What is Click Fraud? How it Works, Examples, and Red Flags
Cyber Risks & Threats | January 29, 2024
Online advertising is a huge industry. Actually, it’s so big that over $600 billion was spent on digital advertising in 2023 alone, and it’s projected to reach $740.3 billion in 2024. Despite the numerous attempts to stop it, click fraud is still a serious threat to paid advertisers. In fact, this form of digital ad fraud is one of the biggest ongoing scams online, affecting an estimated 90% of all PPC campaigns.
So, what is click fraud? How does it affect your marketing and business? And can you, as an online marketer, do anything to avoid click fraud?
Although it is a big subject with a lot of variables, we’re going to delve into the murky world of click fraud and discover what it is and how it affects you.
What is click fraud?
The term click fraud refers to any form of fake click (or other form of interaction, like views or impressions) on online content. Those are clicks that can’t result in any positive outcome, like a purchase or a lead. Instead, they pollute your analytics and have financial and reputational implications for your business.
Most often, click fraud affects online ads (ad fraud). This can be with the goal of depleting the competitor’s advertising budget and removing their ad from the search engine results sooner. Other fraudsters may aim to direct fake clicks on ads displayed on their own or third-party websites to earn from the ad budget.
These fake clicks on your paid ads can cost anything from a few pennies to well over one hundred dollars, depending on your ad’s CPC (cost per click).
Click fraud isn’t limited to paid ads only; it can also impact your organic digital marketing efforts. For example, fraudsters might be hired to create fake clicks on your competitors’ links in organic search results. This can artificially boost their SEO rankings, reducing your website’s organic traffic.
In some cases, fraudsters might even leave fake comments on your social media, trying to harm your brand reputation.
In a nutshell, click fraud can harm your business in various ways – from wasting ad budget and reducing legitimate user traffic to impacting revenue due to fake clicks. It’s a sneaky tactic that businesses need to be aware of and protect against.
Some click fraud statistics
In our State of Fake Traffic 2023 report, we determined that fake traffic, including click fraud, cost advertisers approximately $35.7 billion in 2022.
To provide some context, we discovered that over 11% of all website visitors are invalid, and for users interacting with advertisements off-site, that number may be closer to one in five.
That means 10-20% of your PPC advertising spend is going to fraudsters or non-genuine online traffic.
How does click fraud work?
So, how do all of these fake clicks find their way to your digital activities? And why such a high volume of them?
As we’ve already seen, click fraud comes in a variety of flavors, ranging from intentional defrauding to genuine accidents.
We’ll break them down into high volume and low volume.
High volume clicks
A botnet is a network of automated robots, or bots. Botnets are usually pieces of code that are operated remotely via a command and control (C&C) center. Organized criminals use them to carry out click fraud at a large scale and deliver high volumes of bot traffic.
These networks are usually multiple infected devices such as web browsers, phones, or computer servers.
The weaponization of data center traffic plays a large part in the rise of fraudulent clicks.
Using data from CHEQ, for instance, we see that 10% of online ad fraud attacks involve data center bot traffic. Google, for example, identifies publisher fraud, where publishers run software tools in data centers to intentionally mislead advertisers with fake impressions and clicks.
In one case involving a fake click program called Urlspirit, there were more than 6,500 data-center installations of the software, with each data-center installation running in a separate virtual machine. In aggregate, the data center installations of this software generated an average of 2,500 fraudulent ad requests per installation per day.
The image of a click farm is most likely of a warehouse full of people clicking on links for a variety of purposes. Click farms have traditionally been used to inflate traffic volumes on websites, to repost and share posts online, or to boost the perceived popularity of social network profiles.
They’re like a call center but for fake traffic online.
Click farms are often found in developing nations where wages are much lower. However, in recent years, click farms have been switching to increasingly automated services.
A famous example is a click farm in Thailand which was busted by the police there. This included hundreds of phones and tablets connected to a server running automated processes, mostly clicking on social media links.
Click farms can usually be hired for whatever traffic purpose you require, including committing click fraud.
The web crawler is an automated bot that is usually running quite mundane tasks. This can be anything from:
- Indexing websites for search engines
- Collecting data on behalf of other software, also known as ‘web scraping’
- Monitoring the web on behalf of government institutions, for example, looking out for fraud
Usually, web crawlers are not committing any acts of fraud. But they can be a regular source of fraudulent clicks.
Low volume clicks
Keywords in many industries are both highly competitive and expensive. So, it’s no surprise that business rivals can use a bit of light click fraud to deplete PPC budgets and even knock one company’s ads off the search engine results for the day.
In fact, this is quite a common occurrence, especially in industries such as legal services, on-demand repairs or specialist services (e.g., plumbers, locksmiths, waste disposal), and finance.
In many of these sectors, keyword bids are regularly over $50, meaning just a few clicks can hit the pocket hard.
People who are seeking some kind of ‘revenge’ can easily hit you where it hurts online – in the wallet.
It might be a sacked employee, an estranged ex-partner, or a customer who didn’t like your service. If they spot your ad, they can click on it as many times as they like, draining your advertising budget every time they do.
Accidental or repetitive clicks
We’ve all clicked on a link without realizing it, only to quickly close the tab or click back when we realized our error.
Fat fingers can be a regular source of invalid clicks. In fact, to their credit, the ad networks strive to prevent these types of clicks from being counted toward your PPC ad spend.
Another form of accidental clicks could be if someone finds your website through the paid ad and clicks on that instead of entering your domain name in the browser.
In terms of repetitive clicks, one person browsing online could end up clicking your ad numerous times, and they might not even make a purchase from your company anyway!
Malware and click fraud
Now, this requires a special section all of its own. Click fraud from malware is a growing problem and one that the industry is struggling to defend against.
Malware is usually a software program, such as a web browser extension or app, that is infected with a bot, virus, or other software infection.
Once on a device, malware can be controlled remotely to carry out all sorts of digital tasks. This includes coordinated botnet attacks (also known as denial of service or DDoS), ransomware attacks, crypto mining, data theft, and click fraud.
In 2022 alone, there were several click fraud malware cases, including a large-scale click fraud campaign targeted at gamers. In fact, click-hijacking attacks grew 125% year-over-year from 2021 to 2022.
This type of click fraud often uses click injection, or click spamming, to carry out its fraudulent activity. This means that the software will have an inbuilt bot that clicks away in the background on hidden ads and embedded ads or can even be used to visit external websites to view those ads too.
You can read more about click injection and how it affects advertisers and device users.
When it comes to defrauding advertisers, one of the most common practices is domain spoofing or website spoofing.
This is where fraudsters create a fake version of an established website with the sole intention of displaying ads to collect the payout.
Some of the most successful ad fraud campaigns have used domain spoofing to devastating effect. Done right, an ad can be hosted on a spoofed site, viewed or clicked on by a bot or click farm worker, and a payout goes to the fraudster.
All without the advertiser or genuine publisher knowing a thing about it.
Despite several attempts by the industry to end website spoofing, it is still the most common way for fraudsters to collect payouts on fake video impressions and display ads.
Examples of Click Fraud
Over the years, several high-profile examples of click fraud were exposed. From sophisticated botnet attacks to shady competitive practices, there is plenty of evidence of the lengths fraudsters go to.
Botnets and organized ad fraud
Using bots and malware to do their bidding is the most effective way for fraudsters to hit a high volume of ad campaigns. This is usually done by a team of organized hackers and is the biggest ongoing threat in terms of digital fraud. Over the years, dozens of botnets have been discovered, costing millions in wasted spend for marketers.
Competitor click fraud
In more competitive industries, like retail or SaaS, a high cost per click (CPC) coupled with intense competition can result in the perfect conditions for click fraud. And yes, it happens, probably more often than you would think.
In one example, highly competitive B2B software vendors see invalid click rates at 9%. Callum McKeefery, Founder & CEO of REVIEWS.io, which offers a solution allowing business clients to review their product or service online, says: “This has happened to us a lot. A competitor has continuously clicked on our paid ad. There was one device in Melbourne, Australia that clicked on our ad once every couple of days, but on really expensive keywords. These keywords cost between $13 and $19 a click. Competitors are doing this on hundreds of devices.”
Law firm throws the book at click fraud
American firm JustLaw is a digital marketing agency for law firms. While managing the ad campaigns for a DUI firm, JustLaw CEO Stephan Futeral spotted a high volume of unusual click activity on their PPC ads.
By using click fraud detection software, he managed to boost his conversion rates by 97%! With an average CPC of $50, Stephan noted that by blocking the fraudulent clicks on these ads, he saved his client over $11,000 in a month.
Click fraud legal cases
Although prosecutions for click fraud are still relatively rare, there have been several high-profile cases that highlight the issue.
Facebook vs LionMobi & JediMobi
Highlighting the issue of click injection and click spoofing malware, Facebook discovered that software from two developers was being used to click on FB ads in apps.
The developers, LionMobi and JediMobi, two separate developers from Hong Kong and Singapore, are accused of creating apps that contain malware to click on ads. The defendants actually claimed that the code might have come from an SDK rather than from themselves.
As of 2020, a settlement is yet to be decided.
The LeoTerra case
The LeoTerra case is a prime example of harmful click fraud that ended with legal consequences for the fraudsters. It involved server-side ad insertion (SSAI), a sophisticated technique where fake ad inventory is created and injected into legitimate websites and apps. In LeoTerra’s case, the scheme targeted connected TVs (CTVs).
The scam was uncovered in July 2020, when investigations found that it was part of an extensive operation of SSAI schemes known as OctoBot. The fraudsters downloaded lists of devices from online device information sources and incorporated the device information into their falsified ad requests. This made it appear as if their fraudulent traffic was coming from millions of different devices.
At its peak, LeoTerra spoofed up to 20.5 million unique CTV devices per day, generating billions of fake ad impressions. In the first half of 2022 alone, three new variants of the LeoTerra scheme were identified. These three variants have spoofed more than 92 million devices during H1 and up to 3.5 million device signatures each day.
The sheer scale of this case highlights the need for better security measures and detection tools to combat sophisticated click fraud schemes and maintain trust in the digital advertising industry.
Italian national Fabio Gasperini was accused of creating a botnet that clicked on PPC ads and allowed him to access computers remotely.
Although Gasperini was acquitted in 2018, he was prosecuted for the lesser charge of computer intrusion.
In pursuing a conviction, the case was dismissed for containing vagueness, insufficient proof, and evidence obtained incorrectly. This highlights a key problem with pressing charges against alleged click fraud conspirators, as obtaining solid digital proof can be a hindrance to passing a guilty sentence.
The Methbot gang
In one of the few successful prosecutions for ad fraud, Kazakh nationals Yevgeny Timchenko and Sergey Ovsyannikov were sentenced to prison in the US for their roles in the Methbot and 3ve bot campaigns.
Aleksandr Zhukov was also charged with his part in the 3ve ad fraud campaign.
There were also charges for Russian associates Mikhail Andreev, Boris Timokhin, Denis Avdeev, and Dmitry Novikov, although they remain at large.
Motogolf.com vs Top Shelf
The impact of click fraud on businesses is highlighted in the case of Las Vegas-based online golf equipment retailer Motogolf.com in the US District Court of Nevada.
The sports retailer sued a competitor, alleging they violated federal and state law by repeatedly clicking on Motogolf’s pay-per-click online Google ads. According to the court complaint, once viewers have clicked the set number of ads in a given day, the ads become “exhausted” and are no longer visible to potential customers.
Beyond the immediate cost of the problem, Motogolf also claims it is losing “valuable demographic data about prospective customers.” The problem cost the company at least $5,000, according to Motogolf. The golf retailer claims in its complaint that its competitor’s employees used various electronic devices to intentionally click on Motogolf’s online pay-per-click ads “in an illegitimate manner calculated to cause damage to Motogolf.”
Sectors most affected by click fraud
Click fraud can affect up to a quarter of all clicks on pay-per-click (PPC) ads. For some industries, the fraudulent click volume can be even higher, costing billions for some sectors, based on analysis by the University of Baltimore and CHEQ.
We see that eCommerce lost $3.8 billion to the problem in 2020 alone. Education PPC advertisers suffered $830 million. Legal marketers grappled with an annual setback of $193 million, while medical and healthcare advertisers saw their losses reach $196 million, and online travel faced an impact of $2.6 billion.
Click Fraud: Mobile vs. Desktop
In an analysis of 1.8 billion clicks, 14% of paid search traffic was fraudulent. Of this fraud, 85% involved mobile devices, compared to 15% for desktop. The study found that Android devices play the largest part in rising mobile click fraud, accounting for more than three-quarters (81%) of mobile-based invalid clicks compared to 19% on iOS devices.
So, with all those clicks on your PPC ads, you’d think it would be easy to spot click fraud on your ad campaigns. To the naked eye, it can be tricky to spot, but there are some obvious signs that can help you. See, for instance, our guide, How to Filter Invalid Clicks in Google Ads.
The red flags of click fraud
If you consistently see one or more of the following warning signals happening to your PPC ads, you might need to look at ways to minimize your exposure.
High bounce rates
There can be many reasons a visitor clicks your link and then clicks back within a few seconds. It might not be what they’re looking for after all, or maybe your landing page was slow to load or badly designed. These issues can be fixed with some better wording on your ads and a bit of a landing page tweak.
For PPC ads on Google Ads, a reasonable bounce rate is around 40-50%. If you’re seeing bounce rates lower than that, you’re doing well. Anything over 60-70% means you might need to look at your ad, and if this doesn’t change anything, look at how to stop those fraudulent clicks.
Spikes in impressions and clicks
Of course, you want your ads to have lots of impressions or lots of clicks. This indicates that you’re doing something right after all.
These spikes in impressions and clicks can be a result of a successful offline ad campaign, seasonal trends, and other external factors that can be hard to quantify.
But a spike coupled with one of the other factors on this list might suggest fraudulent activity.
Peaks in clicks or impressions at strange times, such as the middle of the night, might suggest traffic coming from overseas, which could be suspicious if you don’t target foreign shores.
High traffic but low conversions
Lots of clicks equals lots of conversions, right? Not necessarily. If you regularly see a low conversion rate, again, it might be worth looking at your ad first.
Consider features such as your call to action or how easy it is for your site visitors to complete the required action (check out, get in touch, etc.).
If you’re seeing spikes in traffic volumes and no corresponding rise in conversion rates, this is a big red flag.
So, I mentioned the peaks in traffic from overseas, which might not be so strange if you’re an internationally focused company.
But, sometimes, even locally targeted ads can see traffic from an unusual location. By using VPNs (virtual private networks), users can get around location settings and view ads meant for a targeted audience.
For instance, in the case of one enterprise DIY eCommerce site, a CHEQ for PPC client, our cybersecurity technology discovered campaigns on paid search and paid social that received 14,000 fraudulent clicks from VPNs used to mask location. The clicks actually came primarily from China and Malaysia (masking their location as UK buyers), and the client considers them invalid because it does not ship to these regions.
If you’re regularly seeing traffic on your ads coming from some obscure country, dig into the IP address and consider using software to block fraudulent traffic.
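The red flags above can be checked against hourly campaign statistics, treating a click spike as suspicious only when a second signal agrees with it. This is an added example, not part of the original article or of any vendor's tooling; the row layout, the spike factor and the night-hour window are assumptions, and the bounce limit follows the 60-70% guidance above.

```python
from statistics import median

# Constructed hourly campaign statistics (not real data).
# Each row: (hour as ISO 8601 prefix, clicks, bounces, conversions).
SAMPLE_HOURS = [
    ("2024-01-10T09", 40, 18, 3),
    ("2024-01-10T10", 44, 20, 4),
    ("2024-01-10T11", 38, 16, 3),
    ("2024-01-10T12", 130, 55, 11),  # spike, but conversions rise with it
    ("2024-01-10T13", 42, 19, 3),
    ("2024-01-11T03", 150, 132, 0),  # night-time spike, nobody converts
    ("2024-01-11T09", 41, 30, 3),    # high bounce rate at normal volume
]

SPIKE_FACTOR = 3.0         # assumed: "spike" = 3x the median hourly clicks
BOUNCE_LIMIT = 0.60        # lower bound of the 60-70% guidance above
NIGHT_HOURS = range(0, 6)  # assumed: hours the targeted audience is asleep


def red_flags(hours, spike_factor=SPIKE_FACTOR, bounce_limit=BOUNCE_LIMIT,
              night_hours=NIGHT_HOURS):
    """Return {hour: [signals]} for click spikes backed by a second signal."""
    if not hours:
        return {}
    baseline = median(clicks for _, clicks, _, _ in hours)
    threshold = spike_factor * baseline

    # The conversion rate of the ordinary hours is the yardstick for a spike.
    normal = [(c, v) for _, c, _, v in hours if c < threshold]
    normal_clicks = sum(c for c, _ in normal)
    base_rate = sum(v for _, v in normal) / normal_clicks if normal_clicks else 0.0

    report = {}
    for hour, clicks, bounces, conversions in hours:
        if clicks < threshold or clicks == 0:
            continue  # no spike: a high bounce rate alone points at the ad or page
        signals = []
        if bounces / clicks > bounce_limit:
            signals.append("high bounce rate")
        if conversions / clicks < 0.5 * base_rate:
            signals.append("no matching rise in conversions")
        if int(hour[-2:]) in night_hours:
            signals.append("unusual hour")
        if signals:  # a spike only counts when another factor agrees
            report[hour] = ["click spike"] + signals
    return report


if __name__ == "__main__":
    for hour, signals in red_flags(SAMPLE_HOURS).items():
        print(hour, "->", ", ".join(signals))
```

The midday spike is left alone because conversions rose with it, which is what a successful promotion looks like.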
How to prevent click fraud on your ads
All of this probably has you asking, what is being done to prevent click fraud? And is there anything I should do to prevent fraudulent clicks on my paid ads?
To answer the first question, yes, there are initiatives to stop click fraud, and many PPC platforms offer some protections.
Google, for example, has a dedicated team that works to identify and prevent invalid clicks around the clock.
Manual methods for preventing click fraud
And here’s the answer to the second question. There are manual methods that can be useful to reduce your exposure to click fraud or invalid clicks.
However, most of these are practices you should use anyway if you’re running pay-per-click (PPC) ads.
If you’re targeting your ads worldwide, you’re probably throwing your ad budget down the drain anyway. It’s always best to target specific locations with localized campaigns, which allows you greater control over your ad budget and your PPC ads.
As part of this, you can also exclude certain areas that might be fraudulent activity hotbeds.
IP address exclusions
In the context of click fraud prevention, monitoring IP addresses becomes crucial to identify and mitigate suspicious activity. They can easily reveal fraudulent activities.
For example, if you spot a large volume of clicks or website visits coming from the same IP address, it could indicate click fraud. Or it could be IP addresses from locations that you’re not targeting.
In such cases, you should add those IP addresses to the exclusion list in your Google Ads account.
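One way to find those addresses is to aggregate a click log per source IP and keep the ones that match either condition described above. This is an added example, not code from the original article or from Google Ads; the CSV column names, the per-day threshold and the targeted country set are assumptions, and the log lines are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample click log (not real traffic). Column names are assumptions;
# map them to whatever your analytics or server-log export provides.
SAMPLE_LOG = """\
timestamp,ip,country,converted
2024-01-10T09:02:11,198.51.100.7,GB,0
2024-01-10T09:02:40,198.51.100.7,GB,0
2024-01-10T09:03:05,198.51.100.7,GB,0
2024-01-10T09:04:18,198.51.100.7,GB,0
2024-01-10T10:15:00,203.0.113.20,GB,0
2024-01-10T10:16:30,203.0.113.20,GB,0
2024-01-10T10:21:02,203.0.113.20,GB,0
2024-01-10T10:40:45,203.0.113.20,GB,1
2024-01-10T03:12:09,192.0.2.55,MY,0
2024-01-10T11:05:00,192.0.2.90,GB,0
2024-01-10T11:30:00,not-an-ip,GB,0
"""

TARGET_COUNTRIES = {"GB"}  # locations the campaign actually targets (assumed)
MAX_CLICKS_PER_DAY = 3     # assumed threshold; tune to your click volume and CPC


def exclusion_candidates(log_text, target_countries=TARGET_COUNTRIES,
                         max_clicks_per_day=MAX_CLICKS_PER_DAY):
    """Return {ip: [reasons]} for addresses worth reviewing for exclusion."""
    clicks = defaultdict(int)     # (ip, day) -> click count
    converted = set()             # IPs with at least one conversion
    countries = defaultdict(set)  # ip -> countries seen for that IP

    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            continue  # skip malformed rows rather than guess at them
        day = row["timestamp"][:10]  # YYYY-MM-DD prefix of the ISO 8601 stamp
        clicks[(ip, day)] += 1
        countries[ip].add(row["country"].strip().upper())
        if row["converted"].strip() == "1":
            converted.add(ip)

    findings = defaultdict(list)
    for (ip, day), n in sorted(clicks.items()):
        # A repeat visitor who eventually buys is not a fraud signal.
        if n > max_clicks_per_day and ip not in converted:
            findings[ip].append(f"{n} clicks on {day} with no conversion")
    for ip, seen in sorted(countries.items()):
        outside = sorted(seen - set(target_countries))
        if outside:
            findings[ip].append("outside targeted locations: " + ",".join(outside))
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in exclusion_candidates(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Treat the output as a review list rather than an automatic block list, since shared office or mobile-carrier addresses can carry many genuine visitors.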
Leaving your ads running 24/7? This is probably not the best way to get value for money on your pay-per-click advertising. Instead, choose the best times to target your ads, and you’ll be able to limit your exposure to fraud AND get a better return on ad spend.
Automated real-time click fraud prevention across all platforms
Who has time to manually tweak your PPC advertising to avoid click fraud? That’s where anti-click fraud prevention software comes into play.
CHEQ for PPC offers the most comprehensive protection against click fraud, protecting PPC campaigns of all shapes and sizes. What’s more, unlike other fraud prevention software, CHEQ doesn’t just block invalid clicks on Google. CHEQ for PPC provides a complete click fraud prevention solution for any platform you spend money on, including Facebook, Pinterest, LinkedIn, Microsoft, Snapchat, and others.
What are invalid clicks?
The term ‘invalid clicks’ is usually used by the PPC platforms to refer to any non-genuine click on your paid ads. Although it can be used to refer to fraudulent clicks, it can also refer to:
- Genuine accidental clicks by site visitors
- Web crawlers
- Multiple clicks from the same source
For PPC networks like Google Ads, Bing, or Facebook, it sounds better than referring to fake clicks or click fraud.
But, to be fair to Google and Co, invalid clicks cover everything, not just fraud.
So, invalid clicks likely refer to the general volume of non-genuine clicks, whereas click fraud or ad fraud refers specifically to those fake clicks with malicious intent.
How does Google detect click fraud?
Google has a process in place that detects click fraud. Any click that is not driven by a genuine user interest is classified by Google as an invalid click, and it won’t charge you for that.
Its mechanisms detect activities such as repetitive clicks from the same source, accidental clicks on an ad due to factors like poor ad placement, or bot clicks triggered by either legitimate bot crawlers or malicious bots.
While these measures only confirm Google’s commitment to its advertisers, large volumes of fraudulent clicks are still slipping through. Many marketers agree that Google’s parameters do not measure the full extent of click fraud, which increases the need for additional tools specifically designed to combat click fraud.