There’s no way around it – with conducting business online comes the risk of being exploited by digital fraudsters, especially in the PPC world. And oh, my are there a lot of types of PPC fraud flourishing out there, in cyberspace!

Digital marketers and entrepreneurs are increasingly at risk of becoming victims of PPC fraud even if they don’t know it. The problem of digital fraudsters using fake views, clicks, and likes as money-making schemes is so pervasive that advertisers alone are estimated to lose $44 billion by 2022, according to Statista. (you read that right – billion, with a “B”!)

While you are likely aware of the more prevalent forms of PPC fraud such as click fraud, other, lesser-known techniques are just as deceptive and harmful. In this article, we’ll lay out the different types of PPC fraud and how to prevent them.

What is PPC Fraud?

PPC fraud is an umbrella term that encompasses all the shady practices used to defraud you and your PPC advertising budget.

The most common type of PPC fraud is click fraud. As a refresher, click fraud is when an individual, bot, or automated software repeatedly clicks on pay-per-click (PPC) ads. The clicking is done with no intention of actually using the advertised product or service; rather, the intent is to harm competitor ad budgets or boost publisher’s profits.

Top Types of PPC Fraud

types of PPC fraud

Click fraud can be carried out on a massive scale through click farms, which are made up of large groups of people paid to click on ads or social media posts all day. They usually exist in developing countries and operate through the labor of vulnerable, low-paid workers.

If a company hasn’t set up protections against click fraud, competitors can continually click on pay-per-click ads until the PPC daily budget is depleted, preventing real customers from viewing them. Beyond this, click fraud affects businesses by: 

1) distorting ad campaign metrics so it’s challenging to tell how effective campaigns are; 

2) leading to ineffective campaigns with low ROAS; and 

3) wasting internal time and effort by causing teams to chase non-revenue generating activities.

This might all sound familiar to you, but a lesser-known form of click fraud has been increasing in recent years. Read on to learn about click spam – also known as click flooding – and how it works, as well as other popular types of PPC fraud you should be aware of.

how PPC fraud affects businesses

Click Spam

Click spam is a type of mobile ad fraud. It’s tricky to catch because the fake clicks are attributed to a real user. When a mobile device user opens a webpage or app operated by a fraudster or infected with malware, hitbots or clickbots will start clicking on ads that the user probably doesn’t even see.

By “poaching” real users this way, click spamming allows digital fraudsters to accumulate fake engagement on ads and collect a payout. Click spamming can also be used as a weapon against other advertisers to falsely inflate engagement on their ads and manipulate ad campaign metrics.

For a real-world example, take “DrainerBot.” 

DrainerBot was a massive mobile ad fraud operation that used this tactic on millions of Android users, affecting advertisers and consumers alike. According to the technology company Oracle, the bot used infected code to download invisible video ads on Android devices and click on ads. The infected apps used tons of data, draining battery life and costing smartphone owners hundreds in overage charges.

Sneaky, huh?

Ad Injection

Ad injection is when ads are covertly inserted into a webpage without the owner’s permission. This is usually done through adware, a controversial software that places unwanted ads over existing ads or injects ads on webpages that have no ads at all.

According to a report by the Wall Street Journal, the adware is usually accidentally downloaded through apps that allow users to customize their social media pages with different backgrounds and features. When a user downloads the app to customize their Facebook page, for example, the adware runs rampant in the background, injecting ads overtop the ones Facebook or Google bought.

And it’s not just web giants who are affected. Advertisers and publishers are often unknowing victims of ad injection, and users themselves must deal with privacy and security concerns when it comes to ad injection software. 

PPC Phishing 

Email phishing attacks are nothing new, but you may not be aware of this PPC-specific technique being used.

Search Engine Watch reported on a phishing scam hijacking URLs of well known financial and banking companies. The scam uses these companies’ paid search campaigns to send users to a malware phishing site. Users are likely to click on the ads because they trust the brand, and fraudsters piggyback off that credibility to surreptitiously send the user to a fake website that lures personal information (like login details) out of them. 

