Question: How profitable is lead generation fraud? This post shows the steps and the business plan to start a fake lead generation company in order to show you how profitable it is.

The startup costs are low, very low. With only a few thousand dollar investment you’ll be able to setup a cloud based click and lead generation machine. The software will be able to load a landing page and fill out the contact form; CAPTCHAs? IP reputation blacklists? Fingerprints associated with fraud? No problem.. these are all inconveniences which can be solved. Want to know exactly how? Continue reading.

Fraud exists for a reason. Simply said, because it is worth the risk! This would imply, the higher the risk the more the reward. But, as you’ll find out, in the online advertising ecosystem this works the other way around; ie. There’s nearly zero risk and the rewards.. these are skyhigh!

So, let’s break down how skyhigh these profits are, what minimum investment is required and how long it takes before this investment starts to generate profit.

In the advertisement ecosystem your fraud options are generally to 1) generate fake impressions, 2) generate fake clicks, 3) generate fake leads and/or sales. Each option has a different level of difficulty, but as always the more difficult the higher the reward. That’s why this blog focuses only on fake leads/sales, because this type of fraud is the most advanced form of fraud in the marketing ecosystem, will have the highest startup costs (bot development) and the highest infrastructure costs.

Infrastructure

In order to run your fraud scheme you’ll need an IT infrastructure. Luckily most cloud vendors offer you to run docker containers. This allows you to run Node.js with Puppeteer or Playwright to start a Chrome browser using XVFB (a virtual display). This software stack will be able to pre-load cookies and fully control the browser, eg. go to a specific URL, move the mouse, click around, fill out the contact form, etc. Of course, you’ll need to hide that the browser is remote controlled, randomize your fingerprint, but that’s part of the game. Though running containers is quite expensive, the costs for CPU cycles, bandwidth and storage are ~$0.0003 per landing page. In order to reduce cloud costs you could run multiple tabs in the Chrome browser where each tab connects through a different proxy server. This isn’t included the calculations below.

Residential Proxies

Traffic from the cloud isn’t sent directly to the landing pages, that would be too easy to block. Instead, residential proxies are used: fresh high quality residential proxies, guaranteed not to be blacklisted. Based on a few companies offering residential proxies, you’ll see that these proxies are priced per GB data. Depending on the quality and volume they will cost up to $15/Gbyte (low volume) – $4/Gbyte (high volume). $15/Gbyte is the amount I’ve been using in the calculation below. If you want to read more about residential proxies, continue at this link below [1].

CAPTCHAs

Some websites and/or landing pages try to stop bots using CAPTCHAs. This doesn’t really work, it only increases the costs, as these CAPTCHAs are forwarded to a solving service, where humans solve the CAPTCHA and return the answer, the bot again simply returns this answer. Captchas cost less than $10 per 1000, even as low as $1 per 1000.

Device fingerprints

When your bots run in the cloud they all use the same machine and browser configuration. That will look suspicious, even from different IP addresses. That’s why the browser configuration (memory, cpu cores, language, platform, etc) need to be distributed in a realistic way. These configurations can be bought, or randomly generated. Either way, this doesn’t costs much. If you want to read more about device fingerprints, more info below at [2].

Personal Data

In case you are going to fill out lead generation forms, test credit cards, or buy digital goods, you will need the personal data (full name, address, city, state, etc). This data can be bought on marketplaces on the darkweb. In case you need the associated credit card info, the price will be higher. We’re going for the cheap dumpz which are ~a penny per record, or $10 per 1000. You could also use data which uses synthetic data, but that’s up to you.

Development and Maintenance

Most people don’t have a computer science degree and creating your own scalable and undetectable botnet will be out of your league. Luckily, again supply and demand have found each other in online forums and chat groups where you can hire a CS student or an expert to develop, build and maintain your bot environment.

The most expensive part of the development will be to bypass existing anti-bot detections. It depends on the anti-bot vendor as some are very easy to bypass and some are very hard. As always: The harder it gets, the more it will cost.

Development by a professional takes typically less than 10 hours, simply because they've done this multiple times. The real expensive part might be when you’re dealing with an unexpected change in an anti-bot detection, which requires reverse engineering. And that can be a lot of work.

