Lead gen fraud
Recycled/stolen information
Bad actors that defraud lead gen campaigns will submit either illegitimate information (a nonexistent person) or recycled/stolen legitimate information. In the latter case, real peoples’ personally identifiable information (PII) is bought or captured through fake lead forms and then recycled to collect cost-per-lead (CPL) payouts from multiple advertisers. This technique bypasses data validators and defrauds advertisers of their performance spend. It also damages their brand reputation among the real audience members whose information is stolen, especially when the advertiser attempts to contact a person whose PII was stolen or recycled.
How they do it
- Malicious publisher has registered for advertiser’s lead gen campaign
- Malicious publisher buys stolen information from a data breach on the black market
- Malicious publisher then sends bot traffic through their own webpage on to advertiser’s website
- Malicious publisher populates advertiser’s form fill with the stolen PII
- Malicious publisher’s bot traffic submits fraudulent lead
- Advertiser attributes credit to malicious publisher, even though they provided an illegitimate lead, and pays them a (generally high) percentage of revenue
- Malicious publisher uses the same user’s info to replicate this process across many CPL advertisers and amplify their earnings
