Click fraud is a major consideration for any digital advertiser. Practically every single digital advertising channel is exploited for financial gain by cybercriminals.
As the largest and most popular advertising platform, Google Ads is still the primary focus for click fraud. However, no advertising platform is immune to these threats. Facebook Ads, Bing Ads…even Connected Television (CTV) advertising is vulnerable.
If they’re going to succeed, digital marketers need to educate themselves about the risks posed by click fraud. If you understand the click fraud methods used to target your ads, you can identify – and avoid – the theft of your advertising budget. But you’ve got to learn how they do it.
Often, these click fraud methods are used in combination, to create the maximum damage possible before their intentions are discovered and blocked. Once you understand some of the common techniques and principles, you’ll become adept at spotting vulnerabilities – and developing strategies to combat those techniques.
Tell Me Again – What Is Click Fraud?
The classic definition of click fraud would be an interaction between a user and a PPC ad, with the goal of profiting from charges made to marketers.
However, terms like click fraud and the umbrella term, ad fraud, are often used interchangeably. When discussing click fraud methods, it’s not always helpful to stick to the strict definitions of click fraud as a PPC problem – most digital marketing strategies are now omnichannel, with many different promotional tools used across the buyer journey.
After all, cybercriminals certainly aren’t restricting their activities to your PPC ads. And as the estimated cost of digital ad fraud was believed to be in excess of $81bn in 2022, it definitely pays to be aware of the bigger picture.
Here’s an overview of some of the ad fraud and click fraud methods that are used to steal advertising budgets. We’ve listed some ‘golden oldies’ that are still very much in use, as well as some of the more recent developments we’ve seen here at ClickGUARD.
Click Fraud Method 1 – Getting Anti-Social, With Fake Facebook Accounts
As the biggest ad platform outside of the Google ecosystem, social media giant FB/Meta offers lucrative criminal opportunities to anyone prepared to put the effort into circumventing the security measures.
As with all social media-based click fraud methods, once a fake user profile has been successfully created, bad actors can easily take advantage of the systems to undermine protest movements, influence elections – and drain ad budgets, and target businesses.
And the scale of the problem is mind-boggling –FB’s own Community Standards Enforcement Report disclosed the removal of 1.5 bn fake profiles in Q3 of 2022 alone. And that’s just the ones they caught.
Here’s the methodology typically used by traders in fake Facebook profiles.
- Create new profiles, using multiple SIM cards in a burner phone. Creating a FB profile requires a 2-step verification setup – because only ‘real people’ would have a mobile phone as well, right? Not a huge obstacle, when SIM cards can be purchased in bulk at a relatively low cost. Insert the SIM into a cheap phone for a minute or two to set up the profile, then remove and discard.
- Disguise fake profiles, using AI-generated profile pictures. Rather than stealing images of existing people, more sophisticated FB fraudsters use AI-generated facial images. These composites of thousands of different photos can’t easily be matched to existing profiles, allowing them to slip through standard detection algorithms.
- Sell fake profiles to click farms and bot farms. Quite often, bulk-produced fake profiles can then be sold to larger organizations, which use the profiles to generate clicks or fake engagement as a service.
Click Fraud Method 2 – Square Eyes, Empty Pockets, With CTV Fraud
Connected Television, or CTV, is the latest high-value target for ad fraud.
Smart TVs and streaming services offer advertising inventory that combines the targeting potential of programmatic and search ads with the high visibility and reach of traditional broadcast ads. It’s expensive, though – CTV ad inventory is in limited supply, which drives the cost up – which then inevitably attracts fraud.
A popular CTV fraud method is to create fake inventory on existing CTV platforms, and then use a botnet or a click farm/bot farm to generate impressions.
In 2020 the MultiTerra botnet was discovered to be generating up to 3 million faked impressions a day on faked inventory by hijacking thousands of IP addresses. By using each IP address only briefly, MultiTerra was able to evade shutdown for 50 days after it was initially detected.
Click Fraud Method 3 – Mobile Emulators (For Apps, For Apps, For Apps)
As digital communications technology continues to evolve at an astonishing rate, so does click fraud. With every innovation that makes it easier to communicate comes a new set of vulnerabilities and risks (as we outlined last week in our article on the evolution of bots and cell phone bot farms).
Mobile emulators are another critical step in that responsive criminal evolution. In the same way that headless browser development tools allowed cybercriminals to replicate the appearance of a typical internet browsing user, mobile emulators (the development tools used to simulate apps under construction) allow fraudsters to create fake apps.
These fake apps then provide ad inventory, where your ads can be displayed for fake impressions, clicked repeatedly, or subjected to any number of the tried and tested click fraud techniques.
