click fraud detection

9 Tips On How to Detect Click Fraud in 2021

April 26th, 2021

If you’re a PPC marketer then the chances are you already know what click fraud is. Or, at least, you’ve come across the term before. But do you know how to prevent and eliminate click fraud?

Interestingly, many PPC marketers think fraudulent clicks are a relic of the past. Something that happened in the wild west days of the internet back in the early 2000’s. Those same people often think click fraud no longer exists, or is already handled by the ad networks who sell you clicks. Maybe you’re even one of these people!

Well, I hate to say it, but those people are wrong. The data shows that click fraud absolutely still exists and is growing year on year. In search campaigns alone, the least impacted ad campaign type, click fraud can account for up to 11% of all ad activity.

So what is click fraud?

Click fraud is a type of ad fraud. Its goal is to create a click interaction with an online ad and having no genuine interest in a conversion action.

For example, this could be a malicious action to drain the ad budget of a competitor in niches with very high competition levels.

But ad fraud can also be non-malicious. We routinely see suspicious clicks that come up from good bots. For example, web scrapers can rack up significant ad spend costs from repeated clicks for advertisers despite no specific targeting or malicious intent. 

For example, a PPC keyword research tool may be looking to find out what landing pages the ads for a certain keyword point to. To do this, it loads a Google search, locates the ads, and clicks them. This costs the advertiser their ad budget, and is technically click fraud. But there’s no malicious intent here, just collateral damage.

It’s estimated that anything up to one quarter of all online advertising interactions occurs as a result of click fraud – with some industry leaders saying the number could be even higher still.

What is the impact of click fraud?

Whilst the impact and effects of fraudulent clicks can be wide ranging, it ultimately falls down to financial damages.

Ad budgets are wasted to non-genuine fake click activity, conversion rates are lowered, an that skews user data. It becomes harder to make data-driven decisions in your paid media marketing campaigns, non-genuine users begin to infiltrate your paid media funnel and you’re left questioning every piece of data you see.

Was that click legitimate? Can I trust this campaign data? Am I remarketing to real people or bots? Are my leads from real people?

The impact of click fraud is wide-ranging, infiltrating the data used by marketing, revenue, finance, operations, and data teams.

It’s so wide-ranging that the cost of invalid clicks alone is expected to top $20bn in 2021. That’s before we account for the opportunity cost of lost conversions, time cleaning the data, and so on.

The different types of click fraud

Click fraud can broadly be summarised into four categories, with some overlap between them. These are:

  • Malicious click fraud is when a bad actor is deliberately trying to deplete your advertising budget and cost you money. It occurs purely to harm you as a digital advertiser, for example from a competitor. There may be ancillary benefits such as their own ad positions improving, but the core of malicious click fraud is causing harm to another business.
  • Passive click fraud occurs when there’s no specific intent to harm your business or ad campaigns, but they’re just caught up in the collateral damage. For example, this could be web scrapers clicking PPC ads to get information, or it could be an organised ad fraud ring using your display PPC ads to generate fraudulent impressions and therefore payouts for themselves. The reason this would be passive click fraud is because these types of operations don’t specifically target you – they target anyone who the fraudsters can take advantage of.
  • Manual click fraud is when a specific user is undertaking manual actions themselves to commit click fraud against you. We often find that malicious click fraud is a type of manual click fraud. This type of click fraud makes up less than 5% of all click fraud activity on the web.
  • Automated click fraud is when non-human users (bots, botnets, scrapers etc) interact with your own ads in a fraudulent manner. We find most automated click fraud is passive in nature, as the scale required for these do not allow for manual inputs. Over 95% of all click fraud activity on the web is automated.

So, who is responsible for fake clicks?

There are many, many sources of fake clicks all around the web but the primary responsibilities sit with:

Malicious publishers who place display ads on their site, spoof traffic to them and automate clicks with click farms to receive a portion of the ad payout.

