There are many different types of click fraud and whether or not it’s a problem for most PPC advertisers is hotly contested. In this article, I’ll explore the many varieties of click fraud, how native platforms handle it, what 3rd party tools do, and whether they are worth the money.

click fraud protection

Ad Inventory Types

Click fraud occurs to some degree on all ad platforms and placement types. For the purposes of this article, I’ll mainly be dealing with Google Ads, MS Ads, and Facebook Ads. These are the only three platforms that are well supported by third-party click fraud protection tools.

Google and Microsoft offer two main types of inventory, search and display. For the most part, search ads run on trusted search engines. Display ads are a little more complicated as there are Google’s fully controlled properties such as Gmail and Newsfeeds which I’ll generalize as Discovery. There are also 3rd party content placements that run on Google’s platform, i.e. YouTube ads. And finally, there are placements completely hosted by 3rd parties, which we’ll call Google Display Network (GDN).

On the Microsoft side of things, their display inventory is mainly made up of third parties, which they call audience ads.

Facebook offers in-platform ads, mainly those that run in Newsfeeds, ads on chat, and ads on their audience network. Facebook’s Audience network is just like the GDN. In that regard, it’s subject to the exact same issues.

The Many Faces of Click Fraud

Unfortunately, click fraud occurs in many forms. I’ll break down the most common sources of click fraud.

click fraud types

Competitors

Clicks from human competitors happen for a few different reasons.

First and foremost your competitors are going to click on your search ads in order to check you out, i.e. perform competitive research on your creatives and landing pages. Secondly, and less common, your competitors may click on your ads to use up your budget on clicks that won’t net you any business. The idea is to make your search campaigns unprofitable and hopefully push you off the platform completely.

While Google and Microsoft may charge you for some “one-off” clicks they will automatically credit back all PPC charges for duplicate clicks from the same user.

This can be a bigger problem, though, if a competitor crowdsources click activity as it’ll be harder to detect and stop.

Search Engine Bots

There are all kinds of bots probing search engines to scrape information about the ads or the companies running the ads, or more often to review organic results. The most common bots are organic position trackers such as SEMrush, AHREFS, Moz, and so on. These bots only register impressions and don’t “click” on your ads. But some other types of bots do click through the ads.

Most bot clicks are caught by Google and Microsoft and automatically credited back. Although an occasional click may slip through, it’s usually not enough of a problem for a typical advertiser to worry about.

VPN Users

VPNs are used widely by people all over the world. Depending on what you sell, quite a lot of your clicks may come from VPN users that are located outside of your intended target area. For example, you are targeting US users with your SaaS offer but people from other countries are able to view and click on your ads.

This is a legit problem that quite a few advertisers face, and it applies to all ad types (search, display/audience, video, and discovery). Thankfully, Google and Microsoft do a pretty good job of catching most of this.

Click Farms

Click farms are large groups of “publisher” websites that run Google display and Facebook audience ads and offer no value to real people. Their sole purpose is to generate revenue from fraudulent clicks. The clicks may be generated via crowdsourcing or automated bots, typically incorporating VPNs and constantly rotating IPs to evade click-fraud protection methods.

More sophisticated schemes will also pay people to click through ads and submit registration forms on advertiser sites. This secures them a higher volume of traffic when advertisers are using pay per conversion bidding methods.

Unfortunately, while the ad platforms do prevent a good portion of this some sites and clicks still slip through.

How Big is the Issue?

According to a 2020/21 report from PPC Protect, 11% of search ad clicks and 36% of display ad clicks are fraudulent or invalid. That’s a lot! But we should take those numbers with a grain of salt since invalid can mean many things such as accidental clicks, multiple clicks from the same user, legit clicks that don’t register as visits, and clicks from well-known bots. One could argue that any click that doesn’t lead to a conversion is theoretically invalid. There is a big difference between the odd irrelevant click and true click-fraud schemes, it’s an important distinction.

