Click fraud occurs when a pay-per-click advertisement is clicked on by a user with malicious or disingenuous intent. Click fraud first came to light in 2005, when several major cases were taken to court.
However, it continues to poison marketing campaigns—and find its way into more and more courtrooms. Juniper Research estimates that click fraud cost advertisers $42 billion in 2019.
This article explains what click fraud is, shows how it can impact your campaigns, and shares ways to reduce its impact on your marketing.
How click fraud works
There are many ways to implement click fraud. Here’s a rundown of causes:
1. Click farms. Some businesses approach companies on the “dark web” to click on ads on their website. The clicks aren’t from potential customers, but they’re often from real people.
These dodgy arrangements are often called click farms. Some networks are highly sophisticated, and organisers disguise their IP addresses. Click farms are often a combination of real people and bots.
2. Competing businesses. Competing businesses may click on each other’s PPC ads to waste money. If you conduct some intricate research (detailed below), you may be able to identify the IP address of competing businesses. If you can—great! Loads of PPC platforms (Google Ads included) allow you to blacklist IP addresses.
Competitive industries, such as insurance, travel, and finance are especially susceptible.
3. Potential buyers. Believe it or not, consumers who highly value particular brands click on competitors’ ads—knowing it will cost them money. Unfortunately, there isn’t much you can do about it.
Loyal buyers of other brands don’t care about your ad budget or your search terms. Thankfully, the effect of these types of clicks on your campaigns is minimal.
4. Automated programs (bots). Perhaps the biggest culprits of click fraud are robots—malicious computer programs (botnets) that automatically scan the internet and subtly carry out clicks, trying to pass as human.
Wired refers to these as “hordes of linked machines controlled by rogue software.” They may be random and created simply to annoy people and businesses.
A recent Imperva Incapsula Bot Traffic Report found that 48.2% of website visits are by humans and 51.8% by robots. (Some 22.9% are “good” robots and 28.9% “bad” robots.)
No matter the cause of click fraud, the losing party is the business paying for the ad. After all, they want potential customers clicking their ads, and each instance of click fraud makes advertising more costly.
So how much should you worry about it?
How much of an impact does click fraud have?
“Click fraud can be extremely unsettling for well-to-do publishers and advertisers on search,’ says Grayson Kemper, Content & Editorial Manager for Clutch, “particularly during a time when many businesses are operating with an incredibly tight budget.”
However, for most small businesses, systemic click fraud is rare, according to Marcus Miller of Bowler Hat:
You may lose some clicks to competitors and window shoppers, but we don’t see much of what we would consider true click fraud.
If traffic seems low quality, we will tweak targeting or, in very rare occasions, block IPs, etc.—but in most instances, this is just not that common.
Typically, just using very tight targeting, not showing ads in countries where there are higher instances of click fraud or click farming, and using paid social—which, as a closed network, seems much less susceptible to click fraud—seems to work.
That said, it’s not all hype, either, as Christian Nicolini, Senior Director of Paid Media at Ignite Visibility, notes:
Most click-fraud cases manifest from third-party display placements. However, we also see affiliate click fraud, competitor click fraud, click farms, and bots. While publishers have drastically improved their security, our team uses a combination of manual and automated tools to combat click fraud.
From a manual response, we create internal reports to collect click timestamps, action timestamps, user agents, IP addresses, and create a master exclusion list of speculative activity. We’ve also experimented with several automation tools, like ClickCease and Clixtell to automate this process at scale.
Our advice to advertisers with smaller budgets: Stick with buying ads on owned properties (e.g., Facebook ads, Gmail, Discovery, search) and monitor your audience targeting in third-party serving environments (e.g., Google Display Network).
Indeed, individual cases and the collective impact is staggering.
There are some major botnets out there. For example, “Chameleon” is estimated to cost advertisers upwards of $6 million every month. Ad Age estimates that $1 out of every $3 spent on PPC is subject to click fraud. FraudLogix said that 50% (yes, 50%) of all ads that gained an impression in 2016 were a result of non-human traffic.
Neil Andrew, Founder of PPC Protect, has endured devastating click fraud:
The whole reason that I founded the company was due to suffering a devastating click-fraud attack that existing technology just couldn’t stop.
I had a range of ecommerce websites in an extremely competitive niche that were being hammered by organised competitors every time I turned on my ads—and Google simply wasn’t detecting or blocking the activity. We spent around £5,000/day and generated around £50,000/day in sales on average. When the fraud hit, that fell to just a few hundred pounds of revenue a day and a ton of wasted spend.
Any business can hire a botnet or, in some cases, even genuine people to maliciously click ads. We found a range of providers, mainly in Russia, that were as low as $100/day to eliminate your competitors from the ad auction.
We tried various pieces of existing technology to solve the issue, including relying on Google’s in-built systems (which is what they recommended to us), but nothing worked. Everything seemed very easy to work around, and, ultimately, Google’s response to us was, “It’s probably just poor targeting,” even though the analytics and data we had proved otherwise.
In the end, we built our own solution and refined it over time, before eventually launching it as a stand-alone SaaS product.
Other than build your own product, what can you do?
How to protect yourself from click fraud
The symptoms of click fraud overlap with those of exceptionally good and bad campaigns. To know whether a sudden change is expected or potentially fraudulent, you must regularly audit your analytics and ad performance.
Keep an eye on some of these data points:
- Dramatic increase in bounce rate for paid clicks. If, historically, the bounce rate for a landing page is in the 20–30% range, but it quickly shoots up to over 60%, that may indicate that something has gone awry. Of course, bounce rate can be affected by other factors (e.g., page speed, web design), so a sudden jump doesn’t guarantee foul play.
