A conversion pixel fires the instant a form submits or a purchase completes. It records that an event happened and reports it back to the ad platform. What it never asks is whether a person caused that event or a script did. The pixel has no model of the actor. Bots now make up the majority of web traffic — 51% in 2024, with malicious bots at 37% (Imperva) — and they don’t stop at the click. A share of completed conversions are automated rather than human, and a pixel counts every one of those as a genuine win.
That gap is structural, not a bug in any particular pixel. It comes from what a conversion pixel is built to measure.
What a conversion pixel actually records
Drop a Google or Meta pixel on your thank-you page and you have told the platform one thing: when this URL loads, or when this event fires, count a conversion. That is the entire job. The pixel watches for a trigger and reports it.
It can carry a value, a currency, an order id. It cannot carry an answer to the only question fraud detection cares about, which is whether the submit that fired it came from a human at a keyboard or from automation assigning field values in bulk. The trigger looks identical either way. A bot that loads your thank-you page fires the pixel exactly as a customer does.
Why that makes it blind to automation
A real person filling a form leaves a trail the browser can attest to. They move a pointer, focus a field, type, tab, pause, fix a typo. The submit event arrives with the browser’s trusted flag set, because a genuine input device caused it.
A script produces the same end state with none of the path. It sets four fields at once, dispatches a submit no pointer preceded, and finishes in under a second. The conversion pixel sees a fired event and nothing else. It has no access to pointer trustworthiness, to fill timing, to whether anything was focused before a value appeared. Those are the signals that separate a person from a script, and a pixel reads none of them. It was never designed to.
This is why invalid traffic that imitates human behaviour survives at the conversion stage. The crude bots get filtered earlier by signature lists. The ones that reach your pixel are the ones built to look like customers, and to a pixel they succeed.
Suppressing the pixel is not the same as grading it
Some fraud tools work pre-conversion. They watch sessions, flag the ones that look automated, and suppress the conversion pixel for those users so the bad event never reaches the platform. That has a real use: it keeps already-flagged traffic from training your bidding.
But suppression only acts on what it caught before the pixel fired. It gives you no read on the conversions that got through. If a session looked clean enough to keep its pixel and was still a bot, suppression has nothing to say about it, because suppression makes a decision once and walks away. You learn nothing about the fake conversions sitting inside your reporting as passes.
Grading the conversion is the opposite stance. Instead of deciding whether to let the pixel fire, you let it fire and then judge the event on its provenance — the evidence of how it was produced. Every conversion gets a verdict you can inspect, including the ones that looked fine. That is the only way to measure what slipped past, rather than assume the slips don’t exist.
How ClickLens grades provenance without reading the form
ClickLens scores each conversion on seven provenance signals, none of which read what visitors type. The tag records meta-signals only: whether the submit event was browser-trusted, whether a pointer path preceded it, time from page load to conversion, paste-without-focus events, and the entropy of the field-fill order. It also checks funnel coherence — whether the session browsed its way to the thank-you page or teleported straight there.
Because the grading reads how a form was completed and not what went into it, it works the same whether the field holds an email or a medical history. The tag never sees field values or names.
Each conversion lands on one of three verdicts. Pass leaves it alone. Downweight keeps it but cuts its reported value, so the bidder stops over-valuing it. Retract flags it for removal, and on Google and Microsoft Ads that retraction is written back to the platform keyed by click id, under a measured rollout with a holdout.
A pixel tells you an event happened. To know whether it should count, you have to grade the event itself. Run a free audit to see how your own conversions score, or read how the detection is built and measured.
Sources
- Imperva (Thales), “2025 Imperva Bad Bot Report”, 2025. Accessed 24 June 2026. https://www.imperva.com/blog/2025-imperva-bad-bot-report-how-ai-is-supercharging-the-bot-threat/