These PPC phishing scams are dangerous for customers who fall prey to them and threaten to destroy the credibility of trusted brands. 


Viewbotting is a fraudulent way of gaining exposure and viewers in the live streaming community by using bots. 

Illegitimate scripts can inflate the live view count on platforms like Twitch to push a stream to the top of the page and gain even more viewers. This artificial boost gives broadcasters a chance to surpass other streams, reach new subscribers and earn money. Sometimes, viewbotting uses “chatbots” to mimic viewer interaction and make all the fake views seem more real. 

Since the Twitch Partner Program gives streamers the opportunity to earn revenue from ads displayed on their channel, viewbotting is also a form of theft affecting digital advertisers.Certain streamers can play ads on their channel while they live stream and make a commission off the revenue advertisers pay to Twitch. The more viewers a stream has, the more money a broadcaster makes.   

If a streamer is using viewbotting services, those ads aren’t being seen by real people and yet the streamer is still getting paid a commission. This means advertisers are essentially dumping their money into bot views.

Fake Streaming 

Streaming fraud affects platforms like Spotify. Fake streaming inflates the number of play counts on an artist’s song through fake listens via bots, leading to fraudulently “earned” royalties. Fake Spotify streams manipulate the online streaming model by generating fraudulent listens to receive royalties that should have gone to artists who use the system honestly.

Advertisers paying for ad time are cheated by fake Spotify streaming, since the time and space they’re paying for is listened to by robots rather than real people. Similarly, brands that partner with artists assuming their followers and listens are real are duped when it turns out the artist’s reach is much smaller. 

Spotify is cracking down on this, but it’s still a pervasive issue. 

Now, What to Do About All These Types of PPC Fraud? 

Digital fraud is rampant, that’s for sure. But what to do about all these dangerous techniques preying on your ad budgets and campaigns?

How about a Few Success Stories? 

It’s not all doom and deception out there. The good news is that companies are striking back against digital fraudsters – and winning.

In 2016 Twitch filed a lawsuit against several “botmakers” offering viewbotting services to Twitch users. The defendants, a team of seven, were ordered to pay nearly $1.4 million to Twitch in damages for trademark infringement, breach of contract, unfair competition and violation of the Anti-Cybersquatting Consumer Protection Act. This was definitely a win against the viewbotting industry.

And last but certainly not least, the takedown of individuals involved in the infamous Methbot/3ve ad fraud operation. Methbot was an international cybercriminal ring traced to Russia and operating out of data centers in the U.S. and Netherlands making between $3 million and $5 million per day using bots to target the video advertising industry and fraudulently rake in ad revenue. 

An investigation by the FBI, with help from other companies, led to the arrest of several ringleaders including Aleksandr Zhukov. 

Zhukov was apprehended in Bulgaria, and several other cybercriminals involved in the ad-fraud ring were arrested in Malaysia and Estonia. According to the U.S. Department of Justice, the charges against them include wire fraud, computer intrusion, aggravated identity theft and money laundering. 

So What Can You Do? 

As an online marketer or entrepreneur, knowing what schemes to look out for is half the battle.

Now that you’re armed with the knowledge of these different types of PPC fraud, you can further protect your business from this digitized ad-budget weapon by using an anti-click fraud protection program. A trusted anti-fraud partner will wipe out fraudulent activity in the form of fake clicks by monitoring and blocking click fraud threats, protecting your PPC ads and campaigns.

Eliminating digital fraud entirely is impossible – as long as we do business online, there will be fraudsters and cybercriminals conspiring and coming up with new ways to exploit our businesses and attack our budgets. But with awareness and the right tools we can protect ourselves and work to thwart them.  

Check out ClickGUARD, for example. Our automated system will help you make sure your ad data stays clean and your ROAS high.