Every link shortener records clicks. The question is: which clicks are real? A growing problem for anyone running link-based campaigns is click fraud — clicks that appear in your analytics but don't represent genuine human interest. They come from bots, VPN-masked repeat visitors, click farms, and automated tools. Left undetected, they inflate your numbers and push you toward decisions your real audience data doesn't support.
This guide explains how click fraud enters link analytics, which signals reliably detect it, and what to look for when choosing a link tool that handles it correctly.
What counts as click fraud in link analytics
The term "click fraud" covers several distinct categories, each with different causes and detection methods:
Repeat clicks from the same source
A single user clicking a link 30 times in an hour isn't 30 interested prospects — it's noise. This can happen intentionally (from a competitor artificially inflating your ad spend, for example) or accidentally (a redirect loop, a monitoring script that keeps following a URL). Either way, a link shortener that doesn't deduplicate by IP subnet will count every request as a new click.
Good detection works at the subnet level, not just the exact IP address. A VPN user or someone on a shared network might present different IPs on successive requests. Grouping by /24 subnet (the first three octets of an IPv4 address) catches clusters of activity that originate from the same small block of addresses.
Click burst patterns
A burst is a high volume of clicks on a single link from nearby IP addresses within a short window. Five clicks from the same /24 subnet in one hour on the same link is unusual for organic traffic — and a reliable signal of click farm activity or automated testing.
Click farms are networks of real phones or computers operated in low-cost regions, used to simulate engagement at scale. They appear as human traffic because they use real browsers, but the click patterns betray them: unnaturally consistent pacing, clusters from the same geographic area, and rapid cycling through links without any downstream conversion.
VPN and proxy traffic
Legitimate users occasionally use VPNs. But a pattern of clicks from VPN exit nodes, datacenter IP ranges, or known proxy services is a different matter. These are infrastructure IPs — not home or mobile connections — and they appear in link analytics when automated tools route traffic through anonymising proxies to obscure the true origin.
Detection requires access to IP reputation data. Services like ip-api.com classify IPs by type: residential, mobile, hosting (datacenter), VPN, or Tor exit node. A link shortener that queries this data at click time can flag datacenter and VPN traffic separately from organic clicks.
Tor exit node traffic
Tor traffic represents a small fraction of total link clicks, but it's worth identifying separately. Tor exit nodes relay traffic through a distributed network of volunteer servers, making the true origin undetectable. While some legitimate privacy-conscious users use Tor, a campaign link receiving repeated Tor-originated traffic is unusual and worth understanding.
Bot traffic from user-agent matching
Many crawlers, scanners, and preview generators identify themselves with recognisable strings in their HTTP user-agent header. Googlebot, Bingbot, Semrush, Ahrefs, Screaming Frog, Microsoft Defender URL Scanner, and dozens of others announce who they are. A link shortener that maintains a current list of these patterns can exclude them at the point of recording — before they're ever written to your analytics.
The challenge is that the list of known bots is always growing, and some tools deliberately disguise their user-agents to appear as browsers. A good detection system layers user-agent matching with the other signals above rather than relying on it alone.
The signals that reliable fraud detection combines
No single signal is reliable on its own:
- User-agent matching alone misses bots that spoof browser strings
- IP subnet deduplication alone catches repeat visitors but not first-time bots from fresh IPs
- IP reputation data alone covers known bad actors but misses novel click farms using clean residential IPs
- Burst detection alone can flag legitimate events like a viral share
The most accurate approach layers all four: known bot user-agents are filtered immediately; unrecognised clicks are checked for repeat patterns by subnet; unusual burst volumes trigger a secondary flag; and IP reputation data adds the final layer for VPN/proxy/Tor identification.
This is what Truthylink's fraud detection does. Each click that passes user-agent matching is evaluated for repeat and burst patterns in real time. If an IP reputation API key is configured, datacenter, proxy, and Tor IPs are also identified. Fraudulent clicks are recorded (for audit purposes) but excluded from the metrics you see in your dashboard.
