How can I stop click fraud?
In this article, you’ll learn exactly what fraud click is, how to identify the most common types of click fraud, and five preventative measures you can take to protect your ad budget.
As it’s interwoven with this topic I will also focus on non-fraudulent clicks that negatively affect ROAS.
I will try to explain why click fraud is so hard to stop and why it’s an easy revenue stream for organised crime gangs.
I’ll outline the latest strategies businesses are using to protect their ad campaigns from fraudulent clicks, including bot clicks.
Lastly, I will discuss briefly what options are available to help you stop invalid clicks, and to find the right balance between protecting your ad campaigns from click fraud and blocking potential buyers from seeing your ads.
It’s important to discuss ad fraud because according to the World Federation of Advertisers (WFA), the leading global trade body for advertisers, marketing spend lost to advertising fraud is estimated to reach US$50 billion annually by 2025.
Though without proper preventative measures put in place, experts predict that advertising fraud revenues could reach US$150 billion a year.
Fraudulent versus invalid clicks
Google combines unintentional clicks and fraudulent clicks under “invalid clicks.” Here are some examples of invalid clicks: Accidental clicks, for example, when someone double-clicks on an ad.
Then there are clicks and impressions by automated tools or manual clicks intended to increase someone’s advertising costs or stop their advertising.
Along with clicks and impressions by automated tools or manual clicks intended to increase profits for website owners hosting your ads.
The latter two are examples of click fraud, an interaction between a user and a PPC ad with the goal of profiting from charges made to marketers.
Who is responsible for click fraud?
Sometimes people, not click bots, are behind click fraud.
The following sections describe the most common causes of small-scale click fraud attacks.
In these cases, it’s usually not too hard to identify the perpetrators, since they are not very sophisticated, and can be identified by their behavior, IP address, or both.
Competitor click fraud
It has happened that in saturated markets, competitors resort to click fraud to get one over on their rivals.
By repeatedly clicking on competitors’ ads, they harm a company’s PPC budget and prevent potential customers from seeing those ads.
It’s easy to commit this type of fraud. Unless your campaign is set up with the appropriate control against such attacks, a pay-per-click ad will show until its daily budget runs out.
Knowing this, competitors can click your ads repeatedly from a single device, or go one step further and hire third parties to coordinate hundreds of clicks across multiple devices.
How can I stop competitors clicking AdWords?
You can stop competitors clicking adwords by going into your AdWords account and click on a Campaign.
Once inside your AdWords Campaign, click on the Settings tab at the top.
Scroll down to the bottom of the page and underneath Advance Settings, you’ll see a drop-down title called IP Exclusions.
Now type or copy and paste the IP addresses that you want to block in the text field.
Unfortunately each IP address needs to be on a separate line.
Can publishers perform click fraud?
Digital ad fraud does not always come from outside hackers, sometimes it comes from unethical publishers looking to charge advertisers for fake traffic.
Many of these dishonest webpages employ the same click bot methods as outside hackers, but others rely on invisible or hidden ads.
A publisher might charge for an ad that they then only display in a tiny window, which is invisible to a website visitor.
They may also stack multiple ads on top of each other so only one can be seen. Some publishers even display the ads on fraudulent websites, then redirect ad calls so the advertiser sees legitimate sites rather than the fraudulent ones.
Are dissatisfied customers clicking my ads?
Some unhappy customers write bad reviews online, some decide to repeatedly click on the ads for a particular company.
This is the digital equivalent of smashing a car window. It’s annoying and it’s expensive, but it can be easily prevented if you take precautions.
Nevertheless, compared to cybercriminals or click fraud service, disgruntled click fraudsters make up just a tiny fraction of the problem of click fraud.
Organised PPC click fraud
According to the report by the WFA, organized crime members and other criminals are attracted to ad fraud because it offers high payouts at lower risk with relatively little effort since law enforcement is not technologically equipped to regulate the online ad space.
You might remember the case of the group of Russian hackers that made between $3 million and $5 million a day back in 2016, in a bold attack on the advertising industry.
The so-called AFK13, invested heavily in a bot farm, taking up space in data centers so they could manipulate fake traffic from more than 570,000 bots, driving revenue thanks to the pay per click system they exploited.
