But, let’s face it, your competitors are aiming for that prime spot too. And in the battle for that prime spot, many competitors are “playing dirty.” Competitors clicking on your Google ads is not something new. In fact, it falls under one of the most significant click fraud threats, constituting 17% of all click fraud.

In this blog article, we’re pulling back the curtain on the mysterious world of competitors clicking on your Google ads. Why they’re doing it and, most crucially, what you can do to steer your ad budget toward genuine users.

What is competitor click fraud?   

The definition of competitor click fraud can clearly explain why competitors click on your Google ads. Competitor click fraud is the practice of competitors clicking repeatedly on your Google ads.

These competitors might be the business’ employees, hired individuals, or even (and most often) automated bots on a mission to hurt the performance of your ads. Later in the article, we will review the methods they use and who’s involved in delivering these clicks.              

Now, let’s focus on what motivates them to cause damage to your ads.  

Why are competitors clicking on your Google ads?     

The end goal of the competitors clicking on your Google ads is simple. They aim to improve their ad performance and effectiveness in one way or another, by any means possible.      

As we mentioned earlier, every marketer’s goal is to see their search ad in the top position, receive more impressions and clicks, or boost website traffic from display ads. Clicking on your ads helps them achieve this in two ways:   

By gathering information about your ads

Competitors might click on your ads to gather valuable insights about your advertising strategy. By analyzing your ad copy, targeting options, and keywords, they can adjust and improve their own campaigns. 

These type of clicks can be considered as a “fair-play” competitive analysis and is not actually fraudulent. However, you should be aware that your ad performance data may indirectly contribute to improving their advertising efforts.        

By draining your ad budget 

And this is the malicious intent behind competitors clicking on your ads that you should be worried about.   

It’s an unethical and unfair strategy where your competitors aim to outperform your ad for the same keywords. And to do this, they don’t just click once or twice a day on your ad. Instead, they repeatedly click on it and can do this for the same or different keywords.   

This practice can rapidly use up your budget, and boom, out of nowhere, their ad will gain an advantage over yours. They can rank better for the same keyword/s and have a higher potential to reach the targeted audience.  

If you want to avoid being that kind of a competitor, read this guide on how to create your perfect (and non-malicious) PPC strategy.

Now, let’s take a closer look at what happens when your ads are targeted with malicious competitors’ clicks. 

How does it impact your advertising budget and campaign performance?   

The number one rule in PPC advertising is that every time someone clicks on your ad, you end up paying for it. You know this, your competitors know this, and when they click on your ad, they know that part of your budget is spent for… nothing.    

Click by click, your campaign budget is gone, and the lifetime of your ad is shortened. And it should be all good as long as this budget is allocated toward potential customers.

But unfortunately, competitors (or the bad bots they’ve hired) are landing on your website or ads. These aren’t the types of ad clicks that bring value. They are not here to learn more about your business or purchase your product or service. Their task is finished as soon as they click your ad.

You’re not just spending your ad budget faster due to these clicks. Your overall campaign performance is decreasing, your ad exposure to real potential customers is limited, and your return on investment (ROI) is decreased.    

Moreover, the fake clicks delivered by competitors pollute your analytics. If you don’t detect this skewed data in time, it will impact your long-term decision-making for both marketing and broader business strategies. 

To summarize, here are the negative effects you’re likely to experience from malicious competitor clicks:  

• Wasted ad budget
• Shortened ad lifespan
• Decreased campaign performance
• Lower ROI (return on investment)
• Polluted analytics
• Affected long-term decision-making

The methods they use   

In general, there are two main methods of how competitors deliver clicks on your Google ads.

1. Manual human clicks 

The first thing that might come to your mind is your competitors or their employees sitting at their desks and deviously clicking on your Google ads. And you’re right; in its most basic form, competitor click form happens when competitors or their employees simply click on your ads manually. 

Another variation involves competitors hiring people (usually workers in click farms) paid to click on ads. This advanced form of manual competitor click fraud is more challenging to detect, as these clickers and click farms employ a combination of techniques, such as VPNs and proxies, to hide their location and IP addresses, making detection more difficult. 

Learn more about click farms and how they contribute to competitor click fraud in this article.

2. Bot clicks 

The next and more advanced form of competitor click fraud is delivered through bots. Bots are software programs that can be used, among others, to click on ads automatically. For example, your competitor can simply purchase a certain number of clicks from a bot farm. Bot farms are places with a lot of devices, like smartphones or computers, installed with the software scripts (the bot), which are used to deliver these clicks in bulk.          

Bot clicks are the most advanced form of this fraud for a few reasons. They are designed to mimic human behavior, and they also use techniques to mask their location, IP, and nature. It’s the most challenging form of fake clicks and the hardest to identify. Consequently, they are often employed for high-value keywords, where the potential impact on your advertising budget is most significant.   

How to recognize if competitors are clicking on your ads?          

Monitoring your Google ads campaign data, as well as website analytics, is everything. Here, you can spot some patterns that usually represent fake traffic. And if you do this regularly, you’ll be able to recognize early signs indicating that competitors are clicking on your Google ads.     

Common signs of competitor clicks on Google ads include:     

• Unusual spikes in click-through rates (CTRs) that deviate from historical patterns
• Sudden surges in clicks originating from specific locations or IP addresses
• Consistent high click volumes without a corresponding increase in genuine conversions or website engagement 
• Click patterns occurring during non-business hours or times when your target audience is typically inactive
• Unexplained fluctuations in bounce rates
• Increases in clicks not accompanied by a proportional rise in the time visitors spend on your site

The sooner you identify such activities, the more efficiently you can implement protective strategies to mitigate potential damage to your campaigns. 

How can you avoid their clicks?   

Stopping this sneaky clicking is not just about saving money; it’s about keeping your ads on the right track by reaching out to a genuine audience and delivering real traffic that has the potential to convert. 

Here are some protective measures you can take:   

• Block suspicious IP addresses: Implement filters to block IP addresses showing suspicious click behavior. If you spot multiple clicks from the same IP address, for example, it might be a result of manual clicks from your competitors’ employees.       
• Set daily budget limits: Set daily budget limits for your ad campaigns. While this won’t prevent fraudulent competitor clicks, it can help limit the financial impact by capping the amount that can be spent in a single day.  
• Enable click tracking: Google ads provide this feature to set up click trackers. They allow you to see how many people are clicking on your ads and how many clicks lead to desired actions, such as purchases or sign-ups. If you have this data, it’s easier to detect if competitors are clicking on your ads. 
• Use geo-targeting: Narrow down your ad audience to specific geographic regions. This will reduce the exposure to irrelevant clicks from people or bots hired to deliver clicks.
• Regularly update negative keywords: Refine your negative keywords list to filter out unrelated search queries.     

While these are helpful tactics to minimize competitor clicks on your Google ads, it’s important to acknowledge their limitations. For example, bots and manual clickers can easily change their IP addresses frequently or change their actual location. 

If that’s the case, IP address blocking won’t help much, will it? Let’s see what you can do next.  

The easy way to protect your ads from competitors’ clicks    

Clearly, a click fraud protection tool is the only way to ensure complete and accurate protection of your ads. 

These tools overcome the limitations that come with manual protective measures. They can precisely spot malicious competitors’ clicks and stop them before they affect your budget.

Read this case study of how ClickCease helped a law firm save $65,000+ by preventing competitor clicks. 

If you also want to block competitors from clicking on your Google ads and make the most out of your ad budget, check ClickCease for free. 

Start your free trial.

The post How to Spot and Block Competitor Clicks on Your Google Ads appeared first on ClickCease Blog.

And this is where the importance of IP address blocking comes into play. It’s often the first go-to strategy for many advertisers against the influx of unwanted traffic. The rise of ad fraud, on the other hand, has also increased the awareness of advertisers to protect their ads from fraudulent interactions. 

But why do you need it, and how can you minimize the risks of such interactions on your Google Ads campaigns? Let’s dive into the article and explore this crucial aspect of protecting your ad campaigns and budget.

The importance of blocking IP addresses from your ads 

The rates of fake traffic in paid marketing are growing exponentially. An average business loses 5.9% of its ad budget to fake clicks. That means for every $1000 of ad spend, you’re losing, on average, $59 on ad fraud. This number varies depending on your industry, location, keywords, etc., and can reach 18.9% in some regions.    

There are several reasons why you need to block IP addresses: 

Repetitive clicks

• Issue: Competitors or malicious entities may repeatedly click on your ads without genuine interest, draining your ad budget. 
• Solution: If you block the IP addresses associated with these repetitive clicks, you can ensure that your ads won’t be displayed to them again.    

Bot traffic and click farms 

• Issue: Bots and click farms are common sources of non-genuine ad interactions. Bots are software programs designed to interact with ads in an automated way, while click farms are locations occupied with many devices that are used to generate fake ad clicks, views, or impressions.
• Solution: You can block known click farms’ IP addresses from your Google Ads, and this will prevent them from accessing your ad campaigns in the future.

Paid-to-Click (PTC) sites 

• Issue: PTC sites reward users to click on ads, leading to low-quality traffic that doesn’t convert into meaningful engagement. 
• Solution: Blocking IP addresses linked to PTC sites ensures that your ads are not being clicked by users motivated solely by financial incentives, preserving your ad budget for genuine prospects.

Enhanced analytics accuracy  

• Issue: Inaccurate data due to non-genuine clicks can lead to misguided decision-making and inefficient use of resources.
• Solution: To ensure your data and analytics reflect genuine user interactions only, it’s best to block those suspicious IP addresses.     

Read this article to understand the impact of ad fraud on your ads and business.

How to block IP addresses manually in Google Ads?    

Swift and strategic action is the key when it comes to protecting your Google Ads campaigns from problematic IP addresses. Manually blocking these addresses is a go-to tactic for advertisers seeking immediate action and solutions.  

As soon as you identify repetitive clicks, suspicious behavior, or unwanted engagement, diving into your Google Ads account and initiating manual IP address blocking becomes paramount. This approach ensures that you block the IP addresses causing trouble from further interactions with your ads.

Step-by-step guide 

1. Identify suspicious IP addresses – Regularly monitor your website traffic for unusual patterns. You can do this in your Google Analytics or other web analytics software and track patterns such as repetitive clicks or spikes of clicks at unusual times. Such behaviors usually indicate suspicious activity. 

2. Access your Google Ads account at ads.google.com

3. Navigate to the “Campaigns” icon in the left-hand menu – Click the Campaigns drop-down in the section menu and select “Campaigns.”

4. Choose the specific campaign you want to block IP/s from

5. Access campaign settings – Click on the settings icon (Admin Icon) to access the “Settings” page.  

6. Expand IP exclusions – On the “Settings” page, find and click “Additional settings.” 

7. Click to expand the “IP exclusions” section on the page

8. Enter IP addresses – Within the “IP exclusions” section, input the IP addresses you want to block from seeing your ads.

9. Save your changes – After entering the relevant IP addresses, click “Save” to apply the changes. 

Additional tips for blocking IP addresses in Google Ads   

Enhance your IP address-blocking strategy with these insightful tips to fortify your Google Ads campaigns: 

• Use wildcards for IP address ranges – You can use an asterisk (*) as a wildcard to block entire IP address ranges. For example, entering *192.168. will block all IP addresses in the 192.168.0.0/16 range.

• Be careful when using wildcards – Exercise caution with wildcards, as you can exclude thousands of real users with an incorrect wildcard.   

• Leverage third-party IP exclusion lists – Explore the option of excluding IP addresses through third-party IP exclusion lists. Those are lists obtained and maintained by cybersecurity services that have repositories with IP addresses already known as sources of suspicious or malicious traffic. This approach can provide additional layers of protection against known harmful IP addresses.

• Consider ad fraud protection services – When dealing with a substantial volume of IP addresses to block, consider the efficiency of click fraud and ad fraud protection services. These services are tailored to identify and exclude fraudulent clicks while ensuring no legitimate users will be excluded.  

The limitations of the manual process of IP address blocking

While manual IP address blocking is a handy process to disrupt interactions from malicious sources with your ads, it does come with its limitations. 

Tracking and identifying fraudulent IP addresses takes time, during which your ad budget may already be affected. The process of spotting patterns can be tricky; what seems suspicious might sometimes be genuine users interacting with your ads. 

Moreover, sophisticated bots and click farms have their own bag of tricks, smoothly navigating through various IP addresses and locations using proxies and VPNs. 

So, while manual blocking is a step in the right direction, it may not catch all the nuances of the ever-evolving strategies employed by fraudulent actors in the digital space.  

Blocking IP addresses with automated click fraud detection software   

Unlike manual processes, software solutions operate at lightning speed, swiftly detecting and blocking fraudulent IP addresses before they can cause serious damage.  

The advantage lies in their efficiency – automated systems eliminate the need for time-consuming tracking and identification of suspicious IP addresses. Typically, these solutions can catch any fraudulent traffic sources before they even interact with your ad.

Our team at ClickCease, for example, has built a solution that combines over 2,000 behavioral tests to identify suspicious activities, even when there are confusing patterns. This also ensures that you’re not blocking real users.

Automated click fraud detection software can also be used to identify and block sophisticated bots and click farms. It’s known that these entities often use proxies and VPNs to hide their true locations. While it’s hard to identify fraudulent IP addresses that change frequently, advanced click fraud detection software can still identify and block them effectively.

