Bots or click farms generate fake clicks to inflate campaign metrics, drain ad budgets, or manipulate analytics.<\/p>\n\n\n\n Signals in webhook data:<\/strong><\/p>\n\n\n\n Fake installs generated by device farms, emulators, or SDK spoofing to claim attribution credit or referral rewards.<\/p>\n\n\n\n Signals in webhook data:<\/strong><\/p>\n\n\n\n Users creating multiple accounts to refer themselves, or organized groups coordinating referrals for reward harvesting.<\/p>\n\n\n\n Signals in webhook data:<\/strong><\/p>\n\n\n\n The architecture is straightforward: receive webhook events, check them against fraud rules, and flag or block suspicious activity.<\/p>\n\n\n\n Flag events when a single IP generates too many events in a short window.<\/p>\n\n\n\n Flag when a single referrer token generates too many referrals too quickly.<\/p>\n\n\n\n Legitimate installs take time: the user clicks a link, visits the app store, downloads the app, and opens it. This process takes at minimum 30-60 seconds. An "install" within 5 seconds of a click suggests automation.<\/p>\n\n\n\n Compare real-time campaign metrics against historical baselines.<\/p>\n\n\n\n If your app only serves users in specific regions, clicks from unexpected countries are suspicious.<\/p>\n\n\n\n Run all rules and aggregate the flags:<\/p>\n\n\n\n When fraud is detected, you have several options:<\/p>\n\n\n\n The lowest-risk response. Flag the event for manual review without blocking anything.<\/p>\n\n\n\n For referral fraud, don't block the referral; delay the reward. Hold rewards for 7-14 days and review flagged referrals before releasing payment.<\/p>\n\n\n\n For confirmed fraud (after manual review), block the IP, referral token, or campaign:<\/p>\n\n\n\n Load the blocklists from your database on startup and refresh periodically.<\/p>\n\n\n\n Review fraud flags with these queries:<\/p>\n\n\n\n Every fraud detection system generates false positives. A legitimate office building might have 50 employees clicking the same link from the same IP. A successful referrer might genuinely generate 15 referrals in a day.<\/p>\n\n\n\n Mitigate false positives by:<\/p>\n\n\n\n For webhook security (signature verification, secret rotation), see the webhook security guide<\/a>. For monitoring delivery health, see the delivery monitoring guide<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Detect referral fraud, click fraud, and install fraud in real time using webhook event patterns. Build automated defenses for your deep link campaigns.<\/p>\n","protected":false},"author":2,"featured_media":1179,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"Fraud Detection with Deep Link Webhooks","rank_math_description":"Detect referral fraud, click fraud, and install fraud in real time using webhook events. Build automated defenses for your deep link campaigns.","rank_math_focus_keyword":"webhook fraud detection","rank_math_canonical_url":"","rank_math_facebook_title":"","rank_math_facebook_description":"","rank_math_facebook_image":"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/og-webhook-fraud-detection.png","rank_math_facebook_image_id":"","rank_math_twitter_title":"","rank_math_twitter_description":"","rank_math_twitter_image":"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/og-webhook-fraud-detection.png","footnotes":""},"categories":[15],"tags":[37,20,264,126,45,93,61],"class_list":["post-1180","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-engineering","tag-analytics","tag-deep-linking","tag-engineering","tag-fraud-detection","tag-referrals","tag-security","tag-webhooks"],"_links":{"self":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/1180","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/comments?post=1180"}],"version-history":[{"count":2,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/1180\/revisions"}],"predecessor-version":[{"id":2269,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/posts\/1180\/revisions\/2269"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/media\/1179"}],"wp:attachment":[{"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/media?parent=1180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/categories?post=1180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tolinku.com\/blog\/wp-json\/wp\/v2\/tags?post=1180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Tolinku](\"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/platform-webhooks.png\")
