Click fraud uncovered: Ultimate guide to protecting ad spend

This guide will explain everything you’ll ever need to know about click fraud, the different categories of unwanted clicks, how it can be detected, and how it can be stopped.
The basics: What does it mean?

Before digital media, ads were placed and paid for as a simple “media buy” (or “insertion order”). Maybe results were measured, but the results didn’t have any impact on the price paid, except maybe to influence whether the advertiser repeated the order in the future.

Digital media changed things drastically. It became possible to measure exactly how many eyeballs saw an ad, and bill precisely for them. Then came pay-per-click (or PPC / cost-per-click), and the rules changed again. Now it was possible to bill based on how many people took action on ads.

This change brought real benefits to both advertisers and publishers. It’s now easier for advertisers to understand the value they get from their ad spend. At the same time, small publishers were now able to join together with other publishers into “networks” and share a pool of ad dollars.

But ad impressions and clicks can be faked. And with revenue now so closely tied to these metrics, some unscrupulous publishers found ways to make a lot of money out of faking them.

Pay-per-click advertising also opened up new problems for advertisers in recent times. The cost per click is now so high that in some categories, competitors or upset customers can make a material difference to a campaign’s overall performance. PPC ads are open to the world to be clicked on, and there can be many motivations for doing so outside of genuinely needing the services of the advertiser.

This guide will explain everything you’ll ever need to know about click fraud, the different categories of unwanted clicks, how it can be detected, and how it can be solved (or at least minimized).

We'll start by looking at all the possible categories of click fraud.

Types of click fraud

The term “fraud” accurately describes many unwanted clicks, but the catch-all term “click fraud” can cover not just deliberately invalid clicks but also clicks that are more accidental.

Direct publisher fraud

Digital publishers are sites (or apps) that carry ads. For example, The New York Times is a publisher in the traditional sense, but also a digital publisher since they run ads that are billed by the impression or click.

Large publishers may accept advertising orders directly, with the advertiser paying the publisher through an ad system run by the publisher. In this case, although there is incentive for the publisher to falsely inflate ad performance, since a direct relationship exists, fraud is likely to be minimal. After all, the advertiser will soon notice the poor ROI from their spend and it would be a simple business decision to stop advertising there altogether, or ask for a lower CPM or CPC rate.

But smaller publishers, and actually many very large publishers too, are part of networks of publishers such as Google AdSense, Propel Media, or Mediavine. These are essentially middle-men, taking advertising orders and delivering the ads through inventory spread across a large network of publishers.

This changes the game because it vastly reduces transparency and complicates the relationship between advertiser and publisher. It makes it easy for faceless, fraudulent publishers to sign up to networks and fake traffic, earning potentially millions before they’re found out and shut down. Even when these publishers are banned from networks, they can set up again and start the fraud all over again.

Sites created primarily to sell ad spots, where the content is non-existent or wouldn’t attract organic visitors, are known in the industry as Made For Ads (MFA) sites.

Of course, ad networks do their best to confront this type of fraud. But it’s technically difficult, and publishers are more greatly incentivized to invest in other areas such as innovation and expanding their networks of genuine publishers.

The more subtle the fraud, the harder it is to eliminate. It’s easier to identify a 100% fraudulent publisher than one that inflates traffic by 10-15%. But if 10% of traffic is fake, that means 1 in 10 clicks are fake, and it will have an impact on the advertiser.

Indirect publisher fraud

So, direct publisher fraud is where the publisher directly inflates (or completely fakes) their own traffic.

However, publishers compete with each other for the same ad dollars, so there is incentive for one publisher to “frame” another.

The way this works is that publisher A will pay a botnet or click farm to create fake traffic on publisher B’s site. Publisher A knows that this activity will be detected by their ad networks and that a penalty will be imposed on publisher B. This may be helpful to publisher A, especially if publisher B is banned altogether from the network.

Since there is no contractual relationship between publisher A and publisher B, and in some cases not even a contractual relationship between the ad network and a publisher conducting this type of activity, it’s extremely hard to spot the connection.

Advertising competitors

Most businesses try to keep a close eye on the competition. And there are many legitimate reasons for competitors to click on competing PPC ads. For example, to check on prices daily. Or to check for new products or services being offered.

There are more malicious angles too. Particularly in sectors with a very high cost per click, or in more niche businesses (lower volume), competitors may decide to deliberately deplete the ad budgets of competing companies. It’s remarkably simple to do this, and it’s not illegal. It may not even be contractually prohibited. But it can easily harm the performance of an otherwise profitable advertising channel.

It’s against most pay-per-click network advertiser terms of use to click on competitor ads. But these terms generally only cover clicking on other ads in the context of managing an advertising account. There is nothing to stop a competitor browsing Google and clicking on competing ads in the normal course of business.

Another side effect of these types of attacks is that once a competitor’s daily budget has been depleted, their ads stop being shown, leaving the marketplace smaller (and cheaper) for the attacking advertiser.

Customer revenge clicks

Businesses have their reputation to protect and so never like to leave a customer unhappy. But even with the best of intentions, customers can sometimes get upset. And many customers know that when they click a business's ads, there's a cost to that business. So rage-clicking those ads is the perfect passive-aggressive, totally legal way to get even.

As these clicks come from real people on legitimate devices, in this case it's important to use statistical (frequency) analysis to spot the same device coming back again and again.

Customer friendly clicks

On the other hand, customers that love a business can inadvertently drain those budgets in a similar way. There are more people than you would imagine that think the only web navigation path is to search Google and click the top listing.

If there are customers using this method day in day out, it will also cost those budgets. This is especially the case for brand terms, but can affect any keyword that you bid on. Sometimes a customer will come back to your site every time using the same search term they originally found you on, even if the cost-per-click is $20!

Click fraud in the news

Although a lot of fraud naturally flies under the radar, there have been some major criminal busts and legal cases that have shone a light on the scale of advertising fraud.

We'll take a look at some of the most notable incidents here. You'll find a link on each summary to read the full details (we have a separate write up with more detailed information about each of these cases).

Advertising related controversies

Forbes MFA subdomain

Forbes were found to be running a made for ads (MFA) version of the main Forbes site, in a way that led some advertisers to think they were buying premium ad space on the main Forbes site. Read more.

Google Video Partners program quality

Analysis by Adalytics in 2023 alleged that Google fell short of its quality commitment for its Google Video Partners program. The report stated that ads were frequently shown in small, muted boxes rather than in prominent positions with sound, as promised. Read more.

Botnets and ad fraud operations

Methbot

A major ad fraud network that used click farms in datacenters running headless browsers to fake clicks on video ads. Clicks appeared to be originating from real users on residential IP addresses. The botnet is thought to have watched up to 300 million video ads every day. Read more.

3ve

Pronounced as “eve”, a botnet thought to be closely related to Methbot, that relied on infected home and office computers to generate fake clicks on throwaway webpages containing real ads. Devices were infected with malware inadvertently downloaded through spoof emails and fake downloads. Read more.

Vastflux

A sophisticated fraud that involved stacking up to 25 video ads in the same video ad slot, within legitimate ad spots in real apps. Although 25 ads played, the end-user only ever actually watched one of them. Read more.

Other notable botnets

Learn about PEACHPIT & BADBOX (OEM installed malware botnet), Pereto (a botnet that masqueraded as connected TVs), HyphBot (a programmatic advertising spoofing scam), and others. Read more.

Legal cases

Phunware v. Uber

After Phunware initially filed a contract lawsuit against Uber, Uber then uncovered a major click flooding fraud. Phunware was found to be flooding devices with clicks in order to attribute organic installs of the Uber app to itself. Read more.

Google v. Auction Expert

This case happened a long time ago now, but it was directly related to click fraud. Google accused Auctions Expert (a publisher) of essentially clicking on the ads published on its own website. Read more.

AIT v. Google

Again, an old case but directly concerning PPC fraud. AIT (an advertiser) sued Google alleging that Google didn’t do enough to prevent click fraud on its ads. This case was settled out of court without any public resolution. Read more.

The mechanics of click fraud

Now you know what click fraud is, you may be wondering about how it actually happens. We’ll look at how botnets and click farms create thousands of clicks without a single human ever looking at an ad, and learn about some of the other terminology you’ll hear relating to ad fraud.

Click farms

A click farm is a cluster of physical devices that are set up to mimic human interaction with ads. For example, they may open a web page, scroll and make mouse movements, maybe pause a video ad, and sometimes click on ads.

The term click farm could mean a bank of mobile phones with software running on them to mimic the user, or equally a click farm could be a bank of computers running headless (computer controlled) browsers. See our write up of the Methbot botnet for this type of setup.

Usually a click farm setup will also involve proxies, to mask the actual IP address that the devices are connected to and make it look like the traffic is coming from a wide variety of locations and ISPs. Click farms always prefer to use residential IP addresses, as datacenters are much more likely to be flagged as a threat.

A click farm is different from a botnet in that a click farm is a network of devices directly controlled by a fraudster whose primary purpose is to create fake clicks.

Botnets and trojans

In contrast to a click farm, a botnet is a network of hijacked real user devices. They perform the same work as a click farm, but in secret on a real device, ideally without the user of the device knowing what’s happening.

A botnet is built using malware, often downloaded through spam/phishing emails or hidden in legitimate software (a trojan). The malware installs itself on the device, hides in the background, and usually takes instructions from some remote server.

Once the botnet is big enough, either the controller of the botnet can use it to commit ad fraud directly, or will rent its capability out to other fraud operations for a fee.

One major benefit of a botnet over a click farm is that it’s already distributed across many different countries, device types, and ISPs. For example, botnets don’t need to use proxies to blend in with genuine ad traffic.

However, there are downsides. Since the botnet relies on hijacked devices, they are somewhat limited in the amount of work they can do secretly without being found out. If the device is too busy, it will slow down and get too hot, and eventually the malware will be caught and removed. This isn’t a problem for click farms.

3ve is a great example of a malware botnet used for ad fraud.

Ad stacking

Ad stacking is a technique that fraudsters use within fake publisher pages or compromised ad slots that they control.

Most advertising inventory is sold on a CPM (cost per thousand) basis. So the more ad impressions that can be squeezed into the page, the better.

Ad stacking is the practice of placing ads above each other, as opposed to spread throughout content or placed side-by-side. Of course, when an ad is stacked on top of another, the ads underneath are invisible to the human eye. This makes any ad stacked under another an entirely fraudulent (and useless) ad impression.

Vastflux is an example of a sophisticated fraud that involved stacking up to 25 video ads in the same video ad slot, within legitimate ad spots in real apps.

Ad hiding

This is similar to ad stacking, but the idea is to make ads invisible to users but still allow them to be counted as "viewed" in reporting systems.

There are several ways to achieve it. Sometimes ads are squeezed into tiny 1x1 pixels that are all but invisible to the human eye. Or ads can be loaded into iFrames that are hidden from view, or simply placed in a spot that's off screen, such as far below or to the right of viewable content.
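The hiding and stacking tricks described above can be caught by auditing the geometry of each rendered ad. The following is an added example, not code from this guide or from any ad network; the `Slot` record, the viewport size and all thresholds are assumptions, and the sample page is constructed.

```python
from dataclasses import dataclass

# Assumed thresholds for this example, not values taken from the guide.
VIEWPORT = (0, 0, 1280, 720)   # left, top, width, height of the visible area
MIN_SIDE_PX = 2                # anything thinner is treated as a hidden pixel
MIN_IN_VIEW = 0.5              # share of the ad's area that must be on screen
MAX_COVERED = 0.5              # share of the ad that another ad may cover


@dataclass(frozen=True)
class Slot:
    """Geometry of one rendered ad, as a page measurement script might report it."""
    slot_id: str
    x: float
    y: float
    width: float
    height: float
    z: int                  # paint order: higher values are drawn on top
    displayed: bool = True  # False when the ad or its iframe is hidden


def overlap_area(ax, ay, aw, ah, bx, by, bw, bh):
    """Area shared by two axis-aligned rectangles (0 if they do not overlap)."""
    w = min(ax + aw, bx + bw) - max(ax, bx)
    h = min(ay + ah, by + bh) - max(ay, by)
    return max(w, 0) * max(h, 0)


def classify(slot, all_slots):
    """Return the reason an impression should not count, or 'viewable'."""
    if not slot.displayed:
        return "hidden"
    if slot.width < MIN_SIDE_PX or slot.height < MIN_SIDE_PX:
        return "tiny"
    area = slot.width * slot.height
    rect = (slot.x, slot.y, slot.width, slot.height)
    if overlap_area(*rect, *VIEWPORT) / area < MIN_IN_VIEW:
        return "offscreen"
    # Simplification: coverage is tested against each higher ad on its own,
    # which is enough for same-slot stacking; partial covers are not combined.
    for other in all_slots:
        if other.displayed and other.z > slot.z:
            covered = overlap_area(*rect, other.x, other.y, other.width, other.height)
            if covered / area > MAX_COVERED:
                return "stacked"
    return "viewable"


def audit(slots):
    """Map every slot id to its verdict."""
    return {s.slot_id: classify(s, slots) for s in slots}


# Constructed sample page: three ads stacked in one slot, a 1x1 pixel ad,
# an ad placed far to the right, an ad in a hidden iframe, and a normal ad.
SAMPLE_SLOTS = [
    Slot("ad-top", 100, 100, 300, 250, z=3),
    Slot("ad-under1", 100, 100, 300, 250, z=2),
    Slot("ad-under2", 100, 100, 300, 250, z=1),
    Slot("ad-pixel", 10, 10, 1, 1, z=1),
    Slot("ad-far", 5000, 100, 300, 250, z=1),
    Slot("ad-frame", 500, 100, 300, 250, z=1, displayed=False),
    Slot("ad-side", 900, 100, 300, 600, z=1),
]

if __name__ == "__main__":
    for slot_id, verdict in audit(SAMPLE_SLOTS).items():
        print(f"{slot_id:10} {verdict}")
```

Only the top ad of the stack and the sidebar ad come out as viewable; every other impression on the sample page would be billed without being seen.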

Pop-under ads

In pop-under ad fraud, when a visitor loads a site, a pop-under window also loads up behind the window that the user is expecting to see. This pop-under can contain ads that a real user will never see.

The nature of this means that the pop-under can appear to contain “normal” content, even though it’s much less likely to be seen by a real human.

Click flooding

In the Phunware v. Uber case, Phunware was found to be involved in click flooding in its work for Uber.

Attribution involves keeping track of which users see (or click on) each ad so that if a conversion eventually happens (a day or a week after seeing an ad, for example), then the advertiser knows which media drove the user to take action.

If the app in question is popular and universal enough, an unscrupulous agency with access to a large inventory can fake impressions or clicks (sometimes even by counting an impression as a click), i.e. create a record of an impression/click by a user who didn’t actually see the ad.

The idea is to take advantage of the organic installs that would have happened anyway: when a user naturally downloads the app, or does so after seeing an offline ad, the install is falsely attributed to the faked impressions/clicks.

If the agency is getting paid per install, this can be especially lucrative.

Clickjacking

Have you ever been on a website where you’ve clicked on a large “Go!” button to then find out that it’s an ad rather than the button you were looking for? Most of us have been there, unfortunately.

Any situation where the visitor is tricked into clicking on an ad is known as clickjacking.

This can happen in less malicious circumstances where algorithms used to serve ads adapt to a feedback loop and begin placing elements like the “Go!” button where they are clicked on more often, unaware that the reason for this is actually confusion rather than intent.

But there are more malicious and intentional tricks such as using transparent elements over content to change the destination of a click.

Other clickjacking techniques involve creating movement on the screen or switching elements at the right time to deliberately increase the number of accidental clicks.

Misrepresentation of inventory

Different ad spots and formats have different inherent value to advertisers. Clearly, a person giving their whole attention to an in-stream video ad is more valuable than an auto-playing video ad that’s within a regular ad spot.

So continuing this example, misrepresentation is where a video played out within an ad spot is classed as an in-stream ad.

In our advertising related controversies section we talked about another example, the Forbes subdomain that advertisers mistook for the higher quality main Forbes site.

Misrepresentation of inventory is any situation where an ad’s true value is compromised or hidden from the buyer. Whether intentional or not.

Detecting click fraud

As you’ve seen already, there are many ways that fraudsters try to hide their activities. However, it’s almost impossible to completely disguise it. Here are some of the techniques that can be used to detect click fraud.

Statistical analysis

The first method we’ll look at is statistical analysis. This is about looking at when clicks happen in order to spot problems.

For example, if there is a sudden increase in the volume of clicks on ads in a 15 minute window, that could indicate a problem, especially if those clicks otherwise appear to be distinct.

Statistical analysis methods involve flagging up anomalies from one rolling time window to another. For example, if for the past 10 Tuesdays between 10am and 10:30am there have been around 100 ad clicks, and then on this Tuesday in the same time period 1000 clicks were logged, it would be worth looking further into the traffic to see why there was such a ramp up.

This method should usually be combined with others, for example examining the IP addresses or device fingerprints behind the clicks, to get to the root of the problem.

Statistical analysis may also consider the time of day. If the site is relevant only to UK users, for example, you’d expect only a fraction of daytime ad traffic at hours when the UK population is usually asleep.
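The Tuesday comparison described above can be written as a same-weekday, same-time baseline check. This is an added example, not code from this guide or any vendor; the 30-minute slot, the median/MAD scoring, the threshold of 6 and the click data are all assumptions constructed for illustration, and timestamps are taken to be naive local times.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

SLOT = timedelta(minutes=30)


def slot_start(ts):
    """Floor a timestamp to the start of its 30-minute slot."""
    return ts.replace(minute=ts.minute - ts.minute % 30, second=0, microsecond=0)


def count_by_slot(click_times):
    """Number of clicks in each 30-minute slot."""
    return Counter(slot_start(t) for t in click_times)


def check_slot(counts, current, weeks=10, threshold=6.0):
    """Compare one slot with the same weekday and time in previous weeks."""
    history = [counts.get(current - timedelta(weeks=k), 0)
               for k in range(1, weeks + 1)]
    baseline = median(history)
    mad = median([abs(h - baseline) for h in history])
    # Robust spread: scaled MAD, floored at sqrt(baseline) (the noise expected
    # of a count) and at 1 so a flat or empty history cannot divide by zero.
    spread = max(1.4826 * mad, baseline ** 0.5, 1.0)
    observed = counts.get(current, 0)
    score = (observed - baseline) / spread
    return {"baseline": baseline, "observed": observed,
            "score": round(score, 1), "anomalous": score > threshold}


def constructed_clicks():
    """Constructed data: ten ordinary Tuesdays, then one with a burst at 10:00."""
    this_tuesday = datetime(2024, 3, 5, 10, 0)
    past_counts = [96, 104, 99, 101, 110, 93, 100, 98, 105, 102]
    clicks = []

    def add(start, n):
        # Spread n clicks evenly across the 30-minute slot starting at `start`.
        clicks.extend(start + timedelta(seconds=i * 1800 // n) for i in range(n))

    for k, n in enumerate(past_counts, start=1):
        add(this_tuesday - timedelta(weeks=k), n)         # 10:00 slot
        add(this_tuesday - timedelta(weeks=k) + SLOT, n)  # 10:30 slot
    add(this_tuesday, 1000)        # the burst
    add(this_tuesday + SLOT, 103)  # an ordinary slot on the same day
    return this_tuesday, clicks


def run_example():
    """Score the burst slot and the ordinary slot that follows it."""
    this_tuesday, clicks = constructed_clicks()
    counts = count_by_slot(clicks)
    return check_slot(counts, this_tuesday), check_slot(counts, this_tuesday + SLOT)


if __name__ == "__main__":
    for result in run_example():
        print(result)
```

A flagged slot is a prompt to look at the IP addresses and fingerprints behind it, not a verdict on its own.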

Behavioral signals

Behavioral signals can be:

  • Time on the site
  • Variety of mouse movements
  • Other interactions on the site (interacting with a video player, for example)
  • CTIT (Click To Install Time)
  • Conversion rates

Using these signals would normally mean establishing a baseline, or common pattern (or range), for each signal, then flagging traffic where the behavior of visitors is too far outside of this baseline.

IP address patterns

Devices tend to use the same IP address for short periods of time. So it’s possible to detect a lot of clicks from an IP in a short time window and conclude that it’s the same person clicking on the ads.

This extends to the ISP (the network that the click comes from) as well. If a single network, i.e. a single ISP, sends a lot of clicks in a short timeframe, that is likely to be the same visitor.

Generally, IP addresses do change less frequently now than they did 20 years ago, but they’re still a good indicator of problems with the quality of traffic.
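The frequency checks described in this section, and the repeat-device analysis mentioned under customer revenge clicks, come down to counting clicks per key inside a sliding time window. This is an added example, not code from this guide; the limits, the 10-minute window and the use of a /24 (or /48 for IPv6) prefix as a stand-in for the ISP are assumptions, and the click log is constructed from documentation IP ranges.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed limits: more clicks than this per key within the window is flagged.
DEFAULT_LIMITS = {"ip": 3, "network": 5, "device": 3}


def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Prefix used as a rough stand-in for the network or ISP behind an IP.
    A real deployment would map the address to its ASN instead."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def find_repeat_clickers(clicks, window=timedelta(minutes=10), limits=None):
    """clicks: iterable of (timestamp, ip, device_fingerprint) tuples.
    Returns {(kind, value): peak click count} for every key over its limit."""
    limits = limits or DEFAULT_LIMITS
    recent = defaultdict(deque)   # (kind, value) -> timestamps inside the window
    flagged = {}
    for ts, ip, device in sorted(clicks):
        keys = {"ip": ip, "network": network_of(ip), "device": device}
        for kind, value in keys.items():
            seen = recent[(kind, value)]
            seen.append(ts)
            while ts - seen[0] > window:   # drop clicks older than the window
                seen.popleft()
            if len(seen) > limits[kind]:
                key = (kind, value)
                flagged[key] = max(flagged.get(key, 0), len(seen))
    return flagged


def constructed_clicks():
    """Constructed log: one IP clicking repeatedly, one device rotating IPs,
    one network sending a burst from many IPs, and two ordinary visitors."""
    t0 = datetime(2024, 3, 5, 10, 0)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    clicks = [(at(i), "203.0.113.7", "fp-a") for i in range(5)]
    clicks += [(at(20 + 2 * i), f"192.0.2.{10 + i}", "fp-b") for i in range(4)]
    clicks += [(at(40 + i), f"198.51.100.{1 + i}", f"fp-n{i}") for i in range(6)]
    clicks += [(at(60), "192.0.2.200", "fp-c"), (at(90), "203.0.113.50", "fp-d")]
    return clicks


if __name__ == "__main__":
    for (kind, value), peak in find_repeat_clickers(constructed_clicks()).items():
        print(f"{kind:8} {value:20} peak {peak} clicks in window")
```

The device that rotates IP addresses is caught only by its fingerprint, which is why the IP check and the fingerprint check are run side by side.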

Device fingerprinting

Once a visitor is on a webpage, it’s possible to analyze the JavaScript environment and the attributes of the OS, device, and browser that’s presented. This is called browser fingerprinting.

There are 1000s of datapoints that, in combination, can do two helpful things:

  • Confirm that the device is what it says it is. For example, if the browser declares itself to be the Chrome browser running on a MacBook, is that true? There may be tell-tale signs that the device is masquerading as something it’s not.
  • Calculate the likelihood of two visits being the same person (or at least the same device). This is done by boiling down all this data into a “fingerprint”, and matching fingerprints against each other.

We’ve created a complete guide to browser fingerprinting that you may find useful to understand this more.

Referrer domain quality

The referrer is the site that the visitor clicked through from. I.e. the publisher that hosted the ad.

Since some types of publisher fraud rely on creating very poor quality sites (i.e. Made For Ads, or MFA, sites) and quickly pumping volumes of fraudulent traffic through them, it’s useful to monitor referrers carefully.

These things should be checked for each referrer:

  • Is the site very new?
  • What is the domain name of the referrer? (Poor quality sites often use TLDs that are cheap and quick to register.)
  • Check the registrar and DNS routing for the domain
  • Confirm the site is accessible
  • What type of content is hosted on the site?

When bad referrers are spotted, traffic from that source may then be blocked.

YouTube channels are another area of concern when considering where traffic comes from. Channels that are not relevant for the type of products being promoted may need to be blocked to improve the ROI of the campaign.

An example is kids using their parent's device to watch YouTube. Whilst this isn’t strictly fraud, the click quality from ads shown on kids' YouTube channels for a grown-up product is going to be extremely low. It’s better to block out this sort of traffic.

Publisher-level analysis

Many of these detection methods are open to both the publisher and the advertiser. But ad networks have a unique top-level view that is only accessible to them.

By making statistical comparisons between similar publishers on the same network, they can spot anomalies that can point towards fraud.

Think about impressions and clicks that don’t account for seasonality, or the hour of day. Or a much higher CTR than other publishers on the network.

Of course, there are financial aspects too. What bank account is the publisher being paid into? Who is the ultimate owner of the publisher, and has there been any attempt to obscure this?

Unfortunately for advertisers, the work that ad networks do to protect them from fraud is usually kept under wraps. This is partly to avoid revealing the techniques that are being used, but it creates an element of doubt that enough is being done.

How to stop (or minimize) fraud

Measures that advertising/publisher networks take

Google’s Traffic Quality page says that:

Our dedicated Ad Traffic Quality Team uses live reviewers, automatic filters, machine learning, and deep research to detect and filter as much invalid and fraudulent activity as possible.

We’ll take a look at each of these methods:

Real-time filtering suspect traffic

Networks inspect the user agent or IP address, and check for problems such as high click through rates (CTRs), or high numbers of clicks from a single user, and can stop the click before it’s charged to the advertiser.

Filtering in near real-time

Ad networks also monitor traffic over a longer period of time, sometimes over days or even weeks. They can detect suspicious traffic patterns that can then be dealt with retrospectively.

But in this case, the advertiser has already been charged and would need to be refunded once problems are identified.

Manual traffic reviews

Google says that they “manually review issues flagged by our advertisers, publishers, and automated systems”, and also that they “may also set an alert to be informed of unusual spikes in that traffic”.

So it can also be useful to report problematic traffic patterns to ad networks, so they can be looked into. Google will investigate any reported case of invalid traffic.

Proactive research and botnet discovery

Ad networks such as Google usually have teams that work to proactively uncover botnets and learn to block their traffic. They may do this in partnership with security research firms that share their research with them.

Suspending publishers

If a traffic quality problem is isolated to a single publisher, the network may choose to either ban the publisher entirely, or suspend them until problems can be fixed (if the quality problem is unintentional, i.e. a technical problem).

Solutions available to advertisers

There are tools on the market available for advertisers to monitor their ad traffic quality and respond to problems, generally known as “click fraud prevention” or “click fraud protection” software.

We at Hitprobe provide exactly this. You can learn more about how Hitprobe provides click fraud protection for advertisers.

Generally, ad fraud protection tools aimed at advertisers will provide features like:

  • Identifying each device’s fingerprint and blocking devices that click ads too often
  • Blocking IPs and networks where there are a suspicious number of clicks
  • Analyzing the referrer and blocking domains where necessary to make sure ads only run on quality sites
  • Audience (ad network pixel) exclusion to stop ads being shown to blocked visitors
  • Providing reporting and analysis tools to monitor for trends and patterns that could point to fraud

These types of tools are enabled by placing a click tracker between the visitor and the advertiser’s website, as well as injecting a small piece of code into each webpage to monitor how visitors behave.

Solutions available to publishers

There are providers of software tools and services that are more focused on publishers and large media buyers.

These platforms are designed to identify and prevent various forms of digital advertising fraud, such as click fraud, impression fraud, and bot activity.

They also tend to offer features that ensure brand safety for ads (i.e. make sure that ads are only shown alongside suitable and safe content).

Some of the largest players in this area are Integral Ad Science (IAS), DoubleVerify, Oracle Moat, and the security research firm HUMAN.

Pay per results

One approach that can be used to limit the risk, at least for advertisers, is to pay only for results. I.e. pay only when a valuable action is taken.

Since it’s infinitely harder to fake real sales rather than impressions or clicks, it moves almost all of the uncertainty back to the publisher.

Of course, only advertisers with a solid track record and large budgets have access to deals like this. However, Google Ads does offer a pay for conversions product to selected advertisers on the Google Display network.

Before you go

If you’re an advertiser and are worried about the quality of clicks your ads are attracting, or want to stop invalid, accidental, or fraudulent clicks forever, then take a look at Hitprobe’s click fraud tool now.

You can start for free and you’ll be up and running with cleaner ad traffic in no time.