You can try ClickCease’s 7-day free trial to experience firsthand how it can help you save money on your ad budget and improve the overall performance of your ad campaigns. ClickCease is easy to use and can be integrated with existing Google Ads campaigns to efficiently help you with the IP address-blocking process.  

Sign up for ClickCease’s free trial today and ensure that your ads reach the right audience and deliver the results you desire.        

FAQs:

What are the common suspicious patterns to look for when identifying IP addresses?  

If you regularly track your ad campaign’s analytics, several common patterns can indicate that an IP address, or multiple ones, may be involved in suspicious behavior. Look for the following patterns:

• High click-through rates (CTR)
• Large number of clicks from a single IP address
• Large number of clicks from a small number of IP addresses
• Suspicious spikes of clicks occurring consistently at the same time each day
• Unusual device or user patterns, like clicks without mouse movements

If you spot any of these patterns, it might be a sign that you need to block those IP addresses and minimize the impact of fraudulent activities.  

Does blocking IP addresses impact my ad’s performance?   

Blocking IP addresses can be a helpful tool for improving your ad performance, but it’s important to use it carefully. Blocking invalid traffic, such as clicks from bots or competitors, can lead to a better click-through rate (CTR), conversion rate, and cost-per-click (CPC).        

However, blocking legitimate traffic is risky if you don’t do it carefully. Only block IP addresses that you’re sure are invalid or unwanted. If you’re unsure whether or not to block a certain IP address, consider using a third-party tool to help you identify and block invalid traffic.

What happens if I accidentally block a valid IP address?    

Blocking a valid IP address in Google Ads can have unintended consequences, including reduced ad reach and missing out on potential customers. If you suspect you have blocked a legitimate user’s IP address, you can amend this in your Google Ads settings and remove the IP address from the exclusion list.     

The post Defend Your Google Ads: The Art of IP Address Blocking appeared first on ClickCease Blog.

Where do these fake views come from?

View bots. 

These bots can be hired for relatively little money to boost the viewing figures on any video channel, from YouTube or Instagram to Twitch or TikTok.

What are view bots?

View bots, as the name suggests, are bots programmed to watch videos to inflate viewer count numbers. They can be used on virtually any platform where video is played or even on music streaming sites. 

A view bot doesn’t just view whatever activity is occurring on the screen at any time. It also views media such as banner ads, pre or post-roll video ads, and other paid elements. 

This form of a bot is relatively complex, as its goal is to avoid being detected by sophisticated filters on video platforms. 

There’s a high demand for these bots, which is why they are easy to find and are widely used. When searching for ‘view bots,’ there are hundreds of results on the organic search pages. 

And, yes, if you’re wondering whether view botting is against the TOS (Terms of Service), it is, but this doesn’t stop people from buying these very affordable bot packages. In fact, many of them offer free trials, so you don’t even need to pay to inflate your views.   

Why do people use view bots?

The biggest objective of any YouTube or Twitch creator is to get more views. The more views they get, the more money they make, and that’s all the motivation they need to use view bots. 

And this is where many people saw an opportunity, making it easy for creators to purchase a YouTube, or a Twitch view bot. There are even Facebook live view bots that can drastically increase viewer numbers on live videos on Facebook.     

Newbie creators on video platforms are particularly susceptible to using them as they look to grow their subscriber base and convince the algorithms to show more people their videos.  

It also doesn’t hurt them that a view bot isn’t difficult to set up. You can find websites like ViewerLabs and UseViral that walk you through setting up a view bot for your YouTube channel. Many are quite affordable (UseViral offers 10,000 views for a little over $100).   

Although most of us think of social media sites like TikTok, YouTube, or Twitch, there are also other view-based sites such as esports platforms where you can unleash a view bot.

And as this form of online entertainment is increasingly popular with younger audiences, marketers are looking to streaming services or even metaverse games to run their ad campaigns.

How do view bots affect advertisers?

Perhaps the most obvious impact for advertisers is in cost-per-mile (CPM) advertising. If you’re paying per 1000 impressions, and around 15-20% of those impressions are fake, you’re leaking money.  

Referred to as both click fraud and ad fraud (although the two terms mean slightly different things), the impact on the global marketing industry is estimated at around $40 billion each year and growing.       

Impression fraud also means your ad spend is exhausted faster, often meaning you’re missing out on genuine ad opportunities.

Another issue is that the inflated view metrics skew your ad data, effectively making your video ads or banner ads seem more successful than they are.

And in an age of influencer marketing, embellished videos and stream views also artificially inflate the value of an influencer. When you consider that the definition of an influencer is someone with a few thousand followers and that those followers could cost someone just a few hundred bucks, the cost of this deception to marketers can mount up.  

Would you be happy paying your ad budget to target an audience of click farm robots?

Read this guide to understand how you can protect your marketing efforts from fraudulent bots.

Types of view bots

‘View bot’ is a blanket term for a wide range of bots that are programmed to help inflate video metrics. Most obviously, these bots click on videos and raise the view count. But they can do other things as well.   

Live stream bots

Some vIew bots can also hop on Twitch and Facebook live streams to make it seem like the streamer has a wider audience base. The goal here is to draw in more people to join the stream. Streaming farms are becoming increasingly popular as a way to artificially inflate the number of viewers or listeners on live streams.

Chats and engagement bots

People see through views without engagement pretty easily, so many YouTube view bots have been programmed to engage as well. However, the engagements are flat and, well, unengaging. You’ll usually see this with Instagram and Facebook comments too. We’ll talk more about these in a bit.

Engagement groups

Although these aren’t view bots in the traditional sense, engagement groups act as a sort of human view bot.

Instead of getting a YouTube view bot that is prohibited by the TOS, creators often sign up with communities where they watch and engage with each other’s videos. For creators, they get the metrics of more views and comments.    

But for advertisers, this is non-genuine human traffic with a very low chance of converting. And to add to this, engagement groups may also click on ads within videos, blogs, or other content to inflate the payout for the creator. In short, they commit click fraud.

What is click fraud? Learn more in our guide…

Chat impersonation bots

Another form of view bot, chat impersonation, is often presented as a way to ‘prank’ your friends on their live streams. But, of course, these bots are often bought to increase engagement on live streams or videos.

Like other forms of view bots, these chat impersonators also affect ad impressions and distort view metrics. 

Creators risk a lot by using view bots

Fraudulently inflating your engagement is against the terms of service on all of the major platforms, including YouTube, Twitch, TikTok, and Meta (Facebook/Instagram). Content creators who are caught run the risk of: 

• Getting their videos taken down
• Losing the ability to monetize their content
• Being banned from the platform altogether

Twitch takes an aggressive approach against view botting. Besides banning creators, the platform has a history of suing bot creators. 

For example, In 2018, Twitch won a $1.37 million lawsuit against Michael and Katherine Anjomi, creators of a view bot. 

Trust issues

Bots on YouTube and other platforms don’t just rob advertisers of their ad revenue; they also make a fool out of real users. Many people follow creators online because of the social proof that thousands of others enjoy their content.

When these creators get busted, they don’t just lose their videos; they often lose the trust of their subscriber base.

Take Pink Sparkles, a Twitch streamer who got banned after mistakenly flashing her bot software on-screen during a Twitch stream. This, in addition to other violations, earned her an instant ban from the platform.

Meanwhile, on Instagram, around half of all influencers on the platform are knowingly engaging in forms of fraud, such as buying subscribers and viewers.

And when an influencer is discovered to be using fake followers or bots, it can seriously damage their status.

Amongst all these, there are several ways you can spot a fake profile and a view bot on social media.

How can you spot a view bot account? 

Here are three quick ways to identify a profile with view bots on any platform.

1. Low chat with high views

These are the biggest giveaways that someone doesn’t have real views. The average view-to-chat ratio varies between platforms and the kind of content being shared. However, a video with thousands of views and a few dozen comments usually means one of two things: the video is promoted, or the profile uses view bots.

2. Generic comments

We mentioned this earlier. Some sophisticated and higher-priced view bots will also engage with comments. However, the comments are prescripted, generic, and usually appear repeatedly. 

Look out for comments that require zero thought and seem to appear regularly. Typical examples include: 

• I love your stream
• Awesome
• This looks great

3. Low subscribers

A realistic YouTube subscriber/view ratio is 8-12%. That means accounts with 10,000 subscribers can expect 800 to 1,200 views per video. Of course, these numbers will fluctuate, but when you start to see 7,000 consistent views on a channel with 10,000 subscribers, you know it’s not just real viewers.

What can you do about view bots?

If you advertise on any video-based platform, the chances are that your ads are exposed to view bots in some capacity.

Considering that between 40-50% of all internet traffic is non-human, this presents a major headache for marketing budgets. And yes, although platforms such as YouTube and Twitch do use filters to block bots on their sites, the truth is a large amount of non-human traffic still gets through.

Research from ClickCease shows that an average of 14% of all Google Ads clicks are non-genuine. Even on Facebook and Instagram, fake profiles (including view bots) are responsible for a big slice of the ad spend.

ClickCease’s industry-leading fraud prevention software blocks bots, including view bots, on your Facebook, Instagram, and YouTube ad campaigns. Whether you’re running pre-roll or post-roll video ads, paying for display ads on YouTube, or any other form of video marketing, blocking bots can save your ad campaign.

Sign up for a free trial of ClickCease to run an audit on your ads.

FAQs: 

What is viewbotting on Twitch?

Viewbotting on Twitch is the practice of artificially boosting a streamer’s viewer count through the use of automated bots. These bots are fake accounts created to simulate human-like views on live streams on the platform. 

The primary motivation behind viewbotting is to create a false perception of popularity and success, potentially attracting more genuine viewers, followers, and sponsors.

Is viewbotting illegal?

Viewbotting is against the terms of service of most video and streaming platforms, but it is not illegal in most jurisdictions. However, viewbotting can have significant consequences for streamers who engage in it. Any account caught using viewbots is subject to suspension or termination.

While viewbotting is not currently illegal in most jurisdictions, it is a form of fraud, as it can be used to mislead advertisers and viewers. For example, a streamer who uses view bots may be able to get more sponsorship deals or donations from viewers who believe that the streamer has a large audience.

The post What Are View Bots & How Do They Affect Your Ads? appeared first on ClickCease Blog.

But if you run online ads, you’ve probably also heard of ad fraud or click fraud.

And, if you’ve seen any news or data on the subject of click fraud, you’ll know that it cost the digital marketing industry $188 billion in 2023 alone. This number is expected to keep growing by about 14% annually until 2028. 

In short, a lot of money goes missing from the marketing ecosystem thanks to ad fraud and click fraud.

But what is ad fraud, and what is click fraud? Before we go on, let’s define what these two forms of marketing fraud mean and what’s the difference between them.  

Ad fraud – a definition

Ad fraud is any form of fraudulent activity that increases engagement numbers on pay-per-click (PPC) ads online. Fraudsters usually aim to artificially inflate the number of impressions, clicks, or conversions to deceive advertisers into paying for non-existent interactions. 

A simple example explanation for ad fraud is when a publisher hosts ads on their website or app and then uses fake traffic to inflate the number of impressions or clicks.   

They may also use other sneaky methods, such as layering multiple ads on top of each other, to collect a payout on multiple ad impressions instead of one. Or, worse still, hiding multiple ads in tiny unviewable iframes, often 1×1 pixels.  

We’re also hearing more about apps that host malware and inflate the ad payout for the developer.

Another more insidious form of ad fraud is when the publisher falsifies a bid request, collecting a payout for ads that never appear anywhere.  

We also have a complete guide to ad fraud…

Click fraud – a definition

The main difference between click fraud and ad fraud lies in their respective targets. Ad fraud exclusively targets paid online ads, whereas click fraud extends its reach to include organic content, such as links on social media platforms or within apps. 

Fake traffic, such as bots and click farms, can often be used to click your links, apps, buttons, or ads. The reasons can be varied, like compromising your marketing efforts, gaining a competitive advantage, or making money from your promoted links or ads.

A common example of click fraud is where an affiliate marketing partner will use click bots to boost the clicks on your product link they place throughout their content.

Read our guide to click fraud…

How do ad fraud operators make money?

Although there are different methods of ad fraud, the result is often the same. Advertisers pay, and the fraudulent party misrepresents either the ad placement or their authenticity and collects the payout.

For example:

Fake website traffic

The easiest way for ad fraudsters to make money is to create a website and apply for a publisher account on an ad platform. Once accepted, they can then host display ads or any other form of paid media. It’s then just a simple step to inflate their traffic.  

This inflated traffic is often hired from a bot farm/click farm, or if the site owner is particularly tech-savvy, they may use a botnet for hire.

By doing this, they simply collect a nice fat paycheck from the ad platform every month. Inflated by fake traffic, of course.

Hidden ads

What if your ad was displayed on a website or app, but no one ever saw it? That’s the issue with hidden ads.  

Ad fraud operators can use a number of methods to pack as many ads into their website real estate as possible. Common methods include:

• Unviewable ad placements, e.g., 1×1 pixel frames
• Ad stacking – where the top ad is viewed, but there are multiple ads hidden underneath, collecting a multiplied payout for one impression
• Displaying the ad outside of the viewable area – for example, on a hidden sidebar
• Background ad loading – the Drainerbot malware generated impressions on video ads even when the app was running in the background

In-app malware

Ads within mobile apps have become the new frontier for ad fraud. As over 50% of internet traffic is now mobile, it makes sense for fraudsters to leverage these apps and cram them full of fake clicks. There are a number of ways apps can be used to deliver inflated or completely fake traffic – such as using click spam or click injection. 

