Why blocking IP addresses won't protect your ads from click fraud

August 3, 2022 ∙ 5 minute read

It's a mistake to believe click fraud can be eliminated by blocking bots' IP addresses. In this article we'll prove IP blocking is ineffective, and present an alternative solution which is simple, powerful, and proven to work.

What is click fraud?

Click fraud is a scam which steals money from advertisers and enriches publishers and ad networks. It works like this:

  1. A criminal creates a website which can display search results. The content of the website is irrelevant; the criminal just needs the website to be able to display search results.
  2. The criminal contacts an ad network like Microsoft Ads, and applies for a publisher advertising account. This publisher advertising account allows the fraudster to display adverts on his scam website. For example, if he searches for "lawyer miami" on his website, adverts for lawyers in Miami will be displayed.
  3. The criminal hires a programmer to create a bot which can simulate a human browsing the internet. This bot will visit the criminal's website, perform a search, and then click on one of the ads. For each of these clicks, the advertisers pay money to the ad network, and the ad network shares this money with the criminal.

To learn more about click fraud, you can read our article "What is click fraud?"

Why aren't the ad networks detecting click fraud?

Many ad networks do a bad job at detecting click fraud. For example, if a criminal creates a bot using Puppeteer-Extra and its stealth plugin, and routes the bot's traffic through a residential proxy service, Microsoft Ads won't detect the bot, and the criminal will profit from every fake click.

Similarly, Google Ads also struggles to detect Puppeteer-Extra and its stealth plugin, both on the search network and display network. For example, Puppeteer-Extra and its stealth plugin are often used for retargeting click fraud on Google's search network.

Will blocking IP addresses prevent click fraud?

Most click fraud bots route their traffic through random residential IP addresses. That means the bot changes its IP address every time it visits a criminal's website. By using random residential IP addresses for each visit, the bot looks like a random internet user. Additionally, it disguises the bot's real IP address, which typically will be a server IP address at a hosting company with a reputation for spam and fraud.

To quantify the assertion that most click fraud uses unique IP addresses, we randomly selected 10,000 IP addresses which have previously been used for click fraud, and analysed them to see how many are unique, and how many are repeatedly being used for click fraud.

The result: over 80% of the IP addresses used for click fraud were used once. That means if you're trying to stop click fraud by blocking IP addresses, you're going to have a greater than 80% failure rate.

To make matters worse, ad networks like Google Ads only allow you to block 500 IP addresses from seeing or clicking on your ads. Therefore if you have 10,000 IP addresses which are known to have previously committed click fraud, you're limited to blocking 500 (5%) of the IP addresses.

We already know only 20% of the 10,000 IP addresses have been used more than once to commit click fraud. Therefore if you randomly block 500 of the 10,000 IP addresses, only 100 of the 500 blocked IP addresses have any chance of preventing click fraud, as 20% of 500 is 100. In other words, out of the 10,000 IP addresses used to commit click fraud, you might be able to block 1% of the click fraud bots.

If we try to be smart about our IP blocking, and only block 500 IP addresses which have been used more than once to commit click fraud, we're still going to have a 95% failure rate, as 500 is only 5% of 10,000.

The best way to prevent click fraud

As you've seen, trying to prevent click fraud by blocking IP addresses is ineffective. Thankfully, there's a simple, powerful, and proven way to protect your ads from click fraud.

Polygraph monitors the activities of click fraud gangs, so we understand the techniques they use and how to detect them.

We check every ad click for bots, and can detect even the most advanced bots, such as Puppeteer-Extra and its stealth plugin. When a bot clicks on one of our customers' ads, we note the date and time of the click, which IP address was used, which website sent the fake click, which ad keywords were targeted, and why the click is fraudulent. Using this data we can prevent future click fraud, and provide the information needed to request a refund from your ad network.

Our click fraud prevention strategy can be broken down into the following four steps:

  1. The ad keywords targeted by click fraud gangs aren't random. For example, the bot searches for "lawyer miami" on the criminal's website because ads for lawyers in Miami have a high cost per click (CPC), which maximises the criminal's earnings. Polygraph analyses your ad keywords and warns you if any of them are being targeted by click fraud gangs. You then simply remove those keywords from your ad campaigns to avoid being targeted.
  2. We keep track of the criminal websites doing click fraud, so you simply add these websites to your placement exclusions list at your ad network, preventing the websites from being able to display or click on your ads. This tactic alone eliminates most click fraud.
  3. It's possible to get refunds from the ad networks if you supply them with the details of every fake click. Polygraph makes this easy. Our articles "How to get click fraud refunds from Google Ads?" and "How to get click fraud refunds from Microsoft Ads (Bing Ads)?" guide you through the refund process.
  4. Finally, Polygraph shows you which ad networks are doing a good job at detecting click fraud... and which ones aren't. You can use this information to move your ad spend away from the bad ad networks, and towards the good ones.
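
The IP-reuse measurement and the placement-exclusion step described above can be checked against your own export of flagged clicks. The following is an added example, not Polygraph's code: the record fields (day, ip, site), the function names and the sample log are constructed for illustration, and the figures it prints describe only that constructed sample.

```python
from collections import Counter

IP_EXCLUSION_CAP = 500  # Google Ads IP exclusion limit quoted in the article

def build_sample():
    """Constructed log of clicks already flagged as fraudulent (not real data)."""
    clicks = []
    for n in range(40):
        # every fifth click reuses one of two addresses; the rest use a fresh one
        ip = f"198.51.100.{n % 2}" if n % 5 == 0 else f"203.0.113.{n}"
        clicks.append({"day": n // 4, "ip": ip, "site": f"search-site-{n % 3}.example"})
    return clicks

def single_use_share(clicks):
    """Fraction of distinct IP addresses that appear on exactly one click."""
    counts = Counter(c["ip"] for c in clicks)
    if not counts:
        return 0.0
    return sum(1 for seen in counts.values() if seen == 1) / len(counts)

def exclusion_coverage(history, later, field, cap):
    """Share of later flagged clicks that an exclusion list built from `history`
    would have stopped, keeping only the `cap` most frequent values of `field`."""
    ranked = Counter(c[field] for c in history).most_common(cap)
    listed = {value for value, _ in ranked}
    if not later:
        return 0.0
    return sum(1 for c in later if c[field] in listed) / len(later)

def compare(clicks, split_day, cap=IP_EXCLUSION_CAP):
    """Build both lists from clicks before `split_day` and score them on the rest.
    Assumption: the same cap is applied to the site list for a like-for-like test."""
    history = [c for c in clicks if c["day"] < split_day]
    later = [c for c in clicks if c["day"] >= split_day]
    return {
        "single_use_ip_share": single_use_share(history),
        "ip_list_coverage": exclusion_coverage(history, later, "ip", cap),
        "site_list_coverage": exclusion_coverage(history, later, "site", cap),
    }

if __name__ == "__main__":
    for name, value in compare(build_sample(), split_day=5).items():
        print(f"{name}: {value:.2f}")
```

Scoring each list only on clicks that arrive after it was built is what makes the comparison fair: an exclusion list always looks perfect against the clicks it was built from.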


Blocking IP addresses from clicking on your ads will miss at least 95% of click fraud bots. That's an ineffective solution, and should not be used as a click fraud prevention strategy. Instead, you should use our simple, powerful, and proven technique to eliminate click fraud from your ad campaigns. This includes removing at-risk ad keywords from your campaigns, blocking click fraud websites from displaying your ads, claiming click fraud refunds from the ad networks, and reducing your ad spend at the poorly performing ad networks.

Polygraph makes this easy, and we'd love to help you keep your ad campaigns free of click fraud.

Try Polygraph today to protect your ads from click fraud.