Back to Blog
Fraud Prevention

Detecting Click Velocity Anomalies Before They Become Costly

December 27, 20258 min read

A publisher who sent you two hundred clicks a day last week is suddenly sending twelve thousand before lunch. Your first instinct is to celebrate. Growth is the whole point, and a partner finally hitting their stride is exactly what you signed them for. But a sudden vertical line on a traffic chart is one of the most reliable early symptoms of a problem, and by the time it shows up in your payout report the money is already gone. The hard part of fraud prevention is not spotting a spike. Any dashboard does that. The hard part is telling the difference between a partner who just got featured on a high-traffic placement and a bot farm that discovered your redirect endpoint an hour ago.

That distinction is what velocity analysis exists to draw. This article is specifically about volume and rate anomalies. Where the traffic comes from geographically, and whether it is routed through proxies, is a separate diagnosis for a separate article. Here we are looking only at the shape of the curve over time: how fast clicks arrive, how bursty they are, and whether the pattern matches a human audience or a script.

Why a raw spike alarm is the wrong instrument

The naive approach is a fixed ceiling. Set an alert at, say, one thousand clicks an hour and page someone when a publisher crosses it. This fails in both directions at once. It punishes your best partners the moment they succeed, drowning your team in false alarms every time a legitimate placement goes live, and it completely misses a sophisticated operation that stays deliberately under the line. A fixed threshold has no memory. It cannot tell that a hundred clicks a minute is normal for one publisher and physically impossible for another.

Velocity detection done well is less like a smoke alarm and more like a doctor reading a patient's vitals. A heart rate of 150 means nothing on its own. It is alarming in a sleeping patient and unremarkable in a sprinter. The number only becomes a signal when you compare it against a baseline for that specific body, in that specific context. TrackingMD's fraud engine, which we call Guardian, is built around exactly that principle: rate signals scored against context, not against a single global line in the sand.

How Guardian measures click velocity

At the moment a click hits your tracking redirect, before the visitor is ever sent onward to the advertiser, Guardian runs the request through a chain of independent rules. The one that matters for volume is the click velocity rule, and its mechanics are deliberately simple so they can run in the few milliseconds you have before a redirect.

For each source, the rule keeps two rolling counters in fast in-memory storage: clicks in the last minute and clicks in the last hour. Each counter expires on its own schedule, so the per-minute window genuinely reflects the last sixty seconds and the per-hour window the last sixty minutes. Out of the box, the rule expects no more than ten clicks per minute and sixty per hour from a single origin. Those are starting values, not sacred ones.

What happens past the threshold is the important part. Guardian does not simply flip a boolean. It scores the overage proportionally. A source running at twice the per-minute ceiling earns a modest score. A source running at ten times the ceiling earns a much higher one, up to a capped maximum so no single signal can single-handedly dominate the verdict. The per-minute burst is weighted more heavily than the slower per-hour drift, because a tight cluster of clicks in a few seconds is far more machine-like than a busy but spread-out hour. The result is a graded reading of how abnormal the rate is, not a binary tripwire.

Bursts versus sustained volume

Splitting the measurement into a short and a long window lets Guardian describe the shape of traffic, not just its size.

  • A genuine viral moment tends to ramp: rising over minutes and hours, with the per-hour counter climbing while any single minute stays within reason. Real audiences do not all click in the same three seconds.
  • Automated traffic tends to spike: a wall of clicks compressed into a tiny window, tripping the per-minute counter hard while the hourly figure may still look almost ordinary.

Because the two counters are scored separately and then combined, a partner can send a large but human-paced surge and stay clean, while a smaller but violently bursty pattern gets flagged. Volume alone is not guilt. Cadence is the tell.

Deduplication catches the cheapest trick

The oldest velocity trick in the book is the refresh: the same visitor, or the same script pretending to be one visitor, firing the identical click over and over. Guardian handles this with a per-program duplicate window that is independent of the scoring rules. Every click carries a fingerprint, and if Guardian has already seen that fingerprint inside the program's configured window, the visitor is still redirected to the advertiser, but the click is not tracked and no attribution cookie is set.