These are methods where the software amplifies each organic/genuine click, so it seems like there are multiple clicks on the hidden ads.

Other forms of malware use install hijacking or clickjacking, which is where an app will claim credit for an organic app install.

Read more about forms of app malware and ad fraud here.

Falsified bid requests

Some websites don’t even bother to host the ads or mess about with web traffic. Instead, they use an existing publisher ID to falsify records of ad placements.

These falsified bid requests will likely come from a genuine website or app. The account will have been verified but will have never hosted these ads.  

In short, they collect a payout for extra ad placements that have never seen the light of day.

Who is behind ad fraud?

The catch-all term ‘fraudsters’ is often used in articles discussing ad fraud. But who are these fraudsters? And why are they being so blatant and stealing your ad budget?

Some of the answers are obvious, but some may surprise you…

1. Organized criminal networks

In recent years, we’ve seen the takedown of networks running sophisticated ad fraud networks, for example, Methbot and Hyphbot.

As the poster boys for ad fraud, both these campaigns made off with eye-watering amounts of money. Ad fraud campaigns like this are a huge threat to the digital industry and are rightly singled out for their impact and the sheer audacity of their operations.

Often run by a mixture of hackers and other experienced criminals, this network will set up a complex system of spoofed websites and botnets to perform ad fraud 24/7. In fact, some of these criminal networks have been accused of working with certain ad platforms to increase the perceived traffic and, therefore, the value of the ad placements.  

Although there have been fewer headlines about these organized criminal networks in recent years, there are still plenty of them out there.   

2. Black hat marketers

Black hat marketers use shady marketing practices to inflate ad traffic or boost a website profile. And as a result of this, they often use ad fraud as a tactic to impress their clients.  

For example, a website publisher might want to improve their web traffic. They approach a seller advertising a service such as ‘get organic traffic fast,’ which is, of course, not going to be quality traffic.

Their website traffic increases by thousands, all bots or forced redirects. The client sees an improved payout from their ad networks and is happy to pay their shady marketing team to carry on.

3. Casual ad fraud

Building a website and hosting ads is not difficult. Many ad platforms will allow you to run ads on a site with barely any traffic. Others require a certain traffic or content threshold to be reached.  

Google, for example, is quite strict on its content specifications and website quality for publishers.

But once ads are being hosted on a site, a publisher can use any number of methods to inflate their ad payout. The most common of these methods is buying fake traffic, which can be easily found online for incredibly low prices.

These sites may even host plagiarised content or, more likely, be built as link farms.  

Sites built as link farms often host low-quality content or guest posts, have absurdly high domain authority and deliver traffic volumes that would envy many established publishers.

The secret is? It’s all paid traffic – and those ad impressions are almost 100% non-human.

4. Ad networks

You may have noticed there are A LOT of ad networks out there. Some claim to offer stratospheric levels of ad traffic – even if you’ve never heard of them and you’re pretty sure no major publisher uses them either.

These ad networks may have little to no fraud monitoring or blocking and will also likely not care about traffic quality to publishers. They may not be performing ad fraud themselves, but their low levels of filtering enable ad fraud on their network.

Consider also the Uber lawsuit, where Uber alleged that one of the ad networks they were using to promote their product was using ad fraud practices. The case went against the ad network, finding that they had used click flooding and fake traffic to inflate their revenue. (source)

5. Paid-to-click (PTC) sites

Working from home has become more than just a buzzword. Jobs offering easy ways to make money working from home have really bloomed in the post-pandemic landscape. And none more so than paid-to-click (PTC) websites.  

These sites, with names like Scarlet Clix, NeoBux, and Swagbucks, offer people pennies per click – but then people aren’t just clicking once. Workers can make $10 to $20 per day simply by viewing ads or clicking on ad banners.

Bear in mind that most of the world lives on less than $10 a day – so clicking ads for a payout is a tempting proposition for many.

How much exactly does this cost the ad industry? In 2020, the PTC sites paid out an estimated $12 million. In the grand scheme of the $42 billion ad fraud industry, this is nothing.

But there are also countless other scam PTC sites that pop up and disappear without paying their click workers.

6. The fake web

Another deeper issue that impacts the global digital marketing industry is the proliferation of non-human traffic and tools.  

Developers use bots and web scrapers to test their new software. The average web user might also use ad-blocking software or tools like AdNauseam that click ads as a method of obfuscation.  

Hackers and black hat marketers constantly crawl the web to harvest data or find vulnerabilities. So, the sheer volume of potential invalid traffic is huge – even without looking at the genuine fraud listed above.

Oh, and it just keeps getting bigger.

Is ad fraud a cybercrime?

As ad fraud is theft, it is, by definition, a cybercrime. However, is it intentional? And more importantly, is it illegal? 

As we’ve seen, ad fraud doesn’t necessarily occur because of malicious intent. A black hat marketer who just wants to inflate their site traffic isn’t necessarily focused on ad revenue – but might be delivering results to a paying client using methods that produce or enable fake traffic.

Saying that plenty of ad fraud occurs specifically for monetary gain.  

Most legal cases around ad fraud focus on wire fraud, deception, and illegal access to databases and systems. No one has (yet) been charged with committing ad fraud specifically.  

High-profile cases mostly focus on the money laundering aspect, although a famous case by Microsoft against a team of alleged ad fraudsters did focus on the ‘improper use of ads to profit by fraud.’

The damage that ad fraud causes to businesses

According to the ad fraud definition, it’s an online threat that affects PPC advertisers and platforms. As such, it’s expected that it primarily impacts advertisers’ pockets negatively. 

They dedicate a certain amount (often significant) of their marketing budget to digital paid ads and expect, in return, to see some positive metrics. A high click-through rate (CTR), followed by website visits and, of course, conversions, leads to a higher return on investment (ROI) from the particular campaign. 

However, when fraudsters attack, advertisers pay for fake interactions instead of reaching potential customers. Naturally, the financial damage is the most concerning one for PPC  advertisers and business owners.      

But there’s more than just losing money as a result of ad fraud. The irrelevant clicks are distorting both marketing and business analytics, leading to making uninformed decisions, missed business opportunities, and even a compromised brand reputation.     

In a nutshell, we can classify the main consequences of both click fraud and ad fraud into the following categories:

• Financial losses
• Ineffective ad campaigns
• Distorted analytics
• Decreased ROI
• Uninformed decision making
• Missed business opportunities
• Compromised brand reputation

How much does your ad campaign lose to ad fraud?

Ad fraud impacts ad campaigns differently. This often depends on the cost of keywords, the industry’s competitiveness, and even your geographic location. 

In-depth research from CHEQ reveals that the Gambling and Gaming sector faces the highest fraud rates at 49.1%, while Advertising and Marketing see a lower 7.9%. 

It’s hard to put an exact number on how much you are losing to ad fraud. But between 1 in 4 and 1 in 5 clicks are non-genuine. 

It’s hard to put an exact number on how much you are losing to ad fraud. But between 1 in 4 and 1 in 5 clicks are non-genuine.

Protecting your ad campaigns

With over $42 billion lost to ad fraud and click fraud in 2021, digital marketers no longer see it as a niche concern.  

Making sure your ad budget doesn’t fall into the wallets of ad fraudsters means taking precautions.

ClickCease offers the industry standard in ad fraud and click fraud protection, protecting Google, Microsoft, and Meta for Business (Facebook) ads. 

Want to know how much fake traffic affects your ads?     

Use ClickCease’s free trial to run a traffic audit and find out exactly how much you’re losing to ad fraud.

The post How Much is Ad Fraud Stealing From Your Business? appeared first on ClickCease Blog.

In this guide, we will take an in-depth look at the growth of digital marketing. We’ll explain what is click fraud in cyber security  – who it affects, and what you can do to stop it.

Contents

Chapter One Why Click Fraud Matters	Chapter Two The History Of PPC	Chapter Three How Click Fraud Works
Chapter Four Infamous Click Fraud Cases	Chapter Five Preventing Invalid Clicks	Chapter Six The Best Way To Block Fraud

Click Fraud: What Is It & Why Does It Matter?

Digital marketing, and pay-per-click ads, in particular, have become the go-to methods of advertising for most businesses. Everyone from small business owners to global corporations can take advantage of this access to a huge market online. 

With over 4 billion people in the world connected to the internet on a daily basis, and nearly 2 billion of those buying something online each year, a well-targeted PPC campaign is the difference between sinking and swimming. Add in the fact that there are 9 billion searches on Google every day, and you’ll understand how big a deal pay-per-click advertising is. With this huge volume of traffic, and money, comes an obvious target for fraud. And click fraud has now come to be the most costly form of fraud committed each year. Just as a result of ad fraud (the most common form of click fraud), businesses are losing $100 billion globally in online advertising, surpassing credit card fraud at $30 billion. 

What is click fraud?

Click fraud is the act of clicking on online content, including organic or paid ads online, with malicious or vindictive intent. For instance, it could take place on a display ad or a sponsored search result, on links you publish on your social media accounts, or rake clicks across your website.

This can be to deplete the advertisers’ marketing budget, damage the performance or reach of the ad, or even steal the cost of that click for yourself (a practice known as ad fraud).

When it comes to click fraud on organic content – like fake clicks on your social media posts or generating fake website traffic – fraudsters may aim to gain a competitive advantage, overwhelm your website, or hurt your online efforts by injecting fake data into your analytics. 

We will look more in-depth at the sources and motives for click fraud later in this article. But suffice it to say, there is a huge industry that has grown around defrauding programmatic ads and advertisers.

From paid-to-click apps (PTC apps), to click farms, generating large volumes of fake clicks is easier than ever.In fact, the issue of click farms is widely reported, with many of them selling their services to inflate likes and followers on social media. But this same technique can also be used for criminal gain, with millions of dollars at stake for enterprising gangs who know how to make click fraud pay using complex technological solutions and malware.

What is ad fraud?

The practice of ad fraud is an organised form of click fraud. Ad fraud is often used to fraudulently inflate the payout for website publishers, mobile app developers, or on social posts or videos.

Often when referring to click fraud, people use the term ad fraud interchangeably. However, where click fraud can be either accidental (for example from bad ad placement) or malicious; for example, rivals aiming to deplete your marketing budget; ad fraud is usually intended to line the pockets of the fraudster.

Is click fraud really that big a problem? 

The actual rates of fraud vary based on:

• Your industry
• Geographic location
• Time of year

Our research paper found that the average rate of click fraud across the campaigns we protect here at ClickCease is 14%. 

However, there is a huge variation of fraudulent ad clicks within that, depending on the industry. For example, the industries with the highest volume of fraud were found to be:

• Photography – 65%
• Pest Control – 62%
• Locksmith – 53%
• Plumbing – 46%
• Waste Removal – 44%

Other notable industries subject to high levels of click fraud include real estate (31%), financial services (20%), and legal and law services (14%).

The truth is, click fraud affects almost every industry, with 90% of all campaigns on Google Ads being impacted in some capacity.

In this guide we’ll be taking an in-depth look at the world of marketing, what click fraud is, and how it can cause you a real headache.

And more importantly, we’ll show you how you can fight back and prevent click fraud on your online marketing operations.

A Brief History of PPC

Where were you on the 6th of August 1991? Well, you may or may not have even been born, but that’s the day the World Wide Web ran its first web page.

Tim Berners Lee, a British computer scientist who had been working at CERN in Switzerland, proposed that by networking computers via phone connections, we could share data around the world.

First web page released to the world wide web that was released in 1991 by Time Berners Lee

It took a few years for it to catch on, with browsers becoming available for the Commodore Amiga, Unix, Windows, and Mac OS in 1993.

Does anyone remember Netscape?

The birth of online advertising

But it was in 1994 that much of the online activity that you might recognize today started to happen. With around 11 million American households equipped to get online, we saw the White House launch a web presence; the first online purchase – a pepperoni pizza from Pizza Hut; the launch of Yahoo! – which was the Google of its day; the first piece of spam mail and… The first-ever online banner ad.

American telecoms company AT&T paid $30,000 to the website HotWired.com (now Wired.com) to place an HTML banner ad on their homepage. The incredibly simple design said:

“Have you ever clicked your mouse right here?” with an arrow pointing to a separate piece of text saying: “You Will.”

Once they clicked on the banner, users were taken to a landing page that took them on a tour of the world’s greatest museums. So it wasn’t even a blatant sales campaign but was designed to encourage engagement and build AT&T as an information brand. An early form of content marketing…

That banner had a 44% click-through rate!

By contrast, today’s marketers are happy to see a click-through rate of around 0.5%.

Of course, we internet users see countless display ads, videos, and sponsored search results a day. But at the time, the process was unique. A way for websites to monetize their content so they could pay writers? Who would think that would catch on? But sure enough banner ads became one of the most popular forms of online advertising, with sites like Time getting in on the act, and with companies paying anything up to thousands of dollars to place their banner ads on websites.

Targeted and sponsored ads

With banner ads becoming commonplace, advertisers started to wonder if there were ways to target specific demographics. Up to this point, advertisers had simply hired space on whichever web page they wanted, and their ads would be displayed for a set amount of time.

An advertising company called WebConnect was one of the first to pioneer tracking user activity online and using algorithms to change the adverts shown on a web page. Before this, a banner ad was static for the duration of the advertising contract. By using WebConnect, a company could add their banner ad to a variety of different websites based on price and demographics.

