Why blocking IP addresses won't protect your ads from click fraud

August 3, 2022 ∙ 5 minute read

It's a mistake to believe click fraud can be eliminated by blocking bots' IP addresses. In this article we'll prove IP blocking is ineffective, and present an alternative solution which is simple, powerful, and proven to work.

What is click fraud?

Click fraud is a scam which steals money from advertisers and enriches publishers and ad networks. It works like this:

  1. A criminal creates a website which can display search results. The content of the website is irrelevant; the criminal just needs the website to be able to display search results.
  2. The criminal contacts an ad network like Microsoft Ads, and applies for a publisher advertising account. This publisher advertising account allows the fraudster to display adverts on his scam website. For example, if he searches for "lawyer miami" on his website, adverts for lawyers in Miami will be displayed.
  3. The criminal hires a programmer to create a bot which can simulate a human browsing the internet. This bot will visit the criminal's website, perform a search, and then click on one of the ads. For each of these clicks, the advertisers pay money to the ad network, and the ad network shares this money with the criminal.

To learn more about click fraud, you can read our article What is click fraud?

Why aren't the ad networks detecting click fraud?

Many ad networks do a bad job at detecting click fraud. For example, if a criminal creates a bot using Puppeteer-Extra, and routes its traffic through a residential proxy service, Microsoft Ads won't detect the bot, and the criminal will profit from every fake click.

As to why Microsoft Ads struggles to detect bots created using Puppeteer-Extra, we have no good explanation.

By comparison, Google Ads can detect bots created using Puppeteer-Extra, and are especially good at preventing bots from clicking on ads displayed at google.com. This is a side effect of Google's efforts to prevent bots from scraping its search results - by preventing bots from accessing google.com, it also prevents bots from being able to click on the ads displayed within its search results.

Will blocking IP addresses prevent click fraud?

Most click fraud bots route their traffic through random residential IP addresses. That means the bot changes its IP address every time it visits a criminal's website. By using random residential IP addresses for each visit, the bot looks like a random internet user. Additionally, it disguises the bot's real IP address, which typically will be a server IP address at a hosting company with a reputation for spam and fraud.

To quantify the assertion that most click fraud uses unique IP addresses, we randomly selected 10,000 IP addresses which have previously been used for click fraud, and analysed them to see how many are unique, and how many are repeatedly being used for click fraud.

The result: over 80% of the IP addresses used for click fraud were used once. That means if you're trying to stop click fraud by blocking IP addresses, you're going to have a greater than 80% failure rate.

To make matters worse, ad networks like Google Ads only allow you to block 500 IP addresses from seeing or clicking on your ads. Therefore if you have 10,000 IP addresses which are known to have previously committed click fraud, you're limited to blocking 500 (5%) of the IP addresses.

We already know only 20% of the 10,000 IP addresses have been used more than once to commit click fraud. Therefore if you randomly block 500 of the 10,000 IP addresses, only 100 of the 500 blocked IP addresses have any chance of preventing click fraud, as 20% of 500 is 100. In other words, out of the 10,000 IP addresses used to commit click fraud, you might be able to block 1% of the click fraud bots.

If we try to be smart about our IP blocking, and only block 500 IP addresses which have been used more than once to commit click fraud, we're still going to have a 95% failure rate, as 500 is only 5% of 10,000.

The best way to prevent click fraud

As you've seen, trying to prevent click fraud by blocking IP addresses is ineffective. Thankfully, there's a simple, powerful, and proven way to protect your ads from click fraud.

Polygraph monitors the activities of click fraud gangs, so we understand the techniques they use and how to detect them.

We check every ad click for bots, and can detect even the most advanced bots, such as Puppeteer-Extra and custom headless browsers. When a bot clicks on one of our customers' ads, we note the date and time of the click, which IP address was used, which website sent the fake click, which ad keywords were targeted, and why the click is fraudulent. Using this data we can prevent future click fraud, and ensure the ad networks refund every fake click.

Our click fraud prevention strategy can be broken down into the following four steps:

  1. The ad keywords targeted by click fraud gangs aren't random. For example, the reason the bot searches for "lawyer miami" on the criminal's website is because ads for lawyers in Miami have a high cost per click (CPC), which maximises the criminal's earnings. Polygraph analyses your ad keywords and warns you if any of them are being targeted by click fraud gangs. You then simply remove those keywords from your ad campaigns to avoid being targeted.
  2. We keep track of the criminal websites doing click fraud, so you simply add these websites to your placement exclusions list at your ad network, preventing the websites from being able to display or click on your ads. This tactic alone eliminates most click fraud.
  3. It's possible to get refunds from the ad networks if you supply them with the details of every fake click. Polygraph makes this easy. Our articles How to get click fraud refunds from Google Ads? and How to get click fraud refunds from Microsoft Ads (Bing Ads)? guide you through the refund process.
  4. Finally, Polygraph shows you which ad networks are doing a good job at detecting click fraud... and which ones aren't. You can use this information to move your ad spend away from the bad ad networks, and towards the good ones.

Polygraph offers a free version (no credit card required) which will monitor 500 ad clicks for fraud each month. Our paid accounts start at USD 50, and scale with your needs.

Try Polygraph today free of charge.

Still want to block IP addresses?

If this article hasn't convinced you to reconsider IP blocking as a click fraud prevention strategy, Polygraph offers an IP blocking service, free of charge. Simply sign up to our free account to get started.


Blocking IP addresses from clicking on your ads will miss at least 95% of click fraud bots. That's an ineffective solution, and should not be used as a click fraud prevention strategy. Instead, you should use our simple, powerful, and proven to work technique to eliminate click fraud from your ad campaigns. This includes: removing at risk ad keywords from your campaigns, blocking click fraud websites from displaying your ads, claiming click fraud refunds from the ad networks, and reducing your ad spend at the poor performing ad networks.

Polygraph makes this easy, and we'd love to help you keep your ad campaigns free of click fraud.

Try Polygraph today free of charge.