Why the timing of detection matters
Fraud detection that runs after the fact — as a batch job on historical data — is less useful than real-time detection at click time. If you're looking at "human clicks" in your dashboard and that number was only corrected two hours later, you'll be making decisions on stale data during live campaigns.
Real-time detection also lets you handle fraudulent clicks differently from legitimate ones at the redirect level. Rather than just filtering them from reports, some use cases call for rate-limiting suspicious IPs or returning a different response entirely.
What good fraud reporting looks like
Understanding fraud detection isn't just about knowing what gets filtered — it's about being able to audit the filtering. A trustworthy link analytics platform should show you:
- Total requests vs. human clicks — the difference tells you how much noise was present
- Fraud reason — was a click flagged as a repeat, a burst, a VPN, or a known bot? These mean different things and suggest different actions
- Bot breakdown — which specific bots hit the link (email security scanners, crawlers, monitoring tools)
- Filtered click count — so you can see the scale of what was removed, not just the cleaned result
If your link shortener only shows you a single "clicks" number with no visibility into what was filtered, you have no way to know whether the filtering is aggressive (too much removed), too permissive (too much included), or simply not happening at all.
Click fraud vs. bot filtering: what's the difference
These terms are related but not identical:
Bot filtering refers to identifying and excluding automated traffic in general — crawlers, preview generators, security scanners, and monitoring tools. Most of these are not malicious; they're just not human engagement, and you don't want them in your click counts.
Click fraud is a specific subset: automated or artificial clicks intended to manipulate a metric. The intent might be to inflate a creator's engagement numbers, waste a competitor's ad budget, or game an affiliate programme. Detection methods overlap, but the adversarial context means fraud detection also has to account for attempts to evade filters (like rotating IPs, spoofing user-agents, or using residential proxy networks).
Both matter for link analytics, and a robust system handles both simultaneously.
How to evaluate your current link tool
If you're not sure whether your link shortener is filtering fraud, there are a few things to check:
Compare email campaign click rates with actual open rates
If your email open rate is 25% and your click-through rate is 40%, something is off — clicks should be a subset of opens, not more than them. The excess is almost certainly email security scanner traffic being counted as clicks.
Look at click timestamps relative to send time
Human clicks on a campaign email typically arrive in waves — a spike shortly after send, a secondary peak after the morning email check, then a long tail. Clicks that arrive in the first 30 seconds after send, before recipients could possibly have opened the email, are automated.
Check for geographic clustering
If 80% of your clicks claim to come from a single city you don't recognise, you're seeing proxied traffic routed through a datacenter. Legitimate organic campaigns produce distributed geography.
Ask your provider what they filter and why
A link shortener that can explain exactly what they remove (and show you the audit trail) is more trustworthy than one that just advertises "bot filtering" without specifics. The question to ask is: "If I see 1,000 clicks in my dashboard, what was the total request count and what was filtered?"
A note on false positives
No fraud detection system has zero false positives. A legitimate user on a corporate VPN might get their first click flagged. A marketing team doing QA on a link from the office will look like a burst click from the same subnet.
The goal isn't zero fraud in the dataset — it's a filtered view that's substantially more accurate than the raw count, with the raw data available for audit when something looks wrong. Treat the "human clicks" number as a reliable estimate, not a count of named individuals.
Truthylink exposes both numbers: total requests and filtered human clicks. If you need to defend a metric to a client, you can show them the filtering breakdown and explain exactly what was removed.
Summary
Click fraud in link analytics shows up as repeat clicks from the same IP, burst patterns from coordinated sources, VPN and proxy traffic, and known bot user-agents. Catching it accurately requires layering multiple signals in real time, not filtering in batches after the fact.
The number your link shortener shows you as "clicks" is only as useful as the filtering behind it. If you're not sure what's in that number, start by comparing it to what you'd expect from your campaign's open rate, send size, and audience geography — and ask your provider what they actually remove.
See how Truthylink handles click fraud detection →