Another breakthrough was being able to rotate banner ads on websites to avoid ‘banner fatigue.’ Once a site visitor had been shown a banner two or three times, the banner would change, a clever tactic designed to catch the attention and maximize the chances of a click-through.

In 1996 came DoubleClick, another online advertising agency that made it easy for companies to find the right site and for websites to make money from ads. In fact, DoubleClick’s ability to give websites easy access to advertisers caused a rapid expansion in the number of websites offering advertising space.

Add in the ability for advertisers to track their ROAS and to customize their ad spend by focusing on high-performing websites, and you had the fuel to the fire for online marketing.

The software underpinning this was D.A.R.T (Dynamic Advertising, Reporting, and Targeting) which gave advertisers an easy way to see where their money was going. DoubleClick was also one of the first sites to bring in a new pricing model for online advertising; CPM or Cost per Mille, meaning advertisers were now paying for the ad’s performance, not just for its placement.

The rise and rise (and rise) of Google

Around this time, two students at Stanford University, called Larry Page, and Sergey Brin were developing a piece of code that was designed to make sense of all of the websites that were popping up every day. Their program, ‘Backrub’, was part of their mission to organize the masses of information that the internet was spawning by categorizing links.

Sites like Yahoo!, Excite, Lycos, AOL, and AltaVista were the search engines of choice for most internet users in the 90s. And although they worked, their algorithms were perhaps too simplistic for the growing World Wide Web.

For example, Yahoo! required a team of real people to input websites into its database so that when you ran a search, it would show in the results. If you hadn’t submitted your website to Yahoo!, then it wasn’t going to show up.

At the time, Yahoo’s technique was a revolutionary approach and one that put a huge strain on sites like Excite and AltaVista which used simple text searches to find results.

But Page and Brin had worked out a way to map the relevancy of a website to a user’s search terms by a complex web of link crawling, keyword analysis, and PageRank, or relevancy. At a relatively early point, the project got renamed Google, and with an investment of $100,000 from the co-founder of Sun Microsystems, Andy Bechtolsheim, the Google project began its ascendency.

Although early websites like Yahoo and Lycos also offered a sort of online directory, news pages, and weather reports, Google kept it simple. Their thing was search results, and the more the word got out about how effective Google was, the more they grew.

At some point between 2000-2001, Google became the dominant search engine, and the phrase ‘Google it’ was born. Even Yahoo! switched its search engine over to Google to make sure people didn’t stop using Yahoo!

Google gives birth to AdWords and AdSense

Having cornered the marketplace with effective search results, Google had to monetize. Between August and October 2000, Google launched its Premium Sponsorships and AdWords platforms.

Using Premium Sponsorship enabled advertisers to pay to have their company appear at the top of the Google SERPs on a CPM basis. Whereas using AdWords meant that your advert would appear as a text banner on the side of the search results. Although, at the time, Google was still in its relative infancy, the popularity of the service took off quickly.

In 2003 Google launched its AdSense platform, allowing publishers to host advertising on their websites and make money from clicks and views. Like DoubleClick, it revolutionized how website owners could get paid for their content.

Suddenly you didn’t need to be selling anything or even have an online shop… You could set up a blog or information portal, host ads and banners, and get paid. All you needed to do was bring in the traffic.

So by offering the most efficient search results and easily giving people what they were looking for, Google became the dominant search engine. Then by giving businesses a way to maximise their visibility on these search results, they built a growing tide of income that would establish them as one of the world’s biggest tech companies.

And then, by offering publishers a way to host and get paid by adverts, Google became the world’s biggest advertising platform.

With their growth, Google continues to offer highly effective tools to manage, research, and track your advertising spend: Analytics, Trends, and My Business…. Today there are something like 251 Google services, covering everything from productivity and study to entertainment, web browsers, and actual hardware.

The other guys: Facebook, Amazon & Microsoft

As Google grows to become the dominant search engine, other players are doing their thing. As a savvy digital native, you’ve no doubt heard of some quirky start-ups called Facebook and Amazon. Both of these billion-dollar brands have grown, alongside Google, to become the biggest at what they do.

Put simply, Facebook has built itself from a simple platform to connect with friends to the dominant global social media platform with plans to connect EVERYONE. Meta now encompasses Instagram, WhatsApp, and Oculus (virtual reality), with around 2 billion users of its platform every month. 

Amazon has gone from being a bookshop to the world’s online superstore. With acquisitions including Whole Foods, Ring (a home security company), Pillpack (an online pharmacist), and Twitch (gaming and video).

In this history of the internet, this is the first real mention of Microsoft, which has been there the whole time. Their Windows operating system has powered the internet from the start, but their presence away from the OS hasn’t been the most consistent. However, their search engine Bing is still the second biggest search engine, with over 9 billion searches a month. Microsoft also owns LinkedIn, Skype, Nokia, MultiMap, and a whole glut of software companies.

When it comes to PPC campaigns, although Google is the leader in search engines, each of these has its own specialty that can be harnessed.

And that brings us to the issue of click fraud and how it could affect you, the modern marketer.

How Click Fraud Works

As programmatic advertising has become more complex, allowing us different ways to target demographics and a multitude of ways to pay for our advertising, so has click fraud become more sophisticated.

The practice of click fraud

As we’ve seen, there are multiple reasons to commit click fraud or ad fraud. It can occur on any link, whether organic, paid search, social media, in-app promotion, or other forms of digital marketing activities. 

The most common reasons to get fake clicks on your PPC ad campaign are:

• Vindictive competitors or customers who want to negatively impact your online presence or brand reputation in general
• Organized fraudulent developers who have created a way to get paid for clicking your ads, usually using fake publisher inventory
• Malware apps or software created to collect the payout from ads (often with some help from bots)
• Paid-to-click apps that pay users to click or watch ads in exchange for a small reward.

When you consider that the price for some keywords in Google Ads (previously known as AdWords) can be upwards of $50, or over $100 per click, you’ll soon see why multiple fraudulent ad clicks can really start to cause a problem. In fact, even with clicks at a dollar or so each, the volume of click fraud can quickly cause problems for the average marketer.

In 2017 it was estimated that around 1 in every 5 clicks on a PPC ad campaign were fraudulent in some capacity. Since then, the techniques have become more advanced, and the sheer volume of fraudulent activity online has increased. A study by the University of Baltimore and CHEQ found that click fraud cost marketers over $35 billion in 2022. And this is forecasted to reach $100 billion in 2023 and beyond.

What are the main sources of fake clicks or click fraud?

If clicking on someone’s ad repetitively sounds like a lot of hard work, you’d be right. A competitor clicking on your ad five or ten times a day might be a drop in the ocean for your advertising spend, but there are more damaging ad-clicking methods.

High-volume clicks:

Bots and web crawlers

Designed to crawl the web looking for information, usually for spam or data collection purposes. There can be ‘friendly’ bots, that are just looking to scrape contact info, for example. Or deliberately vindictive bots that have the sole purpose of clicking on your ads hundreds or thousands of times to deplete your ad budget.

The issue of bot traffic is a complex one, with bots coming in a huge variety of flavors. Take a look at our guide to bot traffic to understand this issue in more detail.

Click Farms

Either automated setups or human-powered factories designed to click multiple times on specified links. Yes, they do exist, usually in developing countries where people can be paid as little as $5 for 100 clicks.

Click farms are used by all sorts of businesses, often to inflate their following or engagement, and they can be hired to do multiple actions, from liking social media accounts, watching videos, sharing links or information, leaving comments, and, of course, clicking on PPC adverts multiple times.

Although the bulk of click farms can be based in developing countries, there have been increasing instances of click farms based in Europe and the USA. By hooking up phones and tablets to a computer, you can automate the activity of hundreds of people.

We recently carried out our own research about this phenomenon, so read all about click farms here.

Fraud rings and bot networks

Criminal gangs establish a mixture of publisher websites and automated bots to defraud advertisers. One of the best known is Methbot, a highly sophisticated scam bot network with a complex setup that is designed to fraudulently collect the payout on video views using a network of computers. Thought to have originated in Russia, Methbot is estimated to make around $5-6 million each day in fraudulent clicks.

Ad fraud

Publishers create a website designed to host banner and text ads, then channel fake clicks through the website to collect a payout. Ad fraud often involves placing ads on websites with little chance of genuine traffic being able to find it but with the opportunity for the site owner to maximize their income.

As a complex issue with many threads, you can check out our ad fraud guide for more information.

Medium to low volume clicks:

Competitors

Your direct competitor can try and siphon off your PPC budget so that their ad ranks higher for relevant searches. They might just click your ad every time they see it, or they might instruct everyone in the office to click your ad – which could be potentially quite damaging.

Although competitors can try to manually inflate your PPC spend, you might find that this is a temporary measure or occasional practice.

We actually looked recently at a case of competitor click fraud, where a business orchestrated a campaign against local competitors. You can read the case study here.

There are some simple steps to minimize your exposure to competitors clicking on your ads, which we will look at later on.

Human error

People searching for something may accidentally click on your site in the SERPs but then click out again. They may not even realize it’s a paid ad. Technically this wouldn’t be classed as click fraud but an invalid click. There is no strategic sabotage going on here; it’s simply a mistake, although repeated mistakes can cost advertisers a fair amount of money.

Vindictive parties

Your ex-employee, unhappy customer, or even your sociopathic ex might have a reason to click multiple times on your ad just to pee you off. You’d best go and apologize.  

What’s so concerning about click fraud? 

Now, you’re probably wondering why the hell anyone would really want to go to all that trouble. Is this really something that people do?

If you haven’t already, then we suggest you run a quick search for ‘buy clicks’.

What you’ll find is a whole industry built around fake website traffic, often designed to boost views on websites or inflate the popularity of social media accounts.

Sites like Fiverr offer plenty of options for users to buy ‘likes’ or website traffic. And most of these services can, of course, be used maliciously.

Many marketers can also run bots to find new clients or to build an email list that they can sell. These simple bots may not be fraudulent, but with enough of them, you could be looking at losing quite a lot of money through non-purchasing site visitors.

Bots can be used in a variety of ways and are relatively simple pieces of programming, meaning that pretty much anyone with a decent level of coding knowledge can make their own bot. You can also buy bots from a variety of sources for everything from research to more nefarious purposes.

It’s been proven that the bulk of internet traffic is actually bots, with some sources estimating 40% and others putting the figure at upwards of 50%. So when you’re aiming to run your next PPC campaign, this is definitely an issue that you’re going to have to bear in mind.

Those running a PPC campaign might find that the amount of PPC ad fraud sits around 20% of their total traffic. Bear in mind that Google doesn’t refer to the practice as ‘click fraud’ but prefers the term ‘invalid clicks.’ This covers all bases from genuinely mistaken clicks to the actual vindictive bot or click farm traffic.  

Who is affected by Click Fraud?

You might think that click fraud is the kind of thing that only really affects the big boys; the Amazons, Citibanks, and Teslas of this world.

Of course, they are in the firing line as they target high-value keywords. But in reality, every online business is at risk of click fraud to some degree or another.

Automated click fraud doesn’t discriminate, with bots often just scouring the web for specific search terms. Even accidental clicks can really add up if your banner or sponsored result is in a competitive industry.

An industry with a huge amount of traffic and expensive keywords means more room for fraudsters to hide. It also means less risk of getting caught and a higher payout.

Here at ClickCease, we see that the most affected micro industries are locksmiths, lawyers, water damage repair, and… dentists. It seems that local service providers are prone to a higher rate of click fraud due to the competition, high CPC, and knowledge of the market.

No matter how little or how much money gets spent on campaigns, one thing is for sure. Every company that’s using PPC networks like Google Ads or Bing Ads is either vulnerable to click fraud or has been a victim of click fraud.  

High Profile Cases of Click Fraud

On occasion, some of the bigger cases of click fraud make it into the press, especially when there is some serious money at stake. These examples can be on the more extreme end of the click fraud spectrum, but they give a good insight into the lengths some people will go to.

Like other forms of fraud, those big examples are just the tip of the iceberg, with many smaller click fraud campaigns hiding under the surface.

The botnet hacker

Italian citizen Fabio Gasperini was sentenced in 2017 to one year in jail in the USA, as well as a $100,000 fine as a result of his involvement in a botnet hacking scam. Gasperini targeted servers that are used by companies for large-scale data storage and transfer, gaining control of these servers to use as simulated web browsers.

Gasperini was able to use the servers to set up a network of around 100,000 computers around the world and use them to send automated clicks on ads that were embedded on websites that he owned. He also defrauded big businesses that were paying for these ads, including Nike and Walt Disney.

When you consider that one man was able to do such extensive damage, it just goes to show what can happen when you have a seriously organised criminal network.  

We also looked at this case on the ClickCease blog back in 2017…

Search engine clampdown

Microsoft and their Bing search engine are the second biggest player in the PPC world (excluding social media sites), and they have been known to take click fraud very seriously. Back in 2009, Microsoft sued a family team based in Vancouver, BC, for their part in a click fraud scam designed to drive traffic to their World of Warcraft and auto insurance-based websites.

Microsoft was awarded $750,000 in damages, although they also stated that they lost out on $1.5 million in refunds as a result of fake clicks by the scammers.

Criminal bot networks

We mentioned Methbot earlier, but this huge criminal scam is a long-running and hugely profitable bot network that is designed to make money off video advertising. The network makes around $3-5 million a day by using fake websites to stream videos, racking up views, and huge payouts.

