Click Fraud Scams: How They Work — and How to Prevent Them

What Is Click Fraud?

Click fraud is a type of criminal activity where a person or automated software application (called a bot) clicks on a pay-per-click (PPC) ad or social media ad to inflate the number of clicks artificially for illegitimate reasons. 

For example, say a website owner receives an affiliate marketing commission each time a visitor clicks on a Google advertising promotion hosted on their site. The site owner might organize a click fraud campaign to increase the affiliate revenue. This can be done through means such as hiring people to click on ads or deploying a bot.

What Motivates Click Fraud?

Why do cybercriminals engage in click fraud? There are several common motives, including:

• Generating advertising revenue: Advertisers and affiliates who get paid based on clicks or other traffic-based metrics may be tempted to increase their revenue by promoting artificial clicks
• Hurting competition: Companies that pay advertisers based on click volume lose money from invalid clicks and suffer other damages, such as skewed marketing analytics data
• Inflating search engine rankings: Invalid clicks may be used to increase rankings of sites
• Promoting opinions: Phony clicks can make views such as social and political opinions seem more popular than they actually are by influencing public opinion polls

 These motivations combine to make click fraud attractive to cybercriminals.

How Much Does Click Fraud Cost Businesses?

Click fraud has become a multibillion-dollar industry. A study released at the beginning of the COVID-19 pandemic by University of Baltimore economic analyst Roberto Cavazos and security provider CHEQ documented the scope of the problem and projected losses in 2020.

Major targets for click fraud include Google Ads, which accounts for 44% of all online marketing spend, along with ads on Facebook, Instagram and Pinterest. Together these and other search and social ad platforms generate an estimated $40.1 billion in annual ad spending by ecommerce providers.

Click fraud diverts a significant percentage of this spending. In one case study, a major fashion retailer suffered a loss of 12% of clicks to fraud. For some keywords, invalid click rates rose as high as 56%. The study estimated click fraud would cost online retailers an estimated $3.8 billion in 2020 because of increased online traffic stemming from the pandemic.

Click fraud across all search and social ads was on track to increase to $23.7 billion, the study projected. A later update to the study estimated that marketing losses from ad fraud might rise as high as $35 to $40 billion by the end of 2020, exceeding credit card fraud.

What Are the Most Common Click Fraud Tactics?

Click fraud artists commonly employ a number of common tactics, including:  Some of the most popular include:

• Crowdsourcing
• Incentivized traffic
• Click farms
• Hit inflation attacks
• Botnets

These tactics range from manual methods employed by operators on a small scale to automated methods used by sophisticated organized criminal groups.

Crowdsourcing

This method of click fraud works by tricking or otherwise persuading visitors into volunteering to click on a link. 

For example, a site might promote its advertisers by inviting visitors to click on a link in order to support the site. This seeming appeal to altruistic motives can have the effect of generating clicks from users who have no interest in buying what the link is selling. 

Google’s policies for its AdSense advertising program prohibit websites from artificially inflating clicks to their own ads by using this or other methods, but many sites skirt this rule.

Incentivized Traffic

Whereas crowdsourcing doesn’t offer any tangible reward for clicking on a link, incentivized methods offer some type of quid pro quo. 

For example, an affiliate marketer might offer a discount code to visitors who click on a partner’s ad. Gaming apps might offer in-game bonuses for fraudulent clicks.

Click Farms

A systematic form of incentivizing traffic is click farms, where workers are paid to click on links. This can look less suspicious to security surveillance than using automation to generate clicks as the click patterns involve human behavior. Because of this, many click fraud perpetrators use click farms even though they’re less efficient than automated methods. 

Such paid-to-click scams frequently employ workers in countries where wages are low, which keeps costs of hiring workers down while making regulatory and legal restrictions harder to enforce.

Hit Inflation Attacks

This type of click fraud uses hidden software code to redirect clicks to an external site invisibly before sending the visitor on to the site they thought they were clicking on. This is doen without the visitor noticing the detour, apart from perhaps experiencing a delayed loading time. 

