Our current algorithm for suspicious activity detection is the following:
The first level (first 10 clicks):
1) If at least 9 of the first 10 clicks have no referrers, were made using proxies, or come from fewer than 3 different browsers (including browser version), we mark this participant as suspicious. By "no referrers" we mean that the unique URL was pasted directly into the browser address bar.
2) If the first condition passes, we check IP addresses: if these 10 clicks came from fewer than 5 different IPs, we mark this participant as suspicious.
The second level (first 50 clicks):
3) If all conditions above pass, we check whether at least 90% of the first 50 clicks have referrers, were made using proxies, or were made from fewer than 3 different browsers (including browser version). If not, it is marked as suspicious activity.
4) If these 50 clicks were made from fewer than 25 different IPs, we again mark this as suspicious activity.
Therefore, if you see the suspicious activity sign, it means that the participant was trying to click on their own links and cheat the system; it doesn't happen by accident. You can block these participants, and they won't be able to interact with the widget using the same email and browser.
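The two-level check above can be sketched as follows. This is an added example, not the product's own code: the `Click` fields, the function names and the reason labels are hypothetical. It assumes the three signals in step 1 are alternatives, that step 3 applies the same signals at a 90% share of 50 clicks, and that a level runs only once its full window of clicks exists.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Click:
    ip: str
    browser: str             # browser name including version
    referrer: Optional[str]  # None = URL pasted into the address bar
    via_proxy: bool

LEVELS = ((10, 5), (50, 25))  # (window size, minimum distinct IPs) per level
MIN_BROWSERS = 3

def window_reasons(window):
    """Signals from steps 1 and 3 that fire for one window of clicks."""
    need = (9 * len(window) + 9) // 10  # ceil(90%): 9 of 10, 45 of 50
    reasons = []
    if sum(c.referrer is None for c in window) >= need:
        reasons.append("no_referrer")
    if sum(c.via_proxy for c in window) >= need:
        reasons.append("proxy")
    if len({c.browser for c in window}) < MIN_BROWSERS:
        reasons.append("few_browsers")
    return reasons

def evaluate(clicks):
    """Return (level, reasons) for the first level that flags, else None."""
    for level, (size, min_ips) in enumerate(LEVELS, start=1):
        if len(clicks) < size:  # assumption: wait for a full window
            return None
        window = clicks[:size]
        reasons = window_reasons(window)
        # Steps 2 and 4: IP diversity is checked only if the signals passed
        if not reasons and len({c.ip for c in window}) < min_ips:
            reasons = ["few_ips"]
        if reasons:
            return level, reasons
    return None

# Constructed sample clicks (not real traffic), cycling through IPs and browsers
def sample(n, ips, browsers, referrer="https://example.com/post", proxy=False):
    return [Click(f"198.51.100.{i % ips}", f"Browser/{i % browsers}", referrer, proxy)
            for i in range(n)]

if __name__ == "__main__":
    print(evaluate(sample(10, ips=1, browsers=1, referrer=None)))  # level 1 signals
    print(evaluate(sample(10, ips=3, browsers=4)))                 # level 1, few IPs
    print(evaluate(sample(50, ips=12, browsers=6)))                # level 2, few IPs
    print(evaluate(sample(50, ips=40, browsers=6)))                # not flagged
```

Returning the reasons alongside the level lets a reviewer see which signal caused the flag before blocking a participant.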