Click Fraud: Definition, Types, Prevention, & More
Click fraud is a bigger deal than you may realize. Nearly 20% of total digital ad spend was wasted in 2016, 78% of marketers list click fraud as their top concern, and according to Click Guardian, $7.2 billion was lost to click fraud between 2016 and 2018.
One of the most notorious click fraud operations of all time — known as Methbot, was at one point defrauding $3-$5 million a day from falsified video ads through an enormously elaborate network of ISPs and URLs. They also faked clicks, mouse movements, and social network login information to masquerade as engaged human consumers and built specific code countermeasures against ad tech companies.
That’s an incredible amount of cash lost, and most of that burden falls on the shoulders of advertisers and publishers. Advertising platforms still collect short-term profits from fraud because they are the network handling the transactions between advertisers and publishers — regardless if either side is fraudulent.
Today, we’re going to cover the basics of click fraud and what your business can do to prevent it.
What Is Click Fraud?
Click fraud is any type of mechanism, strategy, software, or action that manipulates clicks in the digital ad ecosystem for financial gain.
Major forms of click fraud include bots that repeatedly click on ads, which spike costs and plummet conversion rates and fraudulent networks of faux sites displaying and clicking on their own ads.
While it is an issue most commonly discussed in the realm of search engine ads like Google Ads, click fraud is not restricted to Google Ads.
What Are Invalid Clicks?
Invalid clicks are a way to describe any click that wasn’t performed with real intent by an actual user.
This is most often used to describe clicks from bots or other malicious software. If a sea of clicks is coming from a single group of IP addresses, it’s a good bet they are bots performing invalid clicks.
How Is Click Fraud Detected?
Because click fraud is an umbrella term, the ways in which it is detected depend on the type of click fraud being committed, but let’s take Google Ads for example.
Google has a deep anti-fraud system, including actual metrics where you can see how many of the clicks your ad received were fraudulent. These clicks are flagged by Google if they behave suspiciously by clicking incredible amounts within a short window or say when a group of 100 users does the same exact action on your site in the same way (down to the way the user scrolls across the screen).
You aren’t charged for these clicks if they are flagged as invalid, and if you have been charged, Google will credit your account.
Is Click Fraud Illegal?
There is no doubt that people who create bots or actively work to scam the digital advertising ecosystem are criminals, but the law hasn’t caught up everywhere yet. It is already a felony in some states like California, and lobbyists are working to get federal anti-click fraud laws in place[*].
And with the global nature of our internet, many of these enterprises can affect American advertising from overseas — complicating the legal nature and reparations available.
Major Types of Click Fraud You Need to Be Aware of
Here are the major types of click fraud you may be a victim of:
Competitor Click Fraud
This is when a competitor, typically in high-cost and customer lifetime value spaces, repeatedly clicks on your ads to exhaust your advertising budget. Industries like law, construction, and enterprise SaaS are most at risk for competitor click fraud.
Customer Click Fraud
Customer click fraud is the least nefarious of the group. This is either when frustrated customers want to “make you pay” by deliberately clicking your ads or when customers simply choose to get to your site via an ad instead of an organic link. Bidding on your own business keyword can be useful if you have competitors bidding against you, but if after analyzing your business keyword placements you find there aren’t any other businesses bidding for it, then you can exclude it from your ad campaigns to save a bit of cash.
Publisher Click Fraud
There are many types of publisher click fraud. Fraudsters can set up “fake” websites to bid for ad inventory and then make you pay for those impressions via bots or crowdsourced users. They could also run more legitimate sites but mask their users’ IP addresses to claim that their users are more demographically relevant than they actually are. This type of fraud is most common in advertising spaces where businesses don’t have as much transparency around their ad placements.
Here are a few other examples of publisher fraud:
- Crowdsource fraud is when sites specifically request their users to click through an ad to support their business — resulting in many clicks but few users who actually have an interest in your product.
- Incentivized traffic fraud is an evolved form of crowdsourced fraud and occurs when a publisher offers a user rewards for clicking through ads[*].
- Click farm fraud is when publishers employ people to click through ads with no intent of purchasing.
- Redirect fraud is when fraudsters send users to an advertisement link but then immediately redirect back to the original page, resulting in an ad click without the user expressing interest or viewing any of the ad content at all.
- Botnet fraud is the most organized of all, with potentially millions of compromised computers and IP addresses being utilized to game the system through illegitimate clicks and impressions. These are enormous enterprises run by sophisticated cybercrime syndicates and are pursued by major tech companies constantly.
How Can I Tell if I Am Being Targeted by Click Fraud?
The best click fraud passes by unnoticed, but if you notice any of these signs you should take your time to check your ads and adjust as needed:
- Brief flashes of extremely high click-through-rates or clicks.
- Massive spikes in the number of clicks without a change in the budget.
- Higher than normal activity on high-price keywords.
- Significant conversion rate or click rate differences on keywords that are effectively the same thing (e.g. “marketing agency Nashville” and “marketing agencies Nashville”).
