What is click fraud and how to stop and prevent It

A 7.2-billion-dollar-a-year problem in the digital advertising industry

If you suspect that you’re a victim of click fraud, you’re not alone. Although at first most digital advertisers think click fraud won’t affect their ad campaigns, eventually they notice inaccurate click data in their reports, and discover the vast and complicated topic of click fraud.

For example, Ralph Perrier, our founder, realized in 2004 that 20% of his previous business’s ad budget was wasted because of competitor click fraud attacks. Over the next ten years, the volume of click fraud affecting his business continued to escalate, and more and more of his connections in the digital advertising space were facing similar challenges.

Even if you haven’t been following the rise of click fraud since 2004, you may have noticed click fraudsters making a splash in the news, like this 2016 Forbes article about a Russian click fraud ring running a bot farm and making $5M a day. And this is just the tip of the iceberg: according to a Statista forecast from 2019, costs related to digital advertising fraud worldwide are expected to “grow exponentially within the four years between 2018 and 2022, from 19 billion to 44 billion U.S. dollars.”

What is especially frustrating is that click fraud is rampant in the industry that was supposed to give marketers access to more accurate data than ever before.

Digital ad campaigns make it astonishingly easy to reach your online audience. They are reasonably easy to build, relatively affordable, and provide near-instant feedback. Moreover, they allow for:

Unfortunately, the assumption that every ad click comes from a real person interested in buying your products or services is no longer valid. According to Barry Levine, "...sourced traffic — such as that from PPC or other ad campaigns — is three times as likely to result in fraud, as compared with non-sourced traffic."

While some maintain that “you shouldn’t care about fake clicks,” we don’t believe that losing money to fraudsters should be considered a cost of running online ads.

After developing a solution that helped him block click fraud attacks targeting his previous business, Ralph Perrier realized he could help other advertisers overcome the same challenge — and launched ClickGUARD in 2016. Since then, the ClickGUARD team has protected 65,000+ campaigns in over 107 countries from fraudulent clicks, saving over 32 million dollars in 2019 alone.

Competitors manually clicking on your ads to sabotage your campaigns

Sometimes, especially in highly competitive industries, competitors resort to click fraud to get an edge on their rivals. By repeatedly clicking on competitors’ ads, they deplete a company’s PPC budget to prevent potential customers from seeing those ads.

Sometimes, especially in highly competitive industries, competitors resort to click fraud to get an edge on their rivals. By repeatedly clicking on competitors’ ads, they deplete a company’s PPC budget to prevent potential customers from seeing those ads.

The worst part is that it’s not all that difficult to commit this type of fraud: unless you’ve set up protections against such attacks, a pay-per-click ad will show until its daily budget runs out.

If this is the case, competitors can run through your ads very quickly, either by clicking on your ads repeatedly from a single device, or by hiring third parties to coordinate hundreds of clicks across multiple devices (we’ll discuss an example of a click-fraud-as-a-service attack later).

Sometimes it’s possible to identify competitor click fraud by tracking patterns within a particular niche. Here’s how our founder, Ralph Perrier, recalls his experience:

In simple scenarios where non tech-savvy competitors try to sabotage your campaigns, you can recognize competitor clicks by their IP addresses and block them.

Publishers manually boosting ad revenue (with a little help from their friends)

In some cases publishers may be trying to boost their revenue by clicking on ads themselves or profiting from their friends’ clicks (this is a very small-scale threat: if manual — and easily detectable — click fraud reaches high levels, it triggers account suspension on AdSense.

Disgruntled customers trying to get back at a business

Some disgruntled customers go beyond writing bad reviews online. Instead, they repeatedly click on the ads of a particular company.
‍
Fortunately, this is fairly unlikely to happen. And, unless one of your unhappy customers happens to be tech-savvy, it is also easy to identify and stop due to the repetitive nature of clicks.

All told, compared to cybercriminals or click-fraud-as-a-service actors, solo click fraudsters are just a tiny part of the problem.

