The Ultimate Guide to Invalid, Bot, and Fake User Clicks


If you run any form of online customer acquisition campaign, you’ll have seen references to invalid clicks, or invalid traffic. Often shortened to IVT, the term invalid clicks refers to any form of non-genuine click on your paid links.

However, behind this seemingly innocuous term is a whole world of complex activity and behaviors.

What is an invalid click?

The definition of invalid traffic in social media has been set out by the Media Rating Council, The media industry’s measurement watchdog says:

“Invalid Traffic is defined generally as traffic that does not meet certain ad serving quality or completeness criteria, or otherwise does not represent legitimate ad traffic that should be included in measurement counts. Among the reasons why ad traffic may be deemed invalid is it is a result of non-human traffic (spiders, bots, etc.) or activity designed to produce fraudulent traffic.”

Google Ads consider an invalid click to be:

  • Web scrapers, bot clickers, or other automated software
  • Intentional malicious clicks by human users
  • Accidental clicks by human users

Facebook considers two different types of clicks invalid:

  • Clicks from people who don’t indicate a genuine interest in the ad or show signs of ad testing. This includes repetitive or accidental clicks and visits from the Facebook corporate network.
  • Clicks generated through prohibited means, such as fake accounts, bots, scrapers, browser add-ons, or other methods that don’t follow Facebook Terms.

How much web traffic is invalid?

Data suggests that 45% of all internet traffic is automated, often from bots and web scrapers, including so-called “good bots.” Good bots automate tasks such as web crawling, updating sports scores and weather, and a host of other things that make the web easier to use.

Bad bots are used by bad actors and fraudsters to carry out account hijacking, web scraping, stealing financial data, DDOS attacks, and draining billions in advertising spend across display, PPC, and paid social media campaigns.

Different sectors see different rates of invalid clicks specifically on paid customer acquisition campaigns, for instance, 6% in education funnels, 3% in automotive demand gen campaigns, and 7% invalid clicks in SaaS campaigns.

Sources of invalid clicks

Fake users and bots responsible for invalid clicks attacking paid customer acquisition are diverse. These 19 sources of invalid clicks are:

  • Spambots
  • Scrapers
  • Automation Tools
  • Frequency Capping
  • Abnormal rate limit
  • Excessive rate limit
  • Disabled JavaScript
  • Behavioral anomalies
  • Click Farms
  • Malicious Bots
  • False Representation
  • Account takeovers
  • Data Centers
  • VPNs
  • Proxy
  • Disabled Cookies
  • Click Hijacking
  • Network Anomalies
  • Known Bots (PPC Crawlers)

Higher threat invalid clicks

Higher threat invalid clicks in the context of customer acquisition normally mean bots or malicious users. These are considered extremely high business risks. The business of business is to make money, and the average conversion rate of any bot is close to zero and, in any case, significantly less than the general population conversion rate.

The Media Rating Council (MRC) specifically defines high-risk or “sophisticated invalid traffic” attacks on digital marketing spend as deploying advanced methodologies. This includes bots and crawlers pretending to be legitimate users, deliberate manipulation of data, and use of hijacked devices. The ability of bots and malicious users to deploy scale and sophistication has only increased during the period of COVID-19. Previous recessions show a direct correlation between a fall in economic output and a rise in fraud. This has continued since COVID-19 hit. In particular, publishers have felt the brunt of malvertising attacks between April and June 2020–  they were estimated to have lost about 9% of their pageviews through hijacked sessions. The gig economy built around fake impressions and selling of invalid clicks has soared by up to 41%.

For most fraudsters, the automation tools used to unleash millions of invalid clicks are evolving without them having to do much work. Fraudsters just have to hide and rewrite certain elements in order to evade more and more tests. Bot-makers create millions of headless browsers that can simulate all human-like actions, such as mouse movement, page scrolling, and clicks, to load webpages and cause ad impressions that appear human. Malicious SDKs for advanced and AI-powered click injection are sold on the Dark Web to the public for a low price to perpetrate customer acquisition fraud.

Leading criminal lawyer Arkady Bukh, a New York-based attorney with a history of representing suspected hackers and ad fraud perpetrators from Eastern Europe, including those involved in the “Methbot” case, says the growth in sophistication by bad actors unleashing invalid clicks is marked. “There is widespread fraud from huge amounts of traffic getting directed through botnets. Before, it was boys and girls in Russia sitting in boiler rooms, clicking manual clicks in order to get apparent traffic to defraud affiliates. Now it’s done by bots.” In the case concluded in 2021, the FBI successfully prosecuted Russian cybercriminals involving a sophisticated customer acquisition fraud scheme to defraud brands, ad platforms, and others in the U.S. digital advertising industry out of more than $7 million.

Lower invalid click threat risks

Lower-level invalid clicks also carry a serious risk of not converting. This makes them just as problematic as the more sophisticated attacks, if not as out-and-out evil. This is the case for known bots, such as PPC crawlers.

These clicks may not aim to be malicious but still do significant damage. To take one example, Disabled JavaScript is a major and growing challenge. Those with JavaScript disabled on their browser are, in most cases, not able to convert into a paying customers during shopping visits on sites.

Lower invalid click threat risks-

Users are being ushered to landing pages, whether it is a new sofa, or car, whose settings meant they were literally unable to see certain features, add to their cart or see prices. But without analyzing these clicks, e-commerce sites lost tens of thousands of dollars until bringing in CHEQ for PPC to uncover this customer acquisition obstacle.