It is alleged that the gang has set up around 250,000 URLs that host video adverts which rack up around 300 million video ad views each day!

The sophistication of the Methbot set-up is staggering, with domain names made to look like they belong to well-known brands like ESPN and Vogue, around 570,000 bots, and the software making the interaction with the videos look like genuine human behavior.

Another sophisticated bot setup that was uncovered in 2017 is Hyphbot. With around a million URLs registered, Hyphbot was a prime example of ad spoofing, a practice where fake websites are made to look like big-name publishers like The Economist or The Financial Times. Advertisers then place their ads on these spoofed sites, which then receive a high volume of bot traffic, inflating the PPC payout.

Although there has been a decline in Hyphbot-related activity, it is still thought to be active and making around $500,000 a day.

The click farm

One of the most notorious click farms discovered was in Thailand in 2017. With around 500 smartphones linked up to 350,000 SIM cards and nine computers, the click farm was connected to Chinese fraudsters who used the click farm to boost likes and engagement on the Chinese social media site WeChat.

The owners of the click farm were allegedly paid $4400 a month to run the set-up.

Bangladesh and India are also regularly listed as some of the top places to set up click farms, thanks to the low wages paid to workers. One report suggests that workers paid $120 a year work in shifts to click on multiple smartphones, liking posts, and following profiles on sites like Facebook, Instagram, and Twitter.

The next time you see an Instagram account that seems to have an unfathomably large following, it might be thanks to click farms. In fact, many popular influencers and business accounts, and even some celebrities, have used click farms to inflate their popularity online.

When it comes to Google Adwords fake clicks, companies who want to waste their competitors’ advertising budget can easily hire a click farm to click on ads. A simple search online will net plenty of places where you can buy fake clicks for a low price, for whatever purpose you want. Click farms are a very real and growing business.

DCCBoost attack

The bad cyber actor DCCBoost, also known as the Grinch, resurfaced back in late 2020. Hiding beneath layers of fingerprinting, client-server communication, and intricate client-side traps, its goal was to redirect victims to gift card and lottery scam pages. 

The scammers used a chain of JavaScript codes to encode and decrypt the initial payload inside the source attribute of the displayed ad banner. 

It was discovered that over 25 million fake ad impressions with some variation of this payload have been registered over the internet spread across just about 40 distinct malicious domains hosting the server-side infrastructure.

Dealing with Invalid Clicks in PPC Campaigns

As click fraud is a huge problem, and one that is growing by the day, there are several steps you can take to minimize and mitigate your exposure to it. The good news is that major search engines, like Google and Bing, have some strategies in place to combat click fraud and PPC ad fraud.

However, many feel that their efforts fall short and that there is a whole world of invalid traffic, or click fraud, that isn’t picked up.

For example, Google blocks things like high bounce rate visits (often the sign of an accidental click or obvious web scraper) or multiple visits from the same IP address. But more often than not, you’ll need to flag up suspicious activity yourself and request a refund.

In the cases where Google takes a deeper look at the issue, you’ll normally find it can take anything up to a month for the issue to be inspected and for your refund to come through. When you’re looking at batches of ten clicks on $10 keywords, this can run into the hundreds or even thousands.

Spotting these multiple clicks from specific sources isn’t the hard part; in fact, we’ll be looking at how to spot fraudulent clicks later on in this guide. It is the increasingly sophisticated click fraud approaches that cause the biggest headaches. With software able to imitate human behavior, switch IP addresses using VPNs and proxies, or even those click farms pulling the wool over the search engines’ virtual eyes, additional measures are often needed to minimize exposure to click fraud.

Using dedicated click fraud prevention software is the most effective way to make sure that you’re tackling those invalid clicks.

How can you identify click fraud?

We’ve established that click fraud is a pretty big issue, with lots of variations and the potential to really sting your cash flow. So how do you identify when you’ve been a victim of click fraud?

There are several manual checks you can do yourself to see if there has been any fraudulent activity on your ad campaigns. These don’t always give a 100% accurate reflection of what has been happening but can serve as a useful outline and possibly flag up some of the more obvious violations.

Checking IP addresses

You can use tracking tools, including WordPress plugins, for IP address logging to track IP addresses that have visited your site. You can also check your website visitor logs to see how many times the same IP address pops up over a specified time. If you notice that the same obscure location or IP address has been visiting your site regularly, then this might be a red flag for you to try and block this IP address or location.

Google does offer some protection against multiple visits from a single IP address or device. Although it isn’t perfect, and the parameters might not necessarily be what you would set yourself, it is a form of damage limitation.

Checking publishers

If you’ve been subject to one of the most popular forms of ad fraud, which is channeling your ad onto a dodgy website, then checking your publisher list will help you keep an eye on it. Look in the ‘placements’ section of your Google Ads and check the high-traffic sites for any suspect activity. If you think any of them might be fraudulent, you can block them from your publishers’ list.

A few giveaways that a site is fraudulent include pages that appear to be covered in ads, no content (or very little content of any substance), and recently registered domains.

Monitor campaign activity

Suspicious timings or spikes in engagement might be a sign that someone is targeting your ads. Especially if you seem to be getting lots of clicks and little in the way of engagement.

You might also spot a high click rate from a country that might have little to do with your market. For example, if you’re a US-based company and you appear to be getting lots of clicks from the Philippines but no conversions/sales, that could be a marker that you’ve been the target of a click fraud campaign.

Click fraud protection strategies

Aside from locations, devices, IP addresses, and dodgy publishers, it can be hard to spot other forms of fraudulent traffic. Forms of fraud that mimic human behavior or hide behind proxy servers are going to be hard for you to spot yourself. And as the processes and techniques are becoming more sophisticated, keeping track of developments and fraud can be a Herculean task. This is where using click fraud protection software comes into play and can really make a big difference.

How to manually block click fraud?

Of course, you’ll want to do everything you can to limit the number of fraudulent clicks coming through on your ad campaign. It can be tricky and a little labor-intensive to get everything battened down, but it is definitely worth doing these manual fixes.

Even if you’re not that tech-savvy, you’ll be able to find guides to making your PPC campaigns as watertight as you can. And where possible, we have linked to the resources to help you use some of the best techniques to minimize your click fraud exposure.

Set up IP and ISP exclusions

If you’ve identified a pesky IP address that seems to be doing something strange, and you’re pretty sure they’re messing up your PPC campaign, you can set up some exclusions. As an IP address normally refers to a specific device or location, this can cut out fraudulent PPC activity from specific users.

We have a guide to setting up IP address exclusions.

Remarketing campaigns

If you’re not looking to boost your reach at the moment, then remarketing could be a useful campaign strategy. It looks at visitors who have visited your site before and pops up on partner websites, ensuring your brand stays in their minds and possibly even encouraging repeat custom.

Of course, one of the main benefits of remarketing campaigns is that you’ll only be showing up for people who have shown an interest in your business before. It should also limit your exposure to bots or click farms, especially if you’re not in their target area.

You can find out more about running remarketing campaigns on Google’s support pages.

Adjust your targeting

By tweaking your targeting for your ad campaign, you can hugely reduce the exposure of your PPC campaign to fraudulent activity. Excluding certain geographic locations, languages, demographics, and devices can make a big difference to the success of your advertising. If you see suspicious activity coming from one particular demographic, exclude it and see what happens. You can always change it again later…

How To Automatically Block Click Fraud

As the click fraud industry remains unchecked by controls and the profits just keep getting bigger, more and more companies are waking up to the impact that click fraud is having on their budgets. 

In fact, a recent study by Juniper Research estimates that the rate of wasted ad budget due to ad fraud will be around 22% of all digital advertising spending in 2023. This means that for every $100 spent on digital advertising, $22 is wasted on fraudulent activity. This figure is expected to rise to $172 billion by 2028.

By following our tips above, you’ll be able to plug some of the leaks in the dam. But of course, you want to plug all the leaks in and make sure nothing is getting past you. The best way to make sure you’re keeping all of your ad spend on target and not losing any to fraud is by using click fraud protection software. 

Although it might seem counterintuitive to spend money on protecting your ad budget, when you consider that you could be losing hundreds of dollars a day, it might make more sense as an investment.

ClickCease is a market-leading click fraud protection software service that is used in over 2 million online ad campaigns. By using a sophisticated and constantly updated series of algorithms, you’ll be able to minimize your exposure to click fraud and ad fraud activity.

If you’re running Google or Bing ad campaigns, then you’ll be able to prevent bot traffic and click farm activity and minimize invalid clicks on your PPC ads. ClickCease works on all of the most popular web hosting platforms, including WordPress, Wix, Shopify, Squarespace, and Drupal.

Although ClickCease blocks the majority of fraudulent activity, if any activity is detected after it has happened, then ClickCease can provide the details for you to apply for a refund. Unfortunately, Google no longer allows third parties to apply for refunds on their customers’ behalf.

Do I really need click fraud protection software?

So do you really need to use click fraud protection software?

Maybe it’s better to look at it from another angle.

Are you bidding on high-value keywords? The more you pay for your average PPC, the higher your chance of being exposed to click fraud. Although losing clicks on $1 keywords might sting a little, it’s when you get to those $10 and up search terms that you might start to notice a hole in your marketing budget. Your search term can include one of the expensive keywords, so, for example, ‘travel insurance’ and ‘best value health insurance’ all fall under the banner of ‘insurance.’

If you’re wondering what the most expensive keywords are, and by extension, those most at risk of exposure to click fraud, these are the top 8 most expensive industries for PPC campaigns.

If your PPC keywords include some of these words, then your campaign is at heightened risk of click fraud or ad fraud. As some of the PPC prices can go anywhere up to $50 and over per word, these are very attractive for fraudsters.

Even invalid and genuinely accidental clicks on these keywords can really add up to making a big dent in your marketing budget. If you do use any of these search terms, take a look at your historical AdWords campaigns and see if you have been exposed to any invalid clicks.

Businesses that use any of these search terms could find that using a click fraud protection service, such as ClickCease, could boost their effective marketing spend by up to 30%.

What else does ClickCease do?

In 2022, we launched our new Bot Zapping tool. Currently available for WordPress websites, Bot Zapping allows website owners to block bot fraud such as:

• Content scraping
• SEO spam injection and spam bots
• Account takeover
• Payment card fraud or carding

Blocking fraudulent activity is one thing, but ClickCease also offers some great insight tools which are incredibly useful for your marketing. You can also get new competitor notifications whenever someone starts to bid on your keywords.

As ClickCease tracks all activity on your website from PPC advertising, you can also get an insight into customer behaviour. See mouse movements and where visitors to your site have clicked on your site to understand how customers interact with your business.

So as well as minimising fraud on your ad campaigns, you’ll also be able to get crucial marketing insight that could help you get the most out of your PPC advertising. When you look at the modern click-through rate as under 2% for search ads and around 0.35% for display ads, understanding how to maximize your results is essential.

We’ve come a long way since the days of 44% click rates on that very first online banner ad! Today you need as much help as you can get to win over potential customers.

Sign up for the best click fraud detection and prevention. ClickCease blocks fraud on Google, Bing, and Facebook Ads – so run a diagnostic on your campaigns to see how much invalid traffic you’re seeing.

FAQs

Is click fraud illegal?

Although there are laws across the world that protect against click fraud, it’s not so simple to answer the question, ‘Is click fraud illegal.’ 

The act of defrauding advertisers is generally considered illegal in most countries, but the problem is policing it.

Clicking multiple times on a search result; creating a website designed to host banner ads and then channeling traffic through it; hiring a click farm to download an app 100 times a day. This is all obviously highly damaging and fraudulent practice, but hard to prove and a grey area when it comes to legality.

There are some cyber crime authorities to whom you can report activity if you believe there is a serious and organized threat occurring. These include Europol, the UK’s National Crime Agency, the FBI, and Interpol.

However, most of these agencies are set up to tackle more obvious cyber crime threats such as identity theft, people smuggling, drug dealing, terrorism, pornography, and other more tangible problems.

How does fraud protection software work?

One of the main benefits of using fraud protection software is that it is constantly learning about new threats and adapting its algorithms. When a suspect IP address, device, or VPN is identified, it’s then added to the list of blocked sources. So if you’re running a PPC campaign and you’re protected by software such as ClickCease, you’ll be able to benefit from the ongoing process of identifying suspect sources.

The post What is Click Fraud? The Complete Guide 2024 appeared first on ClickCease Blog.

But as fake clicks and ad fraud continue to pose a growing menace, Facebook finds itself facing a significant challenge. The good news is that the platform is actively working on finding effective solutions to tackle this problem head-on. The aim is to remain a reliable advertising network for its advertisers. 

Running ads on Facebook is nothing new, with the company also owning another social media behemoth, Instagram. So, if you plan on running an ad or marketing campaign on social media, you’re probably considering one of Facebook’s offerings through their Meta Business Suite.

With that in mind, understanding how your Facebook ad can be affected by ad fraud, or click fraud, is an important step in avoiding and minimizing your exposure to it.

How does ad fraud on Facebook work?

In much the same way that other online advertising can be defrauded, so can Facebook’s. In August 2019, Facebook actually sued two Asian-based software developers for ad fraud on the Audience Network. It’s alleged that the two app developers, LionMobi and JediMobi, both created apps that were infected with malware. Once installed, the malware would then perform a click injection attack or flood fake clicks on Facebook ads, which would pay out to the advertisers.

