5 Types of Coupon Fraud & How to Protect Coupon Sites & Apps
Digital couponing is a flourishing industry. Coupon websites and apps provide brand partners with exclusive marketing and promotion tools, while offering consumers special savings and the chance to discover new brands.
What is coupon fraud?
Coupon fraud refers broadly to the fraudulent use of coupons and/or couponing platforms. There are many types of coupon fraud, ranging from coupon glittering to account takeover attacks targeting coupon websites, apps, and APIs.
Why do bad bots target coupon sites? Unfortunately, anywhere there is money to be made, cybercriminals want in. Thus, in addition to attracting bargain hunters, successful coupon sites and apps also attract fraudsters hoping to exploit the platforms for their own gain.
Let’s take a closer look at the top five most common (and harmful) types of coupon fraud that use bad bots to target coupon websites and apps. Then, we’ll explore why traditional security tools are ineffective against today’s malicious attackers, and what coupon website owners should do to mitigate your risk.
5 Common Types of Coupon Fraud & Bot Attacks
Malicious bots exploit couponing sites by launching attacks that include:
Keep reading to learn more about each type of bot attack and how to fight back to protect your business, partners, and customers.
1. Coupon Scraping
The most frequent bot threat that affects coupon sites is web scraping, typically committed by competing businesses. Attackers use bots to easily scrape (in other words, steal) coupons from your website, change the affiliate links to their own, and republish them on their own sites.
For minimal cost, unethical coupon site owners can easily find software solutions or coupon scraping services that enable them to scrape your website content. Coupon scraping projects are also frequently posted to freelancer job boards.
The damage caused by scraping goes beyond competitors stealing your affiliate commissions—scraper bots also hurt your website performance. The most unscrupulous bots hit hundreds of thousands of pages every day, overloading your servers and causing longer page loading times for your human users, who grow frustrated and move on to look elsewhere.
Case Study: CouponCabin vs. PriceTrace
In a 2019 lawsuit, the popular coupon site CouponCabin brought their competitor, PriceTrace, to an Illinois district court over unauthorized web scraping. CouponCabin claimed that PriceTrace used invasive scraping techniques to obtain and republish coupon codes on the PriceTrace website.
The court, however, dismissed CouponCabin’s claim that PriceTrace violated the Computer Fraud and Abuse Act (CFAA) by web scraping, because CouponCabin failed to provide the amount of damage inflicted by the scraping.
The enforceability of clickwrap language against unwanted web scraping remains in question after the court case, illustrating how difficult it can be to recompense unwanted scraping. CouponCabin’s case demonstrates why it is so important to block scraper bots from the start.
2. Ad Fraud
Ad fraud is a type of automated bot attack that falsifies the number of clicks on an advertisement or the number of times an ad appears.
Vandals and shady competitors commit ad fraud in order to harm your relationship with your affiliate partners (like how spammy links to your site harm your search results in Google), or to benefit from fraudulent advertisement earnings.
Some sites even publish invalid or fake coupons to earn a commission and gain an unfair advantage over honest coupon businesses that only post valid promo codes for consenting brands.
In a 2018 study, 90% of the 1,051 promo codes marketed on a coupon website over two months were found to be fake, expired, or invalid. The same site promoted coupon codes for 28 affiliate advertisers that do not support coupon codes at all.
Criminals have also been known to launch one-off websites and load them with phony coupon codes to earn commissions, hurting the entire couponing industry’s reputation.
Use Case: Diwanee Fights Ad Fraud With DataDome
3. Layer 7 DoS attacks
Denial of service (DoS) attacks can swamp your coupon website with traffic, triggering substantial loading times for visitors and even taking down your site altogether.
Layer 7 DDoS (distributed denial of service) attacks occur when cybercriminals target the “top layer” (L7) in the OSI model. Unlike with network layer attacks, layer 7 DDoS attacks are typically low and slow (which makes them more difficult to detect). For businesses that generate important revenue online, the low and slow attacks can be substantially disruptive.
Both coupon industry competitors and cybercriminals may use layer 7 DDoS attacks to disrupt your site’s availability.
Learn More: Layer 7 DDoS Protection: How to stop malicious bots.
4. Account Takeover
Account takeover (ATO) involves unauthorized access to your user accounts to carry out various types of fraud.
Cybercriminals obtain lists of customer account credentials from the dark web or through phishing attacks, and then use the stolen usernames and passwords to gain access to coupon member accounts.
Once inside a user account, an attacker can perform unauthorized transactions. They can also resell compromised payment and account information to other criminals in the underground marketplace.
A successful account takeover attack can hurt your reputation, drive away customers, and expose you to hefty GDPR or CCPA penalties.
Learn More: Credential Stuffing Attacks & Methods for Prevention
5. Vulnerability Scanning
Vulnerability scanning is a type of threat where bots are used to identify security vulnerabilities on your couponing site. Bad actors use knowledge of found vulnerabilities to plan more attacks.
For example, after scanning your site, hackers might discover you have an SQL injection vulnerability, which enables them to input SQL injection queries into the promo code box upon checkout to successfully reveal valid coupon codes or expose your entire promo code database.
Learn More: Malicious vulnerability scanning attacks: how to protect your websites, mobile apps, and APIs.
How coupon websites try to fight bad bots:
Coupon businesses generally try to protect themselves from malicious bot threats by:
- Displaying codes for verified users instead of in the HTML code for easy scraping.
- Limiting the number of times a user can check for valid coupon codes.
- Protecting against SQL injection attempts with input validation.
- Enabling two-factor authentication or identity verification for user accounts.
- Building a user block list to ban repeat bot offenders.
While the above defense tactics may lessen the impact of attacks targeting your coupon sites, there are scores of challenges—they can add friction for genuine customers, can be difficult to manage, or are only put in place after the harm is done.
To eliminate bot-related security risks once and for all, by far the easiest way is to implement an efficient bot protection solution.
Real-time bot protection for coupon websites, apps, and APIs:
DataDome is a true SaaS solution which detects and blocks 100% of OWASP automated threats, including coupon scraping, layer 7 DDoS attacks, and all the other threats mentioned above.
Our bot detection engine compares every request to your site with a massive in-memory pattern database, and uses both AI and machine learning to determine in less than 2 milliseconds whether the visitor is a visitor or a bot.
DataDome runs on autopilot, and blocks both known and new threats without requiring any intervention from your team.
Take advantage of our free trial offer or request a demo to explore how DataDome can protect your couponing business from automated bot attacks.
Related posts
Why Virtual Waiting Rooms Fail: How Malicious Automation Beats Basic Queue Protection
Tell me more
How to Choose the Right Online Queue Management System for Your Business
Tell me more
What is a Virtual Waiting Room? Your Guide to Online Queue Management
Tell me more
10 Questions to Ask a Bot & Agent Trust Management Provider
Tell me more
