What Marketing Teams Need to Know About Security Bot Traffic

With the rise of artificial intelligence (AI) and a growing number of data center operations comes a startling fact: about 50% of all Internet traffic these days originate from non-human sources, according to a 2024 Imperva Threat Research study. Malicious bots, in particular, account for nearly one-third of all Internet traffic.

Non-human bot traffic can appear in many forms and with many different intentions. In addition to inflating page views and email opens, malicious bots may run scripts that mimic human behavior, scrape data, and even commit digital ad fraud, the latter of which is artificially inflating ad impressions and clicks to show deceivingly high numbers and waste advertiser dollars. Malicious bots are commonly run by criminal organizations, worldwide fraud networks, and sometimes even by competitors.

But of course, there are useful and helpful bots too — search engine crawlers and digital assistants are often employed to help websites get listed in results pages, aggregate helpful data from legitimate resources, and monitor any downtime or disruption. There’s more than just bad actors trying to attack organizations and their highly valuable websites or new startup pages ripe for exploit; there’s also security bots that pre-screen as much web data as possible to rule out harmful intrusions and spam.

Where security bots come in — and why

As marketing becomes more data-driven and automated and the number of digital channels across which to advertise increases, IT security has become an issue correlating very closely to many marketing initiatives. Data-driven digital campaigns rely on exports from CRM platforms, increasing the exposure of private information and form submits to potentially bad actors. This is giving rise to security bot traffic, which are helpful for companies but not necessarily for marketing teams.

Maintaining a secure IT infrastructure has become a key necessity for many companies, which also employ advanced email security systems such as Microsoft Defender, Mimecast and Proofpoint to automatically scan emails before they actually arrive at employees’ inboxes. This can mean things like pre-loading image pixels and clicking every link available to ensure they are legitimate. If you’ve ever observed certain individuals to be clicking on all the links in every email you send, it’s likely they’re not a real super reader, but just someone with a robust email security bot.

What does this mean for marketing teams? It’s time to start taking a closer look at your analytics to ensure your metrics are being propped up by real human activity. But sometimes this is not clear cut and dry. Complicating issues is the fact that security bots are used by real users at real companies, with the same IP addresses as the bots running interference. For example, it may not be practical to block all Microsoft Defender-related IPs since it would block marketing emails from being delivered at all, with real subscribers potentially missing out from your messaging as a result.

How to handle security bot traffic in your reporting

Security-driven bot clicks do sometimes serve as a positive sign. They confirm the emails were delivered to the company’s system and passed specific filters, as well as verify the address was spelled correctly and is active. So while such clicks are not exactly ideal because they weren’t performed by real humans, they indicate there are real humans that can still be reached and that the communication path is open.

All email service providers continually run into this challenge, and many have different practices to combat bot traffic. Marketing departments should collaborate with IT and digital security teams to establish shared frameworks for identifying IP ranges, click timing and behavioral patterns. To avoid tracking unnecessary or excessive email clicks, teams should filter out flagged engagements out of reporting data so the metrics are as close to true human numbers as much as possible. It is sometimes easier to remove the excessive email opens and clicks from reporting downstream rather than blocking those IP ranges completely and potentially hindering emails from delivering to actual audiences. Malicious bots that are not affiliated with AI or data center traffic should continue to be blocked.

Questions to consider when looking at your analytics to determine what is bot-driven versus human-driven:

• For emails, are there unusual patterns detected in the data, such as 100% click-through rates, identical timestamps across a high number of clicks, or the same people clicking the same things every day?
• For website metrics, are there unusual sessions with 0 second durations, extremely high bounce rates or activity coming from unknown or atypical geographies?
• Are there rules set up with IT to ensure only malicious bots are blocked and not potential AI/data center bots that are affiliated with legitimate organizations?
• Are there also rules set up to limit the number of requests an IP address can make during a set time?

Today, a bot defense strategy should be a key ongoing practice for all companies, as technology advances and one-time fixes become overridden by new bot strategies and techniques. Future-ready marketing teams should treat bot defense as a key component to accurately measuring performance and ROI so that campaigns can run smoothly and budgets are used widely and efficiently.