Also, Google, Microsoft, and Facebook already capture most of these clicks and filter them out or credit them back later. More specifically, native click fraud protection (in this case Google) defines “invalid” clicks and outlines the “various methods” they use to prevent it. This sounds awfully similar to what most paid services do. And, you would expect that with the resources the large ad platforms have, they would be better at catching this than 3rd parties would. But that is, of course, conjecture on my part. It could also be that the ad platformers are happy to let a portion of fraudulent clicks through, they get paid for those after all. I don’t believe that, but it is possible.

Another thing to consider is this is simply part of the cost of advertising. Advertisers routinely waste money on irrelevant search queries, poor performing creatives, terrible landing pages, lacklustre sales processes and more. That said, if you can easily cut click fraud costs you should absolutely do so.

Click fraud affects advertisers differently depending on several factors. For the most part, if you’re only running search and/or Discovery/Newsfeed ads you’re well protected by Google, Facebook, and Microsoft. In this scenario, unless somebody purposefully attacks you, you probably don’t need to worry about click fraud at all.

The issue can become a nuisance or much worse if your search ads are targeted, however.

Display ads with targeted (non-remarketing) audiences are where there tends to be a bigger problem. The reason for this comes down to dollars and cents. While search ads click fraud is restricted to disreputable competitors, there is commercial value in running click farms. In that sense, everybody that runs display or audience ads is a potential target.

What Can You Do About It?

Besides relying on ad platform providers to capture fraudulent clicks there are a number of ways you can protect yourself.

As the bigger issue tends to be with display and audience network ads you may decide to simply avoid running those types of ads. At my agency, we currently run very little on Google’s Display Network (GDN) and almost nothing on Microsoft’s Audience Network. There are a number of reasons for this besides click fraud, most of which relate to performance and client goals in one way or another.

In the case of Google, we’ve migrated much of our client spend from GDN to Discovery inventory, which performs better and has zero true click-fraud.

Also, importantly, if you’re only running display remarketing ads, you have an extra layer of protection against click farms. Since the fraulent clicks are generated by bots or users that haven’t visited your website, there is no chance for them to see your ad on their publisher sites.

If you do run “targeted” display/audience ads here are some steps you can take to reduce click fraud.

Dealing With Display Ads

First, get aggressive with content exclusions in your campaign settings. Many click farms will be tagged with one of these content labels so you will eliminate the possibility of your ads running there. Limit where your ads can run by using contextual targeting such as topics. These steps will make it a bit easier to review your placement reports for “bad” sites.

If you have access to placement reports (supported by most campaign types) the click farms will stand out due to very high click-through rates and/or very high conversion rates. You can then block them manually as you go.

Consider running one or both of these great scripts to help manage your display placements. The placement analyzer script reports on page authority, domain authority, # of backlinks, and age of the site, making it fairly easy to tell whether a site has been recently created – a tell-tale sign it may be part of a click farm. The placements exclusion script automatically finds and blocks display placements based on keywords you include and/or TLDs (domain extensions) you exclude. As most click farms are not hosted on .com domains this can be an easy way to help prevent click fraud.

Many accidental clicks happen on mobile app ads. I don’t consider these to be click fraud, but if you do you may want to simply create exclusions for all app categories to eliminate these. Note that it’s much faster and easier to block all of them using Google Ads Editor rather than selecting them one by one in the web interface.

Lastly, keep an eye out for a sudden increase in fake leads. If you see a spike it’s a good bet that these may be coming from a click farm, often multiple sites. It’s always a good idea to add some kind of form submission protection to your website. This can include adding a CAPTCHA, honey pot, blocking off-shore traffic from visiting your website, and more.

One thing to note is that the new Performance Max campaigns from Google do not yet support placement exclusions. You can work with your Google rep if you find potentially fraudulent placements, but the process is slow and inconvenient.

Dealing With Search Ads

Detecting click fraud on your search ads can be tricky. Some things to look for include:

  1. A sudden increase in click-through rate and a corresponding decrease in conversion rate
  2. A high volume of visits from IPs that don’t belong to trusted users
  3. A dramatic increase in bounce rate or decrease in time on site/pages visited from your paid search traffic
  4. An increase in PPC visits from non-targeted countries
  5. An increase in invalid activity refunds in Google or Microsoft financial statements
  6. A significant volume of clicks all coming from a single location such as one zip code or small radius

Okay, so you’re getting too many fraudulent search ad clicks, what can you do about it?

