Beware of click fraud protection gimmicks

September 28, 2022 ∙ 4 minute read

An unfortunate aspect of the click fraud detection industry is the number of ineffective gimmicks which offer little to no protection against click fraud. In this article we will discuss three click fraud protection gimmicks, and explain the correct way to protect your advertisements against click fraud.

What is click fraud?

Click fraud is an online scam which drains advertisers' budgets, and enriches criminals. It works like this:

  1. A criminal creates a website, and contacts an advertising network like Google Ads or Microsoft Ads to request a publisher advertising account. This publisher advertising account allows the scammer to place genuine adverts on his website. Every time one of these ads are clicked, the advertiser pays money to the advertising network, and the advertising network shares this money with the scammer.
  2. The criminal hires a bot programmer to create a click fraud bot. This bot will visit the criminal's website and click on the ads. The bot will simulate a real internet user, fooling the advertising networks into believing the clicks are real. To ensure the bot remains undetected, the programmer will use software such as puppeteer-extra-plugin-stealth to ensure the bot closely resembles a human, and a residential proxy service to ensure a unique IP address is used every time the bot visits the scammer's website.
  3. The bot will generate fake conversions on the advertisers' websites to further trick the advertising networks into believing the fake clicks are real. You can read more about this in our article What is conversion fraud?.

There are thousands of publishers using the above click fraud technique to steal tens of billions of dollars from advertisers every year.

How to detect click fraud?

Before we discuss click fraud detection gimmicks, let's explain the correct way to detect and prevent click fraud.

The first thing you need to do is inspect every ad click to see if the visitor is a bot, or if the click was generated through trickery. For example, the Polygraph click fraud detection service is able to detect bots created using puppeteer-extra-plugin-stealth by asking the bot a series of questions which forces it to reveal its true identity.

After detecting a fake click, you can then check to see which website sent the click, and then block that website from being able to display your ads in the future. Additionally, you can see which of your ad keywords are being targeted by criminals, so you can either remove those ad keywords from your campaigns to avoid click fraud, or price the fraud into your product.

Finally, you can send the click fraud data to your advertising network to receive refunds for the fake clicks on your ads.

Polygraph uses the above techniques to detect and prevent click fraud. Try our free service today (no credit card required) to protect your advertising budget from scammers.

Click fraud detection gimmicks

The first click fraud detection gimmick we'll look at is trying to prevent click fraud through IP address blocking.

Google Ads lets you block up to 500 IP addresses from seeing or clicking on your ads. That means, in theory, you can protect your ads from 500 "bad" IP addresses. The problem with this technique is it misunderstands how click fraud works. As we explained above, click fraud bots are routed through proxy services to ensure unique IP addresses are used every time the bots visit the scammers' websites. That means most IP addresses are used once, and then never used again. Therefore if you try to block 500 of these IP addresses from clicking on your ads, you're not going to reduce your click fraud risk, as it's unlikely any of these IP addresses will be used in the future by click fraud scammers. You can read our article Why blocking IP addresses won't protect your ads from click fraud to see the results of our study which proves IP address blocking is a gimmick.

The second gimmick to be aware of is the idea of automatically pausing your ad campaigns if any click fraud is detected. The theory here is the click fraud bots will get frustrated by this, and move onto a different target. This technique also misunderstands the reality of click fraud. As we explained above, click fraud bots are automated, so they don't care (and won't even notice) if your ads have been paused. They simply go to the criminal's website and click on whatever ads are presented to it. That means if you pause your ads for a week, as soon as they're restarted the click fraud will continue.

A third gimmick to be aware of is flagging VPN traffic as fraudulent. The problem with this theory is VPN use by itself doesn't mean anything. The visitor could be using a VPN, cellphone, or their own private internet connected satellite. The click is either real or fake, and using a VPN doesn’t automatically make someone a criminal. As we stated earlier, detecting click fraud is a science, so there's no need to guess a click is fake, just because a VPN is being used.


It's important you use a click fraud detection service who understands the reality of click fraud, and sticks to the science when it comes to protecting your ads against fake clicks.

Click fraud can be detected, and preventing it involves blocking click fraud websites from displaying your ads, removing at risk ad keywords, and getting click fraud refunds from the ad networks to ensure you're not wasting money on fake clicks.

You should avoid click fraud detection gimmicks such as trying to prevent click fraud by blocking IP addresses, temporarily turning off your ad campaigns to frustrate click fraud bots, and assuming anyone using a VPN is a criminal.

Polygraph understands the reality of click fraud, and sticks to the science when it comes to detecting and preventing click fraud. Try our service today, free of charge, and protect your ad budget from click fraud.