Ever since the mechanics behind ad tech (and digital marketing in general) became effective enough to be considered a reliable source of revenue, there was an issue of shady people getting into it with malicious intent and trying to make use of it the other way around.
Every year, various types of ad fraud eat up large chunks of profits. While the resistance against ad fraud is pushing back, fraudsters are keen to up the game and stakes, and it seems unlikely that ad fraud will ever go away completely. But it gets a hell of a fight.
One type of ad fraud is more common than the rest: click fraud. And while there are many click fraud software options that prevent harm, it's better to keep ourselves informed on the matter.
What is click fraud?
Click fraud is a type of ad fraud that exploits the pay-per-click revenue model by accumulating the number of clicks on ad content in a variety of ways in order to extort additional monetary benefits from advertisers.
Click fraud is one of the most basic types of ad fraud that is commonly used throughout various segments of the industry. Companies that spend upwards of $10,000 per month on Google Ads are estimated to be losing around $15,000 each year to click fraud.
The reason behind click fraud is simple – the pay-per-click model is widely used in the advertising industry, and it is relatively easy to manipulate. It's seen that on paid search campaigns, an average of 14% of clicksare attributed to click fraud.
How click fraud works
In a pay-per-click model, advertisers pay publishers for clicks on their ads. The cost-per-click ratio (the price of the click) depends on the overall performance of an ad's content on a particular ad space calculated through a click-through rate.
Overall, it is an excellent and simple way of generating revenue. Advertisers find publishers through ad networks like Google, whose platforms are relevant to advertisers' target audiences, and put their ads there, expecting the audiences' reactions in the form of clicks. That’s where the click fraud comes in. The key is in the very model itself – it is based on easy-to-rig metrics built around clicks.
Unlike conversions or other on-site actions, clicks are abstract signifiers of an action on a particular piece of content that happened and may or may not lead to further developments regarding conversions. Because of that, clicks are easy to simulate.
It is worth noting that click fraud is much more common on mobile than on desktop environments.
Who is behind click fraud?
There are usually two types of people behind click fraud: competitors and publishers/affiliates.
Competitor click fraud
Competitors are driven by a desire to make ad tech marketing campaigns go south and lose as much money as possible. Competitor click fraud is specifically designed to derail your operation.
Usually, competitor click fraud is more of a blunt instrument than a sophisticated system. It can be sneak sabotage or a thunderous statement. Either way, its goal is more about inflicting damage than squeezing money out of the campaign’s budget.
Publisher and affiliate click fraud
Publisher/affiliate click fraud is a much more complicated beast. In this case, the fraudsters are parasitizing the working system. Their purpose is to siphon as much money as possible without being noticed and blocked out.
Because publishers and affiliates are paid for clicks on an ad, they are interested in keeping the number of clicks high. This is achieved by mixing the actual click flow with the simulated one.
Publisher-related click fraud usually operates at a different scale – which is smaller action-wise, but much more significant in terms of losses, due to being aimed at long-term operation.
Competitor publisher click fraud
The difference from the other types is that this type is aimed at publishers and designed to discredit their platforms. The end purpose of competitor publisher click fraud is to kick the competitor off the ad service due to bad bot traffic.
Types of click fraud
Overall, there are two big categories of click fraud: manual and automated.
Manual click fraud
Manual click fraud is simple. It usually involves the fraudulent party hiring real people to perform clicks on specific ads to bloat the performance figures and receive a bigger revenue cut. It can bring certain results but is nowhere near as efficient as an automated operation.
The extreme form of manual click fraud is so-called click farms that involve big numbers of people clicking on ads all day long.
This type of click fraud might also be well-intentioned, as many publishers use a tactic known as, “Support our website by clicking on ads.” However, these clicks are still ineffectual to a campaign's cause and must be dismissed.
Another type of manual click fraud is forced clicks, where the users are forced to click on ads because they will otherwise be unable to proceed on-site.
Automatic click fraud
Automatic click fraud involves the creation and maintenance of networks of bots designed to perform certain sequences of actions that result in clicks being registered by the systems as legitimate events.
What are bots?
Bots are automated scripts acting as users. In order to maintain a legitimate presence and unique IP address, bot activity comes from devices infected with malware viruses. The infection comes from sneaking malicious software into devices by deception and obfuscation under the guise of legitimate software applications. In the meantime, users are blissfully unaware of what is going on.
