What is click fraud?

March 17, 2022 ∙ 5 minute read

You've probably heard of click fraud, but aren't really sure how it works, who's doing it, or why they're doing it. This article will answer these questions, and clear up some myths and misconceptions about modern day click fraud.

The basics of pay-per-click (PPC) advertising

Before explaining click fraud, we need to be sure we understand how PPC advertising works. We'll use a fairly simple example to get the main points across.

Tom owns a website which sells luxury shoes. He wants to attract more visitors, so he registers an account at Google Ads, creates an advert for his website, and asks Google to display his ad across the internet. Tom will have to pay up to $5 every time someone clicks on the ad, as the luxury shoes ad space is very competitive, with a lot of advertisers competing for our attention.

Jerry runs a popular fashion blog and wants to earn money through advertising. She registers an account at Google Ads, but instead of creating an advertiser account she creates a publisher account. That means she can display other people's ads on her website, and will earn money every time an ad gets clicked. For example, if a person goes to Jerry's blog and searches for "luxury shoes", Tom's ad might appear. If the visitor clicks on the ad, Tom will be charged $5. This $5 is split between the ad network and publisher: Google Ads keeps around 40%, and the rest goes to Jerry.

The problem with PPC advertising

PPC advertising works very well, but there's a problem with fake clicks, otherwise known as click fraud.

Organized criminals are creating publisher websites, sending large amounts of traffic to those websites, and using technology and trickery to generate fake clicks on the ads. This is costing advertisers billions of dollars every year, and making the criminals (and ad networks!) very rich.

The anatomy of a click fraud gang

Click fraud gangs consist of the leaders, software engineers, account managers, and digital marketers. The leaders are criminals, usually with ties to organized crime. Their role is to come up with the overall fraud, and to manage the various team members. The software engineers create websites, research and develop click fraud techniques, and manage the server infrastructure. The account managers are responsible for the relationships with the various ad networks. This includes opening the publisher accounts and handling all communications. The digital marketers research the various ad networks to figure out which ones should be targeted. This includes seeking out ad networks who have unsophisticated click fraud detection.

The click fraud process

When the criminal gang have a publisher account and a website to display ads, they can begin the click fraud process.

  1. The digital marketers buy a large amount of cheap traffic, and send it to the fraudulent website.
  2. The software engineers redirect this traffic so it will automatically trigger a search. For example, if the traffic is sent to evil-website.com, it will be redirected to searches like evil-website.com?search=luxury+shoes. This redirection ensures high paying adverts are shown to the visitors.
  3. The software engineers use technology and trickery to guarantee a certain percentage of visitors click on the ads. For example, a pop-up might appear warning the visitor that a virus is about to download. When the visitor clicks cancel on the pop-up, the click is hijacked and redirected to the advert.

The above three steps happens millions of times per day, and at the end of the month the fraudsters receive a pay check from the ad network. Most fraudsters have hundreds of publisher websites, so their profits are enormous.

Click fraud targets specific keywords

The ad keywords targeted by cybercriminals aren't random, and almost always have a high cost per click (CPC). The criminals only force around 10% of visitors to click on the ads, as a higher click through rate (CTR) would raise suspicion. That means almost 90% of the traffic they purchase does not generate income. Therefore they use searches like evil-website.com?search=pay+day+loans to guarantee high paying ads will be displayed, and the 10% CTR generates enough income to pay for the entire traffic cost, the staff's salaries, and a hefty profit.

Why click fraud remains undetected

The ad networks don't want click fraud on their networks, but generally they consider a click from a real person to be valid. That is why the digital marketers in step one bought real traffic instead of using bots. By using real traffic, every click comes from a real person, and will be considered valid by most ad networks.

Some fraudsters continue to use bots instead of buying real traffic, as bots are far cheaper to buy or produce, however the downside is their detectability: most ad networks use sophisticated bot detection techniques, so will flag the clicks as invalid. This could lead to the criminal's publisher accounts being closed, hence why real visitors are used.

How to stop click fraud

Polygraph are experts at detecting and stopping click fraud. We monitor click fraud gangs, so we understand the techniques they use, and we know how to detect and block them. As a Polygraph customer you can see which of your ad keywords are being targeted by criminals, how much fraud you're receiving from each ad network, and the details of every fake click so you can get refunds from the ad networks. We also monitor the bots being used to commit click fraud, so we can automatically block bots from being able to see your Google Ads.

Other types of click fraud

There are a few other types of click fraud worth mentioning, although they account for a small percentage of the click fraud you are likely to experience. Competitors sometimes click on each other's ads, with the goal of draining each other's ad budgets. This type of fraud is typically detected by the ad network, and many of the clicks would be discarded and the advertiser would not be charged. Another type of fraud which is sometimes discussed in the media is "click farms" which consists of dozens of phones and laptops connected to the internet, and a team of people clicking on various ads throughout the day. In reality, this type of setup is rare, and has been replaced by the type of fraud discussed in "The click fraud process" section above.

Conclusion

Click fraud is a sophisticated crime, with teams of marketers, software engineers, and account managers working together to defraud advertisers. Most fraud happens on publisher websites, as that is how criminals can profit from fake clicks. There are many methods for achieving click fraud, with hijacking the visitor's clicks being just one technique. Occasionally there is fraud on non-publisher websites such as Google's search results, but this is less common and is typically detected by the ad networks.

To reduce your risk of click fraud, you should limit your advertising to Google's search results only (exclude publisher accounts from displaying your ads), or use a click fraud detection service like Polygraph to ensure your risk is minimized. Try Polygraph today free of charge.