What is Click Fraud? The Ultimate Guide
Cyber Risks & Threats | May 15, 2023
Online advertising is a huge industry. In fact, it’s so big that $616 billion was spent on digital advertising in 2022 alone, according to statista.com. Despite numerous attempts to stop it, click fraud is still a serious threat to paid advertisers. This form of digital ad fraud is one of the biggest ongoing scams online, affecting an estimated 90% of all PPC campaigns.
So, what is click fraud? Is it the same as invalid clicks or fake clicks? And can you do anything as an online marketer to avoid click fraud?
Although it is a big subject with a lot of variables, we’re going to delve into the murky world of click fraud and discover what it is and how it affects you.
What is Click Fraud?
Click fraud is the act of clicking on an online advertisement, usually with malicious intent. This can be with the goal of depleting the competitor’s advertising budget and removing their ad from the search engine results sooner. Other fraudsters may aim to direct fake clicks on ads displayed on their own or third-party websites to earn from the ad spend.
These fake clicks on your paid ads can cost anything from a few pennies to well over one hundred dollars, depending on your ad’s CPC (cost per click).
Click fraud can affect any form of paid ads, which can include your paid search results, banner ads, video ads, or native ad content.
Usually, fake clicks on your PPC ads come from one of these sources:
- Competitors or malicious persons who wish to run down your ad spend
- Organized criminals running an ad fraud botnet (more on this later)
- Web scrapers and other bots crawling the internet for data
In our recent State of Fake Traffic 2023 report, we determined that fake traffic, including click fraud, cost advertisers approximately $35.7 billion in 2022.
To provide some context, we discovered that over 11% of all website visitors are invalid, and for users interacting with advertisements off-site, that number may be closer to one in five.
That means 10-20% of your PPC advertising spend is going to fraudsters or non-genuine online traffic.
Within the scope of click fraud, there are terms such as invalid clicks and ad fraud. Although related, these refer to different things.
What are invalid clicks?
The term ‘invalid clicks’ is usually used by the PPC platforms to refer to any non-genuine click on your paid ads. Although it can be used to refer to fraudulent clicks, it can also refer to:
- Genuine accidental clicks by site visitors
- Web crawlers
- Multiple clicks from the same source
For the PPC networks like Google Ads, Bing, or Facebook, it sounds better than referring to fake clicks or click fraud.
But, to be fair to Google and Co, invalid clicks cover everything, not just fraud.
So, invalid clicks likely refer to the general volume of non-genuine clicks. Whereas click fraud or ad fraud refers specifically to those fake clicks with malicious intent.
How Does Click Fraud Work?
So, how do all of these fake clicks find their way to your paid ads? And why such a high volume of them?
As we’ve already seen, click fraud, or invalid clicks, come in a variety of flavors, ranging from intentional defrauding to genuine accidents.
We’ll break them down into high volume and low volume.
High volume clicks
A botnet is a network of automated robots, or bots. Botnets are usually pieces of code that are operated remotely via a command and control (C&C) center.
These networks are usually multiple infected devices such as web browsers, phones, or computer servers.
Botnets are often used by organized criminals to commit wide-scale ad fraud.
The weaponization of data center traffic plays a large part in the rise in fake clicks.
Using data from CHEQ, for instance, we see that 10% of online ad fraud attacks involve data center bot traffic. Google, for example, identifies publisher fraud, where publishers run software tools in data centers to intentionally mislead advertisers with fake impressions and clicks.
In one case involving a fake click program called Urlspirit, there were more than 6,5000 data-center installations of the software, with each data-center installation running in a separate virtual machine. In aggregate, the data center installations of this software generated an average of 2,500 fraudulent ad requests per installation per day.
The typical image of a click farm is a warehouse full of people clicking on links for a variety of purposes. Click farms have traditionally been used to inflate traffic volumes on websites, to repost and share posts online, or to boost the perceived popularity of social network profiles.
They’re like a call center but for fake traffic online.
Click farms are often found in developing nations where wages are much lower. However, in recent years, click farms have been switching to increasingly automated services.
A famous example is a click farm in Thailand which was busted by the police there. This included hundreds of phones and tablets connected to a server running automated processes, mostly clicking on social media links.
Click farms can usually be hired for whatever traffic purpose you require, including committing click fraud.
The web crawler is an automated bot that is usually running quite mundane tasks. This can be anything from:
- Indexing websites for search engines
- Collecting data on behalf of other software, also known as ‘web scraping’
- Monitoring the web on behalf of government institutions, for example, looking out for fraud
Usually, web crawlers are not committing any acts of fraud. But they can be a regular source of fake clicks or invalid clicks.
Low volume clicks
Keywords in many industries are both highly competitive and expensive. So, it’s no surprise that business rivals can use a bit of light click fraud to deplete PPC budgets and even knock one company’s ads off the results for the day.
In fact, this is quite a common occurrence, especially in industries such as legal services, on-demand repairs or specialist services (i.e., plumbers, locksmiths, waste disposal), and finance.
In many of these sectors, keyword bids are regularly over $50, meaning just a few clicks can hit the pocket hard.
People who are seeking some kind of ‘revenge’ can easily hit you where it hurts online: in the wallet.
It might be a sacked employee, an estranged ex-partner, or a customer who didn’t like your service. If they spot your ad, they can click on it as many times as they like, draining your budget every time they do.
Accidental or repetitive clicks
We’ve all clicked on a link without realizing it, only to quickly close the tab or click back when we realize our error.
Fat fingers can be a regular source of invalid clicks. In fact, to their credit, the ad networks strive to prevent these types of clicks from being counted toward your PPC ad spend.
Another form of accidental click occurs when someone finds your website through the paid ad and clicks on that instead of entering your domain name in the browser.
In terms of repetitive clicks, one person browsing online could end up clicking your ad numerous times, and they might not even make a sale with your company anyway…!
Malware and click fraud
Now, this requires a special section all of its own. Click fraud from malware is a growing problem and one that the industry is struggling to defend against.
Malware is usually a software program, such as a web browser extension or app, that is infected with a bot, virus, or other software infection.
Once on a device, malware can be controlled remotely to carry out all sorts of digital tasks. This includes coordinated botnet attacks (also known as denial of service or DDoS), ransomware attacks, crypto mining, data theft, and click fraud.
In 2022 alone, there were several click fraud malware cases, including a large-scale click fraud campaign targeted at gamers. In fact, click-hijacking attacks grew 125% year-over-year from 2021 to 2022.
This type of click fraud often uses click injection, or click spamming, to carry out its fraudulent activity. This means that the software will have an inbuilt bot that clicks away in the background on hidden ads and embedded ads or can even be used to visit external websites to view those ads too.
You can read more about click injection and how it affects advertisers and device users.
When it comes to defrauding advertisers, one of the most common practices is domain spoofing or website spoofing.
This is where fraudsters create a fake version of an established website with the sole intention of displaying ads to collect the payout.
Some of the most successful ad fraud campaigns have used domain spoofing to devastating effect. Done right, an ad can be hosted on a spoofed site, viewed or clicked on by a bot or click farm worker, and a payout goes to the fraudster.
All without the advertiser or genuine publisher knowing a thing about it.
Despite several attempts by the industry to end website spoofing, it is still the most common way for fraudsters to collect payouts on fake video impressions and display ads.
Examples of Click Fraud
Over the years, several high-profile examples of click fraud were exposed. From sophisticated botnet attacks to shady competitive practices, there is plenty of evidence of the lengths fraudsters go to.
Botnets and organized ad fraud
Using bots and malware to carry out click fraud is the most effective way for fraudsters to hit a high volume of PPC ads. This is usually done by a team of organized hackers and is the biggest ongoing threat in terms of digital ad fraud. Over the years, dozens of botnets have been discovered, costing marketers millions in wasted spend.
Competitor click fraud
In some industries, a high cost per click (CPC) coupled with intense competition can result in the perfect conditions for click fraud. And yes, it happens, probably more often than you would think.
In one example, highly competitive B2B software vendors see invalid click rates at 9%. Callum McKeefery, Founder & CEO of REVIEWS.io, which offers a solution allowing business clients to review their product or service online, says: “This has happened to us a lot. A competitor has continuously clicked on our paid ad. There was one device in Melbourne, Australia, that clicked on our ad once every couple of days, but on really expensive keywords. These keywords cost between $13 and $19 a click. Competitors are doing this on hundreds of devices.”
Law firm throws the book at click fraud
American firm JustLaw is a digital marketing agency for law firms. While managing the ad campaigns for a DUI firm, JustLaw CEO Stephan Futeral spotted a high volume of unusual click activity on their PPC ads.
By using click fraud detection software, he managed to boost his conversion rates by 97%! With an average CPC of $50, Stephan noted that by blocking the fraudulent clicks on these ads, he saved his client over $11,000 in a month.
Click fraud legal cases
Although prosecutions for click fraud are still relatively rare, there have been several high-profile cases that highlight the issue.
Facebook vs LionMobi & JediMobi
Highlighting the issue of click injection and click spoofing malware, Facebook discovered that software from two developers was being used to click on FB ads in apps.
The developers, LionMobi and JediMobi, two separate developers from Hong Kong and Singapore, are accused of creating apps that contain malware to click on ads. The defendants actually claimed that the code might have come from an SDK, rather than from themselves.
As of 2020, a settlement is yet to be decided.
Italian national Fabio Gasperini was accused of creating a botnet that clicked on PPC ads and allowed him to access computers remotely.
Although Gasperini was acquitted in 2018, he was prosecuted for the lesser charge of computer intrusion.
In pursuing a conviction, the case was dismissed for containing vagueness, insufficient proof, and evidence obtained incorrectly. This highlights a key problem with pressing charges against alleged click fraud conspirators, as obtaining solid digital proof can be a hindrance to passing a guilty sentence.
The Methbot gang
In one of the few successful prosecutions for ad fraud, Kazakh nationals Yevgeny Timchenko and Sergey Ovsyannikov received prison sentences in the US for their roles in the Methbot and 3ve bot campaigns.
Aleksandr Zhukov was also charged with his part in the 3ve ad fraud campaign.
There were also charges for Russian associates Mikhail Andreev, Boris Timokhin, Denis Avdeev, and Dmitry Novikov, although they remain at large.
Motogolf.com vs Top Shelf
The impact of click fraud on businesses is highlighted in the case of Las Vegas-based online golf equipment retailer Motogolf.com in the US District Court of Nevada.
The sports retailer sued a competitor, alleging they violated federal and state law by repeatedly clicking on Motogolf’s pay-per-click online Google ads. According to the court complaint, once viewers have clicked the set number of ads in a given day, the ads become “exhausted” and are no longer visible to potential customers.
Beyond the immediate cost of the problem, Motogolf also claims it is losing “valuable demographic data about prospective customers.” The problem cost the company at least $5000, according to Motogolf. The golf retailer claims in its complaint that its competitor’s employees used various electronic devices to intentionally click on Motogolf’s online pay-per-click ads “in an illegitimate manner calculated to cause damage to Motogolf.”
Sectors most affected by click fraud
Click fraud can affect up to a quarter of all clicks on pay-per-click (PPC) ads. For some industries, the fraudulent click volume can be even higher, costing billions for some sectors, based on analysis by the University of Baltimore and CHEQ.
We see that eCommerce will lose $3.8 billion to the problem. Education PPC advertisers are set to lose $830 million. Legal marketers are losing $193 million a year. Medical and healthcare marketers will lose $196 million, and online travel is set to lose $2.6 billion. In fact, during the Covid-19 pandemic, click fraud increased by an average of 14%. This was at a time when businesses were struggling.
Click Fraud: Mobile vs. Desktop
In an analysis of 1.8 billion clicks, 14% of paid search traffic was fraudulent. Of this fraud, 85% involved mobile devices, compared to 15% for desktop click fraud. The study found that Android devices play the largest part in rising mobile click fraud, accounting for more than three-quarters (81%) of mobile-based invalid clicks compared to 19% on iOS devices.
So, with all those clicks on your PPC ads, you’d think it would be easy to spot click fraud on your ad campaigns. To the naked eye, it can be tricky to spot, but there are some obvious signs that can help you. See, for instance, our guide, How to Filter Invalid Clicks in Google Ads.
If you consistently see one or more of the following warning signals happening to your PPC ads, you might need to look at ways to minimize your exposure.
High bounce rates
There can be many reasons a visitor clicks your link and then clicks back within a few seconds. It might not be what they’re looking for after all, or maybe your landing page was slow to load or badly designed. These issues can be fixed with some better wording on your ads and a bit of a landing page tweak.
For PPC ads on Google Ads, a reasonable bounce rate is around 40-50%. If you’re seeing bounce rates lower than that, you’re doing well. Anything over 60-70% means you might need to look at your ad, and if this doesn’t change anything, look at how to stop those invalid clicks.
Spikes in impressions and clicks
Of course, you want your ads to have lots of impressions or lots of clicks. This indicates that you’re doing something right after all.
These spikes in impressions and clicks can be a result of a successful offline ad campaign, seasonal trends, and other external factors that can be hard to quantify.
But a spike coupled with one of the other factors on this list might suggest fraudulent activity.
Peaks in clicks or impressions at strange times, such as the middle of the night, might suggest traffic coming from overseas, which could be suspicious if you don’t target foreign shores.
High traffic but low conversions
Lots of clicks equals lots of conversions, right? Not necessarily. If you regularly see a low conversion rate, again, it might be worth looking at your ad first.
Consider features such as your call to action or how easy it is for your site visitors to complete the required action (check out, get in touch, etc.).
If you’re seeing spikes in traffic volumes and no corresponding rise in conversions, this is a big red flag.
So, I mentioned the peaks in traffic from overseas, which might not be so strange if you’re an internationally focused company.
But, sometimes, even locally targeted ads can see traffic from an unusual location. By using VPNs (virtual private networks), users can get around location settings and view ads meant for a targeted audience.
For instance, in the case of one enterprise DIY eCommerce site, a CHEQ for PPC client, our cybersecurity technology discovered campaigns on paid search and paid social that received 14,000 invalid clicks from VPNs used to mask location. The actual locations were primarily China and Malaysia (masked as UK buyers), which the client considers invalid as it does not ship to these regions.
If you’re regularly seeing traffic on your ads coming from some obscure country, dig into the IP address and consider using software to block fraudulent traffic.
How to Prevent Click Fraud on Your Ads
All of this probably has you asking, what is being done to prevent click fraud? And is there anything I should do to prevent fraud or invalid clicks on my paid ads?
To answer the first question, yes, there are initiatives to stop click fraud, and many PPC platforms offer some protections.
Google, for example, has a dedicated team that works around the clock to identify and prevent invalid clicks.
Manual methods for preventing click fraud
And here’s the answer to the second question. There are manual methods that can be useful to reduce your exposure to click fraud or invalid clicks.
However, most of these are practices you should use anyway if you’re running pay-per-click (PPC) ads.
If you’re targeting your ads worldwide, you’re probably throwing your ad budget down the drain anyway. It’s always best to target specific locations with localized campaigns, which allows you greater control over your ad spend and your PPC ads.
As part of this, you can also exclude certain areas that might be fraudulent activity hotbeds.
IP address exclusions
You can monitor the IP addresses that are clicking on your paid ads, and if you see suspicious activity, you can add these addresses to an exclusion list.
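One way to turn the warning signs described above (repeated clicks from one source, instant bounces, night-time clicks, traffic from outside your targeted locations) into an IP exclusion shortlist. This is an added example, not CHEQ's or any ad platform's code; the log format, thresholds and addresses (taken from documentation ranges) are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample click log (not real data): time, source IP, country,
# seconds spent on the landing page, and whether the visit converted.
SAMPLE_LOG = """timestamp,ip,country,seconds_on_page,converted
2023-05-01T03:02:11,203.0.113.7,GB,2,0
2023-05-01T03:02:40,203.0.113.7,GB,1,0
2023-05-01T03:03:05,203.0.113.7,GB,2,0
2023-05-01T03:04:19,203.0.113.7,GB,1,0
2023-05-01T10:15:00,198.51.100.23,GB,95,1
2023-05-01T11:40:12,198.51.100.23,GB,40,0
2023-05-01T14:05:33,192.0.2.55,MY,3,0
2023-05-01T14:09:01,192.0.2.55,MY,2,0
2023-05-01T16:20:45,198.51.100.80,GB,4,0
"""

# Assumed thresholds for illustration; tune them against your own baseline.
TARGET_COUNTRIES = {"GB"}   # countries the campaign actually targets
MAX_CLICKS_PER_IP = 3       # clicks per log window before an IP looks repetitive
BOUNCE_SECONDS = 5          # visits shorter than this count as a bounce
NIGHT_HOURS = range(0, 6)   # hours in which the campaign expects little traffic


def exclusion_candidates(log_text):
    """Return {ip: [reasons]} for IPs matching the article's warning signs."""
    by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        by_ip[row["ip"]].append(row)

    flagged = {}
    for ip, clicks in by_ip.items():
        reasons = []
        n = len(clicks)
        bounces = sum(int(c["seconds_on_page"]) < BOUNCE_SECONDS for c in clicks)
        converted = any(c["converted"] == "1" for c in clicks)
        night = sum(datetime.fromisoformat(c["timestamp"]).hour in NIGHT_HOURS for c in clicks)
        if n > MAX_CLICKS_PER_IP and not converted:
            reasons.append(f"{n} clicks, no conversion")
        # One short visit alone is not flagged: it is more likely an accidental click.
        if n > 1 and bounces == n:
            reasons.append("every visit bounced")
        if n > 1 and night == n:
            reasons.append("all clicks at night")
        if any(c["country"] not in TARGET_COUNTRIES for c in clicks):
            reasons.append("outside targeted countries")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in exclusion_candidates(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Review the reasons before excluding an address: shared office or mobile carrier IPs can carry many genuine visitors.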
Leaving your ads running 24/7? This is probably not the best way to get value for money on your pay-per-click advertising. Instead, choose the best times to target your ads, and you’ll be able to limit your exposure to fraud AND get a better return on ad spend.
Automated real-time click fraud prevention across all platforms
Who has time to manually tweak your PPC advertising to avoid click fraud? That’s where anti-click fraud prevention software comes into play.
CHEQ for PPC offers the most comprehensive protection against click fraud, protecting PPC campaigns of all shapes and sizes. What’s more, unlike other fraud prevention software, CHEQ doesn’t just block invalid clicks on Google. CHEQ for PPC provides a complete click fraud prevention solution for any platform you spend money on, including Facebook, Pinterest, LinkedIn, Microsoft, Snapchat, and others.