The window defaults to one hour and is fully tunable per program, anywhere from a single second up to a full day, because what counts as a duplicate is genuinely different across offers. A price-comparison link a shopper legitimately revisits five times in an afternoon is not the same as a one-time signup where a second identical click can only be noise. Tightening or loosening that window is one of the most direct levers you have over inflated volume, and it locks appropriately once a program leaves draft so it cannot be quietly changed underneath in-flight attributions.

A related rule watches for a single fingerprint showing up under several different publishers in the same day. One device legitimately belongs to one traffic source. The same fingerprint credited across four or five publishers is a strong signal of coordinated inventory, and it too contributes a graded score rather than an instant ban.

Per-publisher baselines, not one global rule

Rate rules catch the obvious in real time, but the more valuable judgment is longitudinal: is this publisher behaving like themselves? Guardian's conversion rate anomaly rule builds a rolling thirty-day baseline of each publisher's own conversion behavior and compares it against the program-wide average, requiring a minimum amount of traffic on both sides before it will render any opinion at all. A publisher whose conversion rate runs several times above the program norm is doing something the rest of the roster is not, and paired with a volume spike that is a much sharper signal than either reading alone. Ten thousand clicks that convert like a human audience is growth. Ten thousand clicks that convert at an impossible rate, or never, is a pattern.

This is the difference between an accusation and a diagnosis. A spike is a single vital sign. A spike that breaks the partner's own established pattern, arrives in machine-like bursts, and carries suspicious conversion behavior is a cluster of symptoms pointing the same direction.

From signal to a proportionate response

Every rule Guardian runs returns a weighted score, and the engine sums them into a single risk score capped at one hundred. That number maps to one of four escalating responses. Low scores are simply allowed through. A moderately elevated score puts the click into monitor, where it is recorded for review but nothing is interrupted. Higher scores flag it, and only the most extreme scores trigger a block, which by default is a silent redirect: the visitor still lands on the advertiser, but the click is neither tracked nor attributed, so a fraudulent source earns nothing while a false positive costs a real visitor nothing.

Crucially, the thresholds and the weight of each rule are configurable per advertiser. You can dial the click velocity rule up if your vertical runs hot, disable a rule that does not fit your model, or raise the bar before anything gets blocked. The engine ships with sensible defaults so it works on day one, but it is tuned to your program, not to an industry average that may have nothing to do with your traffic.

Watching the partner, not just the click

Individual clicks are the wrong altitude for the final call. A single burst can be a fluke; a pattern of bursts is a decision. On a rolling schedule, Guardian sweeps every publisher who has generated alerts recently and evaluates them against a longer horizon: how many severe alerts they have accumulated in a recent window, and what their average risk score looks like over the past month. Only when a partner crosses those sustained thresholds does the system escalate to suspension, and even then that automatic action is off by default, because pulling a publisher offline is a business decision most teams want a human to confirm. The velocity rules protect any single click in real time; this longer sweep protects you from the partner who has quietly turned into a liability over weeks.

Industry studies consistently estimate that a meaningful slice of paid traffic is non-human, and the operators behind it iterate faster than any static rule can. The reason to build detection around baselines and graded scores rather than fixed ceilings is that baselines adapt as your program grows and your partners' normal shifts. A spike will always be the first thing you see. Whether it turns out to be your best month or your most expensive mistake depends entirely on whether you measured it against the right baseline before the payout cleared. The teams that catch it early are not the ones with the loudest alarms. They are the ones who taught their system what healthy looks like, one publisher at a time.

See it in your own program

Start your free 7-day trial and put these ideas to work — no credit card required.

Start free trial

We use essential cookies to run the platform. With your consent, we also collect privacy-friendly, first-party usage analytics — no third-party trackers and no cross-site tracking cookies. Choose “Essential Only” to opt out of analytics. Privacy Policy