This article was originally published July 28th, 2020, it was last updated September 16th, 2022.
Marketing spend on social media platforms is projected to reach $226 billion in 2022. Of all the social media platforms, Facebook is the big beast, with marketing spend on the social media giant reaching $70 billion each year from 8 million advertisers. Despite the rise in spending on paid social media – now third behind TV and paid search, the scale of invalid traffic and bot activity on platforms has been largely hidden. Though there have been long-held concerns about clicks on campaigns and draining of ad budgets, the social media platforms themselves have been relied upon to detect fraudulent clicks and overall invalid activity. It has been their role to credit marketers with losses they may have suffered through automated, bot, or fake account activity.
And while we trust that these platforms do their best to combat invalid traffic, it’s always best to get a second opinion, so let’s take a look at the issue of invalid clicks on Facebook, and examine a few ways that marketers can mitigate invalid traffic and bots from Facebook.
What is Invalid Traffic on Facebook?
Invalid traffic is generally defined as traffic that cannot convert or take meaningful action on your website: think bots, web crawlers, and proxy users. For social media, the Media Rating Council defines invalid traffic as “traffic that does not meet certain ad serving quality or completeness criteria, or otherwise does not represent legitimate ad traffic that should be included in measurement counts.” Traffic may be considered invalid either because it is result of “non-human traffic, such as spiders, bots, etc., generally known as General Invalid Traffic (GIVT) or because it is “designed to produce fraudulent traffic,” a category typically known as Sophisticated Invalid Traffic (SIVT).
What are Facebook’s policies on click fraud?
Facebook has taken serious proactive approaches to combat click fraud. There are two kinds of clicks that Facebook identifies as invalid:
Clicks from people that don’t “indicate a genuine interest in the ad or show signs of ad testing.” Such as repetitive or accidental clicks and visits.
Clicks generated through means prohibited by Facebook’s terms of service, like fake accounts, bots, scrapers, and browser add-ons.
Facebook will not charge advertisers for clicks that are determined to be invalid, and has some automated means of click fraud prevention, though they have not been made public, but for the most part, the social media giant puts the onus on individual advertisers to discover and call out click fraud. Once click fraud has been reported, Facebook will conduct a manual review of the traffic in question and take appropriate actions.
Common sources of invalid traffic on Facebook
Not uncommon with other paid social media platforms, there are a mixture of reasons for invalid clicks occurring on Facebook.
1. Fake accounts, data centers and bots
The largest source of invalid clicks based on what we see through clients protecting their Facebook spend using CHEQ for PPC, is “data center traffic”. This is consistent with fake and automated bot account activity. The digital advertising industry regulator, the MRC, notes that known data center traffic is “determined to be a consistent source of non-human traffic; not including routing artifacts of legitimate users or virtual machine legitimate browsing.”
Then there are fake accounts. Facebook understands and has taken action against fake accounts, however according to Facebook, 5% of its worldwide monthly active users (MAU) during Q4 2019 and Q1 2020 are not real, according to the company’s Transparency Report 2020. In 2020, for instance the MRC asked Facebook for more information about Facebook’s efforts to monitor fake accounts on the platform and data about ad impressions served to “invalid accounts.”
This particular issue of fake accounts emerges in notorious cases, such as When pro-Putin Russian trolls pushed divisive issues on Facebook ahead of the 2016 US election, they created accounts that pretended to express the views of concerned Americans. In more recent revelations, for instance Roger Stone, a longtime friend and former top adviser to Donald Trump, bought more than 200 fake Facebook accounts according to FBI search warrants.
2. User agent spoofing
Sophisticated fraud also involves user agent spoofing. This involves a mismatch between declared user agent, such as a web browser, and the actual user agent being used to interact with online content.
There is also often cases of marketers using Facebook’s look-alike audiences further retargeting of bots. Facebook lookalike audiences let you reach a large number of people who share the same characteristics as your existing customers. In fact 33% of marketers use retargeting to win customers. However, in many cases, the retargeting efforts merely involved putting good money after bad bots that had engaged with Facebook ads – and which in many cases have indeed clicked or interacted with your Facebook ad post. This requires segmentation to prevent bots being targeted.
4. Click farms and inflated engagement
Click farms are a large and growing problem. This involves individuals with real accounts on Facebook paid to manually like specific pages. In developed countries this can involve paying $1 per 1000 likes. In setting out their opposition to fake likes, Facebook says “People behind these fraudulent activities are rational actors with clear financial motivations. They make their profit by promising and generating Page likes to admins around the world who typically don’t understand the negative implications of purchasing these likes.” For instance sites such as Boost Likes, openly advertise 1000 likes for your page for $75. Or for 100,000 likes the price is $4,200. Boost Likes says it aims to reach English-speaking audiences who can understand posts in English but this “cannot be guaranteed”. The site admits: “we cannot control what kind of people want to like your page with this worldwide audience.”
