“Google stops all click fraud” [True or false?]

The answer? Google does invest time and money into combating click fraud, but there’s only so much they can do.

Let’s start be seeing what Google say about it...

Google’s traffic quality page says that:‍

Our dedicated Ad Traffic Quality Team uses live reviewers, automatic filters, machine learning, and deep research to detect and filter as much invalid and fraudulent activity as possible.‍

Next, we’ll look into what this actually means.

What actions does Google take?

Reading on through the information that Google shares online, we can see that Google uses several approaches to reduce click fraud, such as:

• Filtering in real-time
• Filtering in near real-time
• Manual detection and review
• Research and botnet hunting
• Suspending and disabling accounts
  

Sounds good right? Well yes, good to hear that Google acknowledge the problem and are doing something about it.

But they earn $billions in ad revenue every year, and a lot of that revenue comes from small businesses investing their hard earned profits back into expensive search ads.

So we need to know they’re solving the problem, not just aware of it.

Surely click fraud is easy for Google to solve?

All the best engineers in the world can’t make up for one big disadvantage that Google have.

The problem is scale, and that’s something that won’t be changing soon.

To help illustrate the problem, let’s imagine the data generated by users of Google search (the “clickstream”) as a firehose. Think about taking a drink from it. This is the metaphorical equivalent of Google needing to analyze, label, and connect every click.

Pretty hard to imagine being able to catch every drop, right?

But I hear you protesting:

“But Google’s a $2 trillion company and they’re the world leaders in data...”

This is true. But data doesn’t come at Google like a firehose. This time imagine YOU are Google, and the clickstream is the Niagara Falls. Now we’re somewhere close to the scale of the problem for Google.

In traffic terms, Google.com serves 82 billion visits every month (according to traffic monitoring firm Similarweb, September 2024).

So whilst the quantity of data can be harnessed for good, the sheer scale of Google’s task means their approach has to be broad rather than deep.

What sort of click fraud does Google miss?

Bots that masquerade as real users

A 2024 report by Pixelate titled Desktop and Mobile Web Invalid Traffic Benchmark Report found that the global IVT (Invalid Traffic) rate for desktop web programmatic advertising is measured at 11.1%.

Google is not able to carefully profile every visitor to their search results. So bots hiding behind thousands of IPs can relatively easily evade Google’s protections.

You don’t need a Google account to use Google search. And since Google doesn’t perform full browser fingerprinting, they can only go off imperfect signals such as a visitor’s IP address when trying to join the dots.

Clicks from outside your country

Google’s help page on invalid clicks seems to imply that your clicks will mostly come from users within the countries you want to target.

But anyone that has used Google Search and checked their server logs will know that Google’s methods of geolocation seem imperfect.

Tip: Make sure your location targeting is set correctly

To actually apply proper location targeting on your ads, you’ll need to change the setting to target people “where they're likely to be located or regularly located”, otherwise known as “presence” only.

But even with this setting, you’ll likely still see clicks from countries you simply didn't ask for.

Poor quality partners

Analysis into Google’s Video Partners program by Adalytics in 2023, as reported by The Wall Street Journal, revealed that Google were found to be placing ads on low-quality, clickbait, or even pirated content sites. We wrote about it in our article about click fraud in the media.

Again, scale could be the issue. Google’s partner programs such as AdSense are enormous networks with hundreds of thousands of potential placements to keep track of.

Could the definition itself be a problem?

On the surface, the answer is no, as Google’s definition seems clear:

Clicks on ads that aren’t the result of genuine user interest, including intentionally fraudulent traffic and accidental or duplicate clicks.

They go on to say what they consider to be invalid clicks:

• Manual clicks meant to increase your advertising costs or to increase profits for website owners hosting your ads
• Clicks by automated clicking tools, robots or other deceptive software
• Accidental clicks that provide no value to the advertiser, such as the second click of a double-click
  

But later on, Google specifically say that “return visits” are not necessarily counted as invalid. But what if those return visits are twice a day, every day? Where do they draw the line?

They also state that “shared IP addresses” are a reason that multiple clicks from the same IP address may not be considered to be invalid. But most if not all residential ISPs assign shared IPs, and most botnet traffic is routed through these same shared IPs.

Past litigation against Google for ad fraud isn't much help either. There have been cases brought against Google related to ad fraud, but Google have never allowed litigation to get to a stage where they need to reveal anything substantial about their systems and methods.

Marking your own homework

The company who charge for every click, are the very same company who ask you to rely on them to validate every click, and the company who define what an invalid click is.

See the potential problem there? Even if you’re not a tin foil hat wearing conspiracy theorist, most people are aware of the dangers in organizations when incentives misalign.

Even if you believe (as we do), that the world's biggest advertising platform would not intentionally mislabel blatantly invalid traffic, there’s still no reason for them to pour more money than just about necessary into combatting click fraud.

To wrap up

You may be asking the sorts of questions above because you’re seeing problems with your own Google search traffic quality.

The advice is to keep a close eye on your own logs if you want to be sure about the traffic you're paying good money for. Even better, get set up with a click fraud protection tool such as our own (Hitprobe), that will give you 100% visibility and provides a second line of defense against all types of click fraud.