Click Fraud Archives | ClickCease Blog
https://www.clickcease.com/blog/click-fraud/
How to protect your ppc campaigns from click fraud.

How to Identify Bot Traffic in Google Analytics 4: A Full Guide
https://www.clickcease.com/blog/bot-traffic-in-google-analytics/
Mon, 01 Jan 2024 17:48:07 +0000

The internet is buzzing with bot traffic. In fact, nearly half of all online traffic in 2023 was estimated to be invalid, mainly consisting of bots crawling through websites.    

Not all bots are bad, though. Some are helpful, like search engine crawlers, for example. But others, like click bots or spam bots, can mess up your analytics and make it hard to evaluate your traffic.  

That’s why Google Analytics 4 (GA4) plays an integral role in the process of identifying bot traffic and filtering out malicious ones. As a tool that contains records of all your website visitors, it can serve as an initial indicator of bot activity.   

In this article, we will explore the secrets of how you can use GA4 to identify bot traffic and take some actions to minimize its presence on your website.

What exactly is bot traffic?    

Bot traffic refers to automated website visits carried out by computer programs rather than human users. These bots serve various purposes, ranging from indexing content for search engines to analyzing the health of your website… and also, unfortunately, stealing your data, spreading spam, or committing click fraud.

Good bots, like search engine bots, play a helpful role in indexing and ranking your site. They contribute to the visibility of your content in search results, which makes them a must-have for the overall health of your website.

However, bad bots, such as click bots or spam bots, are the ones you need to watch out for. They can mislead your analytics by artificially inflating pageviews and sessions or triggering false interactions.  

What is bot traffic in GA4?         

When it comes to GA4, bot traffic refers to the above-described automated visits. As such, this traffic does not represent a genuine interest in your product or service, and if it infiltrates your analytics, it will impact your data accuracy.  

It’s important to mention here that GA4 automatically excludes web traffic from known good bots and spiders. This applies to bots with well-established identities and consistent behavior. 

Search engine bots and known SEO tools like Ahrefs and Semrush fall under this category, and their traffic won’t show up in your GA4. However, some new or less popular bots, whether good or bad, will still appear in your Google Analytics reports. It takes time for Google to detect repetitive visits across websites coming from the same sources or sources showing specific patterns.

And while GA4 automatically clears your reports from the helpful bots, web traffic from the malicious bots still makes its way into your analytics data. 

But how can you recognize it and avoid its impact on your data and further activities? Let’s explore how you can do that in GA4. 

How can you identify bot traffic in GA4?  

Identifying bot traffic in Google Analytics involves using a combination of built-in features and additional settings. While GA4 includes some automatic mechanisms for filtering out known bots, it’s important to implement additional measures to enhance bot detection. Let’s explore some.   

Customize your reports     

The default reports in GA4 don’t contain all the metrics that can distinguish between bot and human traffic. So, your number one task is to customize your report data in a way that will help you recognize the signs of bot traffic.  

Our recommendations? The Traffic acquisition and User acquisition reports are the ones that hold most of these key metrics you’d like to have included, so let’s start from there.   

Here’s how to access these reports in your Google Analytics 4 account:  

  1. Sign in to your Google Analytics account.
  2. Select “Reports” from the left menu.
  3. Expand the “Acquisition” section in the Life cycle collection.
  4. Choose the desired report:
    • Traffic Acquisition report
    • User Acquisition report

Once there, you can start customizing your report by clicking the “Customize Report” button (pencil icon) in the upper right corner. Select “Metrics” under Report data, and you can start with adding metrics. 

Here’s our recommendation of metrics to have included under each of these two reports:   

Traffic acquisition report:    

  • Engagement rate
  • Average engagement time
  • Sessions
  • Engaged sessions
  • Views per session

User acquisition report:         

  • Total users
  • Users (Represents the number of active users)
  • New users
  • Event count
  • Engaged sessions per user

Recognizing suspicious patterns       

Here’s how to identify suspicious patterns in your data: 

Behavioral data:

  • Short engagement sessions: Bots often spend seconds on a page, unlike humans. Check the engagement rate (formerly known as bounce rate in GA) and average session duration for anomalies.
  • Unrealistic page views: Hundreds of pages viewed in a single session could indicate scraping bots. 
  • Unusual interactions: Unnatural scroll patterns, rapid form fills, or visiting multiple pages with no mouse movement are examples of bot-specific interactions.
  • A sudden flow of spam comments: A spam bot’s main purpose is to land on your website and spread spammy comments. They often promote unrelated products, use flattering language, or include irrelevant links. You can recognize them by their unnatural and generic language.
  • Declined card transactions: Fraudsters usually use stolen or non-existent credit card information. Many attempts to complete a transaction mean they’re trying different variations or the card they’ve stolen has been blocked. 

Demographic data:    

  • Traffic spikes from a single IP address: Botnets or malicious scripts can generate high traffic volumes in a short time span. Sudden, massive increases in web traffic originating from a single IP address are a clear sign of bot traffic.
  • Unlikely origins: Traffic spikes from countries you don’t target or visits classified as ‘Location not set’ might be bots. Unusual sources, such as unfamiliar websites, data centers, or crawlers with unusual user agents, are another sign of suspicious traffic.
  • Unusual traffic sources: A sudden influx of uncommon devices or operating systems could be suspicious and indicate bot traffic. For example, a spike in new user acquisition by a single traffic source is a sign of suspicious activity.  
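The behavioral and demographic signals above can be checked together over an exported acquisition report. This is an added example, not ClickCease's or Google's code: the row fields, thresholds, target countries and sample rows are all constructed assumptions, and a source is only reported when at least two signals agree.

```python
from dataclasses import dataclass

# Thresholds and target markets are assumptions for illustration; tune per property.
MIN_ENGAGEMENT_RATE = 0.20     # engaged sessions / sessions
MIN_AVG_ENGAGEMENT_SEC = 5.0   # bots tend to spend only seconds on a page
MAX_VIEWS_PER_SESSION = 50.0   # scraping shows up as very deep sessions
MAX_NEW_USER_SHARE = 0.50      # one source supplying most new users
MIN_SIGNALS = 2                # no single metric is treated as proof
TARGET_COUNTRIES = {"United States", "Canada"}  # hypothetical target markets


@dataclass
class AcquisitionRow:
    """One row of a customized acquisition report (constructed layout)."""
    source: str
    country: str
    sessions: int
    engaged_sessions: int
    avg_engagement_sec: float
    views_per_session: float
    new_users: int


def signals_for(row, total_new_users):
    """Return the names of the bot-traffic signals this row trips."""
    found = []
    rate = row.engaged_sessions / row.sessions if row.sessions else 0.0
    if rate < MIN_ENGAGEMENT_RATE:
        found.append("low_engagement_rate")
    if row.avg_engagement_sec < MIN_AVG_ENGAGEMENT_SEC:
        found.append("short_engagement")
    if row.views_per_session > MAX_VIEWS_PER_SESSION:
        found.append("unrealistic_page_views")
    if row.country == "(not set)" or row.country not in TARGET_COUNTRIES:
        found.append("unlikely_origin")
    if total_new_users and row.new_users / total_new_users > MAX_NEW_USER_SHARE:
        found.append("new_user_spike")
    return found


def triage(rows):
    """Return (source, signals) pairs with enough signals, worst first."""
    total_new = sum(r.new_users for r in rows)
    scored = [(r.source, signals_for(r, total_new)) for r in rows]
    flagged = [(src, sig) for src, sig in scored if len(sig) >= MIN_SIGNALS]
    return sorted(flagged, key=lambda item: len(item[1]), reverse=True)


# Constructed sample rows; the sources are placeholders, not real observations.
SAMPLE_ROWS = [
    AcquisitionRow("google / organic", "United States", 1200, 780, 64.0, 3.1, 400),
    AcquisitionRow("newsletter", "Canada", 300, 210, 88.0, 4.0, 50),
    AcquisitionRow("cheap-traffic.example", "(not set)", 900, 18, 1.2, 1.0, 880),
    AcquisitionRow("scraper.example", "Germany", 40, 38, 300.0, 240.0, 30),
    AcquisitionRow("partner-blog.example", "Germany", 80, 60, 70.0, 2.5, 20),
]

if __name__ == "__main__":
    for source, signals in triage(SAMPLE_ROWS):
        print(f"{source}: {', '.join(signals)}")
```

The partner blog trips only the origin check, so it stays out of the result; the other two sources are the ones to look at more closely in GA4.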

How to filter bot traffic in GA4?  

Now that you know how to recognize early signs of bot traffic in Google Analytics 4, let’s see how you can exclude it from appearing there in the first place. 

While GA4 doesn’t provide the same level of granular filtering as Universal Analytics, there are some features that can be used for this purpose.  

Use custom filters 

With custom filters in Google Analytics 4, you can modify or segment the data in your reports based on specific conditions. By applying your preferred criteria, you can tailor the data you see in your reports. This way, you can keep suspicious or known bot traffic sources from messing up your data.

To access custom filters in GA4, navigate to the “Analysis” section and click “Reports.” Once you are in a report, you can find the “Filter” button at the top of the page.

You can create custom filters based on various conditions, such as events, user properties, or other dimensions. 

Choose the dimension you want to filter and set the conditions for inclusion or exclusion.

There are two types of filters: “Include filter” and “Exclude filter.” Their names are self-explanatory: the first is used to include a particular type of traffic, and the second to exclude it. When filtering out bot traffic, you’ll naturally want to use the ‘exclude’ filter.

You can set conditions based on various parameters, such as country, user properties, equality, inequality, regular expressions, etc.

For example, you might create a filter to exclude users who stay less than 10 seconds on your website.   

Create segments 

The purpose of the “Create segments” feature in GA4 is to help you define and save specific subsets of your data. This can also be done based on various criteria, and together with segments, you’ll be able to analyze and understand the behavior of specific groups of users or events within your overall data set.   

To create segments in GA4, navigate to the “Explore” tab in your GA4 property. Once there, look for the “Segment builder” in the top left corner. 

Under segment conditions, you can: 

  • Exclude known bots:
    • Add a condition like “User Agent does not contain” and list common bot user agents (e.g., “Googlebot,” “Bingbot,” “SemrushBot”).
  • Filter by IP addresses:
    • If you have specific IP addresses associated with bots, create a condition like “IP Address does not equal” and list those IPs. 
  • Examine events and engagement:
    • Add conditions based on suspicious event patterns or low engagement metrics:
      • “Event count is less than X”
      • “Session duration is less than Y seconds”
      • “Pageviews per session is equal to 1”

Configure unwanted referrals 

In GA4, you can use the referral exclusion list to exclude certain domains from being counted as referrals. You can block up to 50 unwanted referrals per data stream to exclude known bot or spam referral traffic.

To set up the referral exclusion list, go to your GA4 property settings, navigate to “Data Streams,” and click on the relevant data stream. From there, you can find the “Referral Exclusion List” section.

Block bot traffic with a bot mitigation solution  

While these strategies can improve data reliability, they don’t guarantee the absence of bot traffic in your reports. GA4 filters can exclude bots from reports, yet they’re not foolproof against bots accessing your website.

To truly combat bot and spam traffic, prevention is key. It’s not enough to simply filter them out of your Google Analytics data. You need to stop them from accessing your website and online activities altogether.

As a bot detection and protection solution, ClickCease blocks any type of bot targeting your ads, organic online activities, or website. This means your overall online traffic gets protected, ensuring accurate, reliable data in your Google Analytics 4.    

Ensure full protection against bots.

FAQs: 

How do I know if I have bot traffic?            

In your traffic reports in Google Analytics 4, you can spot suspicious user activity, usually common to bot traffic.  

Look out for unusual patterns like sudden spikes in events and conversions. For example, a user might be viewing many pages or items in a short time, which might be a sign of bots crawling your website rapidly to collect as much information as possible.   

Additionally, in the “Network Domains” report, you can identify traffic from unusual domains, which most likely come from bots. 

Another common sign of bot traffic is low time on page (or high bounce rate). Bots usually have very low time spent on pages. Examine these metrics to identify pages that might be attracting bot traffic. 

Some other anomalies include spikes in traffic, specific pages with abnormal patterns, or sudden drops in conversion rates. 

If you notice these signs in your GA4, there’s a chance that bots are affecting your traffic, and you may want to investigate further or implement measures to mitigate their impact.

Does GA4 block bot traffic?  

Google Analytics 4’s automatic blocking excludes traffic from bots and spiders that are already identified as such. This includes traffic from already known tools that serve for SEO or other beneficial website activities, as well as lists of already known malicious bot traffic sources.

This helps keep your data relatively clean and prevents skewed metrics about user behavior.

What are the limitations of GA4 bot filtering? 

While Google Analytics 4 automatically excludes known sources of bot traffic, there are many new bots, especially malicious ones, that are not detected by the automatic filters.

This means you’ll need to take manual measures to identify and filter out the remaining unwanted activities from your reports. However, there’s not a single report or metric that can represent signs of bot traffic. 

It takes a combination of reports to come to some insights. Sometimes, there’s no clear sign to distinguish between a bot and genuine user activity, which makes the process more complex.

For more accurate bot management, it’s recommended to consider further protection. These could include security plugins, CAPTCHAs, and even dedicated anti-bot services.         

What Are View Bots & How Do They Affect Your Ads?
https://www.clickcease.com/blog/all-about-view-bots/
Wed, 29 Nov 2023 11:26:52 +0000

Web traffic is money. And when it comes to views on videos or live streams, social proof is a valuable commodity. Influencers are eager to rack up those views or subscribers and get as many impressions as they can… And this has resulted in a booming industry for fake views.

Where do these fake views come from?

View bots. 

These bots can be hired for relatively little money to boost the viewing figures on any video channel, from YouTube or Instagram to Twitch or TikTok.

What are view bots?

View bots, as the name suggests, are bots programmed to watch videos to inflate viewer count numbers. They can be used on virtually any platform where video is played or even on music streaming sites. 

A view bot doesn’t just view whatever activity is occurring on the screen at any time. It also views media such as banner ads, pre or post-roll video ads, and other paid elements. 

This form of a bot is relatively complex, as its goal is to avoid being detected by sophisticated filters on video platforms. 

There’s a high demand for these bots, which is why they are easy to find and are widely used. When searching for ‘view bots,’ there are hundreds of results on the organic search pages. 

And, yes, if you’re wondering whether view botting is against the TOS (Terms of Service), it is, but this doesn’t stop people from buying these very affordable bot packages. In fact, many of them offer free trials, so you don’t even need to pay to inflate your views.   

Why do people use view bots?

The biggest objective of any YouTube or Twitch creator is to get more views. The more views they get, the more money they make, and that’s all the motivation they need to use view bots. 

And this is where many people saw an opportunity, making it easy for creators to purchase a YouTube or Twitch view bot. There are even Facebook live view bots that can drastically increase viewer numbers on live videos on Facebook.

Newbie creators on video platforms are particularly susceptible to using them as they look to grow their subscriber base and convince the algorithms to show more people their videos.  

It also doesn’t hurt them that a view bot isn’t difficult to set up. You can find websites like ViewerLabs and UseViral that walk you through setting up a view bot for your YouTube channel. Many are quite affordable (UseViral offers 10,000 views for a little over $100).   


Although most of us think of social media sites like TikTok, YouTube, or Twitch, there are also other view-based sites such as esports platforms where you can unleash a view bot.

And as this form of online entertainment is increasingly popular with younger audiences, marketers are looking to streaming services or even metaverse games to run their ad campaigns.

How do view bots affect advertisers?

Perhaps the most obvious impact for advertisers is in cost-per-mille (CPM) advertising. If you’re paying per 1000 impressions, and around 15-20% of those impressions are fake, you’re leaking money.

Referred to as both click fraud and ad fraud (although the two terms mean slightly different things), the impact on the global marketing industry is estimated at around $40 billion each year and growing.       

Impression fraud also means your ad spend is exhausted faster, often meaning you’re missing out on genuine ad opportunities.

Another issue is that the inflated view metrics skew your ad data, effectively making your video ads or banner ads seem more successful than they are.

And in an age of influencer marketing, embellished videos and stream views also artificially inflate the value of an influencer. When you consider that the definition of an influencer is someone with a few thousand followers and that those followers could cost someone just a few hundred bucks, the cost of this deception to marketers can mount up.  

Would you be happy paying your ad budget to target an audience of click farm robots?

Read this guide to understand how you can protect your marketing efforts from fraudulent bots.

Types of view bots

‘View bot’ is a blanket term for a wide range of bots that are programmed to help inflate video metrics. Most obviously, these bots click on videos and raise the view count. But they can do other things as well.   

Live stream bots

Some view bots can also hop on Twitch and Facebook live streams to make it seem like the streamer has a wider audience base. The goal here is to draw in more people to join the stream. Streaming farms are becoming increasingly popular as a way to artificially inflate the number of viewers or listeners on live streams.

Chats and engagement bots

People see through views without engagement pretty easily, so many YouTube view bots have been programmed to engage as well. However, the engagements are flat and, well, unengaging. You’ll usually see this with Instagram and Facebook comments too. We’ll talk more about these in a bit.

Engagement groups

Although these aren’t view bots in the traditional sense, engagement groups act as a sort of human view bot.

Instead of getting a YouTube view bot that is prohibited by the TOS, creators often sign up with communities where they watch and engage with each other’s videos. For creators, they get the metrics of more views and comments.    

But for advertisers, this is non-genuine human traffic with a very low chance of converting. And to add to this, engagement groups may also click on ads within videos, blogs, or other content to inflate the payout for the creator. In short, they commit click fraud.

What is click fraud? Learn more in our guide…

Chat impersonation bots

Another form of view bot, chat impersonation, is often presented as a way to ‘prank’ your friends on their live streams. But, of course, these bots are often bought to increase engagement on live streams or videos.

Like other forms of view bots, these chat impersonators also affect ad impressions and distort view metrics. 

Creators risk a lot by using view bots

Fraudulently inflating your engagement is against the terms of service on all of the major platforms, including YouTube, Twitch, TikTok, and Meta (Facebook/Instagram). Content creators who are caught run the risk of: 

  • Getting their videos taken down
  • Losing the ability to monetize their content
  • Being banned from the platform altogether

Twitch takes an aggressive approach against view botting. Besides banning creators, the platform has a history of suing bot creators. 

For example, in 2018, Twitch won a $1.37 million lawsuit against Michael and Katherine Anjomi, creators of a view bot.

influencers often use viewbots to inflate their subscribers

Trust issues

Bots on YouTube and other platforms don’t just rob advertisers of their ad revenue; they also make a fool out of real users. Many people follow creators online because of the social proof that thousands of others enjoy their content.

When these creators get busted, they don’t just lose their videos; they often lose the trust of their subscriber base.

Take Pink Sparkles, a Twitch streamer who got banned after mistakenly flashing her bot software on-screen during a Twitch stream. This, in addition to other violations, earned her an instant ban from the platform.

Meanwhile, on Instagram, around half of all influencers on the platform are knowingly engaging in forms of fraud, such as buying subscribers and viewers.

And when an influencer is discovered to be using fake followers or bots, it can seriously damage their status.

Amid all this, there are several ways you can spot a fake profile and a view bot on social media.

live streams and esports often use view bots to inflate engagement

How can you spot a view bot account? 

Here are three quick ways to identify a profile with view bots on any platform.

1. Low chat with high views

This is the biggest giveaway that someone doesn’t have real views. The average view-to-chat ratio varies between platforms and the kind of content being shared. However, a video with thousands of views and a few dozen comments usually means one of two things: the video is promoted, or the profile uses view bots.

2. Generic comments

We mentioned this earlier. Some sophisticated and higher-priced view bots will also engage with comments. However, the comments are prescripted, generic, and usually appear repeatedly. 

Look out for comments that require zero thought and seem to appear regularly. Typical examples include: 

  • I love your stream
  • Awesome
  • This looks great

3. Low subscribers

A realistic YouTube subscriber/view ratio is 8-12%. That means accounts with 10,000 subscribers can expect 800 to 1,200 views per video. Of course, these numbers will fluctuate, but when you start to see 7,000 consistent views on a channel with 10,000 subscribers, you know it’s not just real viewers.
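The three checks above can be combined into one screening function, for example when vetting a channel before a sponsorship. This is an added example, not ClickCease's code: the 8-12% band is the figure given above, while the other thresholds, the function names and the sample comments are constructed assumptions.

```python
import re
from collections import Counter

SUB_VIEW_BAND = (0.08, 0.12)    # realistic views-per-subscriber range from the text
BAND_MULTIPLE = 3.0             # assumption: flag above 3x the band's upper edge
MIN_CHATS_PER_1000_VIEWS = 10   # assumption; varies by platform and content type
MAX_REPEATED_SHARE = 0.30       # assumption: share of comments that are near-copies


def normalize(comment):
    """Lowercase, drop punctuation and collapse spaces so near-copies match."""
    return " ".join(re.sub(r"[^a-z0-9\s]", "", comment.lower()).split())


def repeated_share(comments):
    """Fraction of comments whose normalized text occurs more than once."""
    keys = [k for k in (normalize(c) for c in comments) if k]
    counts = Counter(keys)
    repeated = sum(n for n in counts.values() if n > 1)
    return repeated / len(comments) if comments else 0.0


def view_bot_signals(subscribers, avg_views, comments):
    """Return which of the three view-bot indicators a channel shows."""
    signals = []
    # 1. Low chat with high views (can also mean the video was promoted).
    if avg_views and len(comments) / avg_views * 1000 < MIN_CHATS_PER_1000_VIEWS:
        signals.append("low_chat_high_views")
    # 2. Generic comments that keep reappearing.
    if repeated_share(comments) > MAX_REPEATED_SHARE:
        signals.append("generic_repeated_comments")
    # 3. Views far above what the subscriber base supports.
    if subscribers and avg_views / subscribers > SUB_VIEW_BAND[1] * BAND_MULTIPLE:
        signals.append("views_exceed_subscriber_band")
    return signals


# Constructed sample data.
SUSPECT_COMMENTS = [
    "I love your stream", "Awesome", "awesome!", "This looks great",
    "I love your stream!", "Awesome", "this looks great",
    "What mic are you using?",
]
HEALTHY_COMMENTS = [f"question about minute {i} of the video" for i in range(15)]

if __name__ == "__main__":
    # 10,000 subscribers with 7,000 consistent views, as in the text above.
    print(view_bot_signals(10_000, 7_000, SUSPECT_COMMENTS))
    print(view_bot_signals(10_000, 1_000, HEALTHY_COMMENTS))
```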

What can you do about view bots?

If you advertise on any video-based platform, the chances are that your ads are exposed to view bots in some capacity.

Considering that between 40-50% of all internet traffic is non-human, this presents a major headache for marketing budgets. And yes, although platforms such as YouTube and Twitch do use filters to block bots on their sites, the truth is a large amount of non-human traffic still gets through.

Research from ClickCease shows that an average of 14% of all Google Ads clicks are non-genuine. Even on Facebook and Instagram, fake profiles (including view bots) are responsible for a big slice of the ad spend.

ClickCease’s industry-leading fraud prevention software blocks bots, including view bots, on your Facebook, Instagram, and YouTube ad campaigns. Whether you’re running pre-roll or post-roll video ads, paying for display ads on YouTube, or any other form of video marketing, blocking bots can save your ad campaign.

Sign up for a free trial of ClickCease to run an audit on your ads.

FAQs: 

What is viewbotting on Twitch?

Viewbotting on Twitch is the practice of artificially boosting a streamer’s viewer count through the use of automated bots. These bots are fake accounts created to simulate human-like views on live streams on the platform. 

The primary motivation behind viewbotting is to create a false perception of popularity and success, potentially attracting more genuine viewers, followers, and sponsors.

Is viewbotting illegal?

Viewbotting is against the terms of service of most video and streaming platforms, but it is not illegal in most jurisdictions. However, viewbotting can have significant consequences for streamers who engage in it. Any account caught using viewbots is subject to suspension or termination.

While viewbotting is not currently illegal in most jurisdictions, it is a form of fraud, as it can be used to mislead advertisers and viewers. For example, a streamer who uses view bots may be able to get more sponsorship deals or donations from viewers who believe that the streamer has a large audience.

How Much is Ad Fraud Stealing From Your Business?
https://www.clickcease.com/blog/who-is-making-money-from-ad-fraud/
Thu, 23 Nov 2023 16:31:02 +0000

Running ads online has changed the world of business in so many ways. Making high-profile advertising available to everyone has produced a (relatively) level playing field where any business, large or small, can get traffic fast.  

But if you run online ads, you’ve probably also heard of ad fraud or click fraud.

And, if you’ve seen any news or data on the subject of click fraud, you’ll know that it cost the digital marketing industry $188 billion in 2023 alone. This number is expected to keep growing by about 14% annually until 2028. 

In short, a lot of money goes missing from the marketing ecosystem thanks to ad fraud and click fraud.

But what is ad fraud, and what is click fraud? Before we go on, let’s define what these two forms of marketing fraud mean and what’s the difference between them.  

Ad fraud – a definition

Ad fraud is any form of fraudulent activity that increases engagement numbers on pay-per-click (PPC) ads online. Fraudsters usually aim to artificially inflate the number of impressions, clicks, or conversions to deceive advertisers into paying for non-existent interactions. 

A simple example of ad fraud is when a publisher hosts ads on their website or app and then uses fake traffic to inflate the number of impressions or clicks.

They may also use other sneaky methods, such as layering multiple ads on top of each other, to collect a payout on multiple ad impressions instead of one. Or, worse still, hiding multiple ads in tiny unviewable iframes, often 1×1 pixels.  

We’re also hearing more about apps that host malware and inflate the ad payout for the developer.

Another more insidious form of ad fraud is when the publisher falsifies a bid request, collecting a payout for ads that never appear anywhere.  

We also have a complete guide to ad fraud

Click fraud – a definition

The main difference between click fraud and ad fraud lies in their respective targets. Ad fraud exclusively targets paid online ads, whereas click fraud extends its reach to include organic content, such as links on social media platforms or within apps. 

Fake traffic, such as bots and click farms, can often be used to click your links, apps, buttons, or ads. The reasons can be varied, like compromising your marketing efforts, gaining a competitive advantage, or making money from your promoted links or ads.

A common example of click fraud is where an affiliate marketing partner will use click bots to boost the clicks on your product link they place throughout their content.

Read our guide to click fraud

How do ad fraud operators make money?

Although there are different methods of ad fraud, the result is often the same. Advertisers pay, and the fraudulent party misrepresents either the ad placement or their authenticity and collects the payout.

For example:

Fake website traffic

The easiest way for ad fraudsters to make money is to create a website and apply for a publisher account on an ad platform. Once accepted, they can then host display ads or any other form of paid media. It’s then just a simple step to inflate their traffic.  

This inflated traffic is often hired from a bot farm/click farm, or if the site owner is particularly tech-savvy, they may use a botnet for hire.

By doing this, they simply collect a nice fat paycheck from the ad platform every month. Inflated by fake traffic, of course.

This is how easy it is to buy fake traffic (and no, this is NOT Fiverr)

Hidden ads

What if your ad was displayed on a website or app, but no one ever saw it? That’s the issue with hidden ads.  

Ad fraud operators can use a number of methods to pack as many ads into their website real estate as possible. Common methods include:

  • Unviewable ad placements, e.g., 1×1 pixel frames
  • Ad stacking – where the top ad is viewed, but there are multiple ads hidden underneath, collecting a multiplied payout for one impression
  • Displaying the ad outside of the viewable area – for example, on a hidden sidebar
  • Background ad loading – the Drainerbot malware generated impressions on video ads even when the app was running in the background
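The first three placement tricks in this list can be caught with a geometry check on the ad slots of a rendered page. This is an added example, not ClickCease's code: it assumes slot rectangles and stacking order have already been collected in viewport coordinates, and the `Slot` fields, thresholds and sample slots are constructed.

```python
from dataclasses import dataclass

MIN_SIDE_PX = 2             # assumption: 1x1 frames fall below this
MIN_VISIBLE_FRACTION = 0.5  # assumption: at least half the slot must be on screen


@dataclass(frozen=True)
class Slot:
    """An ad slot rectangle in viewport coordinates (constructed layout)."""
    slot_id: str
    x: int
    y: int
    width: int
    height: int
    z: int  # stacking order; a higher value is painted on top


def overlap_area(a, b):
    """Area in square pixels shared by two rectangles (0 if they are disjoint)."""
    w = min(a.x + a.width, b.x + b.width) - max(a.x, b.x)
    h = min(a.y + a.height, b.y + b.height) - max(a.y, b.y)
    return max(w, 0) * max(h, 0)


def audit_slots(slots, viewport_w, viewport_h):
    """Map slot_id to the hidden-ad issues found; clean slots are omitted."""
    viewport = Slot("viewport", 0, 0, viewport_w, viewport_h, 0)
    findings = {}
    for slot in slots:
        area = slot.width * slot.height
        issues = []
        # Unviewable placement, e.g. a 1x1 pixel frame.
        if slot.width < MIN_SIDE_PX or slot.height < MIN_SIDE_PX:
            issues.append("unviewable_size")
        if area > 0:
            # Rendered mostly outside the viewable area, e.g. a hidden sidebar.
            if overlap_area(slot, viewport) / area < MIN_VISIBLE_FRACTION:
                issues.append("outside_viewable_area")
            # Ad stacking: another slot painted above covers most of this one.
            covered = any(
                other.z > slot.z
                and overlap_area(slot, other) / area > MIN_VISIBLE_FRACTION
                for other in slots
            )
            if covered:
                issues.append("stacked_under_another_ad")
        if issues:
            findings[slot.slot_id] = issues
    return findings


# Constructed sample page: one visible banner, two ads stacked beneath it,
# a 1x1 frame, and a slot positioned off the left edge of the screen.
SAMPLE_SLOTS = [
    Slot("top_banner", 0, 0, 728, 90, 3),
    Slot("stack_a", 0, 0, 728, 90, 2),
    Slot("stack_b", 0, 0, 728, 90, 1),
    Slot("pixel", 100, 200, 1, 1, 1),
    Slot("sidebar", -400, 100, 300, 600, 1),
]

if __name__ == "__main__":
    for slot_id, issues in audit_slots(SAMPLE_SLOTS, 1280, 720).items():
        print(f"{slot_id}: {', '.join(issues)}")
```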

In-app malware

Ads within mobile apps have become the new frontier for ad fraud. As over 50% of internet traffic is now mobile, it makes sense for fraudsters to leverage these apps and cram them full of fake clicks. There are a number of ways apps can be used to deliver inflated or completely fake traffic – such as using click spam or click injection. 

These are methods where the software amplifies each organic/genuine click, so it seems like there are multiple clicks on the hidden ads.

Other forms of malware use install hijacking or clickjacking, which is where an app will claim credit for an organic app install.

Read more about forms of app malware and ad fraud here.

Falsified bid requests

Some websites don’t even bother to host the ads or mess about with web traffic. Instead, they use an existing publisher ID to falsify records of ad placements.

These falsified bid requests will likely come from a genuine website or app. The account will have been verified but will have never hosted these ads.  

In short, they collect a payout for extra ad placements that have never seen the light of day.

Who is behind ad fraud?

The catch-all term ‘fraudsters’ is often used in articles discussing ad fraud. But who are these fraudsters? And why are they being so blatant and stealing your ad budget?

Some of the answers are obvious, but some may surprise you…

1. Organized criminal networks

In recent years, we’ve seen the takedown of sophisticated ad fraud networks such as Methbot and Hyphbot.

As the poster boys for ad fraud, both these campaigns made off with eye-watering amounts of money. Ad fraud campaigns like this are a huge threat to the digital industry and are rightly singled out for their impact and the sheer audacity of their operations.

Often run by a mixture of hackers and other experienced criminals, these networks set up complex systems of spoofed websites and botnets to perform ad fraud 24/7. In fact, some of these criminal networks have been accused of working with certain ad platforms to increase the perceived traffic and, therefore, the value of the ad placements.

Although there have been fewer headlines about these organized criminal networks in recent years, there are still plenty of them out there.   

2. Black hat marketers

Black hat marketers use shady marketing practices to inflate ad traffic or boost a website profile. And as a result of this, they often use ad fraud as a tactic to impress their clients.  

For example, a website publisher might want to improve their web traffic. They approach a seller advertising a service such as ‘get organic traffic fast,’ which is, of course, not going to be quality traffic.

Their website traffic increases by thousands, all bots or forced redirects. The client sees an improved payout from their ad networks and is happy to pay their shady marketing team to carry on.

3. Casual ad fraud

Building a website and hosting ads is not difficult. Many ad platforms will allow you to run ads on a site with barely any traffic. Others require a certain traffic or content threshold to be reached.  

Google, for example, is quite strict on its content specifications and website quality for publishers.

But once ads are being hosted on a site, a publisher can use any number of methods to inflate their ad payout. The most common of these methods is buying fake traffic, which can be easily found online for incredibly low prices.

These sites may even host plagiarised content or, more likely, be built as link farms.  

Sites built as link farms often host low-quality content or guest posts, have absurdly high domain authority and deliver traffic volumes that many established publishers would envy.

The secret? It’s all paid traffic, and those ad impressions are almost 100% non-human.

4. Ad networks

You may have noticed there are A LOT of ad networks out there. Some claim to offer stratospheric levels of ad traffic – even if you’ve never heard of them and you’re pretty sure no major publisher uses them either.

These ad networks may have little to no fraud monitoring or blocking and will also likely not care about traffic quality to publishers. They may not be performing ad fraud themselves, but their low levels of filtering enable ad fraud on their network.

Consider also the Uber lawsuit, where Uber alleged that one of the ad networks it was using to promote its product was using ad fraud practices. The case went against the ad network, finding that it had used click flooding and fake traffic to inflate its revenue.

5. Paid-to-click (PTC) sites

Working from home has become more than just a buzzword. Jobs offering easy ways to make money working from home have really bloomed in the post-pandemic landscape. And none more so than paid-to-click (PTC) websites.  

These sites, with names like Scarlet Clix, NeoBux, and Swagbucks, offer people pennies per click – but then people aren’t just clicking once. Workers can make $10 to $20 per day simply by viewing ads or clicking on ad banners.

Bear in mind that most of the world lives on less than $10 a day – so clicking ads for a payout is a tempting proposition for many.

How much exactly does this cost the ad industry? In 2020, the PTC sites paid out an estimated $12 million. In the grand scheme of the $42 billion ad fraud industry, this is nothing.

But there are also countless other scam PTC sites that pop up and disappear without paying their click workers.

6. The fake web

Another deeper issue that impacts the global digital marketing industry is the proliferation of non-human traffic and tools.  

Developers use bots and web scrapers to test their new software. The average web user might also use ad-blocking software or tools like AdNauseam that click ads as a method of obfuscation.  

Hackers and black hat marketers constantly crawl the web to harvest data or find vulnerabilities. So, the sheer volume of potential invalid traffic is huge – even without looking at the genuine fraud listed above.

Oh, and it just keeps getting bigger.

Is ad fraud a cybercrime?

As ad fraud is theft, it is, by definition, a cybercrime. However, is it intentional? And more importantly, is it illegal? 

As we’ve seen, ad fraud doesn’t necessarily occur because of malicious intent. A black hat marketer who just wants to inflate their site traffic isn’t necessarily focused on ad revenue – but might be delivering results to a paying client using methods that produce or enable fake traffic.

That said, plenty of ad fraud occurs specifically for monetary gain.

Most legal cases around ad fraud focus on wire fraud, deception, and illegal access to databases and systems. No one has (yet) been charged with committing ad fraud specifically.  

High-profile cases mostly focus on the money laundering aspect, although a famous case by Microsoft against a team of alleged ad fraudsters did focus on the ‘improper use of ads to profit by fraud.’

The damage that ad fraud causes to businesses

By definition, ad fraud is an online threat that affects PPC advertisers and platforms. As such, its primary impact is on advertisers’ pockets.

They dedicate a certain amount (often significant) of their marketing budget to digital paid ads and expect, in return, to see some positive metrics. A high click-through rate (CTR), followed by website visits and, of course, conversions, leads to a higher return on investment (ROI) from the particular campaign. 

However, when fraudsters attack, advertisers pay for fake interactions instead of reaching potential customers. Naturally, the financial damage is the most concerning one for PPC advertisers and business owners.

But there’s more to ad fraud than losing money. The irrelevant clicks distort both marketing and business analytics, leading to uninformed decisions, missed business opportunities, and even a compromised brand reputation.

In a nutshell, we can classify the main consequences of both click fraud and ad fraud into the following categories:

  • Financial losses
  • Ineffective ad campaigns
  • Distorted analytics
  • Decreased ROI
  • Uninformed decision making
  • Missed business opportunities
  • Compromised brand reputation

How much does your ad campaign lose to ad fraud?

Ad fraud impacts ad campaigns differently. This often depends on the cost of keywords, the industry’s competitiveness, and even your geographic location. 

In-depth research from CHEQ reveals that the Gambling and Gaming sector faces the highest fraud rates at 49.1%, while Advertising and Marketing see a lower 7.9%. 

It’s hard to put an exact number on how much you are losing to ad fraud. But between 1 in 4 and 1 in 5 clicks are non-genuine. 

Protecting your ad campaigns

With over $42 billion lost to ad fraud and click fraud in 2021, digital marketers no longer see it as a niche concern.  

Making sure your ad budget doesn’t fall into the wallets of ad fraudsters means taking precautions.

ClickCease offers the industry standard in ad fraud and click fraud protection, protecting Google, Microsoft, and Meta for Business (Facebook) ads.

Want to know how much fake traffic affects your ads?     

Use ClickCease’s free trial to run a traffic audit and find out exactly how much you’re losing to ad fraud.

The post How Much is Ad Fraud Stealing From Your Business? appeared first on ClickCease Blog.

How VPNs and Proxy Servers Are Used For Click Fraud
https://www.clickcease.com/blog/vpns-proxies-click-fraud/
Wed, 22 Nov 2023 19:01:51 +0000

A key feature of fraudulent online traffic is that it is often routed through either a Virtual Private Network (VPN) or a proxy server. That’s not to say all traffic from VPNs or proxies is click fraud. But most click fraud can be traced through these gateways.  

For the uninitiated, click fraud is the practice of non-genuine traffic clicking on your Google Ads and other PPC campaigns. This non-genuine traffic is also referred to as invalid traffic (IVT), which includes bots, click farms, and even your business competitors clicking on ads to waste your ad spend.

One of the main techniques used to fool the ad platforms is the use of VPNs and proxy servers to hide the fraudulent IP address, allowing the fraud to continue.

VPN click fraud is a common problem that we see here at ClickCease. So, we want to share how VPN and proxy servers can be used to hide traffic and how it works. 

Proxy Servers

They hide your IP, but you are still not invisible…

“A proxy server is a computer that offers a computer network service to allow clients to make indirect network connections to other network services. A client connects to the proxy server, then requests a connection, file, or other resource available on a different server. The proxy provides the resource either by connecting to the specified server or by serving it from a cache. In some cases, the proxy may alter the client’s request or the server’s response for various purposes.”

How does a proxy server work?

Simply put, a proxy server is a computer used as a form of middle-man. By routing your traffic through a proxy server, you are masking your internet activities in a way that they appear to be originating from somewhere else.

However, in most cases, proxy servers do not strip your internet transmissions of identifiable information, meaning there are no additional privacy or security protections built in.

Furthermore, proxies are configured on an application-by-application basis and not computer-wide. This means only one application at a time (your web browser or your BitTorrent client, for example) can be configured for use with a proxy server.

This configuration is great when you want to perform a low-stake task, such as reaching simple region-restricted content (Youtube/Netflix, anyone?) or bypassing IP-based restrictions on services. 

It’s also a popular method for click fraud operators to hide their location with a fake proxy, since the fraudulent device mostly uses only one application. We’ll dive into the details of how fraudsters execute their attacks with the help of proxies a bit later in the article.

Private and shared proxy servers

As well as these three tiers of proxy servers, proxy users can also choose either a private or shared proxy service. Some are totally free, for example, the TOR browser, which uses a network of computers around the world to enable users to remain anonymous. However, professional proxy users, especially those performing ad fraud or click fraud, will most likely use a dedicated private proxy.

These private proxy servers are often based in data centers like AWS (Amazon Web Services).

And setting up a private proxy server to use for your click fraud campaign is actually very easy.

Virtual Private Networks (VPNs)

Your connection is encrypted, and you become much harder to track and identify…

Virtual Private Networks (VPNs) are secure online tunnels that protect your internet connection by encrypting data between your device and the server. This hides your online activity from third parties and increases your privacy. 

Businesses often use VPNs to protect their employees’ data when they are working remotely. They can also be used by individuals to protect their privacy and security when they are using public Wi-Fi networks. 

Your connection is encrypted, and you become much harder to track and identify… And this, unfortunately, is where fraudsters have identified an advantage to hide their activities. 

How do VPNs work?

VPNs, in a similar fashion to proxies, make your internet activity appear as if it is originating from a far away location. But that’s where the similarities pretty much end.

First off, unlike proxies, VPNs are configured at the device level, and the VPN connection carries the full network connection of the device it is configured on. The connection between the user’s device and the VPN server also runs through a heavily encrypted tunnel. That is why VPNs are considered superior for high-stakes tasks where privacy or higher security is a concern. In fact, studies indicate that 13.6% of all fraudulent traffic is attributed to VPN click fraud, highlighting the significant role they play for fraudsters.

So, what makes VPNs and proxies attractive methods to fraudsters?

Nowadays, whenever an IP address is blocked in the Google Adwords or Bing Ads platforms, the advertiser’s ads become invisible to the attacker. This results in the attacker being unable to click on the advertiser’s ads any longer.

However, by employing a proxy server or by using a VPN, the attacker can change IP addresses rapidly and regularly and click on the advertiser’s ads again and again. This is VPN click fraud.

Organized ad fraud or click fraud operators will use a high-level proxy server or VPN to hide their identity and perform their fraud. And because these fraudulent operations are often organized and use multiple devices, switching IP addresses is instrumental in performing this level and volume of fraud.

Other forms of click fraud, including traffic bots for hire, also use VPNs and proxies to hide their location and device.

How are VPNs and proxies used for click fraud?

As we’ve seen, VPNs and proxies are appealing tools for fraudsters due to their ability to mask their malicious online activities effectively. The dynamic nature of these services minimizes the risks of identification for fraudsters.

To understand them better, here’s a breakdown of how fraudsters employ VPNs and proxies in some of their common click fraud methods: 

IP spoofing

VPN: With VPN services, fraudsters can easily hide their actual IP addresses, making it appear as if clicks are coming from various locations. This helps them avoid detection based on IP patterns. 

Proxy: Similar to VPNs, proxy servers can be used to spoof IP addresses. By rotating through different proxies, fraudsters make it difficult for advertisers to identify and block fraudulent traffic.

Geotargeting manipulation

VPN: Fraudsters can use VPN servers located in specific geographic regions to simulate legitimate traffic from targeted locations. For example, a fraudster could use a VPN to make it appear as if they are located in the United States in order to click on ads that are only targeted to US users.

Proxy: Proxies work in a very similar way to VPNs when it comes to masking geotargeting locations. It’s just that the internet traffic is routed through the proxy server, while in the case of VPN, the traffic is fully encrypted through a secure tunnel which makes it more difficult to be identified.

Rotating IPs

VPN: Fraudsters may utilize VPN services with features like automatic IP rotation. This constantly changes the IP address associated with clicks, making it challenging for ad networks and businesses to identify suspicious patterns.

Proxy: Similar to VPNs, proxy servers can be set up to rotate IP addresses, making it more difficult for advertisers to trace fraudulent activity back to a single source.

Automated scripts and bots

VPN: Automated browsing scripts and bots can be deployed in conjunction with VPN services to simulate human-like interactions. A VPN bot helps fraudsters generate clicks and engage with ads in a way that mimics legitimate user behavior.

Proxy: Bots and scripts can also be used with proxy servers to automate fraudulent activities such as clicking on ads. The combination of fake proxies and automation makes it challenging for detection systems to differentiate between real and fake traffic.

User-agent spoofing

VPN: Fraudsters may modify the user-agent strings of their browsers while using VPNs to mimic different devices and browsers. This makes it harder to identify and block fraudulent activity based on user-agent patterns.

Proxy: Similar to VPNs, user-agent spoofing with proxy servers involves altering browser information to appear as if clicks come from diverse devices and browsers, making it more difficult for advertisers to detect automated or suspicious behavior.

Click farms

VPN: Click farms may use VPN services to generate clicks from various locations, contributing to the fake appearance of diverse and legitimate traffic sources.    

Proxy: Similarly, click farms can leverage proxy servers to simulate clicks from different IP addresses, further complicating efforts to identify and block fraudulent activity.  

How does ClickCease combat proxy and VPN click fraud?

Anonymity poses a considerable challenge when it comes to combating this type of fraud. The issue for the major ad platforms is that they will mostly focus on blocking IP addresses as a way to stop click fraud. This has been shown to be largely ineffective because, as we’ve seen, IP addresses can easily be switched by click farms or botnet operators. 

However, here at ClickCease, we have developed several solutions for blocking proxy servers and VPNs. 

We have accumulated and compiled a large amount of data regarding known repeating offenders into blacklists which we use as the first tier of protection against fraudsters who use proxy servers and VPNs.

Secondly, alongside these blacklists, we allow our clients to set their click threshold: the maximum number of clicks they will allow from any one IP address on their ads before our system automatically blocks it.

Thirdly, we have devised a tool that allows our system to tag each individual device used by any IP address with a specific and unique ID. This means that even though the fraudster who’s assaulting your ads might be trying to hide his IP address by constantly changing it, we are still able to identify that it is indeed the same attacker using the same device.

Once we have identified his device as one that is used for fraudulent activity, we are able to block any new IP he uses on its first click. 
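The three tiers described above, replayed over a small click log, as an added example (not ClickCease's own code). The `device_id` field stands in for whatever device tagging the product performs, and the IP addresses, threshold and log entries are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Click:
    ts: int          # seconds since start of capture (constructed)
    ip: str          # documentation-range addresses, constructed
    device_id: str   # assumption: opaque device tag supplied upstream


@dataclass
class TieredClickFilter:
    blacklist: frozenset            # tier 1: known repeat offenders
    click_threshold: int            # tier 2: max clicks allowed per IP
    use_device_ids: bool = True     # tier 3 on/off, for comparison
    clicks_per_ip: Counter = field(default_factory=Counter)
    blocked_ips: set = field(default_factory=set)
    flagged_devices: set = field(default_factory=set)

    def _block(self, click, reason):
        # Blocking an IP also marks the device behind it as fraudulent.
        self.blocked_ips.add(click.ip)
        self.flagged_devices.add(click.device_id)
        return ("block", reason)

    def evaluate(self, click):
        """Return (decision, reason) for one click, updating state."""
        if click.ip in self.blocked_ips:
            return ("block", "ip_already_blocked")
        if click.ip in self.blacklist:
            return self._block(click, "blacklist")
        # A flagged device on a fresh IP is blocked on its first click.
        if self.use_device_ids and click.device_id in self.flagged_devices:
            return self._block(click, "known_device")
        self.clicks_per_ip[click.ip] += 1
        if self.clicks_per_ip[click.ip] > self.click_threshold:
            return self._block(click, "click_threshold")
        return ("allow", "ok")


# Constructed log: device F rotates IPs after being blocked; device G
# starts on a blacklisted IP and then moves to a clean one.
BLACKLIST = frozenset({"192.0.2.66"})
SAMPLE_LOG = [
    Click(0, "198.51.100.7", "dev-A"),
    Click(10, "203.0.113.5", "dev-F"),
    Click(20, "203.0.113.5", "dev-F"),
    Click(30, "203.0.113.5", "dev-F"),
    Click(40, "203.0.113.99", "dev-F"),
    Click(50, "192.0.2.66", "dev-G"),
    Click(60, "198.51.100.7", "dev-A"),
    Click(70, "203.0.113.150", "dev-G"),
]


def replay(log, use_device_ids=True, threshold=2):
    """Run the log through a fresh filter; return (ts, decision, reason)."""
    f = TieredClickFilter(BLACKLIST, threshold, use_device_ids)
    return [(c.ts, *f.evaluate(c)) for c in log]


def allowed(results):
    """Count clicks that passed every tier."""
    return sum(1 for _, decision, _ in results if decision == "allow")


if __name__ == "__main__":
    for label, flag in (("IP tiers only", False), ("with device IDs", True)):
        results = replay(SAMPLE_LOG, use_device_ids=flag)
        print(label, "-> allowed clicks:", allowed(results))
        for row in results:
            print("  ", row)
```

Replaying the same log with `use_device_ids=False` shows the gap that IP-only blocking leaves: the clicks from the rotated addresses pass until each new IP reaches the threshold on its own.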

Find out more about click fraud in our guide.

Is click fraud a problem for you?

If you run PPC ads, there is a very high chance that your campaigns are affected to some extent by VPN click fraud. In fact, 90% of Google Ads campaigns are affected by invalid traffic of some kind.    

The average Google Ads campaign actually sees a click fraud rate of around 14%, although, for competitive industries, this can run as high as 70%!

So, is click fraud affecting your Google Ads? Well, the best way to find out is to run a traffic audit to see exactly who or what is clicking your paid ads.

Sign up for your FREE 7-day trial of ClickCease to perform your own traffic audit and to find out if VPN or proxy-based click fraud impacts your campaigns.

The post How VPNs and Proxy Servers Are Used For Click Fraud appeared first on ClickCease Blog.

Click fraud prevention on Google Ads – How to protect your ads?
https://www.clickcease.com/blog/click-fraud-prevention-on-google-ads-how-to-protect-your-ads/
Mon, 20 Nov 2023 17:31:29 +0000

In the dynamic world of Google Ads, where clicks are the currency of success, a shadowy figure looms in the background: click fraud.  

As advertisers chase their dreams of ad success, some of their cash unknowingly takes a detour into the black hole of fake clicks. Yep, a portion of your hard-earned budget might be slipping through unnoticed.

This hidden threat highlights the critical importance of effective click fraud prevention in the ongoing battle against deceptive clicks on Google Ads.  

So, let’s unravel the mystery behind click fraud and explore some strategies that give advertisers the upper hand in the ongoing fight against these sneaky clicks in their Google Ads campaigns.

The definition of click fraud

Click fraud, at its core, involves deceptive or unintended clicks on online content. Its manifestations are diverse, encompassing fake clicks delivered by automated schemes or click farms, manual clicks by your competitors, or even simple accidental clicks.   

These unauthentic clicks also infiltrate your analytics which skews your data and makes it difficult to make informed decisions. In the case of PPC campaigns, click fraud can create a misleading illusion of success by making you believe that more people are genuinely engaging with your ads. 

Meanwhile, the advertising platform is regularly charging you for these deceptive clicks, leading to a misalignment between perceived success and the actual value of your advertising investment. 

Read our full guide about click fraud here.

How does click fraud impact advertisers on Google Ads?

In the complex dance of online advertising, click fraud on Google Ads is the uninvited guest that disrupts the rhythm, impacting advertisers on multiple fronts. 

With a market share of 23.61%, it’s the most dominant ad platform on the Internet. As such, it’s not just the first choice for advertisers but also the main target of fraudsters. If left unaddressed, click fraud can have far-reaching consequences for advertisers. Let’s explore them.     

Financial losses 

In the world of online ads, click fraud really hurts advertisers where it hurts the most: the budget.

WebFX estimates that a regular business spends anywhere between $1,000 and $10,000 on Google ads per month. Now imagine that, on average, 14% of these clicks are fake. You’re basically flushing $140 down the drain for every $1,000 spent.

Yet, think about the time and effort you poured into creating and optimizing your ad campaign. It’s more than just a financial loss; it feels like the overall productivity of your business endeavors is continually decreasing, making it challenging to reach your business goals.

Reduced ROI

With inflated click numbers and increased costs, your return on investment (ROI) decreases. 

You may find it challenging to justify your ad spend when a significant portion of it is wasted on clicks that can’t contribute to genuine conversions. 

Distorted performance metrics 

Click fraud can distort key performance metrics such as click-through rate (CTR), conversion rate, and engagement metrics.   

Advertisers may find it difficult to accurately assess the actual performance of their campaigns, making it challenging to optimize and improve their strategies. 

Trust and credibility

Beyond the domain of finances, ROI, and key performance metrics, click fraud extends its influence to the very foundation of the advertiser’s relationship with the digital advertising space – trust and credibility.

Advertisers may lose trust in the effectiveness of Google Ads if they perceive that a significant portion of their budget is being wasted on fraudulent clicks. This could lead to a reluctance to invest in online advertising or a shift to alternative advertising channels. 

How does Google deal with fake clicks?

There’s a reason why Google Ads is so powerful and remains the number one advertising platform no matter what. It’s in Google’s interest to take care of its advertisers and ensure they’ll get the most out of their campaigns.

So, Google takes minimizing click fraud and ad fraud on its platform seriously. It has a multi-layered approach to protecting advertisers from unwanted clicks on their ads. Let’s explore it.

Automated systems and manual human reviews for click fraud detection

At the forefront of Google’s defense are both automated systems and specialized human reviews dedicated to click fraud detection. 

The automated system uses filters to distinguish between activity generated through genuine users and activity that may pose a risk to advertisers, lowering the risks of advertisers being charged for irrelevant interactions.

The team uses specialized tools and techniques based on extensive experience tracking and monitoring user behavior and analyzing scenarios that may indicate fake ad interactions.

Monitoring various data points 

To stay ahead in the cat-and-mouse game of click fraud, Google monitors various data points, including:

  • IP address
  • Time of interaction
  • Duplicate interactions

After analyzing various kinds of interaction patterns, Google tries to filter out potentially invalid clicks and impressions. 

Reporting invalid traffic      

Despite their proactive measures, Google recognizes that some invalid traffic may pass unnoticed through its filters. That’s why, as a last layer of their click fraud protection process, they offer the opportunity for advertisers to detect and report suspicious activity.  

So, once you know there are fake interactions with your Google Ads campaigns, you can collect your information and report this to Google for further investigation.

Read their guide about managing invalid traffic and how the reporting of invalid activity works.

How can you identify click fraud on your Google Ads?   

While Google has implemented various measures to detect and prevent click fraud, it is still a prevalent issue. If you run PPC campaigns on Google, you must be aware of the signs of fake traffic. 

Identifying click fraud on your Google Ads requires a vigilant eye and active monitoring of your analytics.  

Here are some steps you can implement to identify suspicious activity:  

  1. Keep an eye on your campaign metrics, especially click-through rates (CTR) and conversion rates. Look for unusual spikes in clicks without a corresponding increase in conversions. 
  2. Examine the IP addresses of the users who click on your ads. Multiple clicks from the same IP address within a short time period may indicate fraudulent activity. However, be cautious, as legitimate users may share IP addresses (e.g., in offices or public spaces).   
  3. Analyze your bounce rate (and Engagement rate in the new GA4). A high bounce rate can indicate that your ads are being clicked on by bots or low-quality traffic.
  4. Compare your Google Ads data to your Google Analytics. If there is a higher number of clicks on your ads, but no visits are marked in your Google Analytics, it may indicate that bots or malicious actors are clicking on your ads without actually visiting your website or landing pages.  

Keep in mind that once you spot any of these signs, it means that your ads are already being targeted by the fraudsters. To minimize the risks associated with click fraud and avoid serious damage, it’s of crucial importance to block fraudulent traffic in the first place.   
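Steps 1, 2 and 4 above as checks over a click log, as an added example that is not Google or ClickCease code. It assumes you hold your own landing-page click log (timestamp, IP, click ID) and an analytics export of sessions keyed by the same click ID; the field names and all sample data are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample():
    """Constructed data: four ordinary days, then a day with one-IP burst."""
    clicks, sessions = [], []
    start = datetime(2024, 1, 1, 9, 0, 0)
    for day in range(5):
        for n in range(5):  # ordinary visitors, one click each, an hour apart
            cid = f"c{day}-{n}"
            clicks.append({"ts": start + timedelta(days=day, hours=n),
                           "ip": f"198.51.100.{10 + n}", "click_id": cid})
            sessions.append({"click_id": cid, "converted": n == 0})
    for n in range(12):  # last day: 12 clicks in under two minutes, no visits
        clicks.append({"ts": start + timedelta(days=4, minutes=30, seconds=10 * n),
                       "ip": "203.0.113.9", "click_id": f"b{n}"})
    return clicks, sessions


def burst_ips(clicks, window=timedelta(seconds=60), min_clicks=3):
    """Step 2: IPs with at least min_clicks inside any sliding window.

    Returns {ip: peak clicks per window}. Shared IPs (offices, public
    Wi-Fi) can trip this too, so treat hits as leads to review.
    """
    by_ip = defaultdict(list)
    for c in clicks:
        by_ip[c["ip"]].append(c["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, lo = 0, 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_clicks:
            flagged[ip] = best
    return flagged


def clicks_without_visit(clicks, sessions):
    """Step 4: ad clicks that never show up as an analytics session."""
    seen = {s["click_id"] for s in sessions}
    return [c["click_id"] for c in clicks if c["click_id"] not in seen]


def suspicious_days(clicks, sessions, factor=2.0):
    """Step 1: days whose clicks spike while conversions do not."""
    converted = {s["click_id"] for s in sessions if s["converted"]}
    per_day = defaultdict(lambda: [0, 0])  # day -> [clicks, conversions]
    for c in clicks:
        day = c["ts"].date()
        per_day[day][0] += 1
        per_day[day][1] += int(c["click_id"] in converted)
    base_clicks = median(n for n, _ in per_day.values())
    base_conv = median(k for _, k in per_day.values())
    return [d.isoformat() for d, (n, k) in sorted(per_day.items())
            if n >= factor * base_clicks and k <= base_conv]


if __name__ == "__main__":
    clicks, sessions = build_sample()
    print("burst IPs:", burst_ips(clicks))
    print("clicks with no visit:", len(clicks_without_visit(clicks, sessions)))
    print("spike days without conversions:", suspicious_days(clicks, sessions))
```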

How can you prevent click fraud?

Preventing click fraud is not just a goal; it’s a proactive strategy to protect your advertising efforts on Google Ads. Unlike identifying click fraud, preventing it requires a more strategic approach. 

Manual click fraud prevention      

Active monitoring of your ad traffic empowers you to take manual measures, such as excluding suspicious IP addresses or refining your targeting to eliminate irrelevant audience groups. 

However, to achieve comprehensive protection, it’s important to recognize the limitations of manual intervention. Working through the large volume and complexity of data is not a simple task. It’s challenging for human oversight alone to detect and respond accurately to emerging threats.

And after all, you have a business to run or campaigns to plan, implement, and optimize. You’ll likely want to stay focused on the more critical tasks. That’s where the importance of full and automated protection comes into play.    

Automated click fraud prevention 

Utilizing software tools designed for click fraud prevention, such as ClickCease, proves to be a game-changer. These tools analyze vast datasets in real-time, identifying fraudulent patterns and implementing preventive measures with precision. This ensures that no deceptive click goes unnoticed.  

With the increasing rates of money lost due to PPC click fraud, employing an automated solution for blocking malicious traffic is the most effective way to protect your budget.   

With ClickCease, you can automatically block such fraudulent sources from clicking on your Google Ads. This way, you can run your ad campaigns stress-free, ensuring that your precious ad budget is used for attracting genuine traffic only.    

Run a free traffic audit and see how much you can save on your Google Ads if you let ClickCease prevent click fraud and block bad traffic for you.    

Sign up for your 7-day free trial here.

The post Click fraud prevention on Google Ads – How to protect your ads? appeared first on ClickCease Blog.

What is Click Fraud? The Complete Guide 2024
https://www.clickcease.com/blog/what-is-click-fraud/
Tue, 14 Nov 2023 13:49:19 +0000

If you’re using Pay Per Click (PPC) advertising, or paying by ad impressions, have you ever wondered how many of these clicks are seen by real humans? Perhaps you’ve heard of click fraud, and you’re curious: What is click fraud, and how does it work?

In this guide, we will take an in-depth look at the growth of digital marketing. We’ll explain what click fraud is in cyber security: who it affects, and what you can do to stop it.

Contents

Chapter One: Why Click Fraud Matters
Chapter Two: The History Of PPC
Chapter Three: How Click Fraud Works
Chapter Four: Infamous Click Fraud Cases
Chapter Five: Preventing Invalid Clicks
Chapter Six: The Best Way To Block Fraud

Click Fraud: What Is It & Why Does It Matter?

Digital marketing, and pay-per-click ads, in particular, have become the go-to methods of advertising for most businesses. Everyone from small business owners to global corporations can take advantage of this access to a huge market online. 

With over 4 billion people in the world connected to the internet on a daily basis, and nearly 2 billion of those buying something online each year, a well-targeted PPC campaign is the difference between sinking and swimming. Add in the fact that there are 9 billion searches on Google every day, and you’ll understand how big a deal pay-per-click advertising is. With this huge volume of traffic, and money, comes an obvious target for fraud. And click fraud has now come to be the most costly form of fraud committed each year. Just as a result of ad fraud (the most common form of click fraud), businesses are losing $100 billion globally in online advertising, surpassing credit card fraud at $30 billion. 

What is click fraud?

Click fraud is the act of clicking on online content, including organic or paid ads online, with malicious or vindictive intent. For instance, it could take place on a display ad or a sponsored search result, on links you publish on your social media accounts, or as clicks racked up across your website.

This can be to deplete the advertisers’ marketing budget, damage the performance or reach of the ad, or even steal the cost of that click for yourself (a practice known as ad fraud).

When it comes to click fraud on organic content – like fake clicks on your social media posts or generating fake website traffic – fraudsters may aim to gain a competitive advantage, overwhelm your website, or hurt your online efforts by injecting fake data into your analytics. 

We will look more in-depth at the sources and motives for click fraud later in this article. But suffice it to say, there is a huge industry that has grown around defrauding programmatic ads and advertisers.

From paid-to-click apps (PTC apps) to click farms, generating large volumes of fake clicks is easier than ever. In fact, the issue of click farms is widely reported, with many of them selling their services to inflate likes and followers on social media. But this same technique can also be used for criminal gain, with millions of dollars at stake for enterprising gangs who know how to make click fraud pay using complex technological solutions and malware.

What is ad fraud?

The practice of ad fraud is an organised form of click fraud. Ad fraud is often used to fraudulently inflate the payout for website publishers, mobile app developers, or on social posts or videos.

Often when referring to click fraud, people use the term ad fraud interchangeably. However, where click fraud can be either accidental (for example, from bad ad placement) or malicious (for example, rivals aiming to deplete your marketing budget), ad fraud is usually intended to line the pockets of the fraudster.

Is click fraud really that big a problem? 

The actual rates of fraud vary based on:

  • Your industry
  • Geographic location
  • Time of year

Our research paper found that the average rate of click fraud across the campaigns we protect here at ClickCease is 14%.

However, there is a huge variation of fraudulent ad clicks within that, depending on the industry. For example, the industries with the highest volume of fraud were found to be:

  • Photography – 65%
  • Pest Control – 62%
  • Locksmith – 53%
  • Plumbing – 46%
  • Waste Removal – 44%

Other notable industries subject to high levels of click fraud include real estate (31%), financial services (20%), and legal and law services (14%).

The truth is, click fraud affects almost every industry, with 90% of all campaigns on Google Ads being impacted in some capacity.

In this guide we’ll be taking an in-depth look at the world of marketing, what click fraud is, and how it can cause you a real headache.

And more importantly, we’ll show you how you can fight back and prevent click fraud on your online marketing operations.


A Brief History of PPC

Where were you on the 6th of August 1991? Well, you may or may not have even been born, but that’s the day the World Wide Web ran its first web page.

Tim Berners-Lee, a British computer scientist who had been working at CERN in Switzerland, proposed that by networking computers via phone connections, we could share data around the world.

The first web page, released to the World Wide Web in 1991 by Tim Berners-Lee

It took a few years for it to catch on, with browsers becoming available for the Commodore Amiga, Unix, Windows, and Mac OS in 1993.

Does anyone remember Netscape?

The birth of online advertising

But it was in 1994 that much of the online activity that you might recognize today started to happen. With around 11 million American households equipped to get online, we saw the White House launch a web presence; the first online purchase – a pepperoni pizza from Pizza Hut; the launch of Yahoo! – which was the Google of its day; the first piece of spam mail and… The first-ever online banner ad.

American telecoms company AT&T paid $30,000 to the website HotWired.com (now Wired.com) to place an HTML banner ad on their homepage. The incredibly simple design said:

“Have you ever clicked your mouse right here?” with an arrow pointing to a separate piece of text saying: “You Will.”

The world's first ever display ad banner

Once they clicked on the banner, users were taken to a landing page that took them on a tour of the world’s greatest museums. So it wasn’t even a blatant sales campaign but was designed to encourage engagement and build AT&T as an information brand. An early form of content marketing…

That banner had a 44% click-through rate!

By contrast, today’s marketers are happy to see a click-through rate of around 0.5%.

Of course, we internet users see countless display ads, videos, and sponsored search results a day. But at the time, the process was unique. A way for websites to monetize their content so they could pay writers? Who would think that would catch on? But sure enough banner ads became one of the most popular forms of online advertising, with sites like Time getting in on the act, and with companies paying anything up to thousands of dollars to place their banner ads on websites.

Targeted and sponsored ads

With banner ads becoming commonplace, advertisers started to wonder if there were ways to target specific demographics. Up to this point, advertisers had simply hired space on whichever web page they wanted, and their ads would be displayed for a set amount of time.

An advertising company called WebConnect was one of the first to pioneer tracking user activity online and using algorithms to change the adverts shown on a web page. Before this, a banner ad was static for the duration of the advertising contract. By using WebConnect, a company could add their banner ad to a variety of different websites based on price and demographics.

Another breakthrough was being able to rotate banner ads on websites to avoid ‘banner fatigue.’ Once a site visitor had been shown a banner two or three times, the banner would change, a clever tactic designed to catch the attention and maximize the chances of a click-through.

In 1996 came DoubleClick, another online advertising agency that made it easy for companies to find the right site and for websites to make money from ads. In fact, DoubleClick’s ability to give websites easy access to advertisers caused a rapid expansion in the number of websites offering advertising space.

Add in the ability for advertisers to track their ROAS and to customize their ad spend by focusing on high-performing websites, and you had the fuel to the fire for online marketing.

The software underpinning this was D.A.R.T (Dynamic Advertising, Reporting, and Targeting) which gave advertisers an easy way to see where their money was going. DoubleClick was also one of the first sites to bring in a new pricing model for online advertising; CPM or Cost per Mille, meaning advertisers were now paying for the ad’s performance, not just for its placement.

The rise and rise (and rise) of Google

Around this time, two students at Stanford University, Larry Page and Sergey Brin, were developing a piece of code that was designed to make sense of all of the websites that were popping up every day. Their program, ‘Backrub’, was part of their mission to organize the masses of information that the internet was spawning by categorizing links.

Sites like Yahoo!, Excite, Lycos, AOL, and AltaVista were the search engines of choice for most internet users in the 90s. And although they worked, their algorithms were perhaps too simplistic for the growing World Wide Web.

For example, Yahoo! required a team of real people to input websites into its database so that when you ran a search, it would show in the results. If you hadn’t submitted your website to Yahoo!, then it wasn’t going to show up.

At the time, Yahoo’s technique was a revolutionary approach and one that put a huge strain on sites like Excite and AltaVista which used simple text searches to find results.

But Page and Brin had worked out a way to map the relevancy of a website to a user’s search terms by a complex web of link crawling, keyword analysis, and PageRank, or relevancy. At a relatively early point, the project got renamed Google, and with an investment of $100,000 from the co-founder of Sun Microsystems, Andy Bechtolsheim, the Google project began its ascendency.

Although early websites like Yahoo and Lycos also offered a sort of online directory, news pages, and weather reports, Google kept it simple. Their thing was search results, and the more the word got out about how effective Google was, the more they grew.

At some point between 2000-2001, Google became the dominant search engine, and the phrase ‘Google it’ was born. Even Yahoo! switched its search engine over to Google to make sure people didn’t stop using Yahoo!

Google gives birth to AdWords and AdSense

Having cornered the marketplace with effective search results, Google had to monetize. Between August and October 2000, Google launched its Premium Sponsorships and AdWords platforms.

Using Premium Sponsorship enabled advertisers to pay to have their company appear at the top of the Google SERPs on a CPM basis. Whereas using AdWords meant that your advert would appear as a text banner on the side of the search results. Although, at the time, Google was still in its relative infancy, the popularity of the service took off quickly.

In 2003 Google launched its AdSense platform, allowing publishers to host advertising on their websites and make money from clicks and views. Like DoubleClick, it revolutionized how website owners could get paid for their content.

Suddenly you didn’t need to be selling anything or even have an online shop… You could set up a blog or information portal, host ads and banners, and get paid. All you needed to do was bring in the traffic.

So by offering the most efficient search results and easily giving people what they were looking for, Google became the dominant search engine. Then by giving businesses a way to maximise their visibility on these search results, they built a growing tide of income that would establish them as one of the world’s biggest tech companies.

And then, by offering publishers a way to host and get paid by adverts, Google became the world’s biggest advertising platform.

With their growth, Google continues to offer highly effective tools to manage, research, and track your advertising spend: Analytics, Trends, and My Business…. Today there are something like 251 Google services, covering everything from productivity and study to entertainment, web browsers, and actual hardware.

The other guys: Facebook, Amazon & Microsoft

As Google grows to become the dominant search engine, other players are doing their thing. As a savvy digital native, you’ve no doubt heard of some quirky start-ups called Facebook and Amazon. Both of these billion-dollar brands have grown, alongside Google, to become the biggest at what they do.

Put simply, Facebook has built itself from a simple platform to connect with friends to the dominant global social media platform with plans to connect EVERYONE. Meta now encompasses Instagram, WhatsApp, and Oculus (virtual reality), with around 2 billion users of its platform every month. 

Amazon has gone from being a bookshop to the world’s online superstore, with acquisitions including Whole Foods, Ring (a home security company), Pillpack (an online pharmacist), and Twitch (gaming and video).

In this history of the internet, this is the first real mention of Microsoft, which has been there the whole time. Their Windows operating system has powered the internet from the start, but their presence away from the OS hasn’t been the most consistent. However, their search engine Bing is still the second biggest search engine, with over 9 billion searches a month. Microsoft also owns LinkedIn, Skype, Nokia, MultiMap, and a whole glut of software companies.

When it comes to PPC campaigns, although Google is the leader in search engines, each of these has its own specialty that can be harnessed.

And that brings us to the issue of click fraud and how it could affect you, the modern marketer.


How Click Fraud Works

As programmatic advertising has become more complex, allowing us different ways to target demographics and a multitude of ways to pay for our advertising, so has click fraud become more sophisticated.

The practice of click fraud

As we’ve seen, there are multiple reasons to commit click fraud or ad fraud. It can occur on any link, whether organic, paid search, social media, in-app promotion, or other forms of digital marketing activities. 

The most common reasons to get fake clicks on your PPC ad campaign are:

  • Vindictive competitors or customers who want to negatively impact your online presence or brand reputation in general
  • Organized fraudulent developers who have created a way to get paid for clicking your ads, usually using fake publisher inventory
  • Malware apps or software created to collect the payout from ads (often with some help from bots)
  • Paid-to-click apps that pay users to click or watch ads in exchange for a small reward.

When you consider that the price for some keywords in Google Ads (previously known as AdWords) can be upwards of $50, or over $100 per click, you’ll soon see why multiple fraudulent ad clicks can really start to cause a problem. In fact, even with clicks at a dollar or so each, the volume of click fraud can quickly cause problems for the average marketer.

In 2017 it was estimated that around 1 in every 5 clicks on a PPC ad campaign were fraudulent in some capacity. Since then, the techniques have become more advanced, and the sheer volume of fraudulent activity online has increased. A study by the University of Baltimore and CHEQ found that click fraud cost marketers over $35 billion in 2022. And this is forecasted to reach $100 billion in 2023 and beyond.

What are the main sources of fake clicks or click fraud?

If clicking on someone’s ad repetitively sounds like a lot of hard work, you’d be right. A competitor clicking on your ad five or ten times a day might be a drop in the ocean for your advertising spend, but there are more damaging ad-clicking methods.

High-volume clicks:

Bots and web crawlers

Designed to crawl the web looking for information, usually for spam or data collection purposes. There can be ‘friendly’ bots, that are just looking to scrape contact info, for example. Or deliberately vindictive bots that have the sole purpose of clicking on your ads hundreds or thousands of times to deplete your ad budget.

The issue of bot traffic is a complex one, with bots coming in a huge variety of flavors. Take a look at our guide to bot traffic to understand this issue in more detail.

Click Farms

Either automated setups or human-powered factories designed to click multiple times on specified links. Yes, they do exist, usually in developing countries where people can be paid as little as $5 for 100 clicks.

Click farms are used by all sorts of businesses, often to inflate their following or engagement, and they can be hired to do multiple actions, from liking social media accounts, watching videos, sharing links or information, leaving comments, and, of course, clicking on PPC adverts multiple times.

Although the bulk of click farms can be based in developing countries, there have been increasing instances of click farms based in Europe and the USA. By hooking up phones and tablets to a computer, you can automate the activity of hundreds of people.

We recently carried out our own research about this phenomenon, so read all about click farms here.

Fraud rings and bot networks

Criminal gangs establish a mixture of publisher websites and automated bots to defraud advertisers. One of the best known is Methbot, a highly sophisticated scam bot network with a complex setup that is designed to fraudulently collect the payout on video views using a network of computers. Thought to have originated in Russia, Methbot is estimated to make around $5-6 million each day in fraudulent clicks.

Ad fraud

Publishers create a website designed to host banner and text ads, then channel fake clicks through the website to collect a payout. Ad fraud often involves placing ads on websites with little chance of genuine traffic being able to find it but with the opportunity for the site owner to maximize their income.

As a complex issue with many threads, you can check out our ad fraud guide for more information.

Medium to low volume clicks:

Competitors

Your direct competitor can try and siphon off your PPC budget so that their ad ranks higher for relevant searches. They might just click your ad every time they see it, or they might instruct everyone in the office to click your ad – which could be potentially quite damaging.

Although competitors can try to manually inflate your PPC spend, you might find that this is a temporary measure or occasional practice.

We actually looked recently at a case of competitor click fraud, where a business orchestrated a campaign against local competitors. You can read the case study here.

There are some simple steps to minimize your exposure to competitors clicking on your ads, which we will look at later on.

Human error

People searching for something may accidentally click on your site in the SERPs but then click out again. They may not even realize it’s a paid ad. Technically this wouldn’t be classed as click fraud but an invalid click. There is no strategic sabotage going on here; it’s simply a mistake, although repeated mistakes can cost advertisers a fair amount of money.

Vindictive parties

Your ex-employee, unhappy customer, or even your sociopathic ex might have a reason to click multiple times on your ad just to pee you off. You’d best go and apologize.  

What’s so concerning about click fraud? 

Now, you’re probably wondering why the hell anyone would really want to go to all that trouble. Is this really something that people do?

If you haven’t already, then we suggest you run a quick search for ‘buy clicks’.

What you’ll find is a whole industry built around fake website traffic, often designed to boost views on websites or inflate the popularity of social media accounts.

Sites like Fiverr offer plenty of options for users to buy ‘likes’ or website traffic. And most of these services can, of course, be used maliciously.

Many marketers can also run bots to find new clients or to build an email list that they can sell. These simple bots may not be fraudulent, but with enough of them, you could be looking at losing quite a lot of money through non-purchasing site visitors.

Bots can be used in a variety of ways and are relatively simple pieces of programming, meaning that pretty much anyone with a decent level of coding knowledge can make their own bot. You can also buy bots from a variety of sources for everything from research to more nefarious purposes.

It’s been proven that the bulk of internet traffic is actually bots, with some sources estimating 40% and others putting the figure at upwards of 50%. So when you’re aiming to run your next PPC campaign, this is definitely an issue that you’re going to have to bear in mind.

Those running a PPC campaign might find that the amount of PPC ad fraud sits around 20% of their total traffic. Bear in mind that Google doesn’t refer to the practice as ‘click fraud’ but prefers the term ‘invalid clicks.’ This covers all bases from genuinely mistaken clicks to the actual vindictive bot or click farm traffic.  

Who is affected by Click Fraud?

You might think that click fraud is the kind of thing that only really affects the big boys; the Amazons, Citibanks, and Teslas of this world.

Of course, they are in the firing line as they target high-value keywords. But in reality, every online business is at risk of click fraud to some degree or another.

Automated click fraud doesn’t discriminate, with bots often just scouring the web for specific search terms. Even accidental clicks can really add up if your banner or sponsored result is in a competitive industry.

An industry with a huge amount of traffic and expensive keywords means more room for fraudsters to hide. It also means less risk of getting caught and a higher payout.

Here at ClickCease, we see that the most affected micro industries are locksmiths, lawyers, water damage repair, and… dentists. It seems that local service providers are prone to a higher rate of click fraud due to the competition, high CPC, and knowledge of the market.

No matter how little or how much money gets spent on campaigns, one thing is for sure. Every company that’s using PPC networks like Google Ads or Bing Ads is either vulnerable to click fraud or has been a victim of click fraud.  


High Profile Cases of Click Fraud

On occasion, some of the bigger cases of click fraud make it into the press, especially when there is some serious money at stake. These examples can be on the more extreme end of the click fraud spectrum, but they give a good insight into the lengths some people will go to.

Like other forms of fraud, those big examples are just the tip of the iceberg, with many smaller click fraud campaigns hiding under the surface.

The botnet hacker

Italian citizen Fabio Gasperini was sentenced in 2017 to one year in jail in the USA, as well as a $100,000 fine as a result of his involvement in a botnet hacking scam. Gasperini targeted servers that are used by companies for large-scale data storage and transfer, gaining control of these servers to use as simulated web browsers.

Gasperini was able to use the servers to set up a network of around 100,000 computers around the world and use them to send automated clicks on ads that were embedded on websites that he owned. He also defrauded big businesses that were paying for these ads, including Nike and Walt Disney.

When you consider that one man was able to do such extensive damage, it just goes to show what can happen when you have a seriously organised criminal network.  

We also looked at this case on the ClickCease blog back in 2017…

Search engine clampdown

Microsoft and their Bing search engine are the second biggest player in the PPC world (excluding social media sites), and they have been known to take click fraud very seriously. Back in 2009, Microsoft sued a family team based in Vancouver, BC, for their part in a click fraud scam designed to drive traffic to their World of Warcraft and auto insurance-based websites.

Microsoft was awarded $750,000 in damages, although they also stated that they lost out on $1.5 million in refunds as a result of fake clicks by the scammers.

Criminal bot networks

We mentioned Methbot earlier, but this huge criminal scam is a long-running and hugely profitable bot network that is designed to make money off video advertising. The network makes around $3-5 million a day by using fake websites to stream videos, racking up views, and huge payouts.

It is alleged that the gang has set up around 250,000 URLs that host video adverts which rack up around 300 million video ad views each day!

The sophistication of the Methbot set-up is staggering, with domain names made to look like they belong to well-known brands like ESPN and Vogue, around 570,000 bots, and the software making the interaction with the videos look like genuine human behavior.

Another sophisticated bot setup that was uncovered in 2017 is Hyphbot. With around a million URLs registered, Hyphbot was a prime example of ad spoofing, a practice where fake websites are made to look like big-name publishers like The Economist or The Financial Times. Advertisers then place their ads on these spoofed sites, which then receive a high volume of bot traffic, inflating the PPC payout.

Although there has been a decline in Hyphbot-related activity, it is still thought to be active and making around $500,000 a day.

The click farm

One of the most notorious click farms discovered was in Thailand in 2017. With around 500 smartphones linked up to 350,000 SIM cards and nine computers, the click farm was connected to Chinese fraudsters who used the click farm to boost likes and engagement on the Chinese social media site WeChat.

The owners of the click farm were allegedly paid $4400 a month to run the set-up.

Bangladesh and India are also regularly listed as some of the top places to set up click farms, thanks to the low wages paid to workers. One report suggests that workers paid $120 a year work in shifts to click on multiple smartphones, liking posts, and following profiles on sites like Facebook, Instagram, and Twitter.

The next time you see an Instagram account that seems to have an unfathomably large following, it might be thanks to click farms. In fact, many popular influencers and business accounts, and even some celebrities, have used click farms to inflate their popularity online.

When it comes to Google Adwords fake clicks, companies who want to waste their competitors’ advertising budget can easily hire a click farm to click on ads. A simple search online will net plenty of places where you can buy fake clicks for a low price, for whatever purpose you want. Click farms are a very real and growing business.

DCCBoost attack

The bad cyber actor DCCBoost, also known as the Grinch, resurfaced back in late 2020. Hiding beneath layers of fingerprinting, client-server communication, and intricate client-side traps, its goal was to redirect victims to gift card and lottery scam pages. 

The scammers used a chain of JavaScript code to encode and decrypt the initial payload inside the source attribute of the displayed ad banner.

It was discovered that over 25 million fake ad impressions with some variation of this payload had been registered across the internet, spread over just about 40 distinct malicious domains hosting the server-side infrastructure.


Dealing with Invalid Clicks in PPC Campaigns

As click fraud is a huge problem, and one that is growing by the day, there are several steps you can take to minimize and mitigate your exposure to it. The good news is that major search engines, like Google and Bing, have some strategies in place to combat click fraud and PPC ad fraud.

However, many feel that their efforts fall short and that there is a whole world of invalid traffic, or click fraud, that isn’t picked up.

For example, Google blocks things like high bounce rate visits (often the sign of an accidental click or obvious web scraper) or multiple visits from the same IP address. But more often than not, you’ll need to flag up suspicious activity yourself and request a refund.

In the cases where Google takes a deeper look at the issue, you’ll normally find it can take anything up to a month for the issue to be inspected and for your refund to come through. When you’re looking at batches of ten clicks on $10 keywords, this can run into the hundreds or even thousands.

Spotting these multiple clicks from specific sources isn’t the hard part; in fact, we’ll be looking at how to spot fraudulent clicks later on in this guide. It is the increasingly sophisticated click fraud approaches that cause the biggest headaches. With software able to imitate human behavior, switch IP addresses using VPNs and proxies, or even those click farms pulling the wool over the search engines’ virtual eyes, additional measures are often needed to minimize exposure to click fraud.

Using dedicated click fraud prevention software is the most effective way to make sure that you’re tackling those invalid clicks.

How can you identify click fraud?

We’ve established that click fraud is a pretty big issue, with lots of variations and the potential to really sting your cash flow. So how do you identify when you’ve been a victim of click fraud?

There are several manual checks you can do yourself to see if there has been any fraudulent activity on your ad campaigns. These don’t always give a 100% accurate reflection of what has been happening but can serve as a useful outline and possibly flag up some of the more obvious violations.

Checking IP addresses

You can use tracking tools, including WordPress plugins, for IP address logging to track IP addresses that have visited your site. You can also check your website visitor logs to see how many times the same IP address pops up over a specified time. If you notice that the same obscure location or IP address has been visiting your site regularly, then this might be a red flag for you to try and block this IP address or location.

Google does offer some protection against multiple visits from a single IP address or device. Although it isn’t perfect, and the parameters might not necessarily be what you would set yourself, it is a form of damage limitation.

Checking publishers

If you’ve been subject to one of the most popular forms of ad fraud, which is channeling your ad onto a dodgy website, then checking your publisher list will help you keep an eye on it. Look in the ‘placements’ section of your Google Ads and check the high-traffic sites for any suspect activity. If you think any of them might be fraudulent, you can block them from your publishers’ list.

A few giveaways that a site is fraudulent include pages that appear to be covered in ads, no content (or very little content of any substance), and recently registered domains.

Monitor campaign activity

Suspicious timings or spikes in engagement might be a sign that someone is targeting your ads, especially if you seem to be getting lots of clicks and little in the way of engagement.

You might also spot a high click rate from a country that might have little to do with your market. For example, if you’re a US-based company and you appear to be getting lots of clicks from the Philippines but no conversions/sales, that could be a marker that you’ve been the target of a click fraud campaign.
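The two manual checks described above (the same IP address turning up repeatedly in visitor logs, and clicks from a country that never converts), as an added example that is not part of the original article. It assumes an access log in Combined Log Format, that ad clicks carry the `gclid` parameter Google Ads auto-tagging appends, and a hypothetical `/thank-you` conversion page; the log lines, `gclid` values and IP-to-country table are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: documentation-range IPs and made-up gclid values.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Nov/2023:10:00:01 +0000] "GET /landing?gclid=TEST-a1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2023:10:02:10 +0000] "GET /landing?gclid=TEST-a2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Nov/2023:10:03:00 +0000] "GET /landing?gclid=TEST-b1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2023:10:04:30 +0000] "GET /landing?gclid=TEST-a3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Nov/2023:10:05:12 +0000] "GET /thank-you HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2023:10:06:05 +0000] "GET /landing?gclid=TEST-a4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is malformed and is skipped
192.0.2.44 - - [14/Nov/2023:10:15:00 +0000] "GET /landing?gclid=TEST-c1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Nov/2023:10:20:00 +0000] "GET /landing?gclid=TEST-d1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Nov/2023:11:15:00 +0000] "GET /landing?gclid=TEST-c2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2023:11:30:00 +0000] "GET /landing?gclid=TEST-a5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Nov/2023:11:31:00 +0000] "GET /pricing HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed table standing in for a GeoIP database lookup.
GEO = {"203.0.113.7": "PH", "203.0.113.9": "PH",
       "198.51.100.20": "US", "192.0.2.44": "US"}


def country_of(ip):
    """Map an IP to a country code; unknown addresses get their own bucket."""
    return GEO.get(ip, "unknown")


def parse_hits(lines):
    """Yield (ip, time, path, is_ad_click) for every well-formed log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparseable timestamp
        url = urlsplit(m["target"])
        # parse_qs drops blank values, so an empty "gclid=" is not counted.
        yield m["ip"], ts, url.path, "gclid" in parse_qs(url.query)


def repeat_clickers(hits, window=timedelta(minutes=10), threshold=3):
    """Return {ip: most ad clicks inside any `window`} for IPs reaching `threshold`."""
    by_ip = defaultdict(list)
    for ip, ts, _path, is_click in hits:
        if is_click:
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            # Slide the left edge until the span fits inside the window.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def clicks_without_conversions(hits, lookup, conversion_path="/thank-you",
                               min_clicks=3):
    """Return {country: ad clicks} for countries with clicks but zero conversions."""
    clicks, conversions = defaultdict(int), defaultdict(int)
    for ip, _ts, path, is_click in hits:
        country = lookup(ip)
        if is_click:
            clicks[country] += 1
        if path == conversion_path:
            conversions[country] += 1
    return {c: n for c, n in clicks.items()
            if n >= min_clicks and conversions[c] == 0}


if __name__ == "__main__":
    hits = list(parse_hits(SAMPLE_LOG.splitlines()))
    for ip, n in repeat_clickers(hits).items():
        print(f"{ip}: {n} ad clicks within 10 minutes")
    for country, n in clicks_without_conversions(hits, country_of).items():
        print(f"{country}: {n} ad clicks, no conversions")
```

Flagged addresses are candidates for review, not proof of fraud: shared office or mobile-carrier IPs can legitimately produce several clicks in a short span.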

Click fraud protection strategies

Aside from locations, devices, IP addresses, and dodgy publishers, it can be hard to spot other forms of fraudulent traffic. Forms of fraud that mimic human behavior or hide behind proxy servers are going to be hard for you to spot yourself. And as the processes and techniques are becoming more sophisticated, keeping track of developments and fraud can be a Herculean task. This is where using click fraud protection software comes into play and can really make a big difference.

How to manually block click fraud?

Of course, you’ll want to do everything you can to limit the number of fraudulent clicks coming through on your ad campaign. It can be tricky and a little labor-intensive to get everything battened down, but it is definitely worth doing these manual fixes.

Even if you’re not that tech-savvy, you’ll be able to find guides to making your PPC campaigns as watertight as you can. And where possible, we have linked to the resources to help you use some of the best techniques to minimize your click fraud exposure.

Set up IP and ISP exclusions

If you’ve identified a pesky IP address that seems to be doing something strange, and you’re pretty sure they’re messing up your PPC campaign, you can set up some exclusions. As an IP address normally refers to a specific device or location, this can cut out fraudulent PPC activity from specific users.

We have a guide to setting up IP address exclusions.

Remarketing campaigns

If you’re not looking to boost your reach at the moment, then remarketing could be a useful campaign strategy. It looks at visitors who have visited your site before and pops up on partner websites, ensuring your brand stays in their minds and possibly even encouraging repeat custom.

Of course, one of the main benefits of remarketing campaigns is that you’ll only be showing up for people who have shown an interest in your business before. It should also limit your exposure to bots or click farms, especially if you’re not in their target area.

You can find out more about running remarketing campaigns on Google’s support pages.

Adjust your targeting

By tweaking your targeting for your ad campaign, you can hugely reduce the exposure of your PPC campaign to fraudulent activity. Excluding certain geographic locations, languages, demographics, and devices can make a big difference to the success of your advertising. If you see suspicious activity coming from one particular demographic, exclude it and see what happens. You can always change it again later…


How To Automatically Block Click Fraud

As the click fraud industry remains unchecked by controls and the profits just keep getting bigger, more and more companies are waking up to the impact that click fraud is having on their budgets. 

In fact, a recent study by Juniper Research estimates that the rate of wasted ad budget due to ad fraud will be around 22% of all digital advertising spending in 2023. This means that for every $100 spent on digital advertising, $22 is wasted on fraudulent activity. This figure is expected to rise to $172 billion by 2028.

By following our tips above, you’ll be able to plug some of the leaks in the dam. But of course, you want to plug all the leaks and make sure nothing is getting past you. The best way to make sure you’re keeping all of your ad spend on target and not losing any to fraud is by using click fraud protection software. 

Although it might seem counterintuitive to spend money on protecting your ad budget, when you consider that you could be losing hundreds of dollars a day, it might make more sense as an investment.

ClickCease is a market-leading click fraud protection software service that is used in over 2 million online ad campaigns. By using a sophisticated and constantly updated series of algorithms, you’ll be able to minimize your exposure to click fraud and ad fraud activity.

If you’re running Google or Bing ad campaigns, then you’ll be able to prevent bot traffic and click farm activity and minimize invalid clicks on your PPC ads. ClickCease works on all of the most popular web hosting platforms, including WordPress, Wix, Shopify, Squarespace, and Drupal.

Although ClickCease blocks the majority of fraudulent activity, if any activity is detected after it has happened, then ClickCease can provide the details for you to apply for a refund. Unfortunately, Google no longer allows third parties to apply for refunds on their customers’ behalf.

Do I really need click fraud protection software?

So do you really need to use click fraud protection software?

Maybe it’s better to look at it from another angle.

Are you bidding on high-value keywords? The more you pay per click on average, the higher your chance of being exposed to click fraud. Although losing clicks on $1 keywords might sting a little, it’s when you get to those $10 and up search terms that you might start to notice a hole in your marketing budget. Your search term might simply include one of the expensive keywords; for example, ‘travel insurance’ and ‘best value health insurance’ both fall under the banner of ‘insurance.’

If you’re wondering what the most expensive keywords are, and by extension, those most at risk of exposure to click fraud, these are the top 8 most expensive industries for PPC campaigns.

  • Insurance: $56.91 CPC
  • Loans: $44.28 CPC
  • Mortgages: $47.12 CPC
  • Attorneys: $47.07 CPC
  • Credit: $36.06 CPC
  • Lawyers: $42.15 CPC
  • Donate: $42.02 CPC
  • Degree: $40.61 CPC

If your PPC keywords include some of these words, then your campaign is at heightened risk of click fraud or ad fraud. As some of the PPC prices can go anywhere up to $50 and over per word, these are very attractive for fraudsters.

Even invalid and genuinely accidental clicks on these keywords can really add up to making a big dent in your marketing budget. If you do use any of these search terms, take a look at your historical AdWords campaigns and see if you have been exposed to any invalid clicks.

Businesses that use any of these search terms could find that using a click fraud protection service, such as ClickCease, could boost their effective marketing spend by up to 30%.

What else does ClickCease do?

In 2022, we launched our new Bot Zapping tool. Currently available for WordPress websites, Bot Zapping allows website owners to block bot fraud such as:

Blocking fraudulent activity is one thing, but ClickCease also offers some great insight tools which are incredibly useful for your marketing. You can also get new competitor notifications whenever someone starts to bid on your keywords.

As ClickCease tracks all activity on your website from PPC advertising, you can also get an insight into customer behaviour. See mouse movements and where visitors to your site have clicked on your site to understand how customers interact with your business.

So as well as minimising fraud on your ad campaigns, you’ll also be able to get crucial marketing insight that could help you get the most out of your PPC advertising. When you look at the modern click-through rate as under 2% for search ads and around 0.35% for display ads, understanding how to maximize your results is essential.

We’ve come a long way since the days of 44% click rates on that very first online banner ad! Today you need as much help as you can get to win over potential customers.

Sign up for the best click fraud detection and prevention. ClickCease blocks fraud on Google, Bing, and Facebook Ads – so run a diagnostic on your campaigns to see how much invalid traffic you’re seeing.

FAQs

Is click fraud illegal?

Although there are laws across the world that protect against click fraud, it’s not so simple to answer the question, ‘Is click fraud illegal?’

The act of defrauding advertisers is generally considered illegal in most countries, but the problem is policing it.

Clicking multiple times on a search result; creating a website designed to host banner ads and then channeling traffic through it; hiring a click farm to download an app 100 times a day. This is all obviously highly damaging and fraudulent practice, but hard to prove and a grey area when it comes to legality.

There are some cyber crime authorities to whom you can report activity if you believe there is a serious and organized threat occurring. These include Europol, the UK’s National Crime Agency, the FBI, and Interpol.

However, most of these agencies are set up to tackle more obvious cyber crime threats such as identity theft, people smuggling, drug dealing, terrorism, pornography, and other more tangible problems.

How does fraud protection software work?

One of the main benefits of using fraud protection software is that it is constantly learning about new threats and adapting its algorithms. When a suspect IP address, device, or VPN is identified, it’s then added to the list of blocked sources. So if you’re running a PPC campaign and you’re protected by software such as ClickCease, you’ll be able to benefit from the ongoing process of identifying suspect sources.

The post What is Click Fraud? The Complete Guide 2024 appeared first on ClickCease Blog.

A Short History of Click Bots & Ad Fraud
https://www.clickcease.com/blog/a-short-history-of-ad-click-bots-ppc-fraud/
Tue, 02 May 2023 16:39:11 +0000

The post A Short History of Click Bots & Ad Fraud appeared first on ClickCease Blog.

Click bots have been a thorn in the side of PPC marketers since the start. These pesky automated troublemakers zap the budget of businesses and have become increasingly sophisticated in recent years.

This has led to alarming levels of click fraud losses for advertisers. It is estimated that global losses due to click fraud will reach 100 billion U.S. dollars in 2023, a significant increase from the 35 billion reported in 2018.

In this post, we’ll list the most famous examples of click bots over time, their impact on ad campaigns today, and how you can avoid them.

What is a click bot?

A click bot is a type of software program designed to simulate user clicks on ads or other types of web content.

In some cases, click bots can be beneficial. For example, some of them perform useful activities online, such as scanning websites for errors, tracking links in emails to detect spam, or automating tasks.

However, the majority of click bots nowadays are used for fraudulent purposes. From fake traffic to manipulating ad campaigns, these bots seriously harm the online ecosystem.

They can be used to perform simple tasks like clicking on buttons, posting comments (spambots), or visiting websites (bot traffic). But fraudsters are creating more sophisticated bots that can carry out more complex tasks and even mimic real user behavior. This can include ‘browsing’ a website, adding items to shopping baskets, or completing forms and downloads.

In addition to individual click bots, there are also botnets. These are networks of interconnected bot programs that can perform tasks individually or as a unit. These bots are often run from a command and control (C&C) center by a human operator. The bots themselves might be embedded on servers in a data center, or they can be present on infected user devices such as laptops and smartphones.

What do click bots do?

The main goal of click bots is to deceive ad campaigns by generating fake clicks. The clicks are generated in a way that makes it look like the ad is being clicked by a real user.

In the case of PPC fraud, the focus is fraudulent clicks on ads (display, video, or text/search results). These ads are normally embedded on a website owned by a fraudster. The idea is that the fraudster then collects the payout for the clicks (or video impressions) on the ads that his site is hosting.

Some other activities that click bots perform include generating bot traffic for social media, engaging with websites, and spamming or commenting.

These bots can also be used for more malicious purposes, such as distributing copies of themselves and spreading viruses. They can also carry out other cybercrime, such as distributed denial-of-service (DDoS) attacks.

How do these click bots work?

The bots themselves are technically a type of virus or Trojan, usually embedded on an internet-connected device such as a computer, tablet, server, or cellphone.

The bots on these devices can then either be used as part of a network to click on these ads en masse or carry out localized click fraud, for example, within an app (known as click injection or click spamming).

Whatever the technique, every ad click costs an advertiser, somewhere in the world, some money…


Click fraud pre-2006

Most mentions of click fraud before 2006 are related to the practice of hosting ads on a low-quality site (or sites) and then clicking them en masse to collect the payout.

This tended to be quite simple, with fraudulent publishers signing up their low-quality site for Google AdSense and then clicking the ads themselves (or hiring someone to do it for them).

Even in 2003, there were mentions of bots clicking on these ads, but much of the information is based on assumptions and partial research. Knowing there was a big problem with click fraud and ad fraud, Google employed a dedicated team to tackle the growing problem.

Competitor click fraud has also been a problem since the early days of pay-per-click (PPC), with the practice becoming commonplace today.

So, it was just a matter of time before click bots proliferated and became a bigger problem…

Click fraud post-2006

Clickbot A

  • Years active: 2006
  • Estimated cost: $50,000
  • Estimated infections: 100,000 computers

In 2006, Google detected malicious software called Clickbot A that conducted low-noise click fraud attacks on syndicated search networks.

The bot targeted search results on Google-provided sponsored sites, with around 100,000 machines powering it.

Clickbot A was the first real evidence of click fraud botnets, causing an estimated $50,000 worth of fraud. However, it pales in comparison to the more massive botnets that emerged later.

DNS Changer

  • Years active: 2007-2011
  • Estimated cost: $14 million
  • Estimated infections: 4 million computers (both Internet Explorer and Apple devices)

The DNS Changer scam was created by a team of Estonians and Russians known as Rove Digital, which infected web browsers with ad fraud bots.

The botnet changed infected devices’ web addresses to domains owned by the gang and displayed ads that earned commissions.

The DNS Changer ran for 4 years, with features that prevented anti-virus updates. Vladimir Tsastsin, a member of the group, was convicted of wire fraud and money laundering. It is one of the first court cases against an ad fraud bot network.

Miuref

  • Years active: 2013 – present
  • Estimated cost: Unknown
  • Estimated infections: Unknown

Miuref, also known as Boaxxe, is a Trojan that can be delivered through fake documents and used for various online bot attacks. It was notably part of the 3ve botnet campaign and can also mine Bitcoin, steal data, and exploit security vulnerabilities.

Despite being detectable and removable by antivirus software, Miuref remains a problem and continues to spread. 

It’s unclear exactly how much financial damage Miuref has caused, as it is often used in conjunction with other botnets. And, as it isn’t specifically a PPC campaign bot clicker, its financial impact will be in the multiple billions.

Stantinko

  • Years active: 2012 – present
  • Estimated cost: Not known
  • Estimated infections: 500,000+ machines

Another multi-use botnet, Stantinko has been identified as being behind a number of ad fraud campaigns but has recently shifted over to crypto mining.

Initially, it was detected as a malware component in Chrome extensions, which facilitated ad injection. Additionally, the bot can install adware, access WordPress and Joomla sites, and perform Google searches.

The gang behind this botnet has managed to keep it going for so many years as the code for the bot is hidden within reams of legitimate code. Stantinko affects mostly Russia and Ukraine but has also been found on systems outside these areas.

Bamital

  • Years active: 2009 – 2013
  • Estimated cost: $700,000 per year
  • Estimated infections: Up to one million desktop machines

Bamital, a type of malware that committed click fraud by redirecting search engine users to ads or pages with malware, was discovered by Microsoft in 2013.

This bot evaded detection by hiding in web pages and being installed through ‘drive-by’ downloads.

The botnet was estimated to generate up to $1 million per year for its operators. Bamital’s search-hijacking technique affected Bing, Yahoo, and Google searchers.

Chameleon

  • Years active: 2013
  • Estimated cost: Around $6 million per day
  • Estimated infections: 120,000 desktop machines

The Chameleon botnet, one of the first click bots to mimic user behavior, targeted display ads, which was groundbreaking as text ads were the norm.

Despite being relatively simple, it diverted over 50% of the ad revenue from 200 targeted sites through a uniform random series of fraudulent clicks and rollovers.

Kovter

  • Years active: 2014 – present
  • Estimated cost: Not known
  • Estimated infections: Unknown

Kovter is another click fraud botnet that has been leveraged by bigger campaigns. Like other long-lasting malware, it has managed to hide in long lines of code, including Windows registry files.

It’s a particularly clever bot that does its damage when the system is in ‘sleep’ or ‘standby’ mode. Kovter can also shut itself down whenever a system scan is started, making it hard for standard virus scanners to find it.

Methbot

  • Years active: 2015-2017
  • Estimated cost: $3 million per day at the peak
  • Estimated infections: 1,900 dedicated servers running 852,000 false IP addresses

Methbot, the infamous botnet, used infected servers to fake website identities and generate fake video ad impressions. The group behind Methbot reportedly earned up to $5 million a day through these fake impressions.

Methbot’s distinctive characteristic was its ability to pass off its fake inventory as legitimate premium inventory. Its massive scale alarmed the digital marketing industry, and it remains the standard for click fraud schemes, although its successor, 3ve, eventually surpassed it as the largest fraudulent network.

3ve (Eve)

  • Years active: 2017-2018
  • Estimated cost: At least $29 million
  • Estimated infections: 1.7 million hacked computers

As Methbot was being shut down by the FBI, a new and bigger ad fraud network came to the fore. 3ve was actually run by most of the same team behind Methbot, but the complexity of this scheme was truly impressive.

3ve was capable of even more video impressions and also managed to work despite ads.txt – actually using ads.txt lists to spoof inventory.  

It turned out that a team of Russian and Kazakh nationals was behind this huge scam, and the team made an estimated $29 million from its efforts. 

HummingBad

  • Years active: 2016
  • Estimated cost: $300,000 per month in 2016
  • Estimated infections: 10 million Android devices worldwide

HummingBad, a malware allegedly created by Chinese company YingMob to inflate ad clicks, highlighted the issue of mobile app infections.

The software was not only an ad bot clicker but also had the ability to disguise click origins and potentially install software on devices without user knowledge.

Although shut down in 2016, it resurfaced as HummingWhale in 2017 and infected over 20 Google Play store apps.

HyphBot

  • Years active: 2017
  • Estimated cost: Up to $1.2 million per day
  • Estimated infections: At least 500,000 computers in the US, UK, Netherlands and Canada

Another ad clicker that managed to get around ads.txt, HyphBot was thought to be three or four times bigger than Methbot.

It exploited ads.txt lists to generate composite domain names, creating fake video ad impressions. The creators utilized an existing botnet network to click ads.

HyphBot ran for a short time but managed to embezzle millions of dollars in fraudulent ad revenue before eventually disappearing.

DrainerBot

  • Years active: 2018 – 2019
  • Estimated cost: Not known
  • Estimated infections: At least 10 million infections when discovered

DrainerBot was a malware botnet embedded in a software development kit (SDK) found on Android devices.

The botnet evaded Google’s Play Protect checks and committed ad fraud by playing video ads in the background (using lots of data and battery power in the meantime). It’s no wonder the malware earned the name DrainerBot. It could use up to 10GB of data and drained battery life quickly.

All apps identified as containing DrainerBot have been removed from the Play Store, but this ad clicker bot may still be out there…

404Bot

  • Years active: 2018 – present
  • Estimated cost: At least $15 million
  • Estimated infections: Not known

Another botnet targeting the weak links in ads.txt, this bot clicker spoofs domain inventory in a similar way to HyphBot. In fact, it seems that 404 Bot is capable of bypassing several different preventative techniques and continues to deplete marketing funds as we speak.

With an estimated $15 million in damage as of February 2020, how many more millions will be siphoned off by 404 Bot?

Tekya

  • Years active: 2019-2020
  • Estimated cost: Not known
  • Estimated infections: At least 56 apps, over 1 million downloads

Tekya, a clicker bot, was found in 56 Android apps, including children’s games and utility apps. It engaged with ads without user knowledge, using a clicker malware called Haken.

Since May 2019, Tekya has committed click fraud on over 1 million downloads, clicking on visible and invisible ads to mimic user behavior.

And this isn’t all…

This list of click bots and ad fraud networks isn’t even definitive. We haven’t even mentioned Judy, a malware-based ad clicker from South Korea that was allegedly distributed by an app developer to inflate their ad revenue.

Some other known botnets that we haven’t mentioned are IceBucket and SourMint, both recent botnets that have caused havoc. There are dozens of smaller botnets that don’t have a name or don’t run long enough for the authorities to find them.

The impact of these types of bots on paid campaigns

Click bots can be a total headache for everyone running online ads, from advertisers that run PPC campaigns for clients to small business owners running their own ads to marketing teams managing multiple marketing activities.

We’ve already mentioned that fake clicks mainly affect PPC ads and their budgets. Unfortunately, this also leads to many more negative effects. Below are the top ones you should aim to avoid:

  • Waste of marketing budgets: The main pitfall of click bots. Every time a click bot generates a fake click, it’s wasting your ad budget.
  • Misleading analytics: Fake click data is also incorporated into your analytics. This gives you incorrect insights, leading to poor decision-making.
  • Challenging optimization process: Campaign optimization based on irrelevant data will not produce a positive outcome, again wasting your time and efforts.
  • Decreased engagement: When the click bots artificially increase click-through rates, it can lead to decreased engagement from real users.
  • Ineffective ad targeting: Adjusting audience targeting due to bot traffic can harm your other marketing optimization efforts as well.

As we can see, click bots are not just affecting your ad campaigns like Google Ads or Facebook Ads, but they are a threat to your overall marketing efforts as well.

That’s why it is important to prevent them from happening in the first place.

How to detect and block click bots

Detecting bot clicks can be challenging, but it’s not impossible. Here are some actionable steps that you can take to detect and avoid click bots:

  1. Monitor Your Website Traffic: Keep track of your website’s traffic to detect suspicious patterns, such as sudden increases in clicks or clicks coming at unusual times of the day.
  2. Narrow down your targeting: With more specific audience targeting, it’s easier to detect when clicks are coming from unusual audience groups.
  3. Limit your ad runtime: By not running your ads 24/7, you can limit the possibilities of some click bots that are scheduled at specific times to access them.
  4. Implement CAPTCHAs: CAPTCHAs are a popular way to prevent bots from accessing your website. The most basic forms usually include image or text recognition tests to verify that the user is human.

While these steps can help reduce bot traffic’s impact, it’s essential to note that they cannot guarantee 100% effectiveness. We’re also aware that implementing them can be difficult and time-consuming.
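Step 1 above, together with the "Monitor campaign activity" checks in the click fraud guide earlier on this page, comes down to two questions: which hours carry abnormal click volume, and which non-target countries click without ever converting. The Python below is an added example, not part of the original post or ClickCease's product; the click records, field names and thresholds are constructed assumptions.

```python
from collections import Counter
from statistics import median


def build_sample_clicks():
    """Constructed data: one day of US clicks plus a 03:00 burst from PH."""
    clicks = []
    for hour in range(24):
        stamp = f"2024-01-15 {hour:02d}"
        # 8 to 12 clicks per hour, roughly one in four converting.
        for i in range(8 + hour % 5):
            clicks.append({"hour": stamp, "country": "US", "converted": i % 4 == 0})
    # Burst of 60 clicks in a single hour, none of which convert.
    clicks += [{"hour": "2024-01-15 03", "country": "PH", "converted": False}] * 60
    return clicks


def hourly_spikes(clicks, k=5.0):
    """Return {hour: clicks} for hours above median + k * MAD.

    Median and MAD (median absolute deviation) are used instead of mean and
    standard deviation so that the spike itself does not inflate the baseline.
    Hours with no clicks at all are absent from the input and not considered.
    """
    per_hour = Counter(c["hour"] for c in clicks)
    counts = list(per_hour.values())
    baseline = median(counts)
    mad = median(abs(n - baseline) for n in counts) or 1  # floor for flat traffic
    limit = baseline + k * mad
    return {hour: n for hour, n in per_hour.items() if n > limit}


def non_converting_countries(clicks, home_markets, min_clicks=20):
    """Return {country: clicks} for countries outside the target market that
    produced at least min_clicks clicks and zero conversions."""
    total, converted = Counter(), Counter()
    for c in clicks:
        total[c["country"]] += 1
        converted[c["country"]] += c["converted"]  # True counts as 1
    return {
        country: n
        for country, n in total.items()
        if country not in home_markets and n >= min_clicks and converted[country] == 0
    }


if __name__ == "__main__":
    sample = build_sample_clicks()
    print("spike hours:", hourly_spikes(sample))
    print("non-converting countries:", non_converting_countries(sample, {"US"}))
```

Both functions only surface candidates for review; an exclusion should follow once the same hour or country shows up across several days.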

Fortunately, ClickCease streamlines this whole process. ClickCease is a bot detection tool designed to mitigate and block bot clicks in real time.

If you want to keep your PPC ads (or any other marketing activity) free of click bots, check out the free trial here. You can look at exactly how many fake clicks your ads get before you sign up.

Make sure your PPC ad spend is only being seen by genuine human eyes, not clicker bots or click farm workers.

Find out more about click fraud in our in-depth guide

SIVT vs. GIVT: what’s the difference?
https://www.clickcease.com/blog/sivt-vs-givt/
Thu, 29 Dec 2022 12:50:08 +0000

The post SIVT vs. GIVT: what’s the difference? appeared first on ClickCease Blog.

Advertising click fraud has grown from a niche concern to a billion-dollar problem. The issue of fake traffic clicking on paid links has been shown to waste upwards of $61 billion of advertisers’ budgets in 2022. 

This fake traffic comes in two main flavors – general invalid traffic, or GIVT, and sophisticated invalid traffic, or SIVT.

But how much of your invalid traffic is malicious and intentional, and how much is a harmless consequence of advertising online? And more importantly, what can you do about SIVT and GIVT?  

What is General Invalid Traffic (GIVT)?

General invalid traffic is a mostly benign form of bot activity. These are bots, so they will interact with your site without converting, but they are not usually intended to be fraudulent traffic. 

Most GIVT is from useful bots such as search engine crawlers, data centers, and proxy traffic from VPNs. General invalid traffic is easy to detect and doesn’t try to imitate human behavior or mask its activities.

GIVT rarely generates any form of fraud, as it is mostly quite transparent in its activity. In fact, GIVT can even be helpful – for example, search engine crawlers help make web pages available to searchers, or bots can collect data for your research.

However, general invalid traffic can also have a negative impact if not properly monitored. A good example is when you don’t adequately differentiate between traffic from real users and GIVT traffic.

You may believe that the uptick in traffic is due to SEO and other strategies, and base a chain of other critical decisions on that skewed data.


What is Sophisticated Invalid Traffic (SIVT)?

Sophisticated invalid traffic (SIVT), as the name suggests, is a form of fake traffic designed to mimic the activity of real human users. SIVT will likely use various processes to dodge detection and is used for various fraudulent applications online, especially for organized ad fraud.

Most often SIVT is used to generate revenue through invalid traffic on ads and publishing platforms. Fraudulent developers are often quick to use new technology or processes to improve their chances of success, which might mean targeting CTV (connected TV) ads or hijacking a trend to create a spoofed website or app.

As a result, this kind of invalid traffic is much harder to detect. For the ad platforms, this often means that their attempts to block fraud are many steps behind the sophisticated fraudsters. And for marketers, this also means they need to be aware of the changes and challenges associated with the use of SIVT. 

SIVT is undoubtedly fraudulent traffic – the kind you need to worry about – and detecting and keeping it away from your website requires advanced analytics, multipoint coordination, and a great deal of intervention from real humans.

Find out more about invalid traffic in our guide.


Types of sophisticated invalid traffic

Some sophisticated invalid traffic comes from bots and spiders, the typically automated actors on the internet. But other forms of SIVT originate from hijacked devices and user sessions, adware and malware, and even manipulation and falsification of device or location data.

Bots and spiders

As mentioned above, these automated scripts are often used for genuine and useful activities such as collating search results. But they can also be used to generate fake traffic and perform a wide variety of fraudulent actions, from spam to brute force account access. 

Hijacked devices and malware

These are also run by scripts, but because they began as real user activity, they are much harder to detect. An example of this is when a genuine device has malware-infected software such as an app or browser extension and is then used remotely by the fraudster to perform a fraudulent activity. This almost always happens without the device user’s knowledge or consent. 

Manipulation and falsification of location or device data

This is done when fraudsters are trying to gain access to a website from blacklisted locations or devices. By changing the device ID (user agent, or UA string), a device can be used to bypass some security measures. As an example, if a data server presents itself as an iPhone based in the USA, it can load web pages that host ads and then perform fraudulent ad impressions or clicks. 

Find out more about how user agent spoofing works.

Invalid proxy traffic

Here, Virtual Private Networks (VPNs) or proxy servers are used to hide activity and propagate fraudulent proxy traffic. VPNs are often used by genuine users, and not all VPN activity is fraudulent. But more often than not, sophisticated invalid traffic will cover its tracks by using a VPN or proxy.

Read more about VPNs and click fraud.

Incentivized traffic

Incentivized traffic is technically valid traffic but doesn’t lead to any conversions. Real users are incentivized to visit a website for rewards other than what’s advertised on the website, so they will probably never convert. Although in some cases, such as view-to-earn ads, this incentivized traffic can be genuine, there are other methods that pay people to view ads without the advertisers’ knowledge.  

Paid-to-click websites (PTC sites) have become a popular way for some people to earn a few dollars a day. However, many of them are totally fraudulent, not just duping the advertisers but also scamming their own users by not paying them the money earned. 

Check out our article about scam PTC sites.

Domain laundering or website spoofing

This tactic is pretty simple. A low-authority domain is disguised as another more desirable one and then charges higher fees (CPMs and flat advertising fees) based on the misrepresented authority. 

How to detect sophisticated invalid traffic (SIVT)

Detecting and stopping SIVT will often require advanced analytics, complex traffic detection solutions, and many other strategies.

To help you understand how to spot sophisticated invalid traffic, keep an eye out for these tell-tale signs:

Pay attention to your web traffic data

If you pay close attention, some SIVT could be spotted right away, and it begins with understanding what typical site traffic looks like. How many visitors do you get per week, and from which sources?

If you start to see underperforming ads send a large number of visitors to a landing page, that could be a dead giveaway. Another obvious point is finding IP addresses that click multiple times on the same ad or on different unrelated ones.

Any unusual traffic-related activity is usually a great place to start searching for SIVT.

Inspect packet headers

Packet headers can help you uncover a great percentage of SIVT. They can reveal information about the activity of the specific IP, and because many fraudsters won’t go through the trouble of obfuscating data at this level, it’s a great place to look.

Check for multiple device details on packets from the same IP address because this usually means a proxy server. While it might be harmless, it could also indicate a deeper problem.

Another dead giveaway is open-source operating systems like Linux because these are widely favored by cybercriminals online to generate fake traffic.

Mobile devices that use browser extensions are another red flag. Most users don’t need extensions for their mobile browsers unless, of course, they’re trying to disguise the device.
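The two per-IP signals described above (repeated clicks on the same ad or across many unrelated ads, and multiple device details behind one IP address) can be checked with a short script. This is an added example, not ClickCease code; the log layout, thresholds and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X)"
WINDOWS = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
ANDROID = "Mozilla/5.0 (Linux; Android 13; Pixel 7)"
MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
LINUX = "Mozilla/5.0 (X11; Linux x86_64)"

# Constructed sample click log: (timestamp, source IP, ad ID, User-Agent).
# IPs come from documentation ranges; none of this is real traffic.
SAMPLE_CLICKS = [
    ("2024-01-10T09:00:01", "203.0.113.7", "ad-101", IPHONE),
    ("2024-01-10T09:00:40", "203.0.113.7", "ad-101", IPHONE),
    ("2024-01-10T09:02:15", "203.0.113.7", "ad-101", IPHONE),
    ("2024-01-10T09:03:30", "203.0.113.7", "ad-101", IPHONE),
    ("2024-01-10T09:05:00", "198.51.100.20", "ad-101", WINDOWS),
    ("2024-01-10T09:05:05", "198.51.100.20", "ad-205", ANDROID),
    ("2024-01-10T09:05:09", "198.51.100.20", "ad-330", MAC),
    ("2024-01-10T09:05:12", "198.51.100.20", "ad-412", LINUX),
    ("2024-01-10T10:15:00", "192.0.2.44", "ad-101", WINDOWS),
    ("2024-01-10T16:40:00", "192.0.2.44", "ad-101", WINDOWS),
]


def max_in_window(times, window):
    """Largest number of timestamps (sorted ascending) inside any span of `window`."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_suspicious_ips(clicks, window=timedelta(minutes=10),
                        max_repeat=3, max_agents=2, max_ads=3):
    """Return {ip: [reasons]} for IPs that exceed the (assumed) thresholds."""
    by_ip = defaultdict(list)
    for ts, ip, ad, ua in clicks:
        by_ip[ip].append((datetime.fromisoformat(ts), ad, ua))

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        per_ad = defaultdict(list)
        for ts, ad, _ in events:
            per_ad[ad].append(ts)

        reasons = []
        # Same ad clicked repeatedly in a short window from one IP.
        for ad, times in per_ad.items():
            if max_in_window(times, window) > max_repeat:
                reasons.append(f"repeat-clicks:{ad}")
        # Many unrelated ads clicked from one IP.
        if len(per_ad) > max_ads:
            reasons.append("many-distinct-ads")
        # Several device descriptions behind one IP: usually a proxy or NAT,
        # so treat it as a reason to look closer rather than a verdict.
        if len({ua for _, _, ua in events}) > max_agents:
            reasons.append("many-user-agents")
        if reasons:
            findings[ip] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for ip, reasons in flag_suspicious_ips(SAMPLE_CLICKS).items():
        print(ip, reasons)
```

Shared office networks and mobile carriers also put many devices behind one address, so tune the thresholds against your own baseline traffic before acting on a flag.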

Track your ad placements

It’s easy to set up your ads with Google and forget about them, but that’s how businesses fall victim to SIVT. There are thousands of websites out there that are signed up as publishing platforms but exist solely to generate fraudulent ad revenue from your ad campaigns.

These may look like great choices on the surface – they drive lots of traffic to your site and may even look like they have great domain authority – but you’ll quickly find that the traffic has horrible conversions as you watch your ad spend skyrocket.

It’s worth it to review where your ads are placed and where your traffic is coming from so you can be on top of the sophisticated invalid traffic. When you have this traffic identified as fraudulent, it’s also a good idea to report the sources to Google.

How to block Sophisticated Invalid Traffic (SIVT)

Although most ad platforms do provide some measure of fraud filtering, this normally only cuts out the most obvious or general invalid traffic. Web scrapers, basic bots, and other forms of less sophisticated traffic are often blocked, although not in real-time.

For example, with Google, traffic that is picked up as fake or non-genuine is often refunded automatically. But it can take hours or even days for this traffic to be spotted, blocked, and refunded to the advertiser.

Using a click fraud prevention tool such as ClickCease allows you to proactively block most forms of sophisticated invalid traffic on your PPC ads. 

ClickCease filters out fraudulent devices, bots and suspicious activity using a blacklist that is updated constantly. By blocking fraud in real time, advertisers can rest easy that they don’t need to constantly track their ad clicks to see if they’re losing money.

In fact, ClickCease offers the industry-leading click fraud prevention tool, and blocks SIVT on Google Ads, Facebook Ads and Bing Ads.

If you run any form of PPC campaign on these platforms, run a free traffic audit with our 7 day trial.

Sign up for a FREE 7 day trial today and see who is really clicking your ads. 

What are Bad Bots and how do they affect your business?

https://www.clickcease.com/blog/bad-bots-guide/ Mon, 05 Dec 2022 10:30:00 +0000

It’s estimated that between 40 to 70% of internet traffic is automated. In short, around half of all the activity on the internet is performed by software such as web crawlers or spiders, and an army of bots.

And, of this automated traffic, a sizeable chunk is thought to be from bad bots.

For anyone running an online business or managing a website, these bad bots can be more than an annoyance. They can be used to perform a huge variety of malicious activities and damage more than just your website.

So what exactly is a bad bot, and what makes it so bad?

What are bad bots?

Bad bots are automated software programs designed to either defraud or damage internet-based networks. They can be used to perform relatively benign but annoying tasks, such as posting spam comments on websites or social media. Or they can be used to commit serious cyber crimes such as data theft, credit card fraud, or ad fraud.

Modern bad bots also often use machine learning algorithms to help them improve their performance and automate more of their tasks.

However, a bot does need a task master to perform its duties. This is usually either a human controller or an automated process, such as one that spreads copies of the bot or collects data via fraud.

These bad bots have often spread with the help of viruses or other forms of malware. Because bots need a host computer to operate from, they can either be operated from a central location, for example a click farm or bot farm, or be distributed in data centers or infected devices across the world, creating a network of connected bots, also known as a botnet.

In fact, most bad bots have been found to operate from Amazon Web Services (AWS) and Microsoft Azure data centers.

What are the different types of bad bots?

Bad bots come in a broad range of flavors and levels of sophistication. Many bots are built specifically for a certain type of activity, but they can also be repurposed and used for other forms of cyber fraud at a later date.

And because there is already a huge network of existing botnets, these bad bots can be mobilized easily by willing fraudsters. In fact, these botnets can be hired for relatively low costs on the darknet.

Most bad bot attacks online are done using older botnets as their attack vectors.


The most common types of malicious bots you’ll see online include:

Spam bots

We’ve all experienced spam, often in our inboxes. But spam can be much more insidious than just cluttering up your email. For starters, spam bots can be used by black hat SEO practitioners to post crappy comments with backlinks on websites and forums.

But there are also advanced spam bots that can perform spam injection. This is where a bot accesses your website’s file management system and adds in hidden content such as spam comments, redirects, and even hidden pages.

The aim of this form of spam injection is to generate backlinks for clients or to generate traffic for low-quality sites such as gambling, adult-themed, or narcotics-themed sites. Obviously, this is a hugely disruptive way of adding backlinks and is totally against best practice guidelines. And, for your site, the implications can be hugely damaging, with multiple penalties and the added headache of disruption for you and your customers.

Read more about SEO spam injection here.

Content scraping bots

Some good bots can be used to collect information and data from across the internet, something that would take a human a lot of time. But content scraping bots can also be used to copy or spoof entire websites.

Website spoofing is a common practice used by fraudsters operating phishing scams or fake product scams. By copying your website in its entirety (or even partly), a scammer can deceive your customers, who might not be able to tell the difference.

A common target is popular e-commerce sites, where scammers might want to copy the entire layout and product lines to deceive customers. But content scraping can affect any business, not just those selling products online.

Check out our blog about content scraping.

Fake engagement bots

One of the most common reasons to use bots is for fake engagement, usually on social media. In fact, stats show that many popular influencers have fake followers numbering between 10 to 40% of their total audience.

These fake engagement bots can also be used to view videos on YouTube, watch Twitch livestreams or even listen to music on sites like Spotify. Because the like or view count metrics affect the algorithms on most of these sites, inflating engagement can help boost an account’s popularity – albeit fraudulently.

Fake engagement can also include fake traffic on websites. This is often done to inflate the views or clicks on ads hosted on websites, known as ad fraud.

And the worrying thing is that this fake traffic isn’t even expensive or hard to find. People can generate huge volumes of fake traffic for slightly more than the price of a coffee.

Read more about viewbots and the world of fake engagement on social media

Talking of which…

Ad fraud or click fraud bots

Fake engagement on paid ads is known as click fraud and is thought to affect around 90% of all Google Ads campaigns. There are several levels of click fraud.

Casual click fraud is often carried out by competitors or brand haters who simply click on an ad each time they see it to waste their rivals’ budgets.

Website publishers may also perform click fraud by hiring traffic bots to visit their sites and improve their viewing metrics. This isn’t just for ad revenue but can also be done to dupe partners into thinking the site has a bigger audience than it does, usually to win higher-paying guest posts, which is one of the problems with domain authority-based guest posts.

Organized click fraud, or ad fraud, is where criminals manage a campaign to purposely perform high levels of click fraud for profit. Some of the best known ad fraud campaigns include Methbot, Hyphbot and Drainerbot.

Read all about the ad fraud click bots hall of infamy

Credential stuffing bots

Also known as brute force login bots or account takeover bots, these bad bots are designed to crack passwords, enter websites, and steal data or take over accounts. A similar type of bot is also used to perform credit card fraud, or carding – a process where multiple payment cards are tried in a short period of time to work out which ones work.

These sophisticated bots can be used to crack the code in seconds. If you ever wondered why you need to have unique complex passwords for all of your accounts, that’s because credential stuffing bots use commonly used passwords to great success. If your password is ‘admin’ or ‘password’ for any of your logins anywhere, go change that ASAP.

Crypto mining

A case in point of the multi-use botnet is the crypto mining bot. This form of malware is often injected into websites or web browsers from infected software (often email attachments or bootleg software) and will then remotely mine bitcoin or other cryptocurrencies for the fraudster.

However, crypto mining botnets are often also repurposed for DDoS attacks or for other coordinated bot attacks. 

Attack bots

Some malicious bots are built specifically for damage and for fraud and extortion. The most infamous of these types of attack bots are those used for ransomware. By accessing a website, ransomware bots can shut down a website and cause huge disruption to business until a (usually huge) ransom is paid.

Estimates put the cost of ransomware attacks at around $20 billion a year as of 2022.

Another form of attack on websites is the DDoS or distributed denial of service. By overloading the server with trash bot traffic, a website can be taken offline or compromised. DDoS attacks can be coordinated by fraudsters looking to extract a ransom, or sometimes by malicious individuals simply looking to cause disruption. 

How bad bots get around security controls

Although many platforms use a number of security measures to block bad bot traffic, the truth is that some of the systems are not good enough. For example, although Google uses filters to spot and block fraudulent traffic (invalid traffic, as it is called), these bots can get through by changing their IP addresses, mimicking behavior to look like genuine human users, and using device spoofing.

Device spoofing allows bots hidden in data centers to appear as if they are mobile devices or desktop computers anywhere in the world. 

Now, with these more sophisticated bots constantly changing and evolving, many of the big platforms are playing catch up. 

And with so much traffic coming from bad bots, there has been a boom in the bot-blocking and fraud prevention industry.

The cost of bad bots to the online economy

Global cybercrime is thought to have cost the global economy between $1 trillion and $6 trillion in 2021.

This includes everything from ransomware to ad fraud.

In fact, ad fraud is the biggest slice of the cybercrime cake, accounting for over $41 billion in 2021. Compare that to credit card fraud which took a relatively modest $31 billion in the same year.

Can you use robots.txt to block bad bots?

As many website owners are aware, the robots.txt file can be used to tell certain bots not to crawl or index specific pages on your website. So can you use robots.txt to block bad bots?

Unfortunately, no, not really.

Bad bots will often either totally ignore robots.txt, or will use it as a sign to check that page for useful information. So in the fight against bad bots, robots.txt can’t help you…
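Because well-behaved crawlers stay out of disallowed paths, requests that land there are a useful detection signal even though robots.txt cannot block anything. The following added example (not ClickCease code) replays access-log lines against a robots.txt file and reports clients that requested disallowed paths, noting whether they fetched robots.txt first; the robots.txt content, paths and log lines are constructed for illustration, and the log is assumed to be in chronological order.

```python
import re
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for the example.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /private-reports/
"""

# Constructed access-log lines in combined log format (documentation IPs).
SAMPLE_LOG = [
    '203.0.113.50 - - [05/Dec/2022:10:30:01 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "ExampleScraper/1.0"',
    '203.0.113.50 - - [05/Dec/2022:10:30:02 +0000] "GET /admin/ HTTP/1.1" 403 153 "-" "ExampleScraper/1.0"',
    '203.0.113.50 - - [05/Dec/2022:10:30:03 +0000] "GET /private-reports/2022.csv HTTP/1.1" 404 153 "-" "ExampleScraper/1.0"',
    '198.51.100.9 - - [05/Dec/2022:10:31:10 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "ExampleCrawler/2.1"',
    '198.51.100.9 - - [05/Dec/2022:10:31:11 +0000] "GET /blog/bad-bots-guide/ HTTP/1.1" 200 5120 "-" "ExampleCrawler/2.1"',
    '192.0.2.77 - - [05/Dec/2022:10:32:40 +0000] "GET /admin/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def find_robots_violators(robots_txt, log_lines):
    """Return {ip: details} for clients that requested a disallowed path."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())

    fetched_robots = set()   # IPs that have already requested /robots.txt
    findings = {}
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined log format
        ip, ua, target = match["ip"], match["ua"], match["target"]
        path = urlsplit(target).path
        if path == "/robots.txt":
            fetched_robots.add(ip)
            continue
        if not rules.can_fetch(ua, target):
            entry = findings.setdefault(ip, {
                "user_agent": ua,
                "paths": [],
                # True: the client read the rules and went there anyway.
                # False: the client never asked for the rules at all.
                "read_robots_first": ip in fetched_robots,
            })
            entry["paths"].append(path)
    return findings


if __name__ == "__main__":
    for ip, details in find_robots_violators(ROBOTS_TXT, SAMPLE_LOG).items():
        print(ip, details)
```

A human following a stale link can also hit a disallowed path, so a single request is a reason to look at the client's other traffic rather than proof of a bot.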

Block bad bots for better business

The options for blocking bad bots are many and varied. But one thing is clear: businesses need some form of bot protection to safeguard their clients and their own security, whether that is stopping scammers from injecting malware or spam content into your website or preventing fake traffic on your ads.

ClickCease has been blocking malicious bot traffic and fake clicks on PPC ads since 2015 and is now the industry leader in click fraud prevention. But it’s not just about blocking bots from your paid search engine results.

Bot Zapping from ClickCease is a new tool, currently available for WordPress sites, designed to block bad bots and fraudulent direct web traffic. This includes spam bots, credential-stuffing bots, content scrapers, and more.

Block bad bot activity on your website and try ClickCease and Bot Zapping today as part of your cyber security suite.

With a 7 day free trial, you can run an audit on your websites and check the validity of your traffic sources.

Sign up for your FREE trial today.

How Device Spoofing became a major cyber threat

https://www.clickcease.com/blog/device-spoofing-guide/ Thu, 24 Nov 2022 10:58:56 +0000

Not everything online is what it seems. But then you already know that.

Spoofing, or copying, is a major source of online fraud. From website spoofing to software spoofing, pulling the digital wool over people’s eyes allows all kinds of sneaky activity to carry on. 

In fact, device spoofing is one of the main methods used in many forms of digital fraud including ad fraud and click fraud. 

So what can you do to avoid device spoofing affecting your online business?

First of all, let’s look at the basics.

What is device spoofing?

Device spoofing is the practice of presenting a digital device as something different, usually for fraudulent purposes, particularly ad fraud. For example, a server in a data center could change its device ID so that it appears to be a mobile device.

Device spoofing can use several processes including user agent spoofing, or UA spoofing. This is the process whereby the device presents a falsified user agent string, which is the unique identifier containing information about the device including:

  • Operating system and version
  • Processor and video card information
  • Location information, often using IP address
  • Device type including model

Presenting a false UA string is easily done using various developer tools, which are designed to help developers test software on different devices without changing their own device.
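Since the User-Agent header is chosen by the client, a defender can cross-check it against signals that are harder to align with the claim. This added example (not ClickCease code) compares the platform a UA string claims with the browser's `Sec-CH-UA-Platform` and `Sec-CH-UA-Mobile` client hint headers, when present, and with the source network; the hosting ranges are documentation networks used as stand-ins, and the token table and sample requests are constructed assumptions.

```python
import ipaddress

# Assumption: documentation networks standing in for a real list of
# hosting-provider / data center ranges.
HOSTING_NETWORKS = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")
]

# Order matters: Android UAs also contain "Linux", iPhone UAs contain "Mac OS X".
PLATFORM_TOKENS = [
    ("iPhone", "iOS"), ("iPad", "iOS"), ("Android", "Android"),
    ("Windows NT", "Windows"), ("CrOS", "Chrome OS"),
    ("Macintosh", "macOS"), ("Linux", "Linux"),
]

IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 "
             "Mobile/15E148 Safari/604.1")
ANDROID_UA = ("Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36")
WINDOWS_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Constructed sample requests: (source IP, request headers).
SAMPLE_REQUESTS = [
    ("203.0.113.25", {"User-Agent": IPHONE_UA,
                      "Sec-CH-UA-Platform": '"Linux"',
                      "Sec-CH-UA-Mobile": "?0"}),
    ("192.0.2.10", {"User-Agent": ANDROID_UA,
                    "Sec-CH-UA-Platform": '"Android"',
                    "Sec-CH-UA-Mobile": "?1"}),
    ("192.0.2.11", {"User-Agent": WINDOWS_UA}),
]


def claimed_platform(user_agent):
    """Platform the User-Agent string claims, from its well-known tokens."""
    for token, platform in PLATFORM_TOKENS:
        if token in user_agent:
            return platform
    return "unknown"


def check_request(source_ip, headers):
    """Return a list of inconsistencies between the UA claim and other signals."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ua = h.get("user-agent", "")
    platform = claimed_platform(ua)
    claims_mobile = "Mobile" in ua  # phone browsers carry a "Mobile" token
    reasons = []

    # A phone or tablet UA arriving from a hosting network.
    addr = ipaddress.ip_address(source_ip)
    if platform in ("iOS", "Android") and any(addr in n for n in HOSTING_NETWORKS):
        reasons.append("mobile-ua-from-hosting-network")

    # Client hints are only sent by some browsers, so compare only if present.
    hint_platform = h.get("sec-ch-ua-platform")
    if (hint_platform is not None and platform != "unknown"
            and hint_platform.strip('"') != platform):
        reasons.append("platform-hint-mismatch")

    hint_mobile = h.get("sec-ch-ua-mobile")
    if hint_mobile in ("?0", "?1") and (hint_mobile == "?1") != claims_mobile:
        reasons.append("mobile-hint-mismatch")
    return reasons


if __name__ == "__main__":
    for ip, headers in SAMPLE_REQUESTS:
        print(ip, check_request(ip, headers))
```

Client hints are request headers too and can be falsified along with the UA string, so these checks catch careless spoofing and work best as inputs to a wider score.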


How is device spoofing used for fraud?

Using device spoofing for fraudulent purposes means that fraudsters can get around a number of security protocols. For example, many ad platforms or online services will use device fingerprinting as a way to identify who is using their services or visiting their websites. 

Device fingerprinting uses several methods to identify the website visitor, combining the user agent string with other signals such as the IP address, device hash, cookie hash and more.

Find out how device fingerprinting works.

This device fingerprinting can also be used to prevent certain types of device, browser or even specific locations from interacting with the online service. But if a fraudster can get around the device fingerprinting then they can conduct a variety of fraudulent or malicious activities.

This might include:

  • Payment card fraud, also known as carding
  • Advertising click fraud, also known as ad fraud
  • Spam attacks, including the more serious spam SEO injection attack
  • Malware injection
  • Account takeover

Ad fraud is a growing problem. Find out more in our blog.

How do fraudsters make money with spoofed devices?

The most common reason for device spoofing is for ad fraud, which is the practice of generating fake traffic on paid ads.

This hugely lucrative industry makes fraudsters more money every year than credit card fraud, with an estimated $41 billion lost in 2021 to ad fraud. And for a very modest cost hackers can pick up readily available fingerprint spoofing software on the dark web.

Because ad fraud and click fraud are relatively simple criminal actions, with little in the way of repercussions, it has become a popular way for criminal networks to make some extra money.

In fact, there are even hobbyists making money with ad fraud by setting up simple click farms. By simply hiring a botnet based in a data center, ad fraudsters can run a basic campaign on a spoofed website and disappear.

And because device spoofing is a key part of this huge growing industry, this is one of the main reasons for its boom. 

How common is device obfuscation in fraud?

Because many fraud attacks use bots and botnets, the common way to hide the traffic source is by using device spoofing. This allows bot traffic to visit a website or app while appearing to be a genuine human user.

Often, these bots will hide behind a VPN or proxy server, which allows them to switch IP addresses and present fake device information.

A VPN presents the easiest and most cost-effective way to dodge many security filters, which is one of the reasons why we pay close attention to VPN traffic here at ClickCease.

To be clear, just because a website visitor is using a VPN it doesn’t mean they are performing fraud. And in fact our filters will look at over 100 data points before blocking a user from clicking paid ads.

So, although not all VPN users are fraudulent, more often than not, fraudulent users are using VPNs.

So, how common are these spoofing or obfuscation methods?

Using fraud blocking on our own domain, we see:

  • 41% of ad traffic blocked as fraudulent 

Of this fraudulent traffic around 40% is from fraudulent devices, or likely spoofed devices.

This volume is not consistent across all of our clients. Not all click fraud is ad fraud.

But industries with high value CPC are often targeted by ad fraud networks, which is evident in the volume of fake traffic.

How can I spot or block fake devices on my website?

For business owners or marketers, stopping fraudulent devices from clicking on their ads or interacting with their website is more necessary than ever. With money lost on fake ad clicks climbing by billions of dollars every year, using a click fraud solution like ClickCease is the most effective, and cost effective, way to protect your site.

Although ClickCease is the industry leader in click fraud prevention, it’s now also possible to block direct or organic traffic too. So sneaky fraudsters clicking on shopping carts and processing fake payments can be called out and blocked…

If your business or website does any of these:

  • Runs paid ads on Google, Facebook Ads or Bing Ads
  • Has a shopping cart/checkout function
  • Has a login/create account function
  • Relies on its web presence for customers

Then spotting and blocking fake traffic online needs to be part of your strategy.

Not so sure?

Run a FREE traffic audit using ClickCease and get a unique view of your ad traffic and website visitors.

Sign up today for a free 7 day trial, pop the tracking code on your site, and start blocking fake clicks on your ads and your WordPress website.