These bots “watched” as many as 300 million video ads a day, with an average payout of $13.04 per thousand faked views. And the fraudsters ordered their bot army to replicate the actions of real people, with fake clicks and mouse movements.
Unfortunately for advertisers, criminals using adwords bots can avoid detection because the clicks they are programmed to perform will come from a range of regular machines with legitimate IP addresses.
To detect bots, you’ll need to set up advanced behavior data tracking.
Malware and click fraud
This requires a special mention. Click fraud from malware is a growing problem and one that the industry is scrambling to understand and prevent.
Malware is usually a software program such as a web browser extension or app which is infected with a bot, virus or other software infection.
Once on a device, malware can be used remotely to carry out coordinated botnet attacks (also known as a denial of service or DDoS), ransomware attacks, crypto mining, data theft and click fraud.
In 2020 alone, there were several click fraud malware cases, including Tekya. Indeed, during the Coronavirus pandemic, there has been a surge in mobile click fraud.
This type of click fraud often uses click injection, or click spamming, to carry out its fraudulent activity.
What this means is that the software will have an inbuilt bot that clicks away in the background on hidden ads, embedded ads, or can even be used to visit external websites to view those ads too.
Non-fraudulent clicks that affect ad performance
There are also cases when clicks are not done in bad faith.
But still adversely affect advertising spend, because there is no intent to purchase the advertised product or service.
However, they are not accidental, since people click on the placement ads to get to your website.
3 examples of clicks that fall into this category:
- Clicks from people who are just browsing, but click on ads anyway aka window shoppers
- Clicks from existing customers who click on ads to get to your website
- Clicks from outside of your targeted location
Window shoppers
Window shoppers will often conduct multiple web searches and click on numerous ads without ever making a purchase.
This may not be alarming for companies that bid on low cost-per-click campaigns, but companies running high cost-per-click campaigns will want to prevent window shoppers from driving up their acq cost.
By tracking visitor behavior and conversions after an ad click you can distinguish between good and bad traffic and exclude sources with low-quality interactions.
If certain actors seem to arrive from a certain URL it might be worth adding this to your Google ads placement exclusion list.
Existing customers
This refers to customers who, for example, search for say ‘Adidas’ and click on a brand ad to get to the website.
Blocking ads after conversion might make sense to avoid incurring this type of expenses.
As with the above example, if existing customers are repeatedly arriving from a certain URL you can include this website in your placement exclusion list.
Clicks outside selected geolocations
As we mentioned above, cybercriminals often use VPNs and proxies to mask their location.
Often, proxies are used by regular people concerned about their online privacy or who are trying to bypass internet censorship in certain regions.
VPNs are often used to access region-restricted sites as well.
If searches are scattered and naturally distributed, then these are likely regular VPN or proxy server users.
However, regardless of user intention, most proxy clicks affect the accuracy of your ad campaign reports, with proxied IP addresses, generated ad impressions will be based on false location and network data.
Is your industry at risk of click fraud?
There are two criteria that establish the likelihood that an industry will be affected by AdWords fraud are:
- The amount of online traffic
- The cost-per-click of relevant keywords
Thus the following industries are at risk: finance, family, and food. These three industries encompass a wide variety of sub-industries, including business services, banking, retail, hospitality, healthcare, and food manufacturing.
Stop AdWords click fraud
As if invalid clicks depleting your ad budget are not bad enough, fraudulent clicks make it almost impossible to tell how effective ad campaigns are.
Google AdWords fraud affects businesses in two additional ways:
- Distorted campaign metrics
- Wasted time and effort for internal teams
Running campaigns in the dark because of misleading metrics
When clicks and overall traffic data comes from invalid sources, performance metrics are effectively worthless.
Without knowing the source of each click, it’s easy to assume that a campaign failed because it didn’t have the right structure, content or an insufficient budget.
But very often ad campaigns fail because click fraud prevented the ads from reaching genuine customers.
When campaign optimization is based on guesswork or inaccurate data, marketers might end up spending time on tasks with little or no return.
For example, they may decide to start optimizing high-traffic, low-performance campaigns in the hope of improving conversion rates, instead of solving the root cause of the problem: fraudulent clicks distorting campaign results.
Wasted resources
In addition to distorting ad campaign metrics, fraudulent clicks can lead your team to focus on non-revenue generating activities.