Competitors who, for some reason or another, despise you and want to cost you money (note: this only accounts for around 13% of click fraud, despite what some marketers & influencers in the click fraud space might say!).

Disgruntled staff/customers who have had a bad experience with you and feel like they’re getting “revenge” by clicking your paid ads continuously. This is a very minor part of click fraud.

Affiliates who want to drive you out of the ad auction so that they can receive more traffic and thus higher payouts.

Scraping tools who collect ad data for a multitude of different reasons.

Malicious bots who are continuously trying to find ways around CAPTCHA systems and search engines own built-in protection measures. These bots find vulnerabilities in search engines, browsers etc and can then be used for larger scale click fraud, account takeover, chargeback fraud and many other malicious activities.

Who’s stopping click fraud?

Unsurprisingly, ad networks are heavily involved in the fight against click fraud. After all, it’s their business model that is on the line if users are inundated with poor quality traffic! For example, companies like Google work alongside companies like us here at Lunio in the IAB Tech Lab to find future solutions to these problems.

That being said, it’s not always the core focus of ad networks who ultimately want to sell you clicks, since that’s how they generate revenue.

Generally speaking, ad networks like Google will provide a reactive layer of defense for click fraud and invalid ad activity. That means they’ll analyze it after it has occurred and, if they determine it to be fraudulent, refund the cost to you later. Of course, that’s a bit like marking your own homework – but it does the job at a basic level.

What ad networks don’t do, however, is proactively stop that click from the whole PPC funnel and buyer journey. For example, an ad network might see a search ad click as invalid and refund it a few days later but that user is now in the funnel. They are being remarketed to, they are filling your CRM with false data and ultimately they are causing your PPC data to be wrong.

How you can identify click fraud

Now that you’ve seen how click fraud can infiltrate and impact almost any ad campaign out there, it’s time to look at how you can detect the extent to which your campaigns are being affected and prevent click fraud from causing more damage.

Below we’ve listed the nine most effective ways to manually detect and prevent click fraud as of 2021. This won’t cover all types of detection, but it will help you to understand if your campaigns are being specifically targeted.

1. Check your conversion rates

Campaigns being specifically targeted by click fraud will often see unusual user behaviour. Check for this by doing the following on any campaign you need to review:

  1. Compare the conversion rate of this campaign against others in the account. If it’s much higher, but the overall conversion value is lower, you could have fraudulent conversion actions occurring.
  2. Check the historical trends in conversion rates for this campaign. Is it spiking at certain times? A campaign hit by click fraud might go from 3% to 20% and back to 3% conversion rates within just a few days.
  3. Check your conversion rates against the industry averages here.

2. Check your bounce rates

Campaigns with a high level of click fraud will generally have a high bounce rate. This is because the bots or malicious actors interacting with your campaigns aren’t browsing around the site like a normal user. They’re visiting the page and bouncing right back. To do this:

  1. Log in to Google Analytics (or whatever analytics platform you use).
  2. Find the landing page of the campaign in question.
  3. Segment the traffic by PPC and Organic users, then compare the bounce rates on each.
  4. Organic will likely be a bit lower, it always is, but if there’s a huge variation you may have an issue.
  5. Check the number of PPC visits recorded in Google Analytics vs the number of clicks in Google Ads. If the clicks are greater than the visits then bots are likely bouncing back before your analytics script even loads – indicating a high likelihood of click fraud.

3. Check your CTR (Click-Thru-Rates)

More malicious clickers means, generally, a higher click thru rate. Of course it’s not always the case, a campaign with an unusually low CTR could have it appear “normal” once malicious activity is taken in to account, but along with other metrics it can be a good indicator. To check this:

  1. Monitor the historic CTR of the campaign – it is peaking wildly on certain days?
  2. Compare the CTR of the campaign to others of the same type. Are they similar, or hugely different?
  3. Check your CTR against the expected industry averages here.

4. Check Expected CTR in Quality Score for each keyword

One easy trick to determine if you’re being impacted by click fraud & invalid traffic is to look at the “Expected CTR” component of the Quality Score metric in Google Ads.