Organized click fraud criminals

Cybercriminals creating harder-to-detect bot networks

One common practice among cybercriminals is infecting the computers of internet users with malware to create bot networks, or botnets to achieve various nefarious goals. Click fraud is one of them. We've previously written about one example, Redirector. Paco malware.

Unfortunately for advertisers, botnets can avoid detection more efficiently because the clicks they are programmed to perform will come from a range of regular machines with legitimate IP addresses. To detect botnets, you'll need to set up advanced visitor behavior tracking.

Click fraud as a service industry

Click-fraud-as-a-service can have many forms, from low-wage workers clicking on ads to boost publishers’ profits to distributed botnet attacks ordered by unscrupulous competitors.

Click farms — fake likes, fake followers, fake ad clicks

Click farms are located primarily in third-world countries where they employ low-wage workers to generate fake likes or followers on social media — or to click on ads.

Click farms may use a combination of humans and robots, but detecting human traffic is especially challenging, since it’s harder to distinguish click farm workers from good-faith users.

There was no way the clicks could have been human: we would pause our ads and then we would restart them at odd hours. And within a short period of time, the clicks would start again.

And the page didn't even load: there were headless browsers that wouldn’t even allow for the full page to load and bounce back and then click again.

A lot of those clicks were distributed through VPN and proxy networks, which means a lot of it had to have been automated.

Non-fraudulent clicks that affect ad performance

There are some cases when clicks are, strictly speaking, not malicious, but still hurt advertisers, because there is no intent to purchase the advertised product or service. At the same time, they are not accidental, since the users click on them to get to your website. Still, since these clicks do not result in a purchase, they will affect your ROAS.Here are 3 examples of clicks that fall into this category:

Clicks from users who are “just browsing,” but repeatedly click on the ads anyway, or lookie-loos
Clicks from converted customers who click on ads to get to a brand’s website
Clicks outside of selected geolocation

Lookie-loos

Lookie-loos will often conduct multiple web searches and click on an ad numerous times without ever making a purchase.

This may not be alarming for companies that bid on low cost-per-click campaigns, but advertisers running high cost-per-click campaigns will want to prevent lookie-loos from increasing their customer acquisition costs.

By tracking visitor behavior and conversions after an ad click you can distinguish good and bad traffic and exclude sources with low-quality interactions.

Converted customers

In this case, customers search for a particular brand by name and click on a brand ad to get to the website. Blocking ads after conversion might make sense to avoid incurring this type of expenses.

Clicks outside of selected geolocation

As we mentioned above, cybercriminals often use VPNs and proxies to mask their location.

In many cases proxies are used by regular people concerned about their online privacy or trying to bypass internet censorship in certain regions.

VPNs are often used to access region-restricted sites as well. In addition, they encrypt data and so are frequently used to hide browsing activity from third parties, such as when using public Wi-Fi.

Not all proxy or VPN clicks are fraudulent: if searches are varied and naturally distributed, then these are likely regular VPN or proxy server users.

However, regardless of user intention, most proxy clicks affect the accuracy of your ad campaign reports: with proxied IP addresses, generated ad impressions will be based on false location and network data. And, until Google’s geolocation capabilities improve, it might be worthwhile to look into additional methods of protection for your ads.

3 ways click fraud affects your business beyond draining your ad budget

As if invalid clicks depleting your ad budget are not bad enough, fraudulent clicks make it almost impossible to tell how effective ad campaigns really are. Click fraud affects businesses in three additional ways:

Distorted campaign metrics
Low ROAS
Wasted time and effort for internal teams

Running campaigns blind because of distorted campaign metrics

In some cases, false clicks can account for up to 90% of total registered interactions.

When significant amounts of clicks and overall traffic data come from invalid sources, performance metrics become essentially worthless.

Without knowing the source of each click, it’s easy to assume that a campaign failed because it didn’t have the right structure or budget. But very often ad campaigns fail because click fraud prevents them from reaching real customers.