Start by reporting the activity to Google or Microsoft as appropriate. Support will likely ask you to provide the landing page(s) involved, server logs, and other details so they can launch an investigation. Importantly, this will get you a refund but may not solve the root cause.

If all the fraudulent activity is coming from a few IPs you can block those IPs in campaign settings. This is probably just a temporary fix, however, as serious fraudsters will change their IPs to get around this problem.

If all the fraudulent activity is coming from one physical location you can exclude that location in campaign targeting settings. This will prevent everybody in that location from seeing your ads. They may, of course, move to another location, but that won’t be practical for a small competitor that’s clicking on your ads from their home or office.

Dealing with Performance Max Ads

The new Performance Max campaigns include both search and the GDN. The percentage of ad spend dedicated to GDN is typically small but at the same time, it’s very difficult to deal with click fraud. You can see placement reports for P-Max, noting they are shown account-wide. If you have multiple P-Max campaigns there is no way to know which placements are coming from which campaign. Also, Google only provides impressions data, which makes it nearly impossible to spot potentially fraudulent placements to block.

We recently tried an experiment with an account that was receiving fake leads. Every day for two weeks we would block every single placement Google reported as having received at least 1 impression. While the number of fake leads was reduced it didn’t clear up completely until we paused the campaigns completely. This means that Google isn’t providing a complete placements dataset.

Furthermore, there is no way to block IPs in this campaign type. That means even a click fraud protection service would be rendered useless here.

What do Click Fraud Protection Services Do?

While each service provider will claim they have the best “secret sauce” they all use similar methods to detect and prevent invalid clicks. I want to make a clear distinction here between click fraud, which are clicks made with bad commercial intentions, and low-quality clicks, which are mainly accidental.

The distinction is important because a very large portion of what these services call “click fraud,” are not actually that.

Here’s a grocery list of what the services detect:

  • multiple clicks from the same IP
  • website visits from Bots
  • clicks from VPN users (outside of your geo-targeted range)
  • visits from undesirable IP ranges

Here I’ll break down in a little more detail how each of these works.

Multiple Clicks from the Same IP

This is the core functionality of click fraud protection services. IP addresses from each click are saved and matched to new clicks. If there are frequent clicks from the same IP the service will block that IP by adding it to the ad platform’s campaign IP exclusions list. The service will also log the extra clicks from that IP so that you can send that to the ad platform to request a credit.

Based on our own experience, both Google and Microsoft already capture extra clicks and prevent them at source or credit them back. This is evidenced by the vast majority of refund requests coming back with no credit or a very small credit.

One other important thing to note is that Google and Microsoft have hard limits on how many IPs can be blocked. For Google, it’s 500 IPs per campaign and for MS it’s 100 IPs. That’s fine to block a mom and pop competitor but it’s not nearly enough to deal with a click farm. Given that, click fraud services will rotate out older IPs and replace them with newer ones. It’s not a great solution but it’s the best they can do.

Website Visits from Bots

The ad platforms already know most of the common bots by their IPs and filter out those clicks. Click fraud services may find some additional bot visits by detecting non-javascript browser activity and/or by looking at on-page behaviour. Bots tend to have a pretty distinctive pattern that’s much different from a real person.  As above, these IPs will be logged and blocked.

Clicks from VPN Users

People use VPNs for all kinds of reasons. In the case of click fraud, it’s mainly used by users/bots located outside of the campaign’s desired location target. This is an area where it does seem like the ad platforms accept a lot of invalid clicks, particularly from display campaigns.

The logging and blocking of VPN users is probably the most useful feature of click fraud protection services. We have had a few cases at our agency where we’ve been able to recover large credits related to click farm schemes using VPNs in combination with rotating IPs.