- Abnormal number of clicks and impressions. A successful ad campaign will increase pageviews and impressions, but an unusual increase in clicks and impressions—like hundreds of clicks pouring in with “(not set)” as the location—may signal click fraud.
- Low or non-existent conversions. Lower-than-expected conversions on your campaigns can also be a sign of click fraud. If a competitor is using a click farm to manipulate your advertising efforts, the people or bots behind the attack aren’t going to buy your product or service.
In every instance, historical data is essential. Not every ad campaign will be a massive success—detecting click fraud in an analytics audit requires a comparison to baseline expectations.
If you suspect click fraud, report the suspicious activity to your ad platform. In many cases, you’ll receive credit if click fraud is proven or suspected.
Here are a few other steps you can take.
1. Take a proactive approach to prevention.
The easiest way to deal with click fraud is to prevent it. While protection methods aren’t foolproof, they can reduce or even eliminate damaging attacks.
Sharpen your ad targeting. The more specific your ad targeting, the less likely click fraud is to occur. Target specific countries or locations where your target audience is most active.
If you do 98% of your business in the United States and Europe, for example, consider excluding countries outside of those locations to reduce your risk. You can still reach that tiny subset of buyers via other channels—without risking your entire ad spend.
Choose high-quality placements for display ads. Generally speaking, higher quality ad placements are less susceptible to bots and other forms of click fraud. They also cost more.
If you suspect certain websites are sending you fraudulent clicks, you can exclude them from display placements:
Know your competition. In a fair and ethical advertising landscape, you wouldn’t have to worry about your competition using shady tactics—like clicking your ads—to hurt your business.
Of course, some companies simply don’t play by the rules. Competitors may even click your ads just to get an idea of what your landing pages look like or what copy you’re using. That still costs you money.
Knowing the major players in your space and commonly targeted keywords can help you monitor clicks from the IP addresses of your competitors. Tools such as Ispionage or Spyfu can help you gather some of that intel.
2. Block sketchy IP addresses.
You can block specific IP addresses—including your competitors’—from viewing your ads.
While blocking IP addresses in Google Ads is simple, identifying them requires evaluating your server logs. Google Analytics no longer allows you to see the IP addresses of visitors to your site, and Google Ads never has (since it constitutes personally identifiable information).
Navah Hopkins, Director of Paid Media at Hennessey Digital, recommends software to support manual efforts to refine targeting:
Block IP addresses causing invalid clicks with software (clickcease.com is a great one) or manually block them in your campaigns.
Usually, click fraud comes from an unexpected location, which means your location targeting wasn’t as specific as you might have thought.
A reverse look-up of a questionable IP address can often help you determine if it’s likely click fraud. For example, if you suddenly notice hundreds of clicks from rural Idaho—and you sell beachwear—you can block that set of addresses.
Still, blocking IP addresses isn’t a perfect solution. You may block legitimate customers—like that one couple in Idaho prepping for their honeymoon—from seeing your ads. It’s risk vs. reward.
3. Consider click-fraud software.
Tackling click fraud on your own may not be the most effective solution. Software can help. (The landscape is ever-growing.)
ClickCease is another popular tool that helps monitor bots, click farms, and your competition. PPC Protect uses AI to help clients hide ads from botnets and other vicious online robots.
If you’re in the market for software, here are a few things to keep in mind:
- Do they work with your go-to ad platforms? Some click-fraud tools specialize in Google Ads, while others monitor and protect a wider range of platforms. (Platforms themselves also have limitations—Microsoft Ads, for example, doesn’t allow automatic IP blocking by third-party tools that detect click fraud; Google Ads does.)
- Is there a free trial? In the case of click-fraud software, trials can be especially helpful. You can test the software immediately on several campaigns to see its impact. (Free trials may also be useful diagnostic tools to identify the scope of click fraud in your campaigns.)
- Does their model align with your budget? Some tools cover only a limited amount of ad spend each month.
Think of click-fraud tools as a way to supplement manual efforts and built-in platform protections. As James Norquay, Director of Prosperity Media, summarizes:
If you notice a large volume of clicks from the same IP address and during a similar time period, this is a sign to investigate.
Google and other platforms should take action to limit the clicks from users who do not have a legitimate browsing history, as simple safeguards like this can help prevent click fraud.
Many software solutions are also available in the space to prevent click fraud, such as ClickGuard, so marketing professionals have options to monitor their campaigns using third-party tools.
4. Use audiences to prequalify impressions and clicks on suspicious publishers.
If you set your ads to target and observe, the only folks who will have access to your ads are people in your audience lists. Yes, there need to be 1,000 people in a 30-day period for the list to work, but it can be a powerful way to protect your marketing dollars.
In many cases, click fraud is actually a targeting mistake. The average brand doesn’t sit there clicking on competitors’ ads. Even if they did, the ad networks would flag them for suspicious activity and begin counting those clicks as invalid (crediting you back the spend).
The best way to prevent click fraud is to regularly audit your campaigns and analytics, ensuring traffic is coming from intended sources, and you haven’t left yourself open to a targeting mishap.
Even with some manual monitoring and software, you’ll never prevent click fraud completely. Any marketing strategy that relies heavily on PPC—or any single channel—for acquisition is at risk. Diversifying your marketing spend is an essential hedge.
Click fraud costs businesses billions of dollars a year. While it can be frustratingly difficult to prove click fraud, investing in some baseline protections can help make every ad dollar count.
Realistically, the chances of large-scale click fraud are small (depending on your niche). But small businesses aren’t in a position to start long, expensive legal battles with giant corporations.
PPC is still a useful digital marketing channel. However, diversifying your acquisition channels can help reduce your risks and makes sense—even if click fraud is a minor concern.