Professionals may cost you $250+/hour, which might look steep, but they’re worth their money as you’re paying for the accumulated knowledge and experience. They’re able to create your solution within a few hours, instead of getting stuck while the clock is ticking.

Maintenance and updating of the infrastructure is required to keep up to date. Each month a new Chrome browser version is released, anti-bot scripts get updated, etc. In order to blend in, you’ll have to use the latest version.

The fake lead generation company: Golden Leads

Now that you have you infrastructure and software stack, you are ready to generate leads. Leads are generated at the landing pages of a brand; insurance companies, banks, solar panels, software downloads, book a testdrive at a car dealer, etc. Companies selling these services or products will often run their own campaigns and in addition they buy traffic from 3rd parties and compensate these 3rd parties per click (CPC) or per generated lead (CPA /CPL). The latter is what the fictitious company Golden Leads will offer.

In lead generation not all visitors will leave their contact details, or buy a digital product. Only a small subset will convert, which is exactly what we’re going to emulate.

Without scaling the business the fixed monthly costs (development and maintenance) are clearly the biggest expense, but that changes when generating a lot of leads. Let’s look how it looks when we put all this data into an excel sheet and create a financial forecast of the golden leads company.

Most of the values are self-explanatory. The Low CPA indicates the min price you’ll get paid for a generated lead, and the Max CPA the maximum price. The true value will be somewhere in between. This is to illustrate the potential profit range. The low and high CPA prices are used to create the table below in Figure 3 where the revenue L, profit L and profit L% are based on the Low CPA price, the low estimate of the range. The High CPA is used to calculate the high of the range.

Residential proxies will cost about $15 per Gigabyte and the average size of a landing page is set to 4 Megabytes. This means each pageload will cost $0.06, which makes residential proxies the most expensive variable component.

Figure 3 shows that at $20 per generated lead you will have to generate at least 700 visits, of which 140 (20% of 700) will convert to a generated lead in order to start making profit. At $50 per generated lead you only have to generate 300 visits (60 generated leads). Of course you can tweak the conversion% to your needs, but keep in mind: The conversion% has to be realistic! It clearly shows that the financial risks are very small and the more leads you generate the less the monthly development and maintenance overhead costs will hurt your ROI.

The profit range in Figure 4 shows how your investment becomes more successful at scale. Of course you’re always constrained by your buyer’s budget, ie. the number of leads a company wants to buy, and how well your buyer is in control, ie. do they continuously monitor the quality per source of the bought leads: conversion% to a sale, number of TCPA claims, number of chargebacks, etc. You’ll be surprised how many enterprises don’t really continuously check and act on these measured metrics. As long as the number of clicks (visits), generated leads and conversion% is high, the gamescore is all-time high and.. that means: all is good, someone’s bonus is secured!

Just by looking at the profit range in Figure 4 shows that lead gen fraudsters make a lot of money, and without major financial risks. Who doesn’t want to risk a few thousand dollars a month when you can earn 20 to almost 50 times your few thousand dollars? At only 20,000 visits (4,000 leads) -a day, week or month- this is almost $200,000 with only $4,146 of costs. It now depends on how good your sales is in order to scale the company. You can even hire a booth at trade shows to sell your golden leads, make sure you have some great freebies, like socks, lip balm, or mini hand sanitizer.

Now that your golden leads business is operational and you have a great monthly recurring revenue, you might start thinking about the next steps. Maybe, start a lead generation fraud detection company to detect bots and fraud -of course not your own bots and fraud-, and/or just enjoy the the good life. I can assure you with such a money machine you’ll be living a very relaxed life with a nice big house, big garden with a swimming pool and a calming lazy river, maybe your own hobby plane to fly around!

Answer: In the digital marketing lead generation fraud is very profitable!

Questions? Want the Excel sheet? Comment or DM

Disclaimer: The story, all names, characters, and incidents portrayed in this production are fictitious. No identification with actual persons (living or deceased), places, buildings, and products is intended or should be inferred.

2023-05-31

[1] https://www.linkedin.com/pulse/residential-proxies-available-millions-have-become-why-kouwenhoven/?

[2] https://www.linkedin.com/pulse/fingerprinting-finger-pointing-fingers-crossed-sander-kouwenhoven?