You launch a campaign, you check your clicks, and the numbers look great…

…except 99% of it isn’t real.

That’s not a random number we pulled up.

Bots will consistently be over 99% of your traffic.

Now, this isn’t something to panic about — every website, link, metadata, image, etc. on the internet experiences bot traffic. 

They’re simply an inseparable part of being online. 

And they can come from many places and for different reasons. Some are malicious, but most are benign.

Thankfully, there are ways to limit their access. We’ll cover that later in this article.

But first — what exactly is bot traffic? And how does it relate to your shortlinks?

What bot traffic actually is

You already know what a bot is — it’s a program that works on its own, without human operation.

So then why are bots creeping on your shortlinks?

To put it short(.io), they want to peer inside your links and check out what’s in there. Whether it’s text, images, or anything else, they want a piece of the pie so they can give it to someone else.

The reasons for this are many. They want to:

• Index your page
• Scrape metadata
• Download images
• Probe for vulnerabilities
• And more

Your shortlink isn’t really the target. It’s the door through which bots get their information. And the bots are just uninvited guests passing through.

The thing is, from your analytics' perspective, both look like a click. The redirect fires either way. 

That’s why your total click count is so inflated.

Every single interaction gets counted, and the vast majority will always be bots. 

In order to properly understand why this happens, let’s look at the different types of bots you’ll encounter.

Types of bots

As mentioned, there are many hats a humble bot can have.

But for 99.9% of the time, they’ll fall under one of the following categories.

Make sure you familiarize yourself with this section properly. This is where you’ll gain the most value from.

Search engine crawlers

These are the basic ones.

Whether it’s Google, Bing, DuckDuckGo, or any other search engine, a website needs to be indexed to show up in their results.

Since adding each page manually would obviously be impossible, search engines use “crawlers” — a type of bot that goes from link to link, indexing anything and everything it finds.

SEO/ competitive intelligence tools

Ahrefs, SEMrush, Bytespider, etc. 

These tools are constantly scraping the web, but building their own databases.

Because they need data to be up-to-date at all times, they hit up links with a way higher frequency than search engines, so most of the hits your links get are likely to be from these tools.

They can be set up in very specific ways, too.

For example — if a new domain gets registered or an SSL certificate gets issued — one of these tools can index it to its own database. 

So technically, your shortlinks can be indexed before you even post them anywhere.

Security scanner

These scanners can come from many places.

Gmail, Slack, LinkedIn — they all pre-click email links to check if they’re safe, even before the user is presented with them.

That’s why you get notifications about specific links being suspicious.

So, an email sent to 1,000 people? That’s 1,000 clicks logged for your link. 1,000 hits that don’t mean a single human being has looked at your link.

This is probably the most misunderstood source of clicks for marketers.

Malicious bots

This is the one you were probably waiting for.

Unlike the other types, these bots are actively trying to steal or break something. They're also the hardest to identify, since the sophisticated ones try to mimic human behavior.

Yes, with every new technology, there are opportunists. And malware isn’t anything new.

But they’re getting smarter. And they’re starting to work in new ways.

As you can imagine, your shortlinks are a gateway for all of these, putting not just your domain (or wherever you shared your link), as well as the destination, at risk.

It’s a profound responsibility.

So when you’re looking for ways to keep your services safe, don’t forget to take care of those you’re responsible for as well.

Wrapping up the types

So, in summation:

Posting a single link once could trigger a social platform's preview bot, Google's crawler, three SEO tools that noticed the link, two email security scanners, etc.

It’s important to know how your approach to your use case and campaigns will likely reflect one or two types more than the others.

Speaking of which:

Where would you see the most traffic coming from?

This section should be pretty straightforward, but it still merits inclusion.

Knowing that most of your links’ traffic comes from bots is essential, but even if you don’t use that data point at all, it’s still useful to understand why they’re finding you. 

So. Here’s a rough way to troubleshoot your analytics.

If you distribute links primarily through email

• In this scenario, security scanners would dominate your statistics. One newsletter that reaches 5,000 people means 5,000 bot clicks before a single human opens the email. The more you scale, the more likely you are to see this.

If you share links on public web pages

• Blog posts, documentation, help centers, landing pages. Wherever it may be. You can expect search engine crawlers and SEO tools to take over.

If you share links on social media

• Preview bots should be the immediate spike. Post one link on X, LinkedIn, and Facebook, and you’re already three bot clicks deep. And if the post gets traction, you can expect search engine crawlers and SEO tools to follow.

If you use links in affiliate or ad campaigns

• This is when malicious bots become very realistic. Competitors or bad actors can spam automated clicks to drain your budget or inflate fake engagement. This is the one use case where malicious bots might actually be your biggest source of non-human traffic.

If you have a branded domain that's publicly registered

• In this case, SEO tools can find your links before you even share them, all through DNS records and public certificates. If you’ve been confused by seeing bot traffic for links you haven’t even posted yet, this is why.

Patterns to look out for

And finally, what are some classic giveaways that bots are skulking around?

Unusual browser names in Click Stream

First, try to learn the main bots — Bytespider, HeadlessChrome, OAI-SearchBot, etc.

These are likely to be your main offenders, so it's useful to familiarize yourself with them.

Once you’re used to them, you’ll be able to spot the more suspicious ones easier.

Do keep in mind that malicious bots can sometimes pretend to be non-malicious bots.

Geographic anomalies

If you receive traffic from markets you don’t serve or target and have no reason to expect clicks from, this is a pretty obvious tell.

A few clicks from random countries is normal. Bots crawl globally, and someone might’ve stumbled onto your link anyway.

A sudden surge in traffic can mean bots, VPN traffic, or just your link getting shared in unexpected places.

But if you want to make sure, reference this data with the browsers you’re seeing used.

Same IP hitting multiple links in rapid succession 

You can also find this one in Click Stream.

If you see the same IP address clicking five, ten, twenty of your links within seconds, that's not a human browsing — that's a bot systematically working through your links. 

Could be a crawler doing its job, could be a scraper, could be something worse. 

The speed is the giveaway. Humans don't click ten links in three seconds.

Clicks with no referrer and a generic user agent 

A human click almost always comes from somewhere — a website, an email, a social platform. 

No referrer, a generic user agent, and/or an instant response time is likely a bot that doesn’t even bother hiding what it is.

A lot of security scanners work like this.

Clicks at unlikely hours

If your audience is entirely US-based and you're seeing a cluster of clicks at 3am Eastern with no corresponding conversions, that's probably not (just) insomniacs. 

Cross-reference the timing with the IP and browser data to confirm.

What you can actually do about it

The good news is that Short.io already handles the heavy lifting for you.

We filter out the human clicks from the bot click, and try to prioritize the former using our own, proprietary detection methods.

But outside of that, it’s important to be vigilant yourself.

• Focus on human clicks for every decision.
• Track the ratio over time.
• Don't panic, but don't ignore sudden changes.

Need immediate solutions?

Here’s what you can do right now.

• Block a bot’s IP from your statistics
• Edit robots.txt to block specific crawlers

Safety = being informed

Bots might seem scary at first, and it’s true that the damage they can inflict is immense.

But in most cases, all you need to do is pay attention, understand how bots work and what the risks are, and what you can do about them.

Just like every other safety practice on the internet, protecting yourself is about being informed and proactive.