Why captchas won't protect you from click fraud

May 22, 2024 ∙ 2 minute read

In this article we explain what is click fraud, why captchas can't prevent it, and provide advice on how to properly deal with click fraud.

What is a captcha?

You likely already know what is a captcha, and have certainly encountered them many times. Captchas, such as Google's reCAPTCHA and Intuition Machines' hCaptcha, attempt to differentiate between humans and bots by forcing visitors to complete puzzles or click on buttons. If the captcha is completed successfully, the visitor is allowed continue with his browsing.

What is click fraud?

Click fraud is the USD $100 billion crime almost no one has heard of. Criminals create websites, place ads on them (just like a normal publisher), and use bots to click on the ads. For each of these clicks, the advertiser pays money to the ad network, and roughly half the money is shared with the criminal.

Since the ad networks have a conflict of interest - they get paid for every click, real and fake - they don't have a lot of motivation to detect and prevent click fraud. Most ad networks do barely any click fraud detection, including some of the major ad networks.

You can read more about click fraud here: What is click fraud?

Why don't captchas prevent click fraud?

There are two issues here.

The first is the fact the captcha kicks in after the ad click has occurred, so it doesn't matter if the visitor is a human or bot - you've already been charged by the ad network.

The second problem is the trickery used by bot operators to bypass captchas. For example, Puppeteer Extra, the click fraudster's preferred bot framework, has a plugin called puppeteer-extra-plugin-recaptcha. This plugin automatically solves reCAPTCHAs and hCaptchas, and only requires a single line of code: await page.solveRecaptchas().

How to prevent click fraud?

To prevent click fraud you need to make campaign adjustments so the bots can no longer see or click on your ads. Don't be fooled by click fraud prevention gimmicks, such as blocking IP addresses, as they'll miss most fake clicks.

We recommend the following:

  • Use search networks only and ensure display and search partners are turned off. This is because most click fraud occurs on display networks, and search partners have a serious bot problem.
  • Use exact matching with a large number of negative keywords. This is important as it allows you to blacklist the search terms used by click fraud bots.
  • Use strict location settings, and ensure options such as "located in" are selected. You do not want to target people "interested in" your location, as this will include large numbers of irrelevant visitors.
  • Use highly targeted audience settings, and ensure there are no unknowns.
  • Use a competent click fraud detection service like Polygraph to understand how bots are finding your ads, and quantify your click fraud loss.
  • Use fake lead prevention from a service like Polygraph to ensure bots don't waste your sales teams' time, and to block the leads' conversion signals which train the ad networks to send you more bot traffic.


Captchas are of little use when it comes to preventing click fraud, as they occur post-click, meaning you've already been charged for the fraud. Additionally, it's trivial to bypass captchas, with bot frameworks like Puppeteer Extra only requiring a single line of code to bypass both reCAPTCHAs and hCaptchas.

Try Polygraph today.