How Competitors Target Retail Sites with Bots and Fake Traffic


Your pay-per-click (PPC) ads are getting tons of clicks… that’s a good sign, right?

Don’t pop the champagne bottle yet.

40% of internet traffic is invalid, consisting of botnets, scrapers, crawlers, click farms, fake accounts, and other forms of invalid traffic (IVT). It can negatively impact your marketing funnel, paid marketing efficiency, on-site conversion rates, and analytics accuracy.

In fact, ad fraud (or click fraud), including competitor click fraud, cost marketers $42 billion in 2021. If you don’t take the right steps to protect your business from IVT, you could spend a lot on online ad campaigns without generating the expected results.

Here’s what you need to know about competitor click fraud and how to detect it to protect your business from losses.

What Is Competitor Click Fraud?

Competitor click fraud occurs when a rival business clicks on your online ads (e.g., on Google Ads paid search results) to send IVT to your website.

While competitor click fraud can affect any business and sector, the eCommerce/retail industry is amongst the hardest hit — incurring a $3.8 billion loss to click fraud in 2020.

Additionally, IVT can pollute your audiences and skew your look-a-like models and automation pixels — decreasing the effectiveness of your overall go-to-market (GTM) strategy.

Why Do Competitors Commit Click Fraud?

The ultimate goal of competitor click fraud is to cost you money and decrease your ability to compete for ad placements. Unscrupulous competitors commit click fraud to drive up the amount you pay for a search term while depleting your PPC ad budget with irrelevant clicks. When you have less money to spend on driving legitimate traffic, you become less competitive and may get pushed out of the market.

11.3% of inbound traffic is fake or fraudulent. Download our Free State of Fake Traffic 2023 report to learn more.

How Does Competitor Click Fraud Work?

Competitor click fraud is more than just your rivals clicking on your online ads whenever they see them to cost you a few dollars here and there. While manual click fraud does occur, most commonly for small businesses, most large-scale competitor click fraud operations utilize sophisticated automated and outsourced methods to evade detection and cause more extensive damage.

In-house Clicks

As noted above, manual click fraud is typically a small business concern. For example, one contractor may purposely click on another’s ad when they are competing for the same listings, and because small business advertising budgets are typically small, it’s possible to fully deplete a PPC budget in this manner. However, there are outlying cases of organized manual click fraud on a greater scale. For instance, a company may have employees from multiple departments and locations click on their competitors’ ads. Even though you won’t find an initiative called “sabotage our rivals” in their marketing plan, there’s often an unspoken understanding baked into the company culture to perpetuate the behavior.

Click Farms or Bot Farms

For companies unwilling to do the dirty work themselves (and with extra budget for fraud) there’s an entire industry based on providing click-fraud-as-a-service. These businesses let your rivals outsource click fraud to click farms, teams of thousands of human workers who purposefully and repeatedly engage in advertisements with no intention of converting. These click farms often market themselves as ‘engagement boosters,’ but click fraud is at the heart of the business model.

Direct revenue schemes, or PTC (paid-to-click) sites, are booming. These services pay tens of thousands of people to click on ads. The business model of PTC sites is generally based on profiting from advertisements clicked on by visitors. Scarlet Clicks, one of the larger Pay-to-Click players, pays workers fractions of a penny per click and claims over one million members. Scarlet Clicks charges ‘advertisers’ a mere $1.50 per 1000 clicks, a volume that can easily cost hundreds in PPC budget.

Click Bot Software

A competitor can also purchase software for committing click fraud —  often for less than $200 a month. These apps vary in sophistication, but at a minimum they usually leverage proxies or VPNs to mimic diverse traffic by constantly switching IP addresses to evade detection. Some click bot providers, like, even boast that they can overcome bot mitigation based on browser fingerprinting and falsify user actions like mouse and scroll patterns to fool reCAPTCHA.


For technically savvy competitors willing to DIY their click fraud, a botnet can be a cheap and effective way to carry out the attack. A botnet is a network of internet devices that have been hijacked by malware to perform a specific task. While most people think of botnets as large and high-profile tools used by sophisticated hackers to carry out DDoS attacks, the truth is that botnets are surprisingly easy to put together. Just search ‘rent a botnet’ on Google, and you’ll get millions of results. A competent bad actor can build a basic botnet in less than an hour, and there are plenty of tools, online vendors, and builder kits available to help expedite the process.

The benefits of using a botnet for click fraud are immense: because the invalid traffic is coming from thousands of different ‘real devices,’ it’s much harder to detect a pattern and identify the fraud. Browser fingerprinting or user behavior analysis can help overcome this challenge, but sophisticated botnets often have built-in defenses against such techniques.

How To Detect Competitor Click Fraud

If you suspect that your PPC campaigns are sabotaged, perform these manual checks to identify fraudulent clicks:

Check IP Addresses

Analyze your website visitor log to see if there are frequent and suspicious clicks from the same IP addresses or locations your campaigns don’t target. If you detect a pattern of repeated clicks from the same IP address, that is likely an instance of basic manual click fraud and can easily be mitigated by blocking the IP or adding it to your ad platform’s exclusion list. High volumes of clicks from regions or timeframes outside of your business’s reach are also a good indicator of invalid traffic.

Review Your Publisher List

Review your publisher list to see if your ads are channeled onto PTC sites. Go to Google Ad’s placement section and look for high-traffic, suspicious websites. Telltale signs of PTC sites include pages covered in ads with sparse and irrelevant content and recently registered domains.

Monitor Campaign Activities

Search your campaign log for suspicious timings or spikes in the number of clicks that don’t result in engagement with your content while showing high bounce rates. Also, traffic from suspicious devices and custom browsers may indicate fraudulent activities.

Identify Patterns

If you suspect you’re a victim of click fraud, you’re probably not alone — your competitors may be under attack as well. You can team up with other local retailers to compare notes and identify patterns to get to the bottom of the issue.

How To Stop Competitor Click Fraud

If you have concluded that you may be a victim of competitor click fraud, you can take actions to mitigate click fraud manually by making your PPC campaigns more airtight:

  • Set up IP and ISP (internet service provider) exclusions.
  • Redirect your ad budget to remarketing campaigns, which only target people who have shown interest in your products or services.
  • Exclude locations, languages, demographics, and devices where suspicious clicks originate from your targeting.
  • Set your ad campaigns to run only on reputable, high-value sites.

However, there’s only so much you can do manually. Tracking down suspicious activities is costly and time-consuming. Not to mention, you’d have already suffered losses by the time you spot suspicious activities.

The good news is that you don’t have to go it alone. You can use fraud protection software to help you detect and block suspicious activities before they put a dent in your ad spend.

For example, CHEQ’s Intelligence Engine runs over 2,000 real-time security challenges on every online visit. When a suspicious IP address, device, or VPN is identified, it’ll automatically be blocked.

CHEQ will  help you continuously identify suspicious traffic sources with these three components:

  • A Bot Mitigation engine uncovers and blocks invalid bot activity using advanced fingerprinting methods and a multi-layered security model.
  • A User Validation engine performs real-time browser tests to root out visitors attempting to mask their identities.
  • A Behavioral Analysis engine detects anomalous activity at both the network and the individual level.

Blocking IVT means you can spend your budget on driving high-quality traffic to maximize revenue opportunities. You can also clean up your data to inform accurate audience segmentation and targeting for future ad campaigns.

Learn more about CHEQ and book a demo to see how we can help you secure your paid marketing.

Latest Posts

Ready to secure your
Go-to-Market efforts?

Get started