What is Click Fraud? The Ultimate Guide

Online advertising is a huge industry. In fact, such is its scale that $144 billion will be spent on paid social and paid search campaigns alone in 2020. But the specter of click fraud hangs over PPC and paid social advertising, despite numerous attempts to shake it off.

In fact, this form of digital ad fraud is one of the biggest ongoing scams online, affecting an estimated 90% of all PPC advertisers.

So, what is click fraud? Is it the same as invalid clicks, or fake clicks? And is there anything you can do as an online marketer to avoid click fraud?

Although it is a big subject, with a lot of variables, we’re going to delve into the murky world of click fraud and discover what it is and how it affects you.

What is Click Fraud?

Click fraud is the act of clicking on an online advertisement, usually with malicious intent. This can be to deplete the advertiser’s budget in an attempt to remove the ad from the search engine results or to divert the ad spend to a third party or fraudster.

These fake clicks on your paid ads can cost anything from a few pennies to well over one hundred dollars, depending on the CPC (cost per click) of your ad.

Click fraud can affect any form of paid ad, which can include your paid search results, banner ads, video ads or native ad content.

Typically, fake clicks on your PPC ads come from one of these sources:

  • Competitors or malicious persons who wish to run down your ad spend
  • Organised criminals running an ad fraud botnet (more on this later)
  • Web scrapers and other bots crawling the internet for data

A recent study by the University of Baltimore found that, in 2020, global click fraud is set to cost marketers $23.7 billion.

To put it into some sort of context, it’s estimated that between 1 in 4 and 1 in 5 clicks on every PPC ad are from non-genuine sources.

Or, more specifically, between one quarter and one fifth of your PPC advertising spend is going to fraudsters or non-genuine online traffic.

Within the scope of click fraud, there are terms such as invalid clicks and ad fraud. Although related, these refer to different things.

What are invalid clicks?

The term ‘invalid clicks’ is usually used by the PPC platforms to refer to any non-genuine click on your paid ads. Although it can be used to refer to fraudulent clicks, it can also refer to:

  • Genuine accidental clicks by site visitors
  • Web crawlers
  • Multiple clicks from the same source

For the PPC networks like Google Ads, Bing or Facebook, it sounds better than referring to fake clicks or click fraud.

But, to be fair to Google and co, invalid clicks covers everything, not just fraud.

So, invalid clicks likely refers to the general volume of fake clicks, or non-genuine clicks, whereas click fraud or ad fraud refers specifically to those fake clicks with a malicious intent.

How Does Click Fraud Work?

So, how do all of these fake clicks find their way to your paid ads? And why such a high volume of them?

As we’ve already seen, click fraud or invalid clicks come in a variety of flavours, ranging from intentional defrauding to genuine accidents.

We’ll break them down into high volume and low volume.

High volume clicks

Botnets

A botnet is a network of automated robots, or bots. Botnets are usually pieces of code that are operated remotely via a command and control (C&C) centre.

These networks are usually multiple infected devices such as web browsers, phones or computer servers.

Botnets are often used by organised criminals to commit wide scale ad fraud.

Data Centers

The weaponization of data center traffic plays a large part in the rise of click fraud.

Using data from CHEQ, for instance, we see that nearly 50% of online ad fraud attacks involve data center bot traffic. Google, for example, identifies publisher fraud, where publishers run software tools in data centers to intentionally mislead advertisers with fake impressions and clicks. In one case, involving a fake click program called Urlspirit, there were more than 6,5000 data-center installations of the software, with each data-center installation running in a separate virtual machine. In aggregate, the data center installations of this software generated an average of 2,500 fraudulent ad requests per installation per day.

Overall, with most bad bot traffic emanating from data centers, the U.S. remains the “bad bot superpower” with 45.9 percent of bad bot traffic coming from the United States.

Click farms

The image of a click farm is most likely of a warehouse full of people clicking on links for a variety of purposes. Click farms have traditionally been used to inflate traffic volumes on websites, to repost and share posts online or to boost the perceived popularity of social network profiles.

They’re like a call center, but for fake traffic online.

Click farms are often found in developing nations where wages are much lower. However, in recent years, click farms have been switching to increasingly automated services.

A famous example is a click farm in Thailand which was busted by the police there. This included hundreds of phones and tablets connected to a server running automated processes, mostly clicking on social media links.

Click farms can usually be hired for whatever traffic purpose you require, including committing click fraud.

Web crawlers

The web crawler is an automated bot that is usually running fairly mundane tasks. This can be anything from:

  • Indexing websites for search engines
  • Collecting data on behalf of other software, also known as ‘web scraping’
  • Monitoring the web on behalf of government institutions, for example looking out for fraud

Usually web crawlers are not committing any acts of fraud. But, they can be a regular source of fake clicks or invalid clicks.

Low volume clicks

Business Competitors

Keywords in many industries are both highly competitive and expensive. So, it’s no surprise that business rivals can use a bit of light click fraud to deplete PPC budgets and even knock one company’s ads off the results for the day.

In fact, this is quite a common occurrence, especially in industries such as legal services, on-demand repairs or specialist services (e.g. plumbers, locksmiths, waste disposal) and finance.

In many of these sectors, bids on keywords are regularly over $50, meaning just a few clicks can really hit the pocket hard.

Vindictive parties

People who hold a grudge can easily hit you where it hurts online; in the wallet.

It might be a sacked employee, an estranged ex-partner, or a customer who didn’t like your service. If they spot your ad they can click on it, as many times as they like, putting you out of pocket every time they do.

Accidental or repetitive clicks

We’ve all clicked on a link without realising, only to quickly close the tab or click back when we realise our error.

Fat fingers can be a regular source of invalid clicks. In fact, to their credit, the ad networks do aim to negate these types of clicks and ensure these don’t count towards your PPC ad spend.

In terms of repetitive clicks, a searcher might find your paid ad and click on that instead of entering your domain name in the browser.

One person browsing online could end up clicking your ad numerous times, and they might not even make a sale with your company anyway…!

Malware and click fraud

Now, this requires a special section all of its own. Click fraud from malware is a growing problem, and one that the industry is scrambling to defend against.

Malware is usually a software program such as a web browser extension or app which is infected with a bot, virus or other software infection.

Once on a device, malware can be used remotely to carry out all sorts of digital tasks. This includes coordinated botnet attacks (also known as denial of service or DDoS), ransomware attacks, crypto mining, data theft and click fraud.

In 2020 alone there have been several click fraud malware cases, including Tekya. In fact, during the Coronavirus pandemic, there has been a surge in mobile click fraud of up to 62% with 85% of this total volume coming from mobile devices.

This type of click fraud often uses click injection, or click spamming, to carry out its fraudulent activity. What this means is that the software will have an inbuilt bot which clicks away in the background on hidden ads, embedded ads or can even be used to visit external websites to view those ads too.

You can read more about click injection and how it affects advertisers and device users.

Domain spoofing

When it comes to defrauding advertisers, one of the most common practices is domain spoofing, or website spoofing.

This is where fraudsters create a fake version of an established website with the sole intention of displaying ads to collect the payout.

Some of the most successful ad fraud campaigns have used domain spoofing to devastating effect. Done right, an ad can be hosted on a spoofed site, viewed or clicked on by a bot or click farm worker, and a payout goes to the fraudster.

All without the advertiser or genuine publisher knowing a thing about it.

Despite several attempts by the industry to end website spoofing, it is still the most common way for fraudsters to collect payouts on fake video impressions and display ads.

Examples of Click Fraud

Over the years, there have been several high profile examples of click fraud caught in the act. From sophisticated botnet attacks, to shady competitive practices, there is plenty of evidence of the lengths that fraudsters go to.

Here are the five biggest click fraud cases you need to know.

Botnets and organised ad fraud

Using bots and malware to do your click fraud bidding is the most effective way of hitting a high volume of PPC ads. This is usually done by a team of organised hackers and is the biggest ongoing threat in terms of digital ad fraud. There have been dozens of botnets discovered over the years costing millions in wasted spend for marketers.

Competitor click fraud

In some industries, a high cost per click (CPC) coupled with intense competition can result in the perfect conditions for click fraud. And yes, it happens, probably more often than you would think.

In one example, highly competitive B2B software vendors see invalid click rates at 9%. Callum McKeefery, Founder & CEO of REVIEWS.io, which offers a solution allowing clients of a business to review their product or service online, says: “This has happened to us a lot. A competitor has continuously clicked on our paid ad. There was one device in Melbourne, Australia that clicked on our ad, once every couple of days, but on really expensive keywords. These keywords cost between $13 and $19 a click. Competitors are doing this on hundreds of devices.”

Law firm throws the book at click fraud

American firm JustLaw are a digital marketing agency for law firms. While managing the ad campaigns for a DUI firm, JustLaw CEO Stephan Futeral spotted a high volume of unusual click activity on their PPC ads.

By using click fraud detection software he managed to boost his conversion rates by 97%! With an average CPC of $50, Stephan noted that by blocking the fraudulent clicks on these ads he saved his client over $11,000 in a month.

Click fraud legal cases

Although prosecutions for click fraud are still relatively rare, there have been several high profile cases which highlight the issue.

Facebook vs LionMobi & JediMobi

Highlighting the issue of click injection and click spoofing malware, Facebook discovered that software from two developers was being used to click on FB ads in apps.

The developers, LionMobi and JediMobi, two separate developers from Hong Kong and Singapore, are accused of creating apps which contained malware to click on ads. The defendants actually claimed that the code may have come from an SDK, rather than from themselves.

As of 2020, a settlement is yet to be decided.

Fabio Gasperini

Italian national Fabio Gasperini was accused of creating a botnet which clicked on pay per click ads and allowed him to access computers remotely.

Although Gasperini was acquitted in 2018, he was prosecuted for the lesser charge of computer intrusion.

In pursuing a conviction, the case was dismissed for containing vagueness, insufficient proof and evidence obtained incorrectly. This highlights a key problem with pressing charges against alleged click fraud conspirators, as obtaining solid digital proof can be a hindrance to passing a guilty sentence.

The Methbot gang

One of the few successful prosecutions for ad fraud, Kazakh nationals Yevgeny Timchenko and Sergey Ovsyannikov were given prison sentences in the US for their roles in the Methbot and 3ve bot campaigns.

Aleksandr Zhukov was also charged with his part in the 3ve ad fraud campaign.

There were also charges for Russian associates Mikhail Andreev, Boris Timokhin, Denis Avdeev and Dmitry Novikov, although they remain at large.

Motogolf.com vs Top Shelf

The impact of click fraud on businesses is highlighted in the ongoing case of Las Vegas-based online golf equipment retailer Motogolf.com, in the US District Court of Nevada. The sports retailer sued a competitor, alleging they violated federal and state law by repeatedly clicking on Motogolf’s pay-per-click online Google ads. According to the court complaint, once viewers have clicked the set number of ads in a given day, the ads become “exhausted” and are no longer visible for potential customers. Beyond the immediate cost of the problem, Motogolf also claims it is losing “valuable demographic data about prospective customers”. The problem cost the company at least $5000, according to Motogolf. The golf retailer alleges in its complaint that its competitor’s employees used various electronic devices to intentionally click on Motogolf’s online pay-per-click ads “in an illegitimate manner calculated to cause damage to Motogolf.”

Sectors most affected by click fraud

Click fraud is thought to affect anything up to a quarter of all clicks on pay per click ads. For some industries, the fraudulent click volume can be even higher, costing billions for some sectors, based on analysis by the University of Baltimore and CHEQ.

We see that ecommerce will lose $3.8 billion to the problem. Education PPC advertisers are set to lose $830 million. Legal marketers are losing $193 million a year. Medical and healthcare marketers will lose $196 million, and online travel is set to lose $2.6 billion. In fact, during the Covid-19 pandemic, click fraud surged by an average of 14%. This at a time when business was struggling.

Click Fraud: Mobile vs Desktop

In an analysis of 1.8 billion clicks, 14% of paid search traffic was fraudulent. Of this fraud, 85% involves click fraud using mobile devices, compared to desktop click fraud (15%). The study found that Android devices play the largest part in rising mobile click fraud, accounting for more than three-quarters (81%) of mobile-based invalid clicks compared to 19% on iOS devices. Android mobile click fraud also increased during the period of COVID-19, when companies with their backs against the wall engaged in greater levels of click fraud.

So, with all those clicks on your PPC ads, you’d think it would be easy to spot click fraud on your ad campaigns. To the naked eye, it can be tricky to spot, but there are some obvious signs that can help you. See for instance, our guide, How to Filter Invalid Clicks in Google Ads.

If you consistently see one or more of the following warning signals happening to your pay per click ads then you might need to look at ways to minimise your exposure.

High bounce rates

There can be many reasons a visitor clicks your link and then clicks back within a few seconds. It might not be what they’re looking for after all, or maybe your landing page was slow to load or badly designed. These issues can be fixed with some better wording on your ads and a bit of a landing page tweak.

For PPC ads on Google’s Adwords, a reasonable bounce rate is around 40-50%. If you’re seeing bounce rates lower than that, you’re doing well. Anything over 60-70% means you might need to look at your ad, and if this doesn’t change anything, look at how to stop those invalid clicks.

Surges in impressions and clicks

Of course, you want your ads to get lots of impressions, or lots of clicks. This indicates that you’re doing something right after all.

Surges in impressions and clicks can result from a successful offline ad campaign, seasonal trends and other external factors that can be hard to quantify.

But a surge coupled with one of the other factors on this list might suggest fraudulent activity.

Peaks in clicks or impressions at strange times, such as the middle of the night, might suggest traffic coming from overseas. Which, if you don’t target foreign shores, could be suspicious.

High traffic, but low conversions

Lots of clicks equals lots of conversions, right? Not necessarily. If you regularly see a low conversion rate, again, it might be worth looking at your ad first.

Consider features such as your call to action or how easy it is for your site visitors to complete the required action (check out, get in touch etc).

If you’re seeing surges in volumes of traffic and no corresponding rise in conversions, this is a big red flag.

Unusual location

So, I mentioned the peaks in traffic from overseas, which might not be so strange if you’re an internationally focused company.

But sometimes even locally targeted ads can see traffic from an unusual location. By using VPNs (virtual private networks), users can get around location settings and view ads meant for a targeted audience. For instance, in one case involving an enterprise DIY ecommerce site, a client of CHEQ for PPC, our cybersecurity technology discovered that campaigns on paid search and paid social had received 14,000 invalid clicks from VPNs used to mask location. The actual locations were primarily China and Malaysia (masked as UK buyers), traffic the client considers invalid as they do not ship to these regions.

If you’re regularly seeing traffic on your ads coming from some obscure country, dig into the IP address and consider using software to block fraudulent traffic.

How to Prevent Click Fraud on Your Ads

All of this probably has you asking, what is being done to prevent click fraud? And, is there anything I should be doing to prevent fraud or invalid clicks on my paid ads?

To answer the first question, yes there are initiatives to stop click fraud, and many of the PPC platforms do offer some protections.

Google, for example, has a dedicated team who work to identify and prevent invalid clicks around the clock.

Manual methods for preventing click fraud

There are manual methods, which can be useful to reduce your exposure to click fraud or invalid clicks. However, most of these are practices that you should be using anyway if you’re running pay per click ads.

Geo targeting

If you’re targeting your ads worldwide, you are probably throwing your ad budget down the drain anyway. It’s always best to target specific locations with localised campaigns, which allows you greater control over your ad spend and your PPC ads.

As part of this, you can also exclude certain areas which might be hotbeds of fraudulent activity.

IP address exclusions

You can monitor the IP addresses that are clicking on your paid ads, and if you see suspicious activity, you can add these addresses to an exclusion list.

Timing

Leaving your ads running 24/7? This is probably not the best way to get value for money on your pay per click advertising. Instead, choose the best times to target your ads and you’ll be able to limit your exposure to fraud AND get a better return on ad spend.
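The warning signs and manual exclusions described above can be checked together over a click log. The following is an added example, not code from CHEQ or any ad platform: it flags source IPs that show two or more signs at once, since a single sign on its own is often innocent. The log format, thresholds, sign names and function names are assumptions for illustration, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample click log (documentation-range IPs, not real traffic):
# (timestamp, source IP, country, seconds on landing page, converted?)
CLICKS = [
    ("2020-06-01 09:15:00", "192.0.2.10", "GB", 140, True),
    ("2020-06-01 10:02:00", "192.0.2.11", "GB", 3, False),    # one accidental click
    ("2020-06-01 02:10:00", "203.0.113.7", "MY", 2, False),
    ("2020-06-01 02:11:00", "203.0.113.7", "MY", 1, False),
    ("2020-06-01 02:13:00", "203.0.113.7", "MY", 2, False),
    ("2020-06-01 11:00:00", "198.51.100.4", "GB", 4, False),
    ("2020-06-02 11:05:00", "198.51.100.4", "GB", 2, False),
    ("2020-06-03 11:01:00", "198.51.100.4", "GB", 3, False),
    ("2020-06-01 14:00:00", "192.0.2.55", "GB", 60, False),
    ("2020-06-01 14:30:00", "192.0.2.55", "GB", 200, True),   # returning buyer
]

# Assumed campaign settings; tune them to your own account.
TARGET_COUNTRIES = {"GB"}
ACTIVE_HOURS = range(8, 20)   # ads are meant to run 08:00-19:59
BOUNCE_SECONDS = 5            # left the page within a few seconds
MIN_CLICKS = 3                # clicks needed before rates mean anything
BOUNCE_RATE_LIMIT = 0.7       # top of the 60-70% range called out above


def review_clicks(clicks):
    """Return {ip: [warning signs]} for every IP showing at least one sign."""
    per_ip = defaultdict(list)
    for ts, ip, country, dwell, converted in clicks:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        per_ip[ip].append((hour, country, dwell, converted))

    findings = {}
    for ip, rows in per_ip.items():
        signs = []
        bounces = sum(1 for _, _, dwell, _ in rows if dwell < BOUNCE_SECONDS)
        if len(rows) >= MIN_CLICKS and bounces / len(rows) > BOUNCE_RATE_LIMIT:
            signs.append("high_bounce_rate")
        if len(rows) >= MIN_CLICKS and not any(conv for *_, conv in rows):
            signs.append("repeat_clicks_no_conversion")
        if any(country not in TARGET_COUNTRIES for _, country, _, _ in rows):
            signs.append("outside_target_location")
        if all(hour not in ACTIVE_HOURS for hour, *_ in rows):
            signs.append("off_hours_only")
        if signs:
            findings[ip] = signs
    return findings


def exclusion_candidates(findings, min_signs=2):
    """IPs with several signs at once; one sign alone is often innocent."""
    return sorted(ip for ip, signs in findings.items() if len(signs) >= min_signs)


if __name__ == "__main__":
    report = review_clicks(CLICKS)
    for ip in exclusion_candidates(report):
        print(ip, ", ".join(report[ip]))
```

Treat the output as a shortlist to review before adding anything to an exclusion list, since shared office or mobile carrier addresses can group many genuine visitors behind one IP.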

Real-time click fraud prevention across all platforms

Who has time to manually tweak your pay per click advertising to avoid click fraud? That’s where anti-click fraud prevention software comes into play.

CHEQ for PPC offers the most comprehensive protection against click fraud, protecting pay per click campaigns of all shapes and sizes. What’s more, unlike other fraud prevention software, CHEQ doesn’t just block invalid clicks on Google. CHEQ for PPC provides a complete click fraud prevention solution for any platform you spend money on, including Facebook, Pinterest, LinkedIn, Microsoft, Snapchat, and others.