Automatic click fraud can be further specified with the following subcategories:
Bot traffic: Bots go on targeted websites and create fake impressions. This automated ad traffic allows fraudsters to collect money for non-existing impressions as if they were real. This type of click fraud is really hard to spot, due to unique IP addresses that make every bot look unrelated. However, their activity can be visible later, as there is nothing beyond those imitated impressions.
Click flooding: In this case, bots go on a particular ad and produce an immense number of clicks. This, in turn, derails analytics and seriously undermines the performance results of a campaign. These days, flooding is more frequently used by competitors to discredit their targets and damage their reputations as viable partners.
Cookie stuffing: This tactic is often used in affiliate marketing schemes. Upon sending users onward to affiliate links, multiple third-party cookies are gathered in hopes of bloating the results. Fake cookies come from auxiliary elements of websites (i.e. scripts, pop-ups, and embedded elements such as images).
Toolbar injection: Users install a browser plugin that seems to be a legitimate tool. However, in actuality, there is a sneak piece of malware. This malware manipulates the page code and inserts different ad content (usually a pop-up, most commonly pop-up videos). This drives away clicks to the different advertisers.
Install hijacking/click injection: This type of click fraud is targeted at the attribution of an application installation. It is done through the sneak install of a fraud app disguised as a real one. When the other apps are installed, the fraud app overtakes tracking codes and attributes these installs as one that occurred because of it.
Device ID resetting: This technique is used on device farms with multiple devices. The scheme looks like this: the device downloads an app and clicks on real ads (via script). After that, the device is reset. This goes on again and again. In addition to that, there are also IP-address switches involved to gain the legitimacy of the act.
How to prevent click fraud
The following list of techniques can be helpful in identifying and fighting against click fraud.
Ad Verification is one of the primary tools in keeping ad fraud (click fraud in particular) out of the gate. In a way, it is something of a double fail-safe tool. Basically, it helps to identify cracks in your anti-ad fraud armor.
Ad verification vendors provide performance insights with a variety of metrics, such as viewability and invalid traffic. (The nature of the metrics depends on the specification of the particular campaign.)
With assistance from these tools, you can shut down low-quality publishers and suspicious websites and perform a thorough campaign audit, which can be used in the optimization of a campaign.
Use trusted platforms and check backgrounds
The other way of avoiding the threat of getting under the click fraud attack is through cooperation with trusted advertising platforms with a good track record for being nice and clean in ad tech operations.
In essence, this approach limits the operation to big and established companies like Google, Facebook, Bing, and DoubleClick. However, it adds more certainty about where your ad budget is going and much more confidence in the fact that your ad campaign performance results are plausible and depict real situations.
Honeypots are one of the most effective ways of neutering click bots and exposing the networks behind them.
Here’s how they work. Ad servers use special ads that are not actually ads, but bluffs indistinguishable from the human user.
If a bot happens upon them and takes action, the honeypot sticks with it and does its thing, exposing the bot, and leading to its IP being blocked.
Maintain a blacklist
Keeping an assorted collection of blacklisted IP addresses seems to be a natural reaction toward detected click fraud activity. Maintaining a Blacklist is one of the most consistent ways to contribute to the click fraud neutering cause. It works for suspicious IP addresses, device IDs, and spotted bot signatures.
Blacklists may contain websites, IPs, and device IDs that are considered discredited with various types of fraud spotted.
While this technique works after the fact, it helps to prevent further damage from the exposed IPs and IDs.
Constant metric audit
Metrics are tricky. In order to depict the actual state of things, you need to constantly check metric accuracy and compare the results with several sources. It is never a bad thing to double-check.
When things are put into perspective, it is easier to identify where the trouble starts and take action before lasting damage is done.
Here’s a list of common suspicious activity. These patterns are definite signs of something wrong going on:
A campaign registers unnaturally high click-through rates.
The traffic rates of PPC-enabled pages are drastically higher in comparison with the rest of the website.
There are spikes of activity and suspicious traffic swells at unnatural times for the selected region.
There are high bounce rates, short session times, and minimum time on site.
Switch to more efficient models
Let’s face it – the pay-per-click model is not the most efficient way of doing digital advertising.
While it provides a clear-cut revenue scheme, this model is very fraud-prone. The thing is, clicks are merely abstract signifiers of a particular type of event happening on a specific piece of ad content. On their own, they don’t mean much. What really matters is what happens after the click – whether the conversion occurs, the product is purchased, or an application is downloaded.
Because of that, instead of constantly fighting off various threats and diving deep into stats in order to recognize the bad stuff, it's more reasonable to switch from a pay-per-click to a more tangible model.
