Why do hidden links in emails get high click rates from bots and automated systems?

Key findings

• Automated security scanning: Many email providers and corporate firewalls employ bots to scan incoming emails for malicious content, phishing attempts, and spam. These bots automatically click on all links within an email, including those that are hidden, to analyze their destination and ensure they are safe.
• Image proxying and pre-fetching: Services like Gmail proxy image loads and may pre-fetch images and associated links to improve user experience or for security checks. Even if a link leads to an image, these systems will often interact with it. This can lead to what appears to be a false open or click.
• Indistinguishable engagement: Bot interactions are often designed to mimic human engagement, making it challenging to differentiate them from genuine user clicks, which can inflate click-through rates and skew analytics.
• Specific link types: Some bots may behave differently depending on the link type. The observation that image links trigger more bot activity than website links might be due to specific security protocols or how image rendering interacts with pre-fetching systems.

Key considerations

• Data accuracy: High bot click rates can significantly distort your email campaign metrics, making it difficult to assess genuine subscriber engagement. This can lead to misinformed decisions regarding content and segmentation strategies.
• Identification methods: While challenging, identifying bot clicks often involves analyzing click patterns, user agents, IP addresses (especially those from data centers or known providers like Google, Microsoft, or Barracuda), and the speed of clicks (e.g., milliseconds after delivery).
• Impact on sender reputation: While bot clicks for security scanning are generally benign, they still contribute to your overall click data. Understanding these automated interactions helps in forming a more accurate picture of your sender reputation.
• Strategic use of hidden links: Some marketers intentionally use stealth links as a bot trap to segment out automated clicks from human clicks, providing cleaner engagement data.

Key opinions

• Hidden link testing: Marketers have deliberately embedded hidden image links to test for bot activity, observing massive click rates that surpass open rates, indicating automated, non-human interaction.
• B2C vs. B2B impact: While B2B inboxes are known for enterprise-level filters that scan links, marketers in B2C contexts also report significant bot activity, suggesting widespread bot presence across different audience types.
• Limited data granularity: A common frustration for marketers is the lack of detailed data from their ESPs, such as user agents or IP addresses, which are crucial for identifying automated clicks. This limitation makes it hard to accurately measure deliverability.
• Distorted metrics: The presence of bot clicks can significantly inflate engagement metrics, leading to an inaccurate perception of campaign performance and making it harder to optimize future emails.
• Image link specificity: Some marketers have noted that hidden links pointing specifically to images (e.g., JPEG files) receive disproportionately higher bot clicks compared to links directing to standard websites.

Key considerations

• Tracking capabilities: Marketers should investigate their ESP's hidden tracking capabilities for data like user agents, IP addresses, and timestamps to better identify automated clicks.
• Metric adjustments: It is important to adjust click metrics to account for bot activity, focusing on unique human clicks for a more accurate view of engagement and campaign effectiveness.
• Bot detection strategies: Consider employing bot detection strategies, such as using hidden links to isolate bot clicks, to gain clearer insights into human engagement.
• Impact on deliverability: While primarily affecting metrics, understanding bot behavior (like rapid, non-human clicks) can inform broader deliverability strategies, particularly concerning spam filtering. Learn more about it on the Constant Contact Community.

Key opinions

• ISP security scanning: Major ISPs and security services, including Microsoft (Outlook Safelinks) and Google, automatically scan and click links in emails as a pre-emptive measure against malware and phishing. This explains why even hidden links are triggered.
• Gmail's image proxy: Gmail proxies all images and sometimes prefetches them for certain users, which can result in what appears to be a 'false open'. While not 100% of the time, this contributes to automated engagement.
• Granular data importance: Access to detailed data such as user agents, IP addresses (e.g., from Google's Mountain View IPs or AWS-hosted IPs often associated with Barracuda spam filters), and platforms is critical for identifying and filtering out bot clicks from real engagement.
• Distinguishing scanning vs. user clicks: Google's security scanning, distinct from its image proxy loads, happens infrequently (around 0.1% of messages) and uses different IP ranges and user agents, helping to differentiate its purpose.

Key considerations

• Accurate metric analysis: Deliverability professionals must account for automated clicks to gain a realistic view of subscriber engagement and avoid misinterpreting inflated click rates as genuine interest.
• Leveraging external tools: Using email testing tools that provide detailed user agent, platform, IP, and location data can help in pinpointing and segmenting automated clicks from human interactions.
• Filtering bot activity: It's important to develop methods to filter out or ignore these automated clicks in reporting, ensuring that marketing decisions are based on genuine human behavior.
• Data center IPs: Bot clicks are frequently associated with data center IPs, which can serve as a key indicator for identifying automated traffic. These are often used for security scanning, automated testing, and spam filtering.

Key findings

• Spam filtering function: Email bots primarily act as spam filters, preventing malicious emails from infiltrating mail servers by auto-clicking and verifying links in incoming emails. This proactive measure ensures the safety of the recipient's inbox.
• Security scanning: Bots are programmed to click on links as a means to explore, identify, and prevent links to malware or phishing attacks. They evaluate the destination of every link, including hidden ones, to determine its validity.
• Distortion of engagement metrics: Automated clicks, often from data center IPs, can distort engagement metrics by imitating real user behavior. This makes it challenging for marketers to accurately assess their campaign performance.
• Pre-delivery checks: Some security bots perform checks on links before an email even reaches the recipient's inbox. Since the bot cannot immediately determine the link's ultimate destination, it clicks the link to confirm its validity, contributing to the early click surges.

Key considerations

• Metric adjustments: Email marketers should implement strategies to identify and filter out bot clicks to ensure their engagement metrics reflect genuine human interaction. This can involve analyzing user agents, IP addresses, and click timestamps.
• Impact on deliverability strategy: While bot clicks are a security function, understanding their prevalence and nature helps in fine-tuning overall email deliverability strategies, particularly concerning how ISPs perceive sender engagement and legitimacy.
• Harnessing hidden links: Some documentation suggests using 'stealth links' (hidden links that only bots would click) as a method to differentiate automated traffic from human engagement. This helps in cleaning up analytics for a more accurate view.
• Security implications: The fact that bots click all links, including hidden ones, underscores the importance of ensuring all links within an email, regardless of visibility, are secure and lead to legitimate content. This is a critical aspect of email deliverability.