Some sectors such as Igaming also faces the challenge that many of the biggest spending PPC brands see between 15-30% of paid traffic clicks coming from existing users, which is in a broader sense, and invalid click. This often means that a registered or converted user is clicking rather than new users that ads are designed to attract. To take a typical example seen, in some case one user is clicking 500 times in one week on ads. This is not a problem for all verticals but is especially acute for igaming as online gambling is prevented from using audience targeting/audience exclusion on ad platforms with such restrictions increasing. This means many companies cannot exclude returning users. This means they spend millions of dollars on targeting existing customers needlessly. CHEQ has the unique feature which creates controls over the number of clicks coming from each user within a pre-set time and customizing this to the needs of a specific client. The platform can protect the invalid clicks of good users (who have already converted), as well as out-and-out criminals or bots.

The impact of invalid clicks

Why do invalid clicks even matter to your business?

1. Losing hours reaching out to fake leads

Companies spend hours, or days in some cases, reaching out to fake leads generated by bots. This is caused through bots run by ad fraudsters, who end up “converting” into a lead by filling in details on a form (name, email address, phone number). If no email verification is required, the fraudster has no reason to use a real address and can just send random ones. If email verification is required, the fraudster controls the email addresses which he inputs. This can be done in various ways; the fraudster buys bulk addresses, which redirects every email to an email address the fraudster controls.

2. Data and CRM chaos

Data is now considered the “oil” of customer acquisition, but bots are seeing this core data challenged. Bots also send the wider data instruments used by marketers into a frenzy, including heatmaps and chatbots which report back faulty bot traffic. This wrecks the foundation of business-based decisions.

3. Lost revenue opportunities from fake users

Revenue opportunities lost from fake users and bots occurs when a company makes less from operations than expected due to fake or bot users in customer acquisition.

Traditionally, of course, revenue loss projections involve long-term thinking about new regulations or drops in demand. However, staying invisible, and unforeseen are the opportunities lost through fake users and bots filling funnels. The net effect is that companies are leaving money on the table by capturing bot attention instead of real eyeballs. If this spend was invested in real students, the revenue opportunities stand to be in the billions of dollars.

4. Bogus retargeting

Retargeting is very popular – enabling businesses to show your ads to your visitors after they leave and keep your institution top of mind. However, as we see in many campaigns, with click fraud challenges, money ends up retargeting bots, rather than real users, and further money is lost on wasted clicks.

5. Fixing traffic signals delivered to Facebook and Google

Facebook and Google are motivated to get advertisers the best results for their campaigns (so that more and more money is spent on these channels). To reach new customers, brands are reliant on these channels to work effectively (Facebook and Google have a combined market share of 57% of US advertising so can capture a lot of customers). The way it works is that pixels tell these advertising giants which users engage the most. This prompts a call for “lookalikes” to ask for more of these “good” visitors to the site. However, with millions of invalid clicks, brands are inadvertently transmitting the wrong information about good leads, this is hampering paid platforms’ ability to parcel out the best audiences. This hurts organic and paid marketing results long term.

6. Destroying Demand Generation KPIs

The rise of invalid clicks is also causing hell for demand generation leaders across their core business goals: hurting bounce rates, cart abandonment rates, conversion rates, cost of customer acquisition, lifetime value and average order value.

The ultimate guide to Invalid Clicks -

As set out in the terms and conditions of all ad channels from Google to Facebook to Pinterest, all ad channels face the risk of invalid clicks. According to Facebook’s own figures 5% of its worldwide monthly active users during Q4 2019 and Q1 2020 was not real, while it is estimated that 15% of all accounts on Twitter are bots. CHEQ for PPC is the only solution able to block invalid clicks for customer acquisition campaigns across all a company’s campaigns, including on GoogleFacebookTwitterLinkedInSnapchat, and Instagram. Each platform has its unique challenges from the 19 sources of invalid clicks we have laid out. However, the results of poor or no conversion are the same. In an investigation of a LinkedIn campaign, for instance, Ryan Gellis, of global digital ad agency, RMG, said that in trying to promote a webinar to a C-suite audience they saw a number of bot-looking clicks, essentially wasting their daily spend of $500. In Gellis’s words: “Nobody exhibited what I believe is real user behavior on the site after clicking the ad.”

Spotting invalid clicks

Businesses who suspect they have fake users should deploy customer acquisition security. CHEQ, detects and block fake users at scale. However, business can also launch internal checks to map out their most impactful campaigns. Look, for instance, for abnormal spikes in traffic, poorly performing channels, suspicious form fills, and any other piece of data indicating bot activity. Some ways to spot invalid clicks include looking out for non-geographical hits – one in five customer acquisition attacks involves VPNs and proxies hiding the source of invalid clicks. Campaign managers should look out for other spikes, including lots of clicks early in the morning (see our recent report, Ticking Time Bots, revealing the hours when bots click clicks across six sectors), alongside high bounce rates and junk form fills increasing.

In the words of a media agency director working with a top US university facing a barrage of fake clicks, the problem is clear-cut. “Our whole purpose is to drive leads to the college of prospective students to their undergraduate or graduate level education. What we have found across a couple of programs is we are driving leads on the front end, but when we try to qualify them on the back end, some of them were just not the high-quality leads we were looking for.”

While go-to-market teams naturally assume that underperformance is a direct result of bad creative, landing pages and forms, or perhaps poor sales practices, the underworld of invalid clicks is a major and often unknown factor paralysing customer acquisition.

Latest Posts

Block invalid traffic with CHEQ Essentials