The most viable option is cost-per-action. This model takes things a step further. Instead of paying for clicks, advertisers pay for actions that occur on an advertiser's platform after the click (i.e. registering, downloading something, or filling out a form).
While no models are fraud-proof, cost-per-action provides more tangible metrics that keep fraudulent activity out of the equation and pay only for relevant results.
Adjust targeting operation
If click fraud episodes occur frequently and there are clear tendencies regarding which elements of ad content are affected, it means you need to take more strategic action. You need to readjust your targeting and shift focus to more reliable audience segments.
One of the reasons why click fraud is enabled is insufficient targeting that includes suspicious and unreliable audience segments from problematic geographic regions where click farms are usually situated.
In order to take them out of the equation, make a couple of tweaks in your campaign settings and exclude certain regions and languages from the targeting operation. This can go as far as to block specific cities and zip codes.
Targeting adjustment is often combined with maintaining the IP, ID, and bot blacklists previously covered.
Best click fraud software
So we know that detecting and preventing click fraud is crucial to cut losses. But how do we label software as click fraud software?
To qualify for inclusion in the Click Fraud category, a product must:
Gather data across sources in order to identify and warn advertisers of click fraud activity
Offer dashboards and controls to monitor PPC fraud.
* Below are the top five leading click fraud software solutions from G2’s Fall 2022 Grid® Report. Some reviews may be edited for clarity.
AppsFlyer is the top-voted choice for professionals who are seeking innovative, privacy-preserving fraud protection. It aims to provide exceptional experiences to its customers while upholding their privacy.
What users like: "The USP of Appsflyer is that it is very user-friendly for the Marketeers and affiliates. Regarding the data, the reports and dispositions are very apt and easy to understand. Another plus point is the support system of Appsflyer. It is very swift and helpful."
CHEQ ClickCease is a click fraud detection, prevention, and protection service software. ClickCease offers real-time campaign monitoring to make sure the bad bots don't bite.
What users like: "We highly value ClickCease as a tool for our agency's clients. Especially the clients that face very high CPCs and great competition save a lot of money by filtering out clicks from irrelevant traffic sources. We as an agency also value the personal support and assistance from the ClickCease team"
What users dislike: "I would love to see an option to apply settings across the whole account as well as individually per campaign. Also, if the average CPC could be pulled in automatically from Google Ads, that would be a great time saver. The option to block/allow certain regions/counties, as well as countries, would be fantastic."
CHEQ Paradome helps you recognize and fight fake traffic, and protects your CPCs from wrecking your budget. Paradome is designed as a cybersecurity platform specifically for marketers.
What users like: "Real-time click fraud and spam blocker protection. Great if you do a lot of paid campaigns on various platforms such as Google Ads/Display/Bing. It also monitors organic fraudulent traffic as well."
You can monitor click fraud and traffic activity in real time with Lunio. This software is great for filtering out click fraud activity based on the data it collects.
What users like: "Lunio helps manage click fraud for our clients' Google Ads accounts and is effective. Clients love the added benefits that our agency is able to provide by using Lunio and the customer service is top tier with our answers being addressed quickly."
Singular provides marketers with a birds-eye view of marketing ROI and traffic data, along with amazing fraud protection.
What users like: "The experience with Singular has been excellent. Starting from their customer support which has been very helpful during the onboarding process to the perfect integration they have with all services and all these at a correct price. If you are looking for a partner that delivers high-quality attribution and a complete view of all your ad data, look no more."
Click fraud is one of the more elaborate types of ad fraud out there. It exploits unsuspecting users and, as a result, manages to wreak havoc on marketing campaigns with significant losses.
One of the key things to remember about click fraud is that it isn’t going away. It is one of those things that will always turn up one way or another, but that doesn’t mean you have to kneel before it. Quite the opposite, actually.
If you apply a set of the aforementioned techniques, the impact of click fraud on you will be significantly lessened and, in some cases, even neutered.
Want to know more about keeping your organization's data safe? Read more on how encryption is a must-have in today's digital landscape.
Catch the phish before it bites
Keep phishing attempts at bay with email anti-spam software.
Volodymyr Bilyk is a content marketing manager at The APP Solutions. He likes to explore and explain the hows, whats, and whys of the world of technology, and he can't live without challenging himself to know more. He moonlights as a fiction writer and explorer of the further regions of language. His most recent book is entitled, "Roadrage."
Catch the phish before it bites
Keep phishing attempts at bay with email anti-spam software.