Klaviyo Bot Issue

Summary of issue

Starting in early June, we became aware of inflated visitor counts on tests on several stores. Upon investigation, these visitors were identified to be bot traffic sent via inbox providers like Gmail and Outlook to perform security scans on emails sent through Klaviyo.

Klaviyo noticed this issue becoming more prevalent since mid-January 2024, but it appears that in June 2024 the issue has become increasingly frequent. Klaviyo currently does not have a method to mitigate the issue, but is working to address it. It has been observed that this bot traffic may impact Shopify Analytics as well.

Issue details

As this traffic is sent by inbox providers as part of email security scans, it is necessarily masked to look like genuine users, rather than bots.

Shoplift was able to identify these visitors as bots not by any particular attributes on the visitor (like UserAgent, which is currently leveraged to filter out bots from other sources) but rather by the timing during which this traffic was tracked.

We observed that as Klaviyo campaigns are sent out, inbox providers will sent significant amounts of bot traffic at the outset of the hour for a period of a few minutes. This traffic tapers off until the outset of the next hour, and this cycle has been observed to continue for several hours following a campaign being sent.

The bot filtering that Shoplift leverages today is able to protect against known bots coming from sources like Google or Facebook crawlers, but as these bots coming from inbox providers are masked to look like genuine users for inbox security purposes, we are not yet able to filter them out. We are working on a solution to address this issue and hope to have this released soon.

Shopify analytics may also be impacted. Shopify has advanced models to help reconcile and filter out bot traffic within 24-48 hours, but we recommend examining your Shopify reports for traffic with "utm_source=Klaviyo" to help identify if and to what degree your Shopify analytics may be affected.

Klaviyo analytics are also impacted. Klaviyo is aware of this issue, and they are also working on a method to address inflated click counts arising from this bot traffic.

Issue mitigation

In the meantime, Klaviyo has provided various resources and strategies which may help to mitigate the issue:

• Understanding bot clicks

• Set up dedicated click tracking

• Options to prevent list bombing

• Blocking fake email addresses from subscribing

• Prevent spam bots from signing up while keeping list set to single opt-in

• Single vs double opt-in emai list liability

Getting support

If you suspect your tests are receiving higher than normal visitor counts stemming from inbox provider bots, reach out to our support team at help@shoplift.ai or by using the in-app chat widget to get in touch. We are here to support you.

Additional resources

Communities on Reddit have also been discussing the issue, including what Klaviyo is doing about it and how it might affect Shopify Analytics.