\nThe webhooks page with create form, webhook list, and delivery log.<\/em><\/p>\n\n\n\nCommon Fraud Patterns<\/h2>\n\n\n\n
Click Fraud<\/h3>\n\n\n\n
\n
Install Fraud<\/h3>\n\n\n\n
\n
Referral Fraud<\/h3>\n\n\n\n
\n
referral.created<\/code> events from the same IP<\/li>\n<\/ul>\n\n\n\nBuilding a Detection Pipeline<\/h2>\n\n\n\n
Tolinku Webhook \u2192 Receiver \u2192 Fraud Rules Engine \u2192 Flag\/Block\n \u2192 Store for analysis\n<\/code><\/pre>\n\n\n\nReceiver with Fraud Checking<\/h3>\n\n\n\n
import express from 'express';\nimport crypto from 'crypto';\n\nconst app = express();\napp.use('\/webhooks', express.raw({ type: 'application\/json' }));\n\nconst WEBHOOK_SECRET = process.env.WEBHOOK_SECRET!;\n\napp.post('\/webhooks\/tolinku', async (req, res) => {\n const signature = req.headers['x-webhook-signature'] as string;\n const expected = crypto\n .createHmac('sha256', WEBHOOK_SECRET)\n .update(req.body)\n .digest('hex');\n\n if (signature !== expected) {\n return res.status(401).send('Invalid signature');\n }\n\n res.status(200).send('OK');\n\n const event = JSON.parse(req.body.toString());\n const flags = await checkFraudRules(event);\n\n if (flags.length > 0) {\n await handleSuspiciousEvent(event, flags);\n }\n\n await storeEvent(event, flags);\n});\n<\/code><\/pre>\n\n\n\nRule 1: IP Velocity<\/h2>\n\n\n\n
import Redis from 'ioredis';\n\nconst redis = new Redis(process.env.REDIS_URL!);\n\nasync function checkIPVelocity(event: any): Promise<string | null> {\n const ip = event.data.ip;\n if (!ip) return null;\n\n const key = `fraud:ip:${event.event}:${ip}`;\n const count = await redis.incr(key);\n\n if (count === 1) {\n await redis.expire(key, 3600); \/\/ 1-hour window\n }\n\n const thresholds: Record<string, number> = {\n 'link.clicked': 100, \/\/ 100 clicks\/hour from one IP is suspicious\n 'install.tracked': 5, \/\/ 5 installs\/hour from one IP is very suspicious\n 'referral.created': 3, \/\/ 3 referrals\/hour from one IP is suspicious\n };\n\n const threshold = thresholds[event.event] || 50;\n if (count > threshold) {\n return `IP velocity: ${count} ${event.event} events from ${ip} in 1 hour (threshold: ${threshold})`;\n }\n\n return null;\n}\n<\/code><\/pre>\n\n\n\nRule 2: Referrer Velocity<\/h2>\n\n\n\n
async function checkReferrerVelocity(event: any): Promise<string | null> {\n if (event.event !== 'referral.created' && event.event !== 'referral.completed') {\n return null;\n }\n\n const token = event.data.referrer_token;\n if (!token) return null;\n\n const key = `fraud:referrer:${token}`;\n const count = await redis.incr(key);\n\n if (count === 1) {\n await redis.expire(key, 86400); \/\/ 24-hour window\n }\n\n \/\/ Normal users generate maybe 1-2 referrals per day. 10+ is suspicious.\n if (count > 10) {\n return `Referrer velocity: ${count} referrals from token ${token} in 24 hours`;\n }\n\n return null;\n}\n<\/code><\/pre>\n\n\n\nRule 3: Click-to-Install Timing<\/h2>\n\n\n\n
async function checkInstallTiming(event: any): Promise<string | null> {\n if (event.event !== 'install.tracked') return null;\n\n const token = event.data.token;\n const installTime = new Date(event.timestamp).getTime();\n\n \/\/ Look up the most recent click for this token\n const clickKey = `fraud:lastclick:${token}`;\n const lastClickTime = await redis.get(clickKey);\n\n if (lastClickTime) {\n const timeDiff = installTime - parseInt(lastClickTime);\n\n if (timeDiff < 5000) { \/\/ Under 5 seconds\n return `Suspiciously fast install: ${timeDiff}ms after click for token ${token}`;\n }\n }\n\n return null;\n}\n\n\/\/ Record click timestamps for timing analysis\nasync function recordClickTime(event: any) {\n if (event.event !== 'link.clicked') return;\n\n const token = event.data.token;\n const clickTime = new Date(event.timestamp).getTime();\n await redis.set(`fraud:lastclick:${token}`, clickTime.toString(), 'EX', 86400);\n}\n<\/code><\/pre>\n\n\n\nRule 4: Campaign Anomalies<\/h2>\n\n\n\n
