Ralph PerrierJuly 25, 2022

It has been estimated that, globally, digital advertising fraud costs would grow exponentially between 2018 and 2023, from $35 billion to $100 billion. That is a worrying prediction, and since bots are one of the main tools fraudsters use, it makes a lot of sense if you’re on the lookout to learn more about mitigating bots. 

There is good news and bad news about this. 

The good news is that mitigating bots is somewhat doable. The bad news is that it’s probably not what you think it is. 

To make it even more complicated, this story has nuances – most of which are given by: 

  • The actual definition of a bot 
  • How bots are classified 
  • How botnets make it all worse 
  • How infamous botnet scandals played out (spoiler: good guys don’t always win)

Let’s run through this issue and demystify bot mitigation. 

What Are Bots, Exactly? 

Bots are programs that imitate human behavior. Sounds super-dull and there’s no Terminator-like scenario in this definition, but if you think of bots as the driving force behind millions upon millions of USD, you kind of start to re-position yourself when it comes to how machines can damage humans. 

Some bots are useful. They automate pre-defined repetitive tasks nobody wants to do (or which are just a lot less expensive when they’re automated.)

However, some bots are used to mimic human behavior with malevolent intentions – such as, let’s say, driving thousands of worthless clicks to someone’s Google Ads campaign. 

Why would bots do this? 

Well, bots aren’t sentient. They are driven by humans – and in the case of bots that drive false clicks on Google Ads campaigns, they are driven by fraudsters. 

Why would fraudsters do this?

For the same reason fraudsters do anything, really: the cha-ching sounds. Money, that is. 

You can’t mitigate fraudsters, just like you can’t mitigate tornadoes. 

The question, then, is this: is mitigating bots possible, at least? 

good bots and bad bots examples

Bad Bots, Bad Bots, Whatcha Gonna Do? 

According to Statista, less than 60% of web traffic is actually driven by humans. The rest? Bots.

That’s not ALL bad news. Ish.

Bots are nothing but lines of code. Sure, they’re lines of code that can leave a gazillion-dollar hole in your marketing budget – but even so, you cannot actually humanize them and say they’re “bad”, “good.”


The intent behind how one uses a bot is, for sure, good or bad. The bot itself?

Think of it this way: are the laws of physics good or bad? Sure, we don’t like gravity that much when we’re going up the stairs, but it comes in useful when you want to, you know, stay on Earth. So can you really say gravity is good or bad?

The same goes with bots. In marketing and advertising, specialists refer to “bad bots” as those that drive wasteful and fraudulent traffic. But there are good bots driving traffic to websites too – such as Siri or Alexa, for example.

“OK, great, so I don’t have to worry, then, right?” 

Not so quick. The issue with all of this is that, according to the same aforementioned study, 15.2% of the online traffic is “good” bot traffic, and 5.6% “bad” bot traffic

Let’s see what this means… 

Types Of Bots

“Good” bots are bots that are useful and, more importantly, not harmful to businesses or internet users. This category includes: 

  • Search engine bots: they index content for search purposes
  • Chatbots: used mainly for customer services, these bots simulate human conversation through programmed responses
  • Social bots: Bots that operate on social media platforms

Other bots, on the other hand, are “bad” or malicious. These include: 

  • Spambots: these bots are designed to spread infected material; this can happen via email, social media sites, or an instant messaging app.
  • File-sharing bots are bots that spy on people’s search queries and provide fake links; these links can then get the device infected with a virus or another type of malware.
  • DDoS bots are bots that flood a website with requests in order to crash it.
  • Click fraud bots generate fake clicks for PPC ads by passing them off as human clicks.

These lists are by no means exhaustive - there are many kinds of bots out there. 

And as you can tell by now, many of them can be used for “bad” purposes - like supporting how fraudsters make money in PPC. 

What Are Botnets? 

The word “botnet” is derived from the term “robot network”. Botnets are a big part of how fraudsters make money in PPC.

Here’s how botnets work (in super-simple terms): 

  • The “bot-herder” infects devices with malware
  • The hijacked devices are used to carry out scams & cyberattacks 
  • These attacks are done automatically & at scale (and they can involve data theft, server crashing, or malware distribution). 

Using botnets makes a lot of sense for fraudsters. Not only are these armies of bots super-efficient at wreaking havoc, but they are very often undetectable as well. Most times, the owner of the device that’s been infected doesn’t even know that they’re being used for malevolent purposes. 

To top it off, bots and botnets are getting increasingly complex in how they mimic human behavior AND how they hide.

All of this makes it incredibly difficult to track and stop botnets.

botnet scandals

Cautionary Tales: Infamous Botnet Scandals 

To better understand why mitigating bots is such a crucial element of your marketing strategy, take a look at some of the worst botnet scandals to gauge a better understanding of the propensity of this issue. 

EarthLink Spammer

This is the first botnet to become infamous, back in 2000. We are talking about a spammer that sent roughly 1.25 million emails in a little over a year. 

These emails were all phishing scams - emails posing as real communications messages from legitimate websites, to collect sensitive information like credit card numbers or get viruses downloaded on the victims’ computers; these viruses would then capture sensitive information.

The spammer behind the botnet was identified and sued by EarthLink for using their network for his spam scheme. 

Storm

The Storm botnet made headlines back in 2007. It got so much attention because it was one of the first known peer-to-peer botnets. The network, controlled by several different servers, was huge - ranging from 250,000 to 1 million infected computers. 

Storm could be rented out by anyone willing to pay for it on the dark web. It was involved in various criminal activities, from DDoS attacks to identify theft. 