Mobile emulators can be a particularly devastating click fraud method – not least because mobile phone apps are often left running 24/7 by their device owners.
Click Fraud Method 4 – Ad Hijacking, a.k.a. the Talented Mr Rip(off)ley
This ‘classic’ technique is used by rogue affiliate publishers. Firstly, the publisher establishes an affiliate link with a recognized brand. The brand gives them a link to embed in their website – if the publisher’s content sends visitors to the brand website, and then the visitors make a purchase, the publisher makes a commission.
An ad hijacker will take this legitimate link, and build a Paid Search Ad around it that’s identical to the brand’s own PPC ads. The user clicks the link, and lands on the brand’s website as normal – but the hijacker is earning commission on faked PPC ads.
Ad hijackers use Google Ads targeting tools to help them evade detection, keeping to times and locations outside of the brand’s targeting strategy to fly under the radar.
Click Fraud Method 5 – The Many Webs of Placement Fraud
Placement fraud (also known as ‘content-driven fraud’) is a term used to describe a wide variety of click fraud methods, all resulting in the direct payment of your ad budget to a fraudulent publisher.
- Ghost sites are the simplest (and most common) method of placement fraud. Ad inventory is sold for empty sites, containing only other ads. Bots are then used to generate fake clicks on the ads.
- Spoofing uses a ‘spoofed’ website, carefully designed to mimic the website of a reputable business. These spoofed websites can be used for many different criminal activities – users can be subjected to phishing attacks or malware, and ad inventory sold on the site can be exploited with fake clicks. Spoofed websites are commonly combined with other spoofed content, like spoofed emails, to draw visitors in. You may have been smart (or lucky) enough to avoid visiting a spoofed website, but you’ve definitely encountered a spoofed email – your spam folder is probably full of them.
- Pixel stuffing/Ad stacking. These techniques are used by fraudulent publishers to steal from CPM ad campaigns, where advertisers are charged for impressions, rather than clicks. However, they can also be combined with fake clicks to increase the amounts stolen.
Pixel stuffing shrinks each ad on the page down to a single pixel, invisible to the human eye. The system still registers an impression for each page visit, even though no one could have possibly seen the ad.
Ad stacking overlays ads on top of each other, with the same net result as pixel stuffing – impressions are registered, despite the fact no human visitor ever saw the ad.
As you can imagine, this list of click fraud methods is far from exhaustive. When you consider how many digital marketing channels are available, and the levels and varieties of fraud linked with each one, it’s obviously not a topic you can summarize fully in a blog article.
And each click fraud method leaves a different trail of clues in the data. CTV fraud will result in an observable spike in impressions. Ad hijacking will result in a drop in impressions. Trying to identify and neutralize every possible source of click fraud across your digital marketing would quickly become a full-time job.
And for us, it is. ClickGUARD goves you the power to eliminate click fraud from every vulnerability in your ads, regardless of what click fraud methods are used.
Click Fraud Methods – FAQs
How Do You Do Clicking Fraud?
It couldn’t be easier to waste a company’s ad budget. Just click on their ads, and you’ll cost them money every time you do so. You can do it manually, or use code scripts to automate the process (i.e. a bot).u003cbru003eFor your malicious actions to be considered fraud (in a court of law), you’d need to be actually making money as a result. This would involve a lot more work – unless the ads belonged to your business competitor, in which case it could be argued that you profited from their loss.
How Do You Identify Click Fraud?
There’s often two key indicators that click fraud has occurred – high volume of ad clicks, and low conversions from those clicks.u003cbru003eHowever, those clicks could be spread across a wide number of campaigns, making the high volume of clicks harder to spot. And depending on how you’ve set up your ads, fraudsters can generate ‘no value’ conversions, like filling out forms, that don’t actually bring your business any money.u003cbru003eTo make matters even more complicated, some click fraud methods wouldn’t produce either of these indicators. For example, if your Paid Search Ads are being mimicked by a rogue affiliate publisher, you’d actually see a u003cemu003ereductionu003c/emu003e in your impressions and clicks.u003cbru003eIf your business is being consistently targeted, click fraud protection with ClickGUARD is the only sure way to identify and block click fraud.
Can You Go to Jail for Click Fraud?
Click fraud is a crime, punishable by law. In practice, it’s very difficult for successful legal action to be taken against click fraud. Online space is very hard to police effectively, and gathering evidence is problematic. However, click fraud activity has been successfully prosecuted, and the perpetrators have been fined and even imprisoned. The most recent high-profile click fraud prosecution was theu003ca href=u0022http://www.clickguard.com/ppc-news/methbot-the-2021-update/u0022 target=u0022_blanku0022 rel=u0022noreferrer noopeneru0022u003e Methbotu003c/au003e case.