Conversion fraud is bots completing the actions you pay to optimise for: form fills, sign-ups, add-to-carts, even purchases. It is more expensive than click fraud for one reason. A fake click wastes a single click’s budget and stops there. A fake conversion wastes that, and then trains your bidding algorithm to go and buy more of the traffic that produced it.

Bots now make up the majority of web traffic — 51% in 2024, with malicious bots at 37% (Imperva) — and they don’t stop at the click. A share of completed conversions are automated rather than human, which means some of the wins in your reporting never happened, and your bidding has been setting targets against the inflated number.

Click fraud and conversion fraud are not the same problem

Click fraud is the one most advertisers know. Bots and click farms click your ads, you pay for the click, nobody buys anything. Tools have detected and refunded invalid clicks for years.

Conversion fraud sits one step deeper in the funnel. The bot does not stop at the click. It fills in the lead form, ticks the consent box, and submits. Maybe it adds an item to a cart. Now your analytics shows a conversion, your cost-per-acquisition looks healthy, and the campaign reports a win that was a script.

The reason this is worth a separate name: the two failures are detected in different places. You catch a fraudulent click at the click. You can only catch a fraudulent conversion at the conversion, because that is the only point where the fake action actually exists.

Why automated bidding makes it worse

Target CPA, Target ROAS, Maximise Conversions, Advantage+. Every automated bidding product works the same way underneath. It looks at which clicks turned into conversions and buys more clicks that resemble those. That is the whole mechanism, and it is usually a good one.

It has no way to ask whether a conversion was a person or a script that filled four fields in 90 milliseconds. So when fraud feeds the model, the model does exactly what it was built to do: it finds more of the source that produced the “conversion” and shifts budget toward it. The fraud becomes a training signal.

That is the doubling cost. You pay once for the fraudulent click, and you pay again, every day, while the bidder chases the pattern. Block the click after the fact and you have done nothing about the second cost, because the conversion already fired and already trained the algorithm.

What a fake conversion looks like up close

A person filling in a form leaves a messy trail. They move a pointer, click into a field, type, tab to the next one, pause, correct a typo. The submit event is one the browser marks as trusted because a real input device caused it.

A script does none of that. It assigns values to four fields at once, fires a submit event that no pointer preceded, and finishes in a fraction of a second. The order it fills fields in has no spread to it. Pasted values arrive with nothing focused.

None of those tells require reading what the visitor typed. They are properties of how the form was completed, not what went into it.

How you tell them apart without reading the form

ClickLens grades each conversion on its provenance: whether the submit was browser-trusted, whether a real pointer path came before it, the time from page load to submission, paste-without-focus events, and the entropy of the field-fill order. It also checks funnel coherence — whether the path to the conversion makes sense, or whether the session teleported straight to a thank-you page.

The tag never reads field values or field names. It records meta-signals only, so the grading works the same whether the form collects an email or a medical history.

Each conversion gets one of three verdicts. Pass leaves it alone. Downweight keeps it but restates its value down, so the bidder stops over-valuing it. Retract removes it, and on Google and Microsoft Ads that retraction is written back to the platform keyed by click id, under a measured rollout with a holdout.

What to do about it

Start by assuming a share of your conversions are automated until you have measured otherwise. With bots at 51% of web traffic in 2024 (Imperva), the question is not whether some of your conversions are fake but how many. Take last month’s conversions, discount the suspect ones, and recompute your true cost-per-acquisition. Then remember the bidder set its targets from the inflated figure before you discounted it.

The fix is to grade the conversion, not just the click, and to do it where the fake action exists. Run a free audit to see how your own traffic scores, or read how the detection is built and measured.

Sources

  1. Imperva (Thales), “2025 Imperva Bad Bot Report”, 2025. Accessed 24 June 2026. https://www.imperva.com/blog/2025-imperva-bad-bot-report-how-ai-is-supercharging-the-bot-threat/