For example, your sales team may end up pursuing bogus prospects acquired through click bot traffic designed to mimic user behavior by filling out lead forms.
5 Tips to stop click fraud
For now, you can’t eliminate the risk of PPC fraud. However, you can diminish the chance that it will destroy your advertising campaign. Here are five tips to stop AdWords click fraud.
1. Set different bid prices for content-targeted sites
Reduce your financial risk by controlling the amount you are prepared to pay per click. Limit your exposure by placing caps on your placement of ads on “just any” website relevant to your keywords.
2. Only advertise in specific countries
Less economically developed nations sometimes employ people for the sole purpose of clicking on advertisements.
Don’t run ads in countries where you run the risk of sabotage.
If you’re planning to run a global remarketing initiative through the GDN, make sure you use both positive and negative location targets.
Ad impressions may be limited and the manual geo-targeting setup will take longer, but you should get better quality traffic that’s actually worth buying.
3. Target high-value sites for your ads
As discussed in previous articles, it’s essential that you only place Google ad placements on websites that are high quality and that have the highest chance of a purchase.
Certain low-quality sites are vulnerable to click fraud. A person or a bot may be clicking your ad on these sites to boost the owner’s PPC revenues.
Google allows you to set up ad campaigns that only run ads on the sites you specify, thereby avoiding sites where unethical revenue-generation may occur.
4. Detect click fraud
Detecting click fraud is a challenge. You could attempt to classify invalid click-detection methods under three categories, according to a paper by Nir Kshetri, titled The Economics of Click Fraud.
The first, an anomaly-based approach, considers invalid clicks to be those that deviate significantly from normal predicted behaviors.
To detect this you need to analyze offline data in aggregate for day-to-day activities to record normal behaviors and derive a model (ok not such an easy option).
Instead of defining an invalid click, this approach seeks to define what a normal click is and then determines whether other clicks have a statistically significant deviation from the norm.
However, determining what normal is and how much deviation is significant, poses a problem.
The second rule-based approach uses heuristics to classify valid and invalid clicks based on specific conditions.
For instance, “if two successive clicks occur,” said Kshetri.
“Then the second click is likely to be an invalid one.”
PPC providers can implement session tracking to track a series of requests from the same user across a given period.
If a rule considers a click to be valid, then the click is justifiable if the rule demonstrates that it can occur by means that aren’t prohibited, for example, the click wasn’t generated using bots or a publisher didn’t click on Google’s Ads on his website or has a positive probability of conversion.
Last, “the classifier-based approach is purely operational and employs data mining classifier labels to detect invalid clicks,” reported Kshetri in his publication.
This approach is based on the assumption that past clicking behaviors predict future clicking behaviors.
It carries out this labeling on the basis of past data about valid and invalid click activities.
The approach assumes that an advertiser has past data, which classifies a click as valid or invalid with a certain level of confidence and doesn’t consider the properties of valid or invalid clicks discussed in the previous approaches.
5. Get click fraud prevention software
One of the first lines of defence against click fraud is a comprehensive Google Ads placement exclusion list(s)
This is a list that is added to your Google Ads account before you launch a new campaign.
It will block any URL that you know to be low performing for your ads.
AdShield has just released a click fraud prevention software that works by
- Analyzing billions of placements and click-behavior
- Combining placement data with data on user behavior on the landing page of the advertiser, focusing on conversions/events
- Automatically pre-blocking low-quality websites and apps from your Google AdWords campaigns.
- Directly uploading to your Google Ads account
The click fraud prevention software reveals placement performance for a vast array of advertisers and URLs.
AdShield also maintains vertical-specific exclusion lists.
These lists are updated daily, with new poor performing placements added to different exclusion lists.
Final thoughts
As the digital advertising industry continues to grow, so too will PPC scams.
A savvy business will need to deploy several preventative measures to protect its advertising spend.
To avoid cost per acquisition spiralling, a business will have to get highly targeted with its advertising.
Allowing the Google Display Network to choose where it will show your ad placements without close monitoring and setting parameters is a recipe for wasted advertising dollars.
With the developing sophistication of criminal enterprises, who see click fraud as a bank with no security, advertisers will need to think carefully about how they want to protect their ad campaigns.
There is no way to eliminate all misfiring ads, but you block thousands of wasted URLs and avoid websites that are sinkholes for marketing budgets.