here’s a crash course.


Fake web traffic typically comes from hacker groups, compromised computers, or even organizations whose entire purpose is to exploit vulnerabilities.


Across the globe, bot traffic and automatic scripting requests make up a good majority of fake web traffic.


Probing is the most common cause of fake traffic we typically see. Probing entails automatic scripts running against many websites looking for weaknesses in the framework and code that may be exploitable. An example of a vulnerability is a donation or check out page that doesn’t use a reCAPTCHA check to verify whether the user is a human or bot. Once discovered, the donation or check out page is used as a testing bed for stolen credit numbers while stealing your hardware resources.


Fake web traffic like this can be random, however, if your organization has a major event (maybe a new product, new show, or a major acquisition) malicious groups might strike at that time. I’ve seen this happen several times after major acquisitions. Organizations don’t necessarily need to bolster defenses ahead of these events, but should just be aware that if their traffic spikes during this time, it could be fake and a sign of an attack.


In most cases, fake traffic entails harmless probing of a website for weaknesses and open vulnerabilities in the underlying operating system and/or the framework; however, critical vulnerabilities can be exploited in order to hijack a website and hold it for ransom.

How can fake web traffic hurt your organization?

Fake web traffic will hurt your organization at the bottom line.
In the example above with a donation page being used as a testing bed, the fake web traffic hurts an organization in three ways:

  1. it interferes with legitimate web traffic and transactions;
  2. it wastes hardware resources such as bandwidth consumption and computer processing;
  3. it causes chargebacks to the organization by the payment processor.

Web services like cloud hosting or online ads charge based on computing power and traffic, consequently, if bots are inundating your site with traffic, your hosting bill could go up. Chargebacks are when a credit card provider requests a return of money from a retailer to make good on the loss on a fraudulent or disputed transaction, the retailer may be charged a fee for every disputed transaction.

So how can you defend against it?

How to fight fake web traffic

There’s a delicate balance between the amount of damage caused by the cost of implementing any defensive measure. Additionally, it’s normal to receive some bot traffic since some bots are good and conduct search rankings or provide monitoring functionality. Given that, it is not necessary to take immediate action to protect a website from fake traffic. On the other hand, should your website become susceptible to a high amount of bot traffic, I recommend taking the following steps.

Understand your normal traffic.

Understand your traffic trends.

Have a good grasp of your expected web traffic numbers and behavior through Google Analytics. Certain metrics will provide some clues in identifying fake traffic and allow you to decide if further investigation or defense is warranted. Here are some general rules to be aware of:
Bounce Rate: when this number either becomes too high or too low, it’s likely due to fake traffic.
Average Session Duration: anything less than 30 seconds can indicate a possible sign of bot traffic.
New Sessions: High numbers of new users typically don’t come at once unless there’s a known campaign or on-sale that is taking place, high traffic at an uneventful time could indicate bot activity. On the flip side, if new sessions appear unusually low or non-existent, it’s a good indication that bots are revisiting repeatedly.
• Geography: Verify that the location of visitors is consistent with the website’s audience. If your website is English-only, and you find a disproportionate amount of visitors from non-English speaking countries, then it’s likely these are non-human traffic visitors.

Protect critical pages with reCAPTCHA.

reCAPTCHA is a deterrent for those trying to exploit pages like account login and payment forms. Today’s bots still have a hard time getting through a reCAPTCHA so if you find certain pages being hit by bots, reCAPTCHA is a cost-effective tool to provide further protection.

From Google

Deploy a Web Application Firewall (WAF).

This is the most effective defense to protect an entire site from unsolicited, malicious, fake web traffic. WAFs inspect each HTTP request, so in addition to bots, most WAF implementations also protect against other well-known website attacks like SQL injection and cross-site scripting. WAF implementation and costs vary depending on the provider as each has its own proprietary technology of detection and filtering. While it doesn’t have to be a permanent solution, the majority of organizations that implement a firewall, stay in a firewall.

Evaluate the code.

Older sites or sites that tend to attract bots should also consider conducting code reviews. Auditing the website code can reveal security weaknesses that are typically probed against – things like insecure session cookies and SQL injection queries. Once discovered, organizations can rewrite sections of code to be more security-focused.

To learn more about the types of cyber fraud, read this blog by Senior DevOps Engineer Andres Herrera.