async function checkCampaignAnomaly(event: any): Promise<string | null> {\n if (event.event !== 'link.clicked') return null;\n\n const campaign = event.data.campaign;\n if (!campaign) return null;\n\n const key = `fraud:campaign:${campaign}:hourly`;\n const currentCount = await redis.incr(key);\n\n if (currentCount === 1) {\n await redis.expire(key, 3600);\n }\n\n \/\/ Get the baseline (stored separately, updated daily)\n const baselineKey = `fraud:campaign:${campaign}:baseline`;\n const baseline = parseInt(await redis.get(baselineKey) || '0');\n\n \/\/ If current hourly rate is 5x the average, flag it\n if (baseline > 0 && currentCount > baseline * 5) {\n return `Campaign anomaly: ${campaign} has ${currentCount} clicks this hour (baseline: ${baseline}\/hour)`;\n }\n\n return null;\n}\n<\/code><\/pre>\n\n\n\nRule 5: Geographic Anomalies<\/h2>\n\n\n\n
import { Reader } from '@maxmind\/geoip2-node';\n\nlet geoReader: Reader;\n\nasync function checkGeoAnomaly(event: any): Promise<string | null> {\n const ip = event.data.ip;\n if (!ip) return null;\n\n try {\n const geo = geoReader.country(ip);\n const country = geo.country?.isoCode;\n\n \/\/ Data center IP ranges (no country) are suspicious\n if (!country) {\n return `No geo data for IP ${ip} (possible data center)`;\n }\n\n \/\/ Check against allowed countries (configure per campaign)\n const ALLOWED_COUNTRIES = new Set(['US', 'CA', 'GB', 'AU']);\n if (!ALLOWED_COUNTRIES.has(country)) {\n return `Unexpected country ${country} for IP ${ip}`;\n }\n } catch {\n \/\/ GeoIP lookup failed; could be a reserved\/private IP\n return `GeoIP lookup failed for ${ip}`;\n }\n\n return null;\n}\n<\/code><\/pre>\n\n\n\nCombining Rules<\/h2>\n\n\n\n
async function checkFraudRules(event: any): Promise<string[]> {\n \/\/ Record click time for timing analysis\n await recordClickTime(event);\n\n const checks = await Promise.allSettled([\n checkIPVelocity(event),\n checkReferrerVelocity(event),\n checkInstallTiming(event),\n checkCampaignAnomaly(event),\n checkGeoAnomaly(event),\n ]);\n\n const flags: string[] = [];\n for (const check of checks) {\n if (check.status === 'fulfilled' && check.value) {\n flags.push(check.value);\n }\n }\n\n return flags;\n}\n<\/code><\/pre>\n\n\n\nResponding to Fraud<\/h2>\n\n\n\n
1. Flag and Log<\/h3>\n\n\n\n
async function handleSuspiciousEvent(event: any, flags: string[]) {\n await db.query(\n `INSERT INTO fraud_flags (event_hash, event_type, flags, event_data, flagged_at)\n VALUES ($1, $2, $3, $4, NOW())`,\n [\n getEventHash(event),\n event.event,\n JSON.stringify(flags),\n JSON.stringify(event),\n ]\n );\n\n \/\/ Alert the team\n await sendSlackAlert(`Suspicious ${event.event} event flagged:\\n${flags.join('\\n')}`);\n}\n<\/code><\/pre>\n\n\n\n2. Delay Rewards<\/h3>\n\n\n\n
3. Block the Source<\/h3>\n\n\n\n
const BLOCKED_IPS = new Set<string>();\nconst BLOCKED_TOKENS = new Set<string>();\n\nasync function isBlocked(event: any): Promise<boolean> {\n if (BLOCKED_IPS.has(event.data.ip)) return true;\n if (BLOCKED_TOKENS.has(event.data.token)) return true;\n return false;\n}\n<\/code><\/pre>\n\n\n\nDashboard Queries<\/h2>\n\n\n\n
Most Flagged IPs<\/h3>\n\n\n\n
SELECT\n event_data->>'data'->>'ip' AS ip,\n COUNT(*) AS flag_count,\n array_agg(DISTINCT event_type) AS event_types\nFROM fraud_flags\nWHERE flagged_at > NOW() - INTERVAL '7 days'\nGROUP BY ip\nORDER BY flag_count DESC\nLIMIT 20;\n<\/code><\/pre>\n\n\n\nReferral Fraud Candidates<\/h3>\n\n\n\n
SELECT\n event_data->'data'->>'referrer_token' AS referrer,\n COUNT(*) AS referral_count,\n COUNT(DISTINCT event_data->'data'->>'ip') AS unique_ips\nFROM fraud_flags\nWHERE event_type IN ('referral.created', 'referral.completed')\n AND flagged_at > NOW() - INTERVAL '30 days'\nGROUP BY referrer\nHAVING COUNT(*) > 5\nORDER BY referral_count DESC;\n<\/code><\/pre>\n\n\n\nClick Fraud by Campaign<\/h3>\n\n\n\n
SELECT\n event_data->'data'->>'campaign' AS campaign,\n COUNT(*) AS flagged_clicks,\n COUNT(DISTINCT event_data->'data'->>'ip') AS unique_ips\nFROM fraud_flags\nWHERE event_type = 'link.clicked'\n AND flagged_at > NOW() - INTERVAL '7 days'\nGROUP BY campaign\nORDER BY flagged_clicks DESC;\n<\/code><\/pre>\n\n\n\nFalse Positives<\/h2>\n\n\n\n
\n