Why blocking IP addresses won't protect your ads from click fraud

August 3, 2022 ∙ 5 minute read

It's a mistake to believe click fraud can be eliminated by blocking bots' IP addresses. In this article we'll prove IP blocking is ineffective, and present an alternative solution which is simple, powerful, and proven to work.

What is click fraud?

Click fraud is a scam which steals money from advertisers and enriches publishers and ad networks. It commonly works like this:

  1. A criminal creates a website which can display search results. The content of the website is irrelevant; the criminal just needs the website to be able to display search results.
  2. The criminal contacts an ad network like Microsoft Ads, and applies for a publisher advertising account. This publisher advertising account allows the fraudster to display adverts on his scam website. For example, if he searches for "lawyer miami" on his website, adverts for lawyers in Miami will be displayed.
  3. The criminal hires a programmer to create a bot which can simulate a human browsing the internet. This bot will visit the criminal's website, perform a search, and then click on one of the ads. For each of these clicks, the advertiser pays money to the ad network, and the ad network shares the money with the criminal.

To learn more about click fraud, you can read our article What is click fraud?

Why aren't the ad networks detecting click fraud?

Most ad networks do a bad job at detecting click fraud. For example, if a criminal creates a bot using Puppeteer-Extra and its stealth plugin, and routes the bot's traffic through a residential proxy service, none of the ad networks will detect the bot, and the criminal will profit from every fake click.

A possible explanation for this is the ad networks have little to no motivation to detect click fraud, as they get paid for every click, real or fake.

Will blocking IP addresses prevent click fraud?

Most click fraud bots route their traffic through random residential IP addresses. That means the bot changes its IP address every time it visits a criminal's website. By using random residential IP addresses for each visit, the bot looks like a random internet user. Additionally, it disguises the bot's real IP address, which typically will be a server IP address at a hosting company with a reputation for spam and fraud.

To quantify the assertion that most click fraud uses unique IP addresses, we randomly selected 10,000 IP addresses which have previously been used for click fraud, and analysed them to see how many are unique, and how many are repeatedly being used for click fraud.

The result: over 80% of the IP addresses used for click fraud were used once. That means if you're trying to stop click fraud by blocking IP addresses, you're going to have a greater than 80% failure rate.

To make matters worse, ad networks like Google Ads only allow you to block 500 IP addresses from seeing or clicking on your ads. Since there are more than four billion IP addresses, what are the odds you're going to correctly guess which ones are being used to click on your ads?

We monitor over 100 million ad clicks every month, and we can see IP address blocking misses over 99.99% of click fraud.

Bottom line: IP address blocking doesn't work and should be avoided.

The best way to prevent click fraud

As you've seen, trying to prevent click fraud by blocking IP addresses is ineffective. Thankfully, there's a simple, powerful, and proven way to protect your ads from click fraud.

Polygraph monitors the activities of click fraud gangs, so we understand the techniques they use and how to detect them.

We check every ad click for bots, and can detect even the most advanced bots, such as Puppeteer-Extra and its stealth plugin. When a bot clicks on one of our customers' ads, we note the date and time of the click, which IP address was used, which website sent the fake click, which ad keywords were targeted, and why the click is fraudulent. Using this data we can prevent future click fraud, and provide the information needed to request a refund from your ad network.

Our click fraud prevention strategy can be broken down into the following four steps:

  1. The ad keywords targeted by click fraud gangs aren't random. For example, the reason the bot searches for "lawyer miami" on the criminal's website is because ads for lawyers in Miami have a high cost per click (CPC), which maximises the criminal's earnings. Polygraph analyses your ad keywords and warns you if any of them are being targeted by click fraud gangs. You then simply use your negative keywords list to block the bots' search terms from triggering your ads.
  2. We keep track of the criminal websites doing click fraud, so you can add those websites to your placement exclusions list at your ad network, preventing the websites from being able to display or click on your ads. This tactic alone eliminates most click fraud.
  3. It's possible to get refunds from the ad networks if you supply them with the details of every fake click. Polygraph makes this easy. Our articles How to get click fraud refunds from Google Ads? and How to get click fraud refunds from Microsoft Ads (Bing Ads)? guide you through the refund process.
  4. Finally, Polygraph shows you which ad networks are doing a good job at detecting click fraud... and which ones aren't. You can use this information to move your ad spend away from the bad ad networks, and towards the good ones.

Conclusion

Blocking IP addresses from clicking on your ads will miss at least 99.99% of click fraud bots. That's an ineffective solution, and should not be used as a click fraud prevention strategy. Instead, you should use our simple, powerful, and proven to work technique to eliminate click fraud from your ad campaigns. This includes: using negative keywords to avoid bots, blocking click fraud websites from displaying your ads, claiming click fraud refunds from the ad networks, and reducing your ad spend at the poor performing ad networks.

Try Polygraph today to protect your ads from click fraud.