When campaign optimization is based on guesswork or inaccurate data, marketers might end up spending time on tasks with little or no return. For example, they may decide to start optimizing high-traffic, low-performance campaigns in hopes of improving conversion rates, instead of solving the root problem — fraudulent clicks distorting campaign results.

Ineffective campaigns with low ROAS

Just like unethical competitors or lookie-loos, robots will never make a real purchase. This means invalid clicks will increase the cost of each conversion and affect your ability to find leads online.

Without blocking robots, you’ll end up overpaying for the conversions you get — while missing additional chances to get in front of your real audience.

Wasted time and effort for internal teams

In addition to distorting your ad campaign metrics, fraudulent clicks can lead your team to focus on non-revenue generating activities.

For example, your sales team may end up pursuing bogus prospects acquired through click bot traffic designed to mimic user behavior by filling out lead forms.

Does this sound too pessimistic?

This Seer Interactive article, “Google Ads Removes Search Terms for 28% of Paid Search Budgets”, was published only 3 months after Daniel Zrust’s post:

There is no doubt that PPC ads can help you achieve your business goals, but there are many systemic inefficiencies that decrease the effectiveness of your PPC ads and leave digital advertising open to click fraud risks.

Given how much fraudsters stand to gain by developing more and more sophisticated bots and new workarounds to stay ahead of the curve, it’s not likely that the advertising industry is going to get rid of fraudulent clicks overnight.

For one thing, investigation of complex cyber-crimes requires significant efforts and in-depth knowledge. To make matters worse, click fraud actors are notorious for setting up and running click fraud operations from abroad, which makes prosecuting them even harder. What’s more, in some countries the laws or regulating entities needed to stop fraudsters simply don’t exist yet.

Is it time to be done with PPC ads?

Industry estimates show that digital advertising is not likely to be replaced by other types of ads, click fraud or not: eMarketer’s 2020 forecast is that “display spending will increase by 5.3% to $179.39 billion … digital ad spending will grow 2.4% worldwide.”

We agree that digital advertising is not likely to be replaced by any other kind of advertising, especially given that for many businesses, e-commerce and digital advertising have become their lifeline to finding customers while sheltering in place.

As Margaret Hoffman, Paid Media Strategist at Brainlabs, says in her PPC Hero post “Click & Bot Fraud: The Spookiest Specters of PPC”: "even though it’s frightening to think about what creeps could be stealing your advertising dollars, it’s not a reason to stop PPC completely. ... Just like you wouldn’t close down your brick and mortar store for fear of shoplifting, you wouldn’t stop doing digital advertising."

Still, just as brick-and-mortar store owners put security measures in place to discourage shoplifting, digital advertisers can protect their budgets from fraudulent clicks.

A 7.2-billion-What any business running digital ads can do to fight click frauddollar-a-year problem in the digital advertising industry

There are many things any digital marketer can do to reduce the risk of becoming a victim of click fraud, from supporting fraud-fighting initiatives on the industry level to raising internal awareness of click fraud issues on the company level, and implementing a variety of tactics to minimize click fraud risk on the campaign level.

Make use of industry initiatives to eliminate click fraud

The Trustworthy Accountability Group (TAG) was created by the American Association of Advertising Agencies (4A’s), Association of National Advertisers (ANA), and Interactive Advertising Bureau (IAB) to “focus on four core areas: eliminating fraudulent digital advertising traffic, combating malware, fighting ad-supported Internet piracy to promote brand integrity, and promoting brand safety through greater transparency.”

TAG works towards establishing an all-around healthy and transparent marketing ecosystem.

Among other initiatives, TAG has developed Certified Against Fraud Guidelines that will start being enforced in January 2022. The TAG certification program was launched in 2016 “to combat invalid traffic in the digital advertising supply chain.” Its searchable database of certified agencies, tech providers, and publishers is available here.

In addition, TAG publishes benchmark reports on invalid clicks, regional snapshots, and best practices.