Some of Storm’s servers were shut down in 2008. Its activity has slowed down and the botnet is believed to be inactive nowadays. 

Mirai 

The Mirai botnet first caught attention in 2016 when it was responsible for a massive distributed DDoS attack that left much of the internet inaccessible on the US East Coast. Mirai was also remarkable because it was the first major botnet to infect IoT devices. At its peak, it infected over 600,000 devices. 

The infamous botnet wasn’t stopped but continued growing and evolving. It drew attention again in 2019, as it also changed its tactics, becoming more complex - it has expanded its techniques to target more processors. 

The botnet hasn’t been stopped. Reports of it wreaking havoc continue to pop here and there, to the date. 

TrickBot 

When compared to early botnets, more recent ones have a strange trajectory. Some just seem to “calm down” in time, others keep repairing over time. 

That is also the case of TrickBot, which was first identified in 2016, but has made a comeback in 2021. The latest version has been updated with functionality that allows it to scan the UEFI/BIOS firmware of the targeted systems for vulnerabilities.  

Mitigating Bots: Science-Fiction or Self-Help? 

So, is mitigating bots doable in ad fraud – and if so, how? 

To understand bot mitigation (in click fraud), you will have to return to one of the basic tenets of this article: fraudsters make money using bots to drive wasteful and illegitimate clicks on Google Ads.

The keyword here is money. 

How Fraudsters Make Money in PPC: A Scenario

Click fraud cybercriminals offer a service: that of driving wasteful clicks and traffic to someone’s campaigns. 

So, for example, if a competitor wants to make sure your ads aren’t working as they should in a particular time span (like, for example, when they launch a new campaign), they would go to the fraudster and buy the service.

(Let’s be clear here: competitors are not the only ones who might be driving click fraud attacks to your Google Ads campaigns; plenty of other entities could do this – intentionally or not.)

Can you prevent this from happening? 


Not really. You can’t set up a secure firewall to protect all your Google Ads clicks from ALL click fraud there is. As mentioned before, botnets are getting increasingly more sophisticated – which means they can get through most security checks. 

Mitigating bots?

That’s an entirely different affair. 

In fact, mitigating bots in click fraud might just be the only sane and efficient thing to do. 

Here’s why: mitigating bots is all about making it less profitable for the fraudster to keep attacking your ads with fake clicks. The one way you can do this is by keeping your fraudsters on their toes with actions such as blocking their IP addresses from a botnet unit (which will force them to deploy new units, which will drive the costs up too). 

The more you “block” your fraudsters, the less profitable it becomes for them to attack you – and the more good traffic you will attract on your Google Ads. 

Compare this with a DDoS attack, if you will. One of the ways you can prevent and mitigate such attacks is by installing Captcha verification on your forms. However, Captcha is not 100% effective because some machines are so smart that they can solve Captcha riddles.

Even so, Captcha can still help a lot because it’s expensive for cybercriminals to run software programs capable of solving human-oriented problems. 

Likewise, in addition to using Captcha verification, you can also block an IP associated with a potentially fraudulent device. Yes, in this case, the fraudster will still be able to change their IP address or deploy its software on another server or even deploy an entire unit in the botnet. However, it will cost them more to do this. 

Getting Your Money Back: Science Fiction?

“All this sounds complicated. Is the law on my side on this?”

We spoke about the (il)legality of click fraud here, more extensively, if you want to learn about it.

If you want the short version, though, here it is: do not rely on the idea that you can just file a lawsuit against fraudsters or ad networks and get your money back. 

Yes, fraudulent activities like click fraud are illegal, but bringing a case to court and proving the intent behind the wasteful clicks is nearly impossible. You just can’t prove the intent of something or someone – not in a way that’s admissible in a court of law. 

Successful click fraud lawsuits are few and far between, and their wins are connected to very specific, unrepeatable contexts. 

“OK, but the ad network will help, right?”

Yes and no. Platforms like Google claim to be doing their best at mitigating click fraud and repaying the victims. But the truth looks a bit different.

For example, in 2017, Google has agreed to provide refunds to advertisers using DoubleClick Bid Manager (now Display & Video 360). These refunds were meant to compensate for ads that had been served on sites that had fraudulent or invalid traffic. 

Google offered to refund the “platform fee” for its ad-buying tool, which represented only a fraction of the total advertising costs. Google claimed it wasn’t in a position to return money that had already flowed from its buying tool to third parties. According to the Wall Street Journal, a class-action lawsuit followed, asserting that Google improperly withheld those refund payments.

Are you willing to spend years in court to get your money back? While that seems like the legitimate way to handle ad fraud losses, it is not very practical for your business. 

What’s the Easiest Way to Mitigate Bots in Click Fraud? 

The easy answer here is: click fraud software. 

While ad networks (like Google, in this case) promise to eliminate bad clicks and even reimburse you when such fraudulent activities occur on your campaigns, the harsh truth is that they don’t do that much about it. Remember, click fraud is a multi-billion dollar issue even to the date, even with all the lawsuits that have been filed against Google. 

ClickGUARD is a click fraud software that helps you keep your clicks clean – and your ROI high. We use advanced post-click analytics (or “click forensics” as it is sometimes referred to) to help you understand what really happens in your Google Ads and take action accordingly. 

Check out what our customers have to say about us. Not that we’re bragging, but it’s pretty impressive! 😉

Ralph works with department leads to ensure they are well-integrated, highly motivated and focused on changing the AdTech space for digital marketers by delivering game-changing products and personal experiences.