This type of attack can be difficult to detect unless specifically looked for by a security specialist. Even then, it can be concealed to make it hard to prove.

Botnets

Botnets are networks of connected devices all running automated bot scripts to perpetrate click fraud or other types of cyberattacks. 

Some devices on the network may be infected with malware that generates clicks, unknown to the user. Botnets can include large numbers of devices, enabling large-scale click fraud.

Click Fraud Prevention: 5 Ways to Stop Invalid Clicks

While click fraud is rampant, you can take steps to reduce it. Some of the most important preventive measures include:

1. Monitoring signs of fraudulent activity
2. Excluding suspicious Internet addresses
3. Adjusting your ad targeting to avoid fraudulent clicks
4. Using remarketing campaigns
5. Run social media ads

You can implement these and other methods through your internal security team or outsource them to a security provider.

1. Monitor Signs of Fraudulent Activity

Click fraud detection techniques form a foundation for preventing invalid clicks. Illegitimate clicks can exhibit some warning signs. These include:

• Coming from the same suspicious Internet Protocol (IP) address (the unique identifying number assigned to each device on the Internet)
• Click timestamps (logs that show when a visitor arrived on your site) and action timestamps (logs that show what action a visitor took after arriving) showing an IP address making frequent clicks without taking any actions
• User agent identifications (logs recording information such as a visitor’s browser, operating system and device type) indicating whether the same person is using an IP

Botnets may display other, more advanced suspicious behavior patterns. Your own internal security team can monitor this type of behavior, or you can detect it through apps that include click fraud detection features, such as AppsFlyer, PPC Protect and ClickCease. Alternately, you can hire an external security provider to monitor your site.

2. Exclude Suspicious Internet Addresses

When you’re advertising on Google, Google Ads includes a feature that allows you to exclude IP addresses. 

Once you’ve identified a suspicious IP address, add it to a list of excluded addresses not allowed to view your ads.

3. Adjust Your Ad Targeting To Avoid Fraudulent Clicks

In addition to suspicious IP addresses, click fraud is often associated with specific marketing data. 

For example, you may notice many invalid clicks come from a particular country, zip code or users browsing in a specific language. You can exclude visitors with these features.

4. Use Remarketing Campaigns

Remarketing or retargeting allows you to show ads to users who have previously visited your website. You can adjust settings on remarketing ads to target visitors who display specific behaviors, such as viewing a sales page. 

This can help you steer traffic toward actual visitors and away from click fraud artists.

5. Run Social Media Ads

Social media ads can be targeted by click fraud schemes, but this form of advertising enjoys some advantages over search engines that tend to reduce click fraud. 

On social media, ads are only displayed on their native platform, not hosted on multiple sites as search engine ads can be. Plus, social media ads allow you to focus on very specific demographic characteristics, rather than just keywords, helping you reserve your ads for a qualified audience.

Prevent Click Fraud To Protect Your Business

Click fraud happens when a human or bot clicks on an ad to generate artificial clicks on a link for illegitimate reasons. This is commonly done to generate affiliate revenue or to hurt a competing site. Other reasons include increasing search-engine rankings or influencing polls on social or political opinions. 

This practice costs businesses billions of dollars annually in lost marketing revenue, while diminishing analytics insights by skewing marketing data.

Click fraud happens through a variety of methods. These include tactics that employ human users, such as:

• Crowdsourcing
• Incentivized traffic
• Click farms
• Automated cyberattacks such as hit inflation scripts and botnets

Proactive detection, often assisted by automation, forms a foundation for countering click fraud. By detecting suspicious patterns of behavior, you can isolate and block fraudulent IP addresses and visitors exhibiting other questionable characteristics. Remarketing and social media advertising can help you further reduce the proportion of fraudulent clicks you receive. 

Use these techniques to help you reduce click fraud and avoid wasted ad expenses so you can better results from your digital marketing investment.