Facebook’s Audience Network is a display ad platform, not unlike Google’s display ads. What this means is that external websites and mobile apps can sign up to display ads from Facebook. If a visitor then clicks on these ads, the site or app owner will receive payment for hosting the ad.

You might also be aware of the problem of scam ads on Facebook, and yes there are plenty of Facebook fraudsters. But it’s worth noting that this is a different kind of fraud. These genuine adverts have been created to defraud potential customers, often relating to cryptocurrency or suspect products like diet pills – and you’ll find plenty of people who have been scammed by fake Facebook ads. 

So when we talk about ad fraud on Facebook, we refer to the process where fraudsters with malicious intent drive fake engagements on paid ads. This way, advertisers not only spend their budgets ineffectively but also see irrelevant data in their marketing stats.    

The most common types of Facebook ad frauds

Although the example of the fraudulent app developers is quite alarming, in fact, the majority of Facebook click fraud comes in the form of more general fake clicks or invalid clicks. These are most likely to be clicks from:   

• Bot Traffic which is automated traffic coming from bots or botnets
• Click farms, designed to drive up the popularity and traffic of pages and sites
• Competitors looking to deplete your advertising budget
• Invalid/accidental clicks coming from non-interested parties, such as people just browsing or accidentally clicking on your ad

Bot Traffic

Put very simply, bot traffic is any non-human automated traffic that goes through your ad. Frustratingly, bot traffic does still count as a click, even though there is no chance of a sale or interaction from it. These bots can be anything from scrapers, amassing information from across the web, to viruses, malware, or any other automated process. It’s estimated that around half of all internet traffic is of the automated variety!  

You can read more about bot traffic here.    

Click Farms

The click farm can be either a group of people, hired to click on ads or social media profiles, or an automated setup. Yes, they do exist, normally in low income countries such as Bangladesh or the Philippines.

People can buy clicks online for whatever purpose they need, from driving up traffic on a website to getting more followers or likes. These purchases tend to go through click farms.

Read more about click farms here.

Competitors

The one thing about a PPC advertising campaign is that it can soon add up, and if you’ve set your budget correctly, your ad will stop at a certain level. Competitors know this and play games with your ad, clicking on it multiple times to maximize your ad budget.  

In fact, competitor click fraud is one of the most damaging (and alarmingly common) forms of PPC fraud, on all ad platforms.

Invalid/accidental clicks

This refers to any click on your ad that is unintentional. It might be from people not paying attention to what they click on, or from a shared post that attracts random traffic on Instagram or Facebook.

Are Facebook ads safe?

With the rising significance of the topics of click fraud and ad fraud, Facebook is becoming more and more active in combating it from its platforms.

Facebook has declared that they are taking ‘steps to reduce the risk of abuse from invalid clicks’. As an advertising platform, their end goal will remain to help advertisers improve their ad performances. According to this statement, Facebook won’t charge you for any clicks that are determined to be invalid.   

In one instance Facebook sued a company that was selling fake likes on its Instagram platform. They also appear to be making an effort to remove spam and scam pages, or those that have been identified as having inauthentic behavior.    

So, Facebook is doing its bit to protect its users and advertisers from fake activity. But what can you do on your end to avoid click fraud on your ads? That’s exactly what we’re about to explore below, so keep reading if you want to protect your Facebook ads and budget.

How can you avoid ad fraud?

In terms of actions that you can take in your hands when it comes to protecting from fake activity in your ads, you can consider the following:

Pay attention when setting up your ad

It’s very easy to set up a Facebook ad, and also very easy to do it wrong. It’s highly recommended you take a look at Meta’s own documentation and tutorials about setting up an ad online to make sure you target the correct demographic and general audience.

The first defense against problems with your Facebook ads is doing it right!

Choose your audience wisely

When setting up your Facebook ad, you have an incredible amount of control over who sees your ad and where. From age ranges, job types, geographic locations, interests… This is one of the best things about using Meta for your advertising.

With this in mind, it can be tempting to go for the broadest possible canvas and watch those customers come rolling in. However, it pays to be a bit more cautious, especially when starting out. It’s easier to track invalid traffic when you have your audience narrowed down.

Study your customer personas, work out who best to target, as well as the when and where. This will help you avoid fraudulent traffic considerably.   

Pay attention to traffic coming from Audience Network

As we’ve already seen in this article, Audience Network does mean that your ad is displayed on partner sites and apps. It’s an effective tool for your ad to reach a wider audience that can’t necessarily be reached through the Meta platforms themselves. 

Audience Network does offer a very interesting way of getting your message out there, with a range of options to display your ad. From traditional banner ads to reward videos, there is no doubt that they can be effective.

However, it’s also a very easy tool for ad fraud networks to use too. Through malware installed on their apps, or by using click farms, they drive fake traffic on ads displayed on their websites or apps that are part of the audience network. This way they inflate their numbers and ultimately earn more money from these ads.

So it’s definitely not a tool that you want to skip in order to use the platform to its full potential, but be aware to keep an eye on your ‘Audience Network’ traffic.

Blocking users and locations

As well as choosing specific demographics and locations, you can also block certain hotspots or user profiles from viewing your ad. You might want to pre-emptively block traffic from some countries such as Pakistan, Nigeria, or Venezuela, but then what about the authentic traffic from these sources? You might also be a business based in those countries, or targeting those markets, so this might not be your best option.

What you can do is monitor traffic and activity through Google Analytics, or any other website trackers. If you spot multiple visits from certain IP addresses, or a particularly high traffic flow from non-standard locations, then you can add these to your block list. 

Using a click fraud protection package 

Identifying fraudulent traffic is one thing, but avoiding it to happen in the first instance is another. That’s why using an ad fraud protection tool is the most effective way to keep your ads safe from fraudulent activity.

Having a platform partner to fight against this challenge will not just detect fake traffic, but will also block it from engaging with your paid ads.

ClickCease is a trusted partner to over 14,000 advertisers across all industries protecting their paid advertising and website from harmful traffic. The Facebook Ad protection tool by ClickCease is designed with the goal to ensure that your Facebook ad budget is used for genuine users only.

For this reason, the rules above for avoiding bad Facebook traffic are so important.

Start your free trial here.

In conclusion

Aside from Google, Facebook is one of the biggest and best advertising platforms available. For boosting your brand visibility or getting more engagement with a product or service, it’s close to unbeatable. Especially when you consider that Instagram, Facebook Messenger, and the Audience Network can all maximize your ad reach.

If you are using any of them for your advertising, click fraud is still a big problem and one that is only getting bigger. If you want to stay in full control of your ad spend and be assured that it’s seen only by REAL people who are potential customers, ClickCease is a wise investment.   

The post All About Facebook Ad Frauds: What Makes Meta a Safe Platform? appeared first on ClickCease Blog.

Pretty much everyone these days knows that a sizeable chunk of many social media accounts are automated. 

An estimated 95 million Instagram accounts and 270 million Facebook accounts are thought to be either bots or fake profiles. And despite the impact of fake news, disinformation, and troll accounts, we’re learning to live with it and basically ignore the issue.

But, for digital marketers, bots on Facebook have other negative impacts. And with the sums of money involved, they’re kinda hard to ignore.

Before we dig into the resulting problem, let’s look at the types of Facebook bots and audiences and what they’re doing. 

Types of audiences & bots on Facebook

The term bad audiences refer to any form of social media account that has a minimal to zero chance of converting. This might be because they’re designed for a purpose other than genuine interaction, or, they’re not actually human.   

Bot accounts

It’s actually quite easy for even a novice programmer to create a Facebook or Instagram bot. They can then use these bots for a number of processes, from spreading disinformation to inflating engagement on specific accounts.
There’s a well-publicized account of a vending machine in Moscow selling Instagram followers and clicks for just a few dollars. And while researching click farms, I myself spoke to two people who showed me their Instagram bots in action.

Duplicate accounts 

Duplicate accounts don’t necessarily mean bots, and there are a number of reasons why people would use a duplicate account on Facebook. For reasons as diverse as managing their business, trolling people, or stalking their ex.   

Although these are not necessarily fraudulent accounts, they are most likely used for a specific purpose and so have less chance of converting. 

Zombie or compromised accounts

When people either stop using their profiles or die, their accounts are known as zombie profiles. Although there are processes to remove these accounts from social media, many of them are still floating around out there. 

These accounts can also be compromised or hacked by bots or hackers. 

Cyborg accounts

On Facebook itself, there is the ongoing problem of fake accounts created to spread or amplify disinformation. 

These accounts are often run from some form of click farm, with the Russian troll factories perhaps the most infamous example. Fake accounts like these are usually operated as a combination of humans and bots, referred to as cyborg accounts.  

Often these accounts will use bots to post or share content (usually from dubious sources), comment, or inflate the popularity of groups, businesses, and individuals. However, they also use humans to interact with the site, such as commenting on posts or responding to comments. This can often generate ad impressions.   

Malware clicks

The Facebook Audience Network is a popular method of advertising on third-party apps. But the problem with these apps is that you can’t always be sure those clicks are genuine.

There have been a number of recent cases of malware within apps generating click traffic fraudulently. One of these, DrainerBot, was able to view video and banner ads even when the infected app wasn’t being used.  

Malware often leverages the genuine activity of the human user by hijacking touches and clicks. Known as clickjacking or click injection, the developer can generate revenue by fraudulently amplifying or diverting the click to an ad often without the user’s knowledge.

Data center traffic

There are a number of ways that your ad impressions can be generated by data centers. One of these is web scrapers or data harvesting. Many legitimate software programs such as Ahrefs and Google use these scrapers to collect data from the internet.

However, there are plenty of less sophisticated web scrapers that can inadvertently generate an impression on a Facebook ad.

Another form of data center traffic, and one that has been well publicized, is fraudulent botnets. Fraud campaigns such as 3ve and Methbot used data center traffic to route their bots and hide their true location or identity.

What’s in an ad impression?

Marketers running ads on Facebook know that impressions matter. We mean ad impressions, of course. 

So how many of your ad impressions are being wasted on bots and bad audiences?

Data from CHEQ.AI shows that around 4% of all ad clicks and impressions on Facebook are from bots or non-genuine accounts. 

Facebook actually purged 2.2 billion fake accounts from January to March 2019. An amount that had doubled since the end of the previous year.

You’ll find these duplicate or fake accounts on both Facebook and Instagram.

How Facebook bots affect your marketing

However much you’re spending on Facebook Ads, there is a high chance you see some bad audience traffic.  

Each ad impression costs you money, which is obviously the main way that you’ll see an adverse effect. But what about the other ways bots and bad audiences affect your ads?

Skewed analytics

Bot traffic and bad audiences that aren’t excluded from your analytics also leave an impression on your data. Many businesses focus solely on the KPIs, the traffic, and the engagement. If your traffic seems a success, why not pump more money into the platform that generated it?

Being aware of the bot traffic on Facebook Ads can help you better understand your ad performance overall. It can also help you to exclude these bad audiences, and maximize your ad targeting.  

Bad retargeting

It’s one thing if your ads target bad audiences once. But what about if you retarget your ads to these automated accounts and bad audiences? In effect, you’re spending twice (or more) on ad impressions and potential clicks.

Fake leads

Increasingly, bots are able to interact with links in a more human manner. This includes completing forms or generating downloads, which as well as skewing your analytics, can also result in false leads.

These fake leads lead to additional wastage from retargeting, marketing, and even direct sales inquiries.    

Cart abandonment

Shopping based sites also see high rates of cart abandonment from bot traffic. This results in knock-on effects such as inventory distortion, skewed distortion rates, and a reduced ROI from your ads.     

Carding

Another issue for shopping based sites, carding is where a bot will try to use multiple fraudulent or stolen card details to generate a sale. It’s a method that criminals use to verify which stolen bank cards work. 

Carding is another practice that distorts your metrics and ROI, results in fraudulent purchases and disputed transactions, and can also result in criminal charges for the seller. 

Blocking Facebook bots bad audiences

Increasingly, digital marketers are becoming more aware of the impact of bots on their ads. The need to filter and manage invalid traffic has become a part and parcel of online ads, especially on Google Ads.  

Facebook Ads, as we’ve seen, isn’t immune to the problem of ad fraud. 

Taking back control of your marketing spend means using fraud prevention software. As well as blocking bots proactively, you’ll also gain insight into how your ads are interacted with, the factors that trigger the fraudulent clicks, and more insights such as locations. 

As the industry leading click fraud prevention software, ClickCease is the choice of professional marketers and global brands. With an ever growing blocklist of bots and fraud sources and the best fraud filters on the market, ClickCease makes blocking invalid traffic easy.

Sign up for your free trial to run a diagnostic on your ads.

The post How to Protect Your Ads from Bots on Facebook? appeared first on ClickCease Blog.

This has led to alarming levels of click fraud losses for advertisers. It is estimated that global losses due to click fraud will reach 100 billion U.S. dollars in 2023, a significant increase from the 35 billion reported in 2018.

In this post, we’ll list the most famous examples of click bots over time, their impact on ad campaigns today, and how you can avoid them.

What is a click bot?

A click bot is a type of software program designed to simulate user clicks on ads or other types of web content.

In some cases, click bots can be beneficial. For example, some of them perform useful activities online, such as scanning websites for errors, tracking links in emails to detect spam, or automating tasks.

However, the majority of click bots nowadays are used for fraudulent purposes. From fake traffic to manipulating ad campaigns, these bots seriously harm the online ecosystem.