Despite the scale of click fraud and its effect on digital ad spend, this problem remains relatively obscure: according to the Google Trends charts above, it hasn’t been top-of-mind for marketers for quite some time.

Demonstrating how invalid clicks deplete your budget and skew your data is the first step in getting a go-ahead to fight the problem and develop effective strategies against them.

Here’s what digital marketers can do to increase internal click fraud awareness:

Use the following tactics to fight click fraud — without any additional software spend

As a first step in stopping click fraud, any business running PPC ads can use the following tactics to protect their campaigns:

Run daytime campaigns (until you fully understand how to identify fraudulent click sources)

A study carried out by the ANA and White Ops suggests that a large portion of illegitimate traffic occurs outside of normal business hours, between midnight and 7 am.

You can diminish the risk of wasting your budget on fraudulent clicks by running daytime-only campaigns.

Of course, this solution is not ideal if your audience is online after midnight, but for many industries it is one of the easiest ways to significantly reduce instances of click fraud. And, once you learn how to identify legitimate traffic sources, you can set up a nighttime campaign with settings protecting it from invalid clicks.

Block specific IPs and ISP network ranges

It’s not uncommon for malicious sources to hijack specific ranges within an ISP network. A sudden influx of clicks from the same IP address or disproportionate amounts of ad traffic from a certain ISP can be a sign of suspicious activity.

You can easily find information about the associated IP addresses to block the ISP’s network range and avoid some of the fraudulent clicks. You can find all IP and IP range exclusions under campaign settings (left sidebar menu) and block up to 500 IP addresses or IP address ranges for each campaign in Google Ads.

Bear in mind that blocking ISP network ranges is risky: you can exclude some real people who might have become your buyers. But, if done right, blocking IPs and ISP ranges can save your campaign budget.

Implement micro-blacklisting or micro-whitelisting

In very specific cases, different pages on a publishing platform may provide different types of traffic. Micro-blacklisting is the practice of excluding very specific URLs to block individual pages that don’t bring in any profitable traffic.

However, your ads could be gaining impressions from thousands of sites, and blacklisted domains may end up being replaced by just as many new fake sites.

Instead of excluding certain domains, you can make a list of several hundred domains that you trust and would like your ads to be placed on.

Domains can be managed in the placements settings on Google Ads.

According to Larry Kim, employing this strategy could reduce your fraudulent clicks in the Google Display Network by up to 90%. It does, however, require a lot of manual work.

Know your industry and run regular paid click audits

Even though technological advances make it harder to do so, it remains possible to identify real users by their behavioral patterns.

Once you know what your buyer’s digital journey looks like, you can use this information to protect yourself from click fraud.

In other words, if you know the behavioral patterns of your buyers, you can learn to identify anomalies.

For example, if most of your customers fill out a form one week after being shown an initial ad, an influx of forms submitted by users who were shown the ad seconds before the form submission is likely to be a fraudulent attack.

Understanding the industry you are in and how exposed it is to click fraud can help build awareness around click fraud risk.

This information, in addition to regular paid clicks audits, can help you spot false traffic patterns and build an effective defense system for your marketing campaigns.

What to do when you know you’re not catching every fraudulent click — or don’t have time to do it all

Implementing the tactics listed above will help you limit the impact of fraudulent clicks on your ad campaigns.

As a data-driven marketer, you might already be using some or most of them. The trouble is that even if you’re already analyzing click data, blacklisting or whitelisting specific domains, and logging IPs, sometimes you just don’t have access to all the data you need.

Moreover, hands-on tracking across dozens or hundreds of campaigns is too time- and effort-consuming to be an option.

If this is the case, using third-party protection tools is the answer.

What can realistically be done to stop click fraud with third-party solutions

The unfortunate truth is that no solution can eliminate all invalid clicks once and for all.

Click fraud protection and prevention tools are by definition reactive, not proactive. When click fraudsters come up with new ways to rob advertisers, these tools need to play catch-up with those new approaches.

Still, third-party solutions can eliminate the majority of fraudulent clicks and impressions.