5. Facebook’s Audience Network
Facebook’s Audience Network, which advertisers use to extend their Facebook campaigns to third-party sites and apps, can be a conduit for ad fraud. LionMobi and JediMobi for instance were banned from the Audience Network by Facebook, which refunded impacted advertisers in March 2019. These frauds often use click injection, where fraudulent developers get their apps installed on as many phones as possible – in this case, both developers peddled their apps in the Google Play store – and insert ad network SDKs into the apps. From there, they generate fake traffic, users, activity, ad viewing and clicks in their apps, collecting money for ad views from ad networks such as Audience Network. Outside sites can increase their own ad revenue by buying traffic, that is bots that repeatedly load pages to manufacture ad impressions out of thin air.
Facebook clicks: In context
Since its inception, Facebook has faced challenges from invalid clicks and deploys a dedicated and talented team of engineers and legal personnel to fight the problem. This has kept the platform above many other comparable advertising ecosystems. Facebook’s Director of Product Management Rob Leathern says the challenge in tackling the problem is the sheer number of fraud attempts combined with the multiple forms it can take.
“You have to defend a variety of different channels, whereas [attackers] can always focus their efforts into one particular area,” Leathern said. “And many of these adversaries are well-funded and persistent.”
Facebook’s invalid clicks may be far lower than many parts of the online ecosystem, in particular display advertising, though hundreds of enterprise clients have begun using CHEQ for PPC given the instant savings through further reducing invalid clicks, avoiding bots and reaching only real customers. It also provides a similar service for other paid social media networks such as Instagram, Twitter, and LinkedIn as well as fast-rising Pinterest ad campaigns. In launching CHEQ for PPC, CHEQ CEO Guy Tytunovich, said “Google, Facebook and other PPC platforms do a good job in fighting fraud, and yet, there’s still an issue there, because there’s an inherent problem with solving it when you’re the biggest sitting duck on the internet.”
What enforcement actions has Facebook taken against fake clicks?
Like all social media platforms, Facebook has a fake traffic problem, but unlike some others, Meta has been very aggressive in combating click farms and other sources of invalid traffic. Below are just a few of the enforcement actions taken by Facebook in recent years:
2016: Fake Facebook accounts pushed divisive issues ahead of the 2016 election through the creation of accounts purporting to express the views of concerned Americans.
August 7 2019: Facebook files lawsuits against two app developers accused of generating fraudulent revenue, LionMobi — based in Hong Kong, and JediMobi — based in Singapore — generated “unearned payouts” from Facebook advertising.
October 2019: Facebook agrees a $40 million settlement with Facebook advertisers for the inflated video metrics which they incorrectly provided (between 2015 and 2016)
December 5 2019: Facebook takes action against iLike Ad Media which deceived people into installing malware compromising people’s Facebook accounts. This involved running deceptive ads through “cloaking”, disguising the destination of the link in ads by displaying one version of an ad’s landing page to Facebook’s systems and a different version to Facebook users.
April 9, 2020 Facebook court action against Leadcloak, Basant Gajjar, for software and services running deceptive ads, including scams related to COVID 19 and cryptocurrency.
How can You Block bots from Facebook?
Trying to combat fake traffic on your own can be a difficult proposition, but there are some best practices for manual bot mitigation. First of all, it’s important to consider your targeting parameters, and to keep them as narrow as possible to limit exposure to fake traffic. Likewise, consider limiting ad runtimes only to hours you know your buyers will be active during. Monitoring your site traffic for unusual Facebook referrals will also provide insight. Fraudulent traffic usually takes certain patterns–large numbers of clicks with low conversions, rapid clicks from one IP address, etc.– that can give it away. Once you’ve identified suspicious traffic, an investigation into packet headers can provide corroborating details. Finally, report your findings to Facebook, and wait on a manual investigation.
Of course, that level of work isn’t exactly scalable, especially when all of your hard work and investigation is essentially hinging on Facebooks terms for bot mitigation. For a more effective solution, consider a comprehensive go-to-market security platform, which can help automatically detect and block invalid traffic in real-time, whether the source is social media, organic traffic, or direct.
Cheq Paradome leverages thousands of security challenges to evaluate site traffic in real-time, determine whether a visitor is legitimate, suspicious, or invalid, and take appropriate action in blocking or redirecting that user. For paid traffic, Paradome automatically updates IP exclusion lists to reflect the constantly changing threat landscape, saving you valuable time and ad spend.
Book a demo today to see how Cheq Paradome can lower your CPA and protect your go-to-market efforts.