They can be used to perform simple tasks like clicking on buttons, posting comments (spambots), or visiting websites (bot traffic). But, fraudsters are creating more sophisticated bots that can carry out more complex tasks and even mimic real user behavior. This can include ‘browsing’ a website, adding items to shopping baskets, or completing forms and downloads.

In addition to individual click bots, there are also botnets. These are networks of interconnected bot programs that can perform tasks individually or as a unit. These bots are often run from a command and control (C&C) center by a human operator. The bots themselves might be embedded on servers in a data center, or they can also be presented on infected user devices such as laptops and smartphones.

What do click bots do?

The main goal of click bots is to deceive ad campaigns by generating fake clicks. They are conducted in a way that makes it look like the ad is being clicked by a real user.

In the case of PPC fraud, the focus is fraudulent clicks on ads (display, video, or text/search results). These ads are normally embedded on a website owned by a fraudster. The idea is that the fraudster then collects the payout for the clicks (or video impressions) on the ads that his site is hosting.

Some other activities that click bots perform include generating bot traffic for social media, engaging with websites, and spamming or commenting.

This bot traffic can also be used for more malicious fraud, such as distributing copies of themselves and spreading viruses. It can also perform cybercrime-related activities, such as denial of service (DDoS) attacks.

How do these click bots work?

The bots themselves are technically a type of virus or Trojan, usually embedded on an internet-connected device such as a computer, tablet, server, or cellphone.

The bots from these devices can then be either used as part of a network to click on these ads en masse. Or, they can carry out localized click fraud, for example, within an app (known as click injection or click spamming).

Whatever the technique, every ad click costs an advertiser, somewhere in the world, some money…

Click fraud pre-2006

Most mentions of click fraud before 2006 are related to the practice of hosting ads on a low-quality site (or sites) and then clicking them en masse to collect the payout.

This tended to be quite simple, with fraudulent publishers signing up their low-quality site for Google AdSense and then clicking the ads themselves (or hiring someone to do it for them).

Even in 2003, there were mentions of bots clicking on these ads, but much of the information is based on assumptions and partial research. Knowing there was a big problem with click fraud and ad fraud, Google employed a dedicated team to tackle the growing problem.

Competitor click fraud has also been a problem since the early days of pay-per-click (PPC), with the practice becoming commonplace today.

So, it was just a matter of time before click bots proliferated and became a bigger problem…

Click fraud post-2006

Clickbot A

• Years active: 2006
• Estimated cost: $50,000
• Estimated infections: 100,000 computers

In 2006, Google detected malicious software called Clickbot A that conducted low-noise click fraud attacks on syndicated search networks.

The bot targeted search results on Google-provided sponsored sites, with around 100,000 machines powering it.

Clickbot A was the first real evidence of click fraud botnets, causing an estimated $50,000 worth of fraud. However, it pales in comparison to the more massive botnets that emerged later.

DNS Changer

• Years active: 2007-2011
• Estimated cost: $14 million
• Estimated infections: 4 million computers (both Internet Explorer and Apple devices)

The DNS Changer scam was created by a team of Estonians and Russians known as Rove Digital, which infected web browsers with ad fraud bots.

The botnet changed infected devices’ web addresses to domains owned by the gang and displayed ads that earned commissions.

The DNS Changer ran for 4 years, with features that prevented anti-virus updates. Vladimir Tsastin, a member of the group, was convicted of wire fraud and money laundering. It is one of the first court cases against an ad fraud bot network.

Miuref

• Years active: 2013 – present
• Estimated cost: Unknown
• Estimated infections: Unknown

Miuref, also known as Boaxxe, is a Trojan that can be delivered through fake documents and used for various online bot attacks. It was notably part of the 3ve botnet campaign and can also mine Bitcoin, steal data, and exploit security vulnerabilities.

Despite being detectable and removable by antivirus software, Miuref remains a problem and continues to spread. 

It’s unclear exactly how much financial damage Miuref has caused, as it is often used in conjunction with other botnets. And, as it isn’t specifically a PPC campaign bot clicker, its financial impact will be in the multiple billions.

Stantinko

• Years active: 2012 – present
• Estimated cost: Not known
• Estimated infections: 500,000+ machines

Another multi-use botnet, Stantinko has been identified as being behind a number of ad fraud campaigns but has recently shifted over to crypto mining.

Initially, it was detected as a malware component in Chrome extensions, which facilitated ad injection. Additionally, the bot can install adware, access WordPress and Joomla sites, and perform Google searches.

The gang behind this botnet has managed to keep it going for so many years as the code for the bot is hidden within reams of legitimate code. Stantinko affects mostly Russia and Ukraine but has also been found on systems outside these areas.

Bamital

• Years active: 2009 – 2013
• Estimated cost: $700,000 per year
• Estimated infections: Up to one million desktop machines

Bamital, a type of malware that committed click fraud by redirecting search engine users to ads or pages with malware, was discovered by Microsoft in 2013.

This bot evaded detection by hiding in web pages and being installed through ‘drive-by’ downloads.

The botnet was estimated to generate up to $1 million per year for its operators. Bamital’s search-hijacking technique affected Bing, Yahoo, and Google searchers.

Chameleon

• Years active: 2013
• Estimated cost: Around $6 million per day
• Estimated infections: 120,000 desktop machines

The Chameleon botnet, one of the initial click bots to mimic user behavior, targeted display ads, which was groundbreaking as text ads were the norm.

Despite being relatively simple, it diverted over 50% of the ad revenue from 200 targeted sites through a uniform random series of fraudulent clicks and rollovers.

Kovter

• Years active: 2014 – present
• Estimated cost: Not known
• Estimated infections: Unknown

Kovter is another click fraud botnet that has been leveraged by bigger campaigns. Like other long-lasting malware, it has managed to hide in long lines of code, including Windows registry files.

It’s a particularly clever bot that does its damage when the system is in ‘sleep’ or ‘standby’ mode. Kovter can also shut itself down whenever a system scan is started, making it hard for standard virus scanners to find it.

Methbot

• Years active: 2015-2017
• Estimated cost: $3 million per day at the peak
• Estimated infections: 1,900 dedicated servers running 852,000 false IP addresses

Methbot, the infamous botnet, used infected servers to fake website identities and generate fake video ad impressions. The group behind Methbot reportedly earned up to $5 million a day through these fake impressions.

Methbot’s distinctive characteristic was its ability to pass off its fake inventory as legitimate premium inventory. Its massive scale alarmed the digital marketing industry, and it remains the standard for click fraud schemes, although its successor, 3ve, eventually surpassed it as the largest fraudulent network.

3ve (Eve)

• Years active: 2017-2018
• Estimated cost: At least $29 million
• Estimated infections: 1.7 million hacked computers

As Methbot was being shut down by the FBI, a new and bigger ad fraud network came to the fore. 3ve was actually run by most of the same team behind Methbot, but the complexity of this scheme was truly impressive.

3ve was capable of even more video impressions and also managed to work despite ads.txt – actually using ads.txt lists to spoof inventory.  

It turned out that a team of Russian and Kazakh nationals was behind this huge scam, and the team made an estimated $29 million from its efforts. 

HummingBad

• Years active: 2016
• Estimated cost: $300,000 per month in 2016
• Estimated infections: 10 million Android devices worldwide

HummingBad, a malware allegedly created by Chinese company YingMob to inflate ad clicks, highlighted the issue of mobile app infections.

The software was not only an ad bot clicker but also had the ability to disguise click origins and potentially install software on devices without user knowledge.

Although shut down in 2016, it resurfaced as HummingWhale in 2017 and infected over 20 Google Play store apps.

HyphBot

• Years active: 2017
• Estimated cost: Up to $1.2 million per day
• Estimated infections: At least 500,000 computers in the US, UK, Netherlands and Canada

Another ad clicker that managed to get around ads.txt, HyphBot, was thought to be three or four times bigger than Methbot.

It exploited ads.txt lists to generate composite domain names, creating fake video ad impressions. The creators utilized an existing botnet network to click ads.

HyphBot ran for a short time but managed to embezzle millions of dollars in fraudulent ad revenue before eventually disappearing.

DrainerBot

• Years active: 2018 – 2019
• Estimated cost: Not known
• Estimated infections: At least 10 million infections when discovered

DrainerBot, as a malware botnet, was embedded in a software development kit (SDK) found in Android devices.

The botnet evaded Google’s Play Protect checks and committed ad fraud by playing video ads in the background (using lots of data and battery power in the meantime). It’s no strange why the malware earned the name DrainerBot. It could use up to 10GB of data and was draining battery life quickly.

All apps identified as containing DrainerBot have been removed from the Play Store, but this ad clicker bot may still be out there…

404Bot

• Years active: 2018 – present
• Estimated cost: At least $15 million
• Estimated infections: Not known

Another botnet targeting the weak links in ads.txt, this bot clicker spoofs domain inventory in a similar way to HyphBot. In fact, it seems that 404 Bot is capable of passing several different preventative techniques and continues to deplete marketing funds as we speak.

With an estimated $15 million in damage as of February 2020, how many more millions will be siphoned off by 404 Bot?

Tekya

• Years active: 2019-2020
• Estimated cost: Not known
• Estimated infections: At least 56 apps, over 1 million downloads

Tekya, a clicker bot, was found in 56 Android apps, including children’s games and utility apps. It engaged with ads without user knowledge, using a clicker malware called Haken.

Since May 2019, Tekya has committed click fraud on over 1 million downloads, clicking on visible and invisible ads to mimic user behavior.

And this isn’t all….

This list of click bots and ad fraud networks isn’t even definitive. We haven’t even mentioned Judy, a malware-based ad clicker from South Korea that was allegedly distributed by an app developer to inflate their ad revenue.

Some other known botnets that we haven’t mentioned are IceBucket or SourMint, both recent botnets that have caused havoc. There are dozens of smaller botnets that don’t have a name or run long enough for the authorities to find them.

The impact of these types of bots on paid campaigns

Click bots can be a total headache for everyone running online ads. From advertisers that run PPC campaigns for clients to small business owners running their own ads to marketing teams managing multiple marketing activities.

We’ve already mentioned that fake clicks mainly affect PPC ads and their budgets. Unfortunately, this also leads to many more negative effects. Below are the top ones you should aim to avoid:

• Waste of marketing budgets: The main pitfall of click bots. Every time a click bot generates a fake click, it’s wasting your ad budget.
• Misleading analytics: Fake click data is also incorporated into your analytics. This gives you incorrect insights, leading to poor decision-making.
• Challenging optimization process: Campaign optimization based on irrelevant data will not produce a positive outcome, again wasting your time and efforts.
• Decreased engagement: When the click bots artificially increase click-through rates, it can lead to decreased engagement from real users.
• Ineffective ad targeting: Adjusting audience targeting due to bot traffic can harm your other marketing optimization efforts as well.

As we can see, click bots are not just affecting your ad campaigns like Google Ads or Facebook Ads, but they are a threat to your overall marketing efforts as well.

That’s why it is important to prevent them from happening in the first place.

How to detect and block click bots

Detecting bot clicks can be challenging, but it’s not impossible. Here are some actionable steps that you can take to detect and avoid click bots:

1. Monitor Your Website Traffic: Keep track of your website’s traffic to detect suspicious patterns, such as sudden increases in clicks or clicks coming at unusual times of the day.
2. Narrow down your targeting: With more specific audience targeting, it’s easier to detect when clicks are coming from unusual audience groups.
3. Limit your ad runtime: By not running your ads 24/7, you can limit the possibilities of some click bots that are scheduled at specific times to access them.
4. Implement CAPTCHAs: CAPTCHAs are a popular way to prevent bots from accessing your website. The most basic forms usually include image or text recognition tests to verify that the user is human.

While these steps can help reduce bot traffic’s impact, it’s essential to note that they cannot guarantee 100% effectiveness. We’re also aware that implementing them can be difficult and time-consuming.

Fortunately, ClickCease streamlines this whole process. ClickCease is a bot detection tool designed to mitigate and block bot clicks in real time.

If you want to keep your PPC ads (or any other marketing activity) free of click bots, check out the free trial here. You can look at exactly how many fake clicks your ads get before you sign up.

Make sure your PPC ad spend is only being seen by genuine human eyes, not clicker bots or click farm workers.

Find out more about click fraud in our in-depth guide

The post A Short History of Click Bots & Ad Fraud appeared first on ClickCease Blog.

This fake traffic comes in two main flavors – general invalid traffic, or GIVT, and sophisticated invalid traffic, or SIVT.

But how much of your invalid traffic is malicious and intentional, and how much is a harmless consequence of advertising online? And more importantly, what can you do about SIVT and GIVT?  

What is General Invalid Traffic (GIVT)?

General invalid traffic is a mostly benign form of bot activity. These are bots so they will interact with your site without converting, but they are not usually intended to be fraudulent traffic. 

Most GIVT is from useful bots such as search engine crawlers, data centers, and proxy traffic from VPNs. General invalid traffic is easy to detect and doesn’t try to imitate human behavior or mask its activities.

GIVT rarely generates any form of fraud, as it is mostly quite transparent in its activity. In fact, GIVT can even be helpful – for example, search engine crawlers help make web pages available to searchers, or bots can collect data for your research.

However, general invalid traffic can also have a negative impact if not properly monitored. A good example is when you don’t adequately differentiate between traffic from real users and GIVT traffic.

You may believe that the uptick in traffic is due to SEO and other strategies, and base a chain of other critical decisions on that skewed data. 

