Bots and fake users on the internet can commonly interact with websites that companies use to run their businesses. This phenomenon – known as the Fake Web – can drain budgets, skew important metrics, infiltrate databases, and generally make it more difficult to run an organization online. The issues caused by the Fake Web can sometimes become difficult to address because there are so many different types of threats that engage with content in different ways. These threats include, but are not limited to: botnets, account hijackers, click farms, carding attackers, and other forms of invalid traffic. Throughout this article, we will focus specifically on the issue of click spamming, how it compares to other types of spam, and what businesses can do to address it.
What is spam?
When some people think of ‘spam,’ images of mass quantities of unwanted emails entering a person’s inbox might come to mind. Email spamming is a very common and long-standing type of spam, but today spambots use a variety of channels – not just email. An example that recently caught the attention of Elon Musk during this attempted Twitter acquisition, was bots spamming users on social media via commenting on posts, sending messages, and otherwise flooding user feeds.
Another type of spam completely is called “click spamming.” This shares some qualities with other forms of spam because it deals with mass quantities of invalid or unwanted actions, however in this case those actions are clicks. Click spamming begins by hijacking another user’s web session or browser in order to impersonate them. The bad actor can then repeatedly click on various links throughout the internet as a legitimate human user, and often go undetected.
Paid ads click spamming
Click spamming can occur on paid advertisements when a malicious user imitates a legitimate human user or gains access to their real click via the installation of malware on their device. The bad actor might then choose to repeatedly click on advertisements in order to drain a company’s budget, access discounts or coupons intended for other users, or enter a website page so they can further infect it or commit additional fraud.
Organic click spamming
Similarly to the click spamming that occurs on paid ads, malicious users can also hijack clicks on organic links as well. Organic links include anything that a regular user might click on that exists outside paid promotions or ads. For example, a link to an article, a link shared on a social media platform, or a link discovered in the non-paid section of a search engine results page.
Who commits click spamming?
Because the action of impersonating another user and taking over their clicks can be done in an automated and programmed way, click spamming is often committed by bots. However, malicious humans can also find ways to enter someone else’s account and take over their clicks. While click spamming is a specific type of action, it can either be done one-by-one by a malicious human or at a large scale across multiple devices by automation tools. Each user and bot may also have different intentions or reasons for click spamming which we will outline in the following paragraph.
Why would anyone commit click spamming?
When a bot or malicious user click spams, they might seek to simply overwhelm a server so that a site crashes and other users can’t access it. This is one way bad actors can sabotage a business’s online operations. These users also frequently seek to gain access to additional information. Maybe they are clicking on a specific ad or link because they want to get behind it and achieve some type of discount or free item. Additionally, click spammers might spam clicks on their own ad, so they can then submit those clicks as invalid to their ad platform, and gain refunds for “fake clicks” that they actually committed themselves. In general, the end game of click spamming is usually to gain either information or funds.
What damage does this cause?
Click spamming can cause headaches, as well as financial and operational issues, for businesses and end-users alike. The following are four examples of some common consequences of click spamming.
Paid advertising damages
When spammers click on the advertisements of other companies on the internet, that organization loses several CPC costs to an invalid user that does not have the intention or ability to convert. That budget is now lost, and cannot be used on legitimate users with a much higher likelihood of becoming customers. Additionally, if click spamming continues to occur, optimizations could become skewed toward additional invalid users, and audiences can become polluted so that they are no longer effective. Even if a click spamming attack only occurs once, the damage can continue by infecting future campaigns through these learned optimizations.
Whether click spamming happens by a hijacker spamming clicks on paid ads, or repeatedly clicking on organic links, that fake user can then arrive on a website where they can continue to damage a brand in a variety of ways. Bots and malicious users may choose to fill out forms, submit actions various times or click around on the site in order to test gated pages or gain information on how the website is set up. If these malicious users are mistaken for users that have a legitimate interest, these actions might cause a company to revamp their website content and creative to better serve these bots, which opens them up for additional future damages as well.
When bots and fake users arrive on a website, they disrupt the company’s analytics and source of truth. Since today most business decisions are made based on data, even a small percentage of invalid traffic can skew metrics and lead to poor decision-making and company performance. Now image bots and fake users are not just occasionally accessing a website, but clicking at rapid speeds and impersonating legitimate users – yes, click spamming – that would cause analytical damage at an even higher rate. For this reason, businesses that care about protecting their business intelligence systems are rightfully concerned about click spamming and other high-volume cyber threats.
Damages to the legitimate user
As previously mentioned, companies are not the only ones who suffer from click spamming. Since click spamming is often committed by a malicious user taking over the clicking actions of a legitimate user or impersonating a regular internet user, that real user suffers damage as well. Their accounts may be flagged for malicious activities, their IP or server could end up blocked from some sites they want to visit, and their overall internet experience could become more limited. Not to mention, if a malicious user was able to hijack their clicks, perhaps they can find a way to hijack additional information about that user which could ultimately lead to account takeover or even identity fraud.
How can businesses identify click spamming?
An initial sign can be an influx of clicks – on a specific ad, a variety of ads, or organic links – from a single user or IP. While a single user might choose to visit a business’s website more than once, it is typically done over time rather than in rapid succession. So if an organization notices strange user behavior on these links and assets, it might be worth it to investigate further. Additionally, since many bad actors continue to commit other types of fraud once they arrive on a website, site operators can check their analytics and heat maps for unusual patterns or user behaviors on-site as well. Awareness is the first step in combating click spamming and protecting both the organization and the end customer.
What can be done if a business is under a click spam attack?
If a company suspects they are currently under a click spam attack, there are some immediate protective measures they can take. First, if the attack appears to be coming from a specific IP or location, they might choose to block that from their advertisements to avoid additional budget drainage. If the click spammer appears to also be taking harmful actions on the website, the company might add a CAPTCHA form or other form and page protections so the user cannot make it further down the funnel. If the invalid user has converted and entered any databases, it is wise to monitor that contact’s behaviors and remove them from any future marketing campaigns or audiences.
How can businesses be more proactive in the future?
While the actions mentioned previously can help avoid a major internal crisis when click spamming is actively occurring, they are all very reactive and tactical actions. Organizations that are looking to be more proactive against click spamming and other cyber attacks should consider installing some type of cybersecurity software. Previously, many companies put this responsibility entirely on the CISO and IT department, but now that it has become more apparent that cyber threats impact businesses holistically, operations and marketing professionals are pushing for better protection as well. Specifically, many organizations are turning to go-to-market security to secure their entire business.