- Spikes of traffic from particular geographic areas that you weren’t specifically targeting.
- A simultaneous increase in click-through-rate and a decrease in conversion rates (e.g. an 18% CTR with a 0.2% conversion rate).
- A significant spike in bounce rate even though you’re getting more clicks.
- Traffic spikes during typically quiet times (e.g. a 4 AM spike of two thousand users that only viewed one page).
- The exact same user behavior metrics for hundreds or thousands of users (e.g. you have 7,000 users who all went the exact same pages, spent three seconds on each page, and clicked one time).
It’s impossible to collect an exhaustive list of signs because of the sheer magnitude of ways click fraud can occur, but many of the symptoms will be in this ballpark.
Best Practices for Managing Click Fraud
There is no silver bullet for eliminating click fraud, but there are many tactics you can use to reduce the risk of extreme damages and decrease your overall losses that may occur from click fraud.
1. Know your baseline metrics and keep a steady eye on your accounts.
Half the battle is simply paying attention. If you know what your account can reasonably expect from an ad platform — in terms of a successful campaign and an unsuccessful campaign — you’ll notice the outliers and examine them accordingly. And if you have an internal team, it could be worth reminding them of the danger of click fraud so it stays top of mind.
2. Keep an eye on your invalid click rates in Google and reach out to them if necessary.
Google has a sophisticated and active anti-fraud division, consisting of over 180 filters, a massive database of blacklisted IPs and URLs, and a devoted team designed to proactively reduce ad fraud. Their algorithm recognizes and flags suspicious user behavior based on pattern recognition and user behavior metrics.
While Google does a decent job of refunding you for invalid clicks, it’s smart to keep an eye on your invalid click rates within the Google Ads platform, and if you notice a big spike that hasn’t been resolved, you can flag that behavior and try to get their team involved.
3. Consider expanding your advertising budget beyond search engine ads.
Search engine ads like Google and Bing are fantastic, but if you haven’t expanded to other platforms and mediums such as direct affiliate marketing (e.g. Instagram), print media, direct mail, and event marketing, you should consider diversifying your efforts. You could also consider personalized opt-in value exchange ads with direct publisher relationships.
4. Analyze your existing traffic for issues.
If you’re a U.S.-based business that doesn’t ship internationally but is receiving a lot of traffic via your paid search from international cities, then consider restricting your ad campaigns or blocking certain regions.
5. Invest in SEO and content marketing to attract more organic traffic.
Paid advertising is a fantastic resource that should and can be used to spur growth and drive traffic, but you can also divest your marketing efforts to include organic efforts such as content marketing. These strategies take longer to see results from, but having organic traffic from blogging and other content efforts can do wonders for businesses and become evergreen sources of qualified traffic.
6. Check out your paid traffic referral URLs.
If you’re using Google Ads on the display network, hop in Google Analytics and check out where your paid traffic is coming from. Are the top sites legitimate? Are they relevant? If the sites are full of small, scammy-looking referral sites, then that’s a sign of fraud.
7. Use click fraud protection services.
There are many companies that specialize in ad fraud reduction, but these are only worth the investment if you have a significant ad budget. They use automated detection systems and proprietary algorithms to analyze traffic and spot ad fraud.
8. Make sure your tracking is airtight.
Regardless of ad fraud, if you can trust with absolute certainty the effectiveness of your return of ad spend based on sound metrics between your ad platform and your payment software, then you can make smarter decisions around your marketing decisions. It can be tempting to blame ad fraud for a bad ROAS (return on ad spend), but the ecosystem is still plenty healthy enough to make great profits from smart digital advertising. In short, don’t immediately blame ad fraud for bad campaign results.
9. Analyze your traffic’s IP addresses.
Some fraud attacks come in groups of similar IP addresses. Look for high rates of click actions but low rates of conversion actions and exclude them with filters.
10. Exclude hours with fraudulent spikes from your targeting.
It’s possible that a click farm is paying people to click on ads, and you could be a victim of those at specific hours during the day. If you notice at 2:00 AM a burst of expensive, low-converting traffic, then utilize an ad schedule and remove that time slot from your campaign.
The bottom line? There is only so much you can do.
With the ability of bad-faith actors to create proxy servers, set up legitimate ISPs that bypass all known browser fingerprinting, etc., it’s virtually impossible to stop entirely these days. Your best is to use a combination of the strategies above and accept some degree of ad fraud into your natural costs of digital advertising.
The Future of Advertising
How can we move beyond a flawed advertising ecosystem?
To go beyond ad fraud, we must fundamentally reimagine our existing digital ad systems. The ideal ecosystem puts user data in the hands of people and operates on a completely opt-in basis. Furthermore, blockchain technology enables users to receive compensation upon verified ad impressions. This eliminates malpractice, rewards honest, innovative brands, and transfers control and financial value from tech giants back to users.
That’s exactly what we’re building.
See how Permission.io is fundamentally restructuring how we interact with digital ads.
Originally published at https://permission.io on October 6, 2020.