Visits from Undesirable IP Ranges

Another fairly useful feature from providers is the ability to pro-actively block entire IP ranges known to be from bad players. The click fraud protection services can do this by looking for IPs that appear across a large swath of existing clients. The problem with this goes back to the hard limits that Google and Microsoft have on how many IPs can be blocked at once.

Click Fraud Service Reporting

Click Fraud services provide a wide range of reports indicating the different types of traffic they have logged and blocked. The “saved” dollars and cents can look impressive. But there are quite a few problems with the calculations.

ClickCease sample report

First, the average CPC that’s used is based on your account average. Since click fraud by percentage, mainly occurs on display ads, this is not a very accurate way to assess savings. Instead, you would have to break out display fraud from search fraud in order to perform these calculations since search clicks are often 5-10x the cost of display clicks.

Second, the “cost savings” include logged invalid clicks that you’ve already paid for. One of two things is going to happen here. Either the ad platform will already be crediting this back as invalid activity, or you will attempt and probably fail to get much of a refund. These savings are, therefore, way overstated.

Third, many clicks reported as fraud are simply legitimate multiple clicks from interested visitors. The classic example of this is regular users of a SaaS that search for the brand, click on the ad, and log in. You can easily eliminate these clicks (if you want) by adding an audience exclusion for your existing customers.

Click Fraud Protection Options

First, my agency doesn’t have any affiliation with these services nor have I spent time to formally review them. We do have some hands-on experience with ClickCease but haven’t worked with the others. ClickCease and PPC Protect cover Google Ads, Microsoft Ads, and Facebook Ads. ClickGUARD appears to only cover Google Ads at the moment.

The services start from around $60/month with higher prices to protect more clicks and to enable additional features. Even fairly large ad spend clients (north of $25K) should pay no more than a few hundred dollars per month for click fraud protection. This means that these services are very affordable for large advertisers but might push up your overhead if you’re spending less than say $1K/month in direct ad costs.

Also, somebody needs to set up the service and maintain it, which isn’t free. While you can set it and forget it, it’s probably a good idea to review the reports and monitor for any significant changes in performance. If you’re engaged with an agency to manage your campaigns, you should ask if they will include oversight of your click fraud protection service.

Some of the services offer a free trial, which allows you to evaluate the product before investing.

Use-Cases for Click Fraud Protection Services

Here are the times when you would likely benefit from a click fraud protection service.

You’re Being Attacked!

If you are noticing tell-tale signs of being attacked and can’t find an easy fix by blocking offending IPs, locations, or placements, you should try out one of the service options listed above.

You Spend a Lot on Display Ads

If you have a fairly large percentage of your ad spend going towards display ads you may want to invest into click fraud protection. This will be particularly true if you’re routinely seeing unnaturally high click-through rates or conversion rates from many placements.

You Have a Substantial Ad Spend

If you’re spending more than $10K/month, click fraud protection may cost you 1% or less of your total ad spend. While the service may not do much for you, even a few percentage points of saved clicks should put you into the black. Think of it as an insurance policy to protect your account against something bad happening in the future.

When Not to Get Click Fraud Protection

If you have a small ad spend (<$5K), don’t run any GDN ads, and haven’t noticed any anomalies, I would pass on this for now. Besides the added cost, you’re going to end up spending a bunch of extra time setting up and monitoring the system. If you are DIY, this is especially true as you may find yourself dazzled with the crazy numbers that your service will pump out.

Summary

While click fraud is a legitimate problem, it’s not rampant or that big of an issue for the majority of advertisers. Even when you encounter click fraud, ad platforms take care of most of it. And, when they don’t, there are a bunch of manual actions you can implement to prevent this without paying somebody else to do so.

If you’re spending a significant amount on PPC, however, it may be worth adding a service, especially if you run targeted (non-remarketing) display campaigns on Google’s display network (GND) or audience ads with Microsoft or Facebook. Likewise, you may want to seriously consider adding a service if you know you’re being attacked and are having a tough time stopping it using other methods.

But if you’re staying away from audience/display networks, it’s very likely that your ad platforms already have you well taken care of. For now, just keep an eye out for anomalies.