Understanding click fraud
“Fraudulent clicks” and “invalid clicks” — what’s the difference (and does it really matter)?
Google combines unintentional clicks and fraudulent clicks under “invalid clicks.” Here are some examples of invalid clicks:
- Accidental clicks, for example, when someone double-clicks on an ad
- Clicks and impressions by automated tools or manual clicks intended to increase someone's advertising costs or stop their advertising
- Clicks and impressions by automated tools or manual clicks intended to increase profits for website owners hosting your ads
Out of the examples listed above, the latter two are examples of click fraud — an interaction between a user and a PPC ad with the goal of profiting from charges made to marketers.
Who’s behind fraudulent clicks?
Sometimes humans, not bots, are behind click fraud. The following sections describe the most common cases of small-scale click fraud attacks. In these cases, it’s usually not too hard to identify the bad actors, since they’re not likely to be very sophisticated — and can be identified by their behavior, IP address, or both.
Competitors manually clicking on your ads to sabotage your campaigns
Sometimes, especially in highly competitive industries, competitors resort to click fraud to get an edge on their rivals. By repeatedly clicking on competitors’ ads, they deplete a company’s PPC budget to prevent potential customers from seeing those ads.
The worst part is that it’s not all that difficult to commit this type of fraud: unless you’ve set up protections against such attacks, a pay-per-click ad will show until its daily budget runs out.
If this is the case, competitors can run through your ads very quickly, either by clicking on your ads repeatedly from a single device, or by hiring third parties to coordinate hundreds of clicks across multiple devices (we’ll discuss an example of a click-fraud-as-a-service attack later).
Sometimes it’s possible to identify competitor click fraud by tracking patterns within a particular niche. Here’s how our founder, Ralph Perrier, recalls his experience:
When everybody else's budget would run out, there'd be one or two particular vendors that would advertise only during that period of time. As soon as everybody else replenishes their budget, they would bow out of the auctions again, and the fraudulent clicks would start again.
And then they started up again, as soon as everybody else's budget ran out.
There were some very nontechnical, but obvious patterns within the niche that clearly would point to you who was behind it all.
In simple scenarios where competitors who are not tech-savvy try to sabotage your campaigns, you can recognize competitor clicks by their IP addresses and block them.
Publishers manually boosting ad revenue (with a little help from their friends)
In some cases publishers may be trying to boost their revenue by clicking on ads themselves or profiting from their friends’ clicks (this is a very small-scale threat: if manual — and easily detectable — click fraud reaches high levels, it triggers account suspension on AdSense).
Disgruntled customers trying to get back at a business
Some disgruntled customers go beyond writing bad reviews online. Instead, they repeatedly click on the ads of a particular company.
Fortunately, this is fairly unlikely to happen. And, unless one of your unhappy customers happens to be tech-savvy, it is also easy to identify and stop due to the repetitive nature of clicks.
All told, compared to cybercriminals or click-fraud-as-a-service actors, solo click fraudsters are just a tiny part of the problem.
Organized click fraud criminals
Cybercriminals use software to generate profit for their illegal enterprises, which can include click fraud. Below are some examples of how criminals can profit from fraudulent clicks — they are not mutually exclusive, and can overlap.
Criminals profiting from fraudulent bot clicks
Criminals often rely on bot traffic to generate profits at scale. According to this Invesp infographic, bots, or applications that perform automated tasks, account for 56% of website traffic. However, not all of those bots visit websites with malicious intent.
Good bots help monitor a website’s health, make sure it’s included in search engine results, and share its content via social media. Good crawlers check for broken links, capture SEO data, follow RSS feeds, and identify security vulnerabilities.
Bad bots engaging in click fraud are designed specifically to click on ads. One of the common signs of a bot attack is an unusual peak in clicks outside of the targeted geo-location. Bad actors also try to avoid detection by masking their physical location with VPNs and proxy services, or simply by "anonymizing" their IP address.
Over the years, they’ve become harder to spot. Sophisticated robots designed to mimic human behavior can spoof their device type, accept and remember cookies, simulate mouse movement, and even fill out forms. According to Michael Vizard, quoting Radware 2020 report findings, “well over half (58%) of the malicious bots tracked in February ... can now mimic human behavior.”
Cybercriminals creating harder-to-detect bot networks
One common practice among cybercriminals is infecting the computers of internet users with malware to create bot networks, or botnets, to achieve various nefarious goals. Click fraud is one of them. We've previously written about one example, Redirector.Paco malware.
Unfortunately for advertisers, botnets can avoid detection more efficiently because the clicks they are programmed to perform will come from a range of regular machines with legitimate IP addresses. To detect botnets, you'll need to set up advanced visitor behavior tracking.
Bad actors joining advertising networks as shady publishers
In this case criminals profit from fraudulent clicks through websites specifically set up to host ads.
At first they bombard their newly created websites with huge amounts of bot-generated traffic. Once they have the required statistics, the criminals join ad networks as publishers and start profiting from false clicks.
In most cases, such websites are easy to identify by strange-sounding domains, low-effort or copy-pasted content, and an overabundance of ads.
Click fraud as a service industry
Click-fraud-as-a-service can have many forms, from low-wage workers clicking on ads to boost publishers’ profits to distributed botnet attacks ordered by unscrupulous competitors.
Click farms — fake likes, fake followers, fake ad clicks
Click farms are located primarily in third-world countries where they employ low-wage workers to generate fake likes or followers on social media — or to click on ads.
Click farms may use a combination of humans and robots, but detecting human traffic is especially challenging, since it’s harder to distinguish click farm workers from good-faith users.
Bots and crawlers for hire
While cybercriminals use botnets and bots to their own advantage, they also offer their services to interested parties, such as competitors ready to gain an unfair advantage for their digital ads.
This is how Ralph Perrier, our founder, describes his experience of encountering a competitor’s automated click fraud attack in 2004:
It just seemed very well coordinated that while my budget would run out immediately within minutes, other individuals would then start their campaigns.
The idea behind their actions was that once you completely drain someone's budget, that removes them from the auction. So that when you get online, you have less competition and you’re paying less per click, and there's less competition for customers to choose from.
I noticed that time spent on site was significantly less than usual: you'd get clicks and they'd spend less than two or three seconds on the website.
There was no way the clicks could have been human: we would pause our ads and then we would restart them at odd hours. And within a short period of time, the clicks would start again.
And the page didn't even load: there were headless browsers that wouldn’t even allow for the full page to load and bounce back and then click again.
A lot of those clicks were distributed through VPN and proxy networks, which means a lot of it had to have been automated.
Non-fraudulent clicks that affect ad performance
There are some cases when clicks are, strictly speaking, not malicious, but still hurt advertisers, because there is no intent to purchase the advertised product or service. At the same time, they are not accidental, since the users click on them to get to your website. Still, since these clicks do not result in a purchase, they will affect your ROAS.
Here are 3 examples of clicks that fall into this category:
- Clicks from lookie-loos: users who are “just browsing,” but repeatedly click on the ads anyway
- Clicks from converted customers who click on ads to get to a brand’s website
- Clicks outside of selected geolocation
Lookie-loos
Lookie-loos will often conduct multiple web searches and click on an ad numerous times without ever making a purchase.
This may not be alarming for companies that bid on low cost-per-click campaigns, but advertisers running high cost-per-click campaigns will want to prevent lookie-loos from increasing their customer acquisition costs.
By tracking visitor behavior and conversions after an ad click you can distinguish good and bad traffic and exclude sources with low-quality interactions.
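The signals this article describes (repeated clicks from one IP address, visits lasting under three seconds, clicks from outside the targeted geolocation, and repeat clicks that never convert) can be checked per traffic source. The sketch below is an added example, not code from the article or from any ad platform; the log fields, thresholds, targeted country and sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

TARGET_GEO = {"US"}             # assumed campaign targeting
WINDOW = timedelta(minutes=10)  # assumed burst window
MAX_CLICKS_IN_WINDOW = 2        # assumed threshold for "repetitive" clicks
MIN_DWELL_SECONDS = 3.0         # visits shorter than this count as bounces

# Constructed sample: (timestamp, ip, country, dwell_seconds, converted)
CLICKS = [
    ("2024-05-01T09:00:05", "198.51.100.7", "US", 1.2, False),
    ("2024-05-01T09:01:10", "198.51.100.7", "US", 0.8, False),
    ("2024-05-01T09:02:30", "198.51.100.7", "US", 1.5, False),
    ("2024-05-01T09:10:00", "203.0.113.20", "US", 95.0, True),
    ("2024-05-01T11:00:00", "192.0.2.44", "BR", 2.1, False),
    ("2024-05-01T13:00:00", "203.0.113.99", "US", 40.0, False),
    ("2024-05-02T13:30:00", "203.0.113.99", "US", 55.0, False),
]

def max_burst(times):
    """Largest number of clicks falling inside any WINDOW-long span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best

def review_sources(clicks):
    """Group clicks by IP and return {ip: [reasons]} for sources worth reviewing."""
    by_ip = defaultdict(list)
    for ts, ip, country, dwell, converted in clicks:
        by_ip[ip].append((datetime.fromisoformat(ts), country, dwell, converted))
    flagged = {}
    for ip, rows in by_ip.items():
        reasons = []
        if max_burst([r[0] for r in rows]) > MAX_CLICKS_IN_WINDOW:
            reasons.append("repeated-clicks")
        if median(r[2] for r in rows) < MIN_DWELL_SECONDS:
            reasons.append("short-dwell")
        if any(r[1] not in TARGET_GEO for r in rows):
            reasons.append("outside-geo")
        if len(rows) > 1 and not any(r[3] for r in rows):
            reasons.append("no-conversion")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

A source flagged only for "no-conversion" or "outside-geo" matches the lookie-loo and VPN cases covered in this section, so the output is a review list rather than a blocklist.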
Converted customers
In this case, customers search for a particular brand by name and click on a brand ad to get to the website. Blocking ads after conversion might make sense to avoid incurring this type of expense.
Clicks outside of selected geolocation
As we mentioned above, cybercriminals often use VPNs and proxies to mask their location.
In many cases proxies are used by regular people concerned about their online privacy or trying to bypass internet censorship in certain regions.
VPNs are often used to access region-restricted sites as well. In addition, they encrypt data and so are frequently used to hide browsing activity from third parties, such as when using public Wi-Fi.
Not all proxy or VPN clicks are fraudulent: if searches are varied and naturally distributed, then these are likely regular VPN or proxy server users.
However, regardless of user intention, most proxy clicks affect the accuracy of your ad campaign reports: with proxied IP addresses, generated ad impressions will be based on false location and network data. And, until Google’s geolocation capabilities improve, it might be worthwhile to look into additional methods of protection for your ads.