What Is Click Fraud? A Look Into the $44 Billion Industry of Fake Clicks
How do you explain to your team that 1 in 4 clicks on your PPC ads are fake?
And these fake clicks generate a staggering $44 billion annually to the perpetrators?
These numbers at first look exaggerated until you speak with advertisers about fake clicks draining their respective ad budgets.
Let’s look at the Global Click Fraud Report:
- Small to medium enterprises (SMEs) lose an average of $14,900 annually to click fraud.
- Digital agencies lose an average of $207,000 to click fraud annually.
- SMEs + businesses with $10m annual turnover lost $705,000 to click fraud every year.
This begs the question: will it ever end?
No. Click fraud isn't stopping anytime soon; it's actually increasing. Recent stats show a bump from a $35 billion loss in 2021 to $44 billion in 2022.
So, what do you do if you have no option but to run ads? Learn about click fraud and understand the ways in which you can protect your ads.
Here’s all you'll need to know about click fraud, plus resources to ensure an effective ad-budget spend.
What is Click Fraud?
Click fraud is a type of online advertising fraud that involves the fraudulent clicking of PPC ads with the intent of generating fake impressions and charges to advertisers.
Click fraud can also be called pay-per-click fraud or invalid clicks—because they don't convert into actual value for the advertiser.
PPC stands for pay-per-click, a form of online advertising where advertisers are charged based on the number of clicks on their display ads. The concept behind click fraud rests on that same number of clicks.
In other words, click fraud is only possible when there are many invalid clicks on an advertiser's PPC ads.
Click fraud is fuelled by 3 motives.
- Publishers looking to defraud advertisers by clicking on ads on their websites.
- Competitors looking to crash advertisers’ ads.
- Click farms practicing ad fraud for monetary gains.
Project 3ve is a good example of a huge click fraud operation that took its toll on the ad industry.
The operation had a record of clicking between 3 billion and 12 billion ads daily at its peak, resulting in advertisers paying $29 million for ads no human ever saw or interacted with.
“We estimate that 3ve generated between 3 billion and 12 billion or more daily ad bid requests at its peak.”
According to Google,
"We started referring to the bot operation as 3ve because our analysis suggested that it was composed of three distinct sub-operations, all of which shared certain similarities but which were specifically designed to commit different kinds of ad fraud."
If we go back to 2006, we see Google fall victim to a class-action lawsuit resulting in a $90 million settlement to Lane’s Gift & Collectibles. Yahoo led the pack when they settled a $4.5 million class-action lawsuit in 2005.
We could argue that all this is in the past, and that sophisticated technological advances made in the past decade prevent scenarios like this. However, those advances have also increased the number of fraudsters and made them better at masking their identity.
The FBI confirms this with the rate of click-fraud activity increasing daily by 75%.
Additionally, reports from PPC Protect show the increase in click-fraud rates since the pandemic, with four significant findings.
- 11% of all search clicks are fraudulent.
- 36% of all display clicks are fraudulent.
- 17% of all CTV impressions are fraudulent.
- Only 13% of customers had little to no fraudulent activity.
And how much do companies lose to click fraud at rates like these? In a study by PPC Shield, the top 20 PPC ad spenders in Fortune 500 companies spent an average of $3,468,676,319 on PPC ads.
That’s approximately $3.5 billion spent on ads alone. If we work with a rough assumption of 14% click fraud in all online ads, it will result in a $485 million loss for the top 20 companies alone.
That’s $15 million shy of half a billion lost to fraudsters alone. A major issue like this leads us to break down exactly how click fraud works.
How Does Click Fraud Work?
Click fraud occurs when malicious web visitors excessively click on advertisers’ ads without any real intent of engagement.
Depending on the fraudster, click fraud is either automated via bots or carried out by multiple individuals clicking on the intended ad; in the latter case, you have an attack from a click farm.
The process is the same with one goal: to trick the system into thinking you’re a real human looking to purchase a product/service.
Fraudsters have numerous resources for achieving this goal; a popular example is click farms.
Click farms are run by people or bots who click on ads online but have little to no engagement.
Instagram advertisers had their share of online ad fraud in late 2020 when VPN Mentor discovered a click farm in Kazakhstan, Central Asia, was running over 10,000 fake Instagram accounts.
The fraudsters behind this created profiles and rerouted them behind proxies to mask their original location. Each of these accounts will publish posts, view others' posts, follow, react, and engage with profiles.
VPN Mentor, in their discovery, reported the incident to the parent company, Facebook. After this discovery, all 10,000 accounts were deactivated from Instagram. There's no record if any of these accounts had the chance to attack an Instagram ad as it was discovered in its early stage.
Still, it's good to entertain the argument that click fraud was its primary intent in the long run.
How Do You Discover Fake Clicks?
Single clicks will most likely not be noticed by the advertiser or publisher, but you'll see immediately when there's a spike. In 8 out of 10 examples, click fraud manifests as a sudden traffic spike.
And in rare cases, the traffic will blend in with your regular traffic. It gets worse when fraudsters reroute traffic IP addresses via different servers in different countries, making it hard for you to track and detect them as fake.
However, click-fraud activity is discovered through bounce rates and overall impressions.
If you notice a sharp traffic spike resulting in a 100% (or close) bounce rate with poor impressions or engagement, then you experienced a click-fraud attack.
A user in Webmasters’ forum had the same experience with a spike in traffic from India lasting about 30 minutes several times per day.
We found a solution from another user, Martin.
And while a solution like Cloudflare Bot Management is a good option, it’s limited in its capabilities to prevent this 100% of the time. Your best option is using a dedicated online fraud solution focused on programmatic advertising and monitoring ad fraud contributors.
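The spike-plus-bounce-rate check described in this section can be run over exported session data. The following is an added example, not code from the original article or from any vendor; the function names, the hourly window, the thresholds and the sample sessions are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

def build_sample():
    """Constructed sessions as (ad-click timestamp, pages viewed); not real data."""
    rows = []
    for hour in range(8, 14):          # ordinary traffic: 10 clicks/hour, 4 bounce
        for i in range(10):
            rows.append((f"2022-06-01T{hour:02d}:{i * 5:02d}:00", 1 if i < 4 else 3))
    for i in range(60):                # 11:00 burst: 60 clicks, every one bounces
        rows.append((f"2022-06-01T11:{i % 30:02d}:{i:02d}", 1))
    for i in range(40):                # 13:00 burst: 40 engaged visits (e.g. a promo)
        rows.append((f"2022-06-01T13:{i:02d}:30", 4))
    return rows

def flag_suspicious_windows(sessions, spike_factor=3.0, min_bounce_rate=0.9):
    """Flag hourly windows that are both a traffic spike and almost all bounces.

    A window is a spike when its click count is at least spike_factor times the
    median window. A session that viewed a single page counts as a bounce.
    Both thresholds are illustrative assumptions, not values from the article.
    """
    clicks = defaultdict(int)
    bounces = defaultdict(int)
    for timestamp, pages_viewed in sessions:
        window = datetime.fromisoformat(timestamp).strftime("%Y-%m-%d %H:00")
        clicks[window] += 1
        bounces[window] += int(pages_viewed <= 1)

    baseline = median(clicks.values())
    flagged = []
    for window in sorted(clicks):
        bounce_rate = bounces[window] / clicks[window]
        is_spike = clicks[window] >= spike_factor * baseline
        # A spike alone is not enough: engaged traffic (the 13:00 burst) passes.
        if is_spike and bounce_rate >= min_bounce_rate:
            flagged.append((window, clicks[window], round(bounce_rate, 2)))
    return flagged

if __name__ == "__main__":
    for window, count, rate in flag_suspicious_windows(build_sample()):
        print(f"{window}: {count} clicks, bounce rate {rate:.0%}")
```

Traffic that blends in with regular volume, as mentioned above, never crosses the spike threshold and will not be caught by this check.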
What Are The Sources of Click Fraud?
Several sources can be used to fake clicks on your ads. We'll divide them into two areas:
- Sources with high-volume clicks
- Sources with low-volume clicks
Sources With High-Volume Clicks
These sources are responsible for many of the biggest attacks on ad campaigns costing businesses millions in unrealised revenue.
We have click farms on the list again due to their impact on the click fraud activity discovered online. Whether powered by a bot or human, click farms are designed to click on ads multiple times. A popular click-fraud case is the raid of three Chinese nationals called “SA KAEO” in Thailand.
The three ran a click-farm operation using a sock puppet account to falsely boost page views on the social media platform WeChat. They did this by mounting hundreds of phones on metal frames and connecting them to computer monitors.
This is just one of several cases involving click farms and their operations.
We can link bad bots to click farms because their modes of operation are similar. Bad bots, in this case, will run malicious attacks on the publisher's website and take over the ads displayed.
That’s only a fraction of how detrimental these can be to advertisers. A report from Helpnet Security broke down the global traffic—in summary, it's safe to say bad bots are taking over.
39% of overall traffic is from bad bots, while 36% comes from humans, and good bots take the remaining 25%.
To make this worse, the traffic coming from bad bots isn't what you'd call traffic but, rather, attacks. With the amount of traffic bad bots account for, it’s not surprising to see how they fall under the click fraud category with high-volume clicks.
Think of botnets as a sophisticated network of bad bots run by a bot herder (fraudster). In this ring of bots, vulnerable devices of users are infected with malicious code. Depending on the bot herder, the code can infect other devices, then be used to attack.
These attacks can be replicated on ads simply by changing the intention behind the attack, like the Hyphbot attack on advertisers. Hyphbot was a botnet attack making 1.5 billion requests per day and generating fake traffic from 34,000 premium domains, including premium publishers and more than half a million URLs.
The Hyphbot botnet is massive, as it spans 14 different exchanges and SSPs with multiple devices infected in each network. Think of it as a bot nest filled in a maze of infected devices.
What about the financial aspect of this attack? In Adform's report, a typical gain to Hyphbot fraudsters and loss to advertisers ranges from $262,500 to $1,285,714 per day. You can see that the botnet attacks are business-crumbling if not prevented, controlled, and solved.
Sources With Low Volume Clicks
Sources with low volume clicks are filled with operators with little known capabilities for large-scale attacks. Though they don't yet have the capability for a large-scale attack, that doesn't mean they can't if the opportunity arises.
Competition is good to provide customers with options. But what do you do about vindictive advertising competitors costing you a loss in marketing revenue? Opt for a click-fraud solution, but understand how these competitors work.
Let’s start with this Quora question: "What is the most effective way to drain your competitors' AdWords budget?"
Sounds shocking, right? But users like Adam Treboutat argue it’s a common practice in digital marketing.
Quoting Adam, "This isn't click fraud. I have seen legitimate competitors try to exhaust our budget. Unfortunately, it is a common practice in Digital Marketing and one that many brands use.
"The number one way to exhaust a competitors' Adwords budget is to bid on the same keywords that your competitor is bidding on. This increases the competition for that keyword and forces your competitor to pay more money to stay in the auction. The downside to any competitor strategy is spending additional money to take them down. So you really need to weigh the benefits of exhausting a competitors' budget versus maximizing your own ROI."
We can assume that a large part of competitor click fraud works by bidding on similar keywords as competitors, then repeatedly clicking on their ads to exhaust them quickly.
We discovered it's so common that advertisers in the Google Ad forum hold regular discussions about it.
Users share their experiences on how competitor click fraud works and how it affects them.
Some users claim Google is quick to find competitor click fraud, but that also has its limits.
And on the other end, a user gave detailed information about how competitor click fraud affects the ad industry.
While this user's point is valid, it overlooks the option for a click-fraud detection company.
Click fraud detection is only a fraction of click fraud; prevention and security are necessary. That’s why we recommend opting for a click-fraud solution that fully secures you.
Invalid Clicks via Human Error
If someone visits Google and types in a keyword you're currently bidding on and mistakenly clicks on your ad then bounces back, the click is counted as an invalid click via human error.
This is because the click is likely unintentional. However, it's difficult to include this on the list of click-fraud sources because the number of clicks from these sources will be low or non-existent.
On the other hand, be cautious by monitoring clicks and impressions from different IP addresses to detect if it's actually via human error or an impending click-fraud attack.
Understanding these sources gives you a closer look into what running ads entails.
There’s more involved than simply creating an ad account—you must closely monitor it for best results.
How To Prevent Click Fraud
Preventing click fraud is how many companies are staying a step ahead of fraudsters. The latest reports from Prof. Cavazo, an economist at the University of Baltimore, and the cybersecurity firm, CHEQ, estimate the cost of click fraud will hit $46 billion in 2022.
With a staggering number like this, it’s obvious businesses already running or planning to run ads are at risk of draining their advertising budget with no ROI.
This makes click-fraud prevention a priority. Here are 5 ways to avoid click fraud.
1. Monitor Your Ads
Unfortunately, the era of plug-n-play has made most things difficult, and running ads is one of them. Google Ads, for example, gives you the freedom to get real-time analysis of how your ads are performing.
Since we’re talking about pay-per-click ads, focus on the ratio of clicks to conversions.
Knowing the average conversion rate of PPC ads and clicks per ad in your industry is helpful.
Let’s say you’re getting confusing numbers on your ads—a good example is a 78% CTR with a 0.03% conversion. With that number, there’s definitely a problem in your ads that needs immediate checking.
2. Set Up IP Restrictions
Depending on your ad's targeting, you'll be exposed to different traffic sources coming from countless IP addresses.
Some of these IPs will be good traffic, and some bad with a high probability of an attack if they notice your ad is vulnerable.
If you notice spikes in your traffic from specific sources or multiple sources simultaneously, then get it checked and verify its origin. If your investigation yields the traffic producing fake and invalid clicks, restrict these IPs immediately or block them from your domains and subdomains.
Here’s a snapshot from PPC Expo showing an IP excluded from an ad campaign.
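Steps 1 and 2 combine naturally: group clicks by source, compare clicks with conversions, and list the sources worth investigating for exclusion. This is an added example, not part of the original article; the function name, thresholds and /24 grouping are assumptions, and the click log is constructed from documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed click log: (source IPv4 address, converted?). The addresses come
# from the RFC 5737 documentation ranges and are not real traffic.
SAMPLE_CLICKS = (
    [("198.51.100.7", False)] * 25                        # one IP hammering the ad
    + [(f"203.0.113.{n}", False) for n in range(10, 40)]  # 30 IPs in one /24, 1 click each
    + [("192.0.2.10", True), ("192.0.2.11", False), ("192.0.2.80", False)]  # ordinary visitors
)

def exclusion_candidates(clicks, ip_threshold=20, subnet_threshold=20):
    """Return (single_ips, subnets) with many clicks and zero conversions.

    Thresholds are illustrative assumptions; tune them to the campaign's volume.
    The result is a list to investigate and verify, not an automatic blocklist.
    IPv4 only: the /24 grouping below is not meaningful for IPv6 sources.
    """
    ip_clicks, ip_conversions = Counter(), Counter()
    for ip, converted in clicks:
        ip_clicks[ip] += 1
        ip_conversions[ip] += int(converted)

    single_ips = {ip for ip, count in ip_clicks.items()
                  if count >= ip_threshold and ip_conversions[ip] == 0}

    # Second pass by /24: catches sources that rotate addresses so that no
    # single IP stands out on its own.
    net_clicks, net_conversions = Counter(), Counter()
    for ip, count in ip_clicks.items():
        if ip in single_ips:
            continue  # already listed individually; avoid over-blocking its /24
        network = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        net_clicks[network] += count
        net_conversions[network] += ip_conversions[ip]

    subnets = [net for net, count in net_clicks.items()
               if count >= subnet_threshold and net_conversions[net] == 0]
    return sorted(single_ips), sorted(subnets)

if __name__ == "__main__":
    ips, nets = exclusion_candidates(SAMPLE_CLICKS)
    print("IPs to review:", ips)
    print("Subnets to review:", nets)
```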
3. Set Time-Offs For Your Ads (Dayparting)
Regardless of how "good" your ads are, you shouldn't run them 24/7. Your ads don't convert the entire day, so only set them to run when they’re likely to convert.
This keeps your campaign objectives in line with your budget and lets you quickly see their activities.
A good technique to do this is called “dayparting,” which is a pay-per-click advertising technique that involves scheduling ads for certain days and times to effectively engage your target audience. This technique gives you the best possible conversions while still targeting the right audience.
Ad platforms such as Google and Facebook support dayparting, as they allow you to schedule your ads based on your ideal run time.
4. Switch to Click Fraud Solution Provider
Often, sophisticated click-fraud attacks are beyond your power, and no amount of DIY techniques will put an end to it.
That’s just an indicator of what’s to come when you compare stats showing how spam sites send 10-100 times more traffic to advertising exchanges than real sites.
How do you prevent 10-100 times your normal traffic—which in this case is fake traffic, from clicking on your ads?
Why Use Edgemesh?
Here’s how we work to protect your ads from invalid clicks. We understand click fraud as based on malicious intent masking under real traffic.
Our solution does an overview of your existing and incoming traffic to your ad and follows through with their interactions from beginning to end.
We use behavioral analysis and machine learning to track all incoming traffic to your website, including clicks, traffic sources, backend lookup, IP monitoring, etc.