If you find that a specific keyword has “Above Average” as its expected CTR, whilst other similar keywords in the campaign have “Below Average”, this could indicate a click fraud attack against that specific keyword.

This is because click fraud will generally push the CTR higher on the keyword it is targeting, and Google Ads will think “This keyword performs really well, we expect great CTR!” and tell you as such in the Ads interface. Of course, the traffic that is performing well in this instance isn’t actually traffic we want!

5. Check form submissions, user accounts & comments

If you’re collecting form submissions or comments on your site, or you allow users to create accounts, check the timestamps of each against your paid search activity.

If you see an increase in dormant user accounts, spam comments or fake form submissions which coincide with a peak in PPC activity, you could just have identified click fraud occurring.

6. Check for Smart Campaigns

Here at Lunio, we see 31% higher levels of click fraud on Smart Campaigns than standard campaigns. On Smart Display, this jumps to over 80% higher when compared with standard Display Campaigns.

Smart Campaigns are a great idea in theory, but if you think you’re suffering from a click fraud attack, always check if you are running a Smart Campaign. If you are, create a standard campaign to A/B test against it. This will allow you to see if the Smart automation is resulting in higher levels of invalid activity, or if the issue sits elsewhere in the account.

7. Check your display placements

If you’re running display campaigns then it’s almost a certainty that you are experiencing at least some level of click fraud.

Display campaigns are, by far, the most profitable campaign type to target for fraudsters – so running a tight exclusions list is an absolute must.

Audit your display placements weekly (or daily if possible!) and exclude those that appear to be non-legitimate sites, or those with a high CTR (generally over 3% on display is considered very high).

As a starting point, be sure to use our display placement exclusions list containing over 60,000 low quality placements you should exclude from your campaigns. Also consider running a placement allow-list, where you only run ads on placements you have pre-defined.

8. Fetch IP addresses from your server logs

If you’ve detected click fraud on your campaigns from the steps above, it’s time to do something about it. For that, we’ll need to dive in to our server logs.

Download your server logs (ask your web team for a copy of these, or your web host can provide them) and run them through a tool such as Loggly or Dynatrace.

Each PPC click to your site will have a unique identifier in it. For example:

  • Google Ads = GCLID
  • Microsoft Ads = MSCLID
  • Facebook Ads = FBCLID

You can also append custom parameters in your ads to track ad networks that don’t provide this by default.

Search the logs for visits specifically containing these IDs in the URL, then extract the IP addresses of those clicks.

Look for any pattern in those IP addresses to see if they might be suspicious. For example:

  • Are there many clicks from the same IP in a repeating pattern?
  • Are there many clicks from the same subnet (when only the last 3 digits of the IP address change)
  • When looking up these IPs, do they resolve to datacentres or in locations where you aren’t targeting your ads?
  • Did these IPs go on to complete a conversion action (and if so, was the conversion action legit)?

On larger sites this can take a very long time and would need the assistance of your BI team or dedicated data visualization expert.

The good news is, once you have a list of the offending IPs you can upload them to your exclusions list in Google Ads.

The not so good news is you can only add 500 IPs here, and you’ll have to keep re-doing this analysis as new threats appear. Unless…..

9. Use automated click fraud protection

If all of the above sounds like too much work (and let’s be honest, a full-time team of multiple data scientists would still not be enough to analyze everything possible here) and you’re committing to eliminating click fraud for good, then look into automated click fraud protection solutions like Lunio.

Solutions like Lunio allow you to automate the entire click fraud detection process, ensuring that invalid and fraudulent traffic is removed at every stage of your PPC funnel. That leaves you safe in the knowledge that every bid you tweak, keyword you add, campaign you create, or ad copy you write is attracting genuine user interest & conversions, not invalid traffic.

Chat with us to set up a free Lunio demo to learn more about ad fraud detection.

Stop All Advertising Fraud in Seconds