What is Sophisticated Invalid Traffic (SIVT)?

Sophisticated invalid traffic (SIVT), as the name suggests, is a form of fake traffic designed to mimic the activity of real human users. SIVT will likely use various processes to dodge detection and is used for various fraudulent applications online, especially for organized ad fraud.

Most often SIVT is used to generate revenue through invalid traffic on ads and publishing platforms. Fraudulent developers are often quick to use new technology or processes to improve their chances of success, which might mean targeting CTV (connected TV) ads or hijacking a trend to create a spoofed website or app.

As a result, this kind of invalid traffic is much harder to detect. For the ad platforms, this often means that their attempts to block fraud are many steps behind the sophisticated fraudsters. And for marketers, this also means they need to be aware of the changes and challenges associated with the use of SIVT. 

SIVT is undoubtedly fraudulent traffic – the kind you need to worry about – and detecting and keeping it away from your website requires advanced analytics, multipoint coordination, and a great deal of intervention from real humans.

Find out more about invalid traffic in our guide.

Types of sophisticated invalid traffic

Some sophisticated invalid traffic comes from bots and spiders, the typically automated actors on the internet. But other forms of SIVT originate from hijacked devices and user sessions, adware and malware, and even manipulation and falsification of device or location data.

Bots and spiders

As mentioned above, these automated scripts are often used for genuine and useful activities such as collating search results. But they can also be used to generate fake traffic and perform a wide variety of fraudulent actions, from spam to brute force account access. 

Hijacked devices and malware

These are also run by scripts, but because they began as real user activity, they are much harder to detect. An example of this is when a genuine device has malware-infected software such as an app or browser extension and is then used remotely by the fraudster to perform a fraudulent activity. This almost always happens without the device user’s knowledge or consent. 

Manipulation and falsification of location or device data

This is done when fraudsters are trying to gain access to a website from blacklisted locations or devices. By changing the device ID (user agent, or UA string) a device can be used to bypass some security measures. As an example, if a data server presents itself as an iPhone based in the USA, it can load web pages that host ads and then perform fraudulent ad impressions or clicks. 

Find out more about how user agent spoofing works.

Invalid proxy traffic

Here, Virtual Private Networks (VPNs) or proxy servers are used to hide activity and propagate fraudulent proxy traffic. VPNs are often used by genuine users, and not all VPN activity is fraudulent. But more often than not, sophisticated invalid traffic will cover its tracks by using a VPN or proxy.

Read more about VPNs and click fraud.

Incentivized traffic

Incentivized traffic is technically valid traffic but doesn’t lead to any conversions. Real users are incentivized to visit a website for rewards other than what’s advertised on the website, so they will probably never convert. Although in some cases, such as view-to-earn ads, this incentivized traffic can be genuine, there are other methods that pay people to view ads without the advertisers’ knowledge.  

Paid-to-click websites (PTC sites) have become a popular way for some people to earn a few dollars a day. However, many of them are totally fraudulent, not just duping the advertisers but also scamming their own users by not paying them the money earned. 

Check out our article about scam PTC sites.

Domain laundering or website spoofing

This tactic is pretty simple. A low-authority domain is disguised as another more desirable one and then charges higher fees (CPMs and flat advertising fees) based on the misrepresented authority. 

How to detect sophisticated invalid traffic (SIVT)

Detecting and stopping SIVT will often require advanced analytics, complex traffic detection solutions, and many other strategies.

To help you understand how to spot sophisticated invalid traffic, keep an eye out for these tell-tale signs:

Pay attention to your web traffic data

If you pay close attention, some SIVT could be spotted right away, and it begins with understanding what typical site traffic looks like. How many visitors do you get per week, and from which sources?

If you start to see underperforming ads send a large number of visitors to a landing page, that could be a dead giveaway. Another obvious point is finding IP addresses that click multiple times on the same ad or on different unrelated ones.

Any unusual traffic-related activity is usually a great place to start searching for SIVT.

Inspect packet headers

Packet headers can help you uncover a great percentage of SIVT. They can reveal information about the activity of the specific IP, and because many fraudsters won’t go through the trouble of obfuscating data at this level, it’s a great place to look.

Check for multiple device details on packets from the same IP address because this usually means a proxy server. While it might be harmless, it could also indicate a deeper problem.

Another dead giveaway is open-source operating systems like Linux because these are widely favored by cybercriminals online to generate fake traffic.

Mobile devices that use browser extensions are another red flag. Most users don’t need extensions for their mobile browsers unless, of course, they’re trying to disguise the device.

Track your ad placements

It’s easy to set up your ads with google and forget about it, but that’s how businesses fall victim to SIVT. There are thousands of websites out there that are signed up as publishing platforms but exist solely to generate fraudulent ad revenue from your ad campaigns.

These may look like great choices on the surface – they drive lots of traffic to your site and may even look like they have great domain authority – but you’ll quickly find that the traffic has horrible conversions as you watch your ad spend skyrocket.

It’s worth it to review where your ads are placed and where your traffic is coming from so you can be on top of the sophisticated invalid traffic. When you have this traffic identified as fraudulent, it’s also a good idea to report the sources to Google.

How to block Sophisticated Invalid Traffic (SIVT)

Although most ad platforms do provide some measure of fraud filtering, this normally only cuts out the most obvious or general invalid traffic. Web scrapers, basic bots, and other forms of less sophisticated traffic are often blocked, although not in real-time.

For example with Google, traffic that is picked up as fake or non-genuine is often refunded automatically. But it can take hours or even days for this traffic to be spotted, blocked, and refunded to the advertiser.

Using a click fraud prevention tool such as ClickCease allows you to proactively block most forms of sophisticated invalid traffic on your PPC ads. 

ClickCease filters out fraudulent devices, bots and suspicious activity using a blacklist that is updated constantly. By blocking fraud in real time, advertisers can rest easy that they don’t need to constantly track their ad clicks to see if they’re losing money.

In fact, ClickCease offers the industry leading click fraud prevention tool, and blocks SIVT on Google Ads, Facebook Ads and Bing Ads.

If you run any form of PPC campaign on these platforms, run a free traffic audit with our 7 day trial.

Sign up for a FREE 7 day trial today and see who is really clicking your ads. 

The post SIVT vs. GIVT: what’s the difference? appeared first on ClickCease Blog.

Of course, there are huge sums of money involved. And, despite the efforts of the major advertising platforms, there seems to be no end to the growth of ad fraud.

Increasingly marketers are aware that they need to avoid ad fraud. As a result, the market for ad fraud prevention is growing rapidly.

So what can you do? And is ad fraud an issue that really affects your business?

What is ad fraud?

Ad fraud is the practice of fraudulently inflating the views or clicks on an online ad for financial gain. This normally involves hosting ads on a website or app and generating fake traffic, or invalid traffic, in a number of ways.

Primarily, ad fraud is a money-making scheme for unscrupulous app and bot developers or website owners.

Creating a successful digital ad fraud campaign takes a level of technical expertise.

For example, many campaigns involve using complex technical features such as domain spoofing, pixel stuffing, or click injection – all designed to maximize impressions and fool marketers. There’s also the matter of hiding traffic sources, generating fake traffic, and tactics such as impression fraud to fool the advertising platforms and bring in as much money as possible.

Ad fraud or click fraud?

Ad fraud is a form of click fraud, although one that is more organized. In fact, click fraud covers less organized forms of fake clicks and impressions, such as intentional malicious clicks from individuals.

Research from the University of Baltimore and CHEQ found that ad fraud and click fraud cost marketers $35 billion in 2020, which is thought to have exceeded $40 billion in 2021.

As ad fraud isn’t technically illegal, bringing legal charges against ad platforms or even ad fraud operators can be long-winded and complicated. Google, Bing, and others do have some processes to protect against the most obvious sources of click fraud, although this is widely considered inadequate.

Read more about click fraud in our complete guide

What Are the Different Types of Ad Fraud?

Although the definition of ad fraud often involves bots or automated processes, there are other methods that include the human touch. These ad fraud techniques are the most common that you’re likely to encounter.

Ad fraud is the practice of hosting ads on a publishing platform and inflating the volume of clicks, impressions, or conversions to collect a payout.

Hidden Ads or Ad Stacking

There are several practices whereby sites can host ads that are technically not viewable by the human eye. Displaying the ad in a 1×1 pixel square, stacking multiple ads on top of one another, or displaying the ad outside the viewable area are the most common practices.

Using this approach, the site owner will get a payout for the ad being displayed, but the advertiser will see little or no traffic or clicks as a result.

• Ad displayed in an imperceptible format
• Zero to extremely low chance of traffic
• Often used by fraudulent publishers looking to profit from multiple ads on their sites

Click Farms

Click farms are one of the main forms of mass-produced traffic for ad fraud. Essentially, bots or real people are hired to click on your ad. Of course, these are not potential genuine customers, so that click is worthless to the advertisers.

A click farm can be an actual place, often a warehouse in the developing world with hundreds of people assigned to like, click, and interact with content for hours a day.

Click farms can also take the form of remote workers. You might have seen those ‘make $ working from home’ ads online. Some of these can be remote clicking work using PTC (paid-to-click websites or apps). These paid-to-click businesses have been growing in size in recent years and now present a real problem to marketers.

• Real people from unique IP addresses make click farms hard to combat
• Non-genuine traffic with no chance of a conversion
• Used by organisations looking to boost their views (often through paid campaigns)

Bot Traffic

The number one source of ad fraud, bot traffic, refers to automated systems set up to click or interact with sites. However, not all bots are created equal.

Simple bot programs are often set up to do simple repetitive tasks such as scanning through domains clicking on a set group of ads, or performing a single repeated action across multiple sites. These types of bots are relatively easy to spot as they have a consistent IP address and cookie profile.

You might have noticed simple bot behaviour with spam messages in your inbox, or if you run a blog or website, you will probably have seen spam comments.

Increasingly sophisticated bot traffic is where headaches start for advertisers. These can do more complex tasks such as:

• rotating IP addresses
• mimicking user behaviour
• using proxy servers to disguise their location

These bots can play the PPC system, both maximising exposure to the highest-paying ads and creating traffic that looks authentic for a higher chance of a big payout.

• The main source of fraudulent clicks and ad fraud
• Simple bots are easy to combat as they have predictable and simple behaviour
• Complex bots are often used by criminal organisations to boost their income

Hijacking Clicks or Ads

This clever method uses malware to hijack the ad (also dubbed as clickjacking, click injection, or malvertising) on a website and replace the code in the hijackers’ favour.

For example, by changing the ad displayed, the hijacker can display their ad and not pay for the placement, with the original advertiser picking up the bill.

This can also work to redirect clicks to a different site, even if the original ad is displayed. So the advertiser pays for the click, but the hijacker benefits from the traffic generated.

• Malware designed to change the code of a display ad in the hijackers’ favour
• Can either divert traffic from genuine ads or display a different ad on top of the advertisers’
• Click injection can claim organic clicks fraudulently on hidden links and ads (without the users’ knowledge)

Impression Laundering or Arbitrage

This clever form of ad fraud siphons off legitimate display advertising onto less relevant or sometimes downright shady sites. These sites usually also have high traffic. This usually hits advertisers with a high-price CPM (cost per mile) campaign, where the ad success is measured in impressions rather than actual clicks.

By using a series of clever redirects, as far as the advertiser is concerned, their ad is being displayed on legitimate partner sites.

• Ads can be seen on irrelevant sites or sites promoting illegal activity
• These sites tend to be high traffic so impressions can be very high

How to Protect Yourself From Ad Fraud

Although these are the most common types of ad fraud, the goalposts are always moving, and new PPC fraud forms are regularly popping up. And, as the practice isn’t outlawed, it can be very tricky to minimise or even be aware of your exposure to ad fraud.

There are a few things you can do to limit your exposure to ad fraud and get your ad spend under control. Some are things you can do in your PPC campaign setup, others will involve using a paid service. Depending on the potential for gain or loss, you might want to determine which is best for your business.

Monitor your data

At the absolute minimum, keeping an eye on your traffic sources and CTR data will help you identify if something fishy is happening. If traffic appears to be coming from a suspicious location, or you’re experiencing a high CTR but little in the way of conversions, then look closely at your online advertising partners and consider limiting traffic from certain locations.

Blacklists

If you suspect dodgy traffic is coming from some less salubrious partners, you can blacklist certain domains and IPs of “users” that click. As you have little control over malware or traffic coming through those sites, keeping them blacklisted is a good way to avoid the fraudulent traffic they might be attracting.

Ad Fraud Protection

With the rise of ad fraud, it’s advisable to use fraud detection services such as ClickCease. Click fraud prevention services are designed specifically to defend and protect your digital advertising campaigns. The sophisticated algorithms help protect against bot traffic, click farms, and other forms of invalid traffic, such as VPNs.

Ad fraud protection is particularly suited to high-value or high-volume campaigns, especially those targeting competitive keywords. Marketing agencies dealing with multiple clients will especially see the benefits, although some surprising industries do fall foul of click fraud and ad fraud.

Check out our full report into the impact of click fraud on SME businesses here.

ClickCease is designed to protect online ads on major ad networks, including Google, Facebook, and Microsoft/Bing. Stop bots, get more leads, and maximise the return on your ad revenue by using ClickCease.

Sign up for a free trial and run your own ad fraud audit.

The post What is Ad Fraud, and How to Prevent it appeared first on ClickCease Blog.