“Click fraud” is the practice of abusing pay-per-click ads to generate the appearance that an ad is being viewed by far more users than it actually is, thus dishonestly generating revenue for the ad service that does not reflect any actual benefit to the company which placed and paid for the advertisement. This article discusses the many forms of click fraud and ways to combat it.
Fruition’s click fraud tool is in private beta for Fruition clients. By signing up for Fruition’s SEO/SEM software you are placed in the public queue. We’re keeping the click fraud prevention software in private beta to keep it relevant and stay a step ahead of the individuals committing the frauds. If they do not know what we’re catching and how we’re catching it, they won’t adjust their strategies.
Pay-per-click advertising is a common form of online advertisement involving three parties: (1) advertisers, (2) advertising networks, and (3) publishers. An advertiser creates an advertisement or link to their site, which they wish to be displayed on a publisher’s website. Advertising networks locate publishers with websites relevant to the content of the link, whose viewers are thus more likely to be interested and click on it, and place the link there. Each time a user clicks on the link, the advertiser pays a fee to the advertising network, which in turn passes a portion of the fee to the publisher.
In addition to advertising networks and publishers, click fraud is also sometimes carried out by competitors of the company which placed the ad. In that case, the perpetrator’s goal is not to make money themselves, but to deplete the advertisement budget of the company which placed the ads and thereby provide the competitor an advantage. It may also be carried out by unrelated third parties for purely spiteful reasons, such as a personal grudge against the company which placed the ad. This type of click fraud falls into a legal grey area since, unlike click fraud perpetrated by a publisher or advertising network, there is no legal contract or obligation between the user and the advertiser.
Because the fee is paid regardless of whether the user who follows the link actually proceeds to buy anything or indeed has any legitimate interest in its contents at all, there is a strong financial incentive for both the advertising network and the publisher to see that the link is clicked on as many times as possible. In order to make money, they may try to make it look like the ad is being clicked many more times than it actually is, using methods such as running a computer script which repeatedly clicks on the ad hundreds of times. In this scenario, the advertising network (e.g. Google, AOL, Yahoo!, Bing, Outbrain, etc.) pays the affiliate a percentage of the fee. This is known as click fraud.
The simplest form of click fraud is that which is carried out from a single computer. This can be as simple as a person manually clicking on an ad over and over. More sophisticated users may set up an automated script which carries out the tedious work for them. While primitive, this type of click fraud can nevertheless be damaging if the fraudster is persistent enough to keep it up over a prolonged period of time and the advertiser is lax enough to not notice the high number of suspicious clicks. This is typically the easiest form of click fraud to detect, as it comes from a single source; other forms of click fraud involve distributing the attack across many different IP addresses so as to conceal its nature.
One method publishers use to increase the clicks on their ads without doing the clicking themselves is “crowdsourcing”. For example, a publisher might include text next to their sponsored links saying “support this page by clicking these ads”, resulting in many clicks by people with no actual interest in the ads’ content. In many cases, the users clicking on the ads may be doing so innocently, only desiring to support a site which they enjoy and unaware that their actions constitute participation in click fraud. The publisher requesting that they carry out the clicking also might not think that what they are doing counts as fraud, rationalizing that since they are encouraging real people to actually view the advertisements, the traffic should count as legitimate. Google’s guidelines for AdSense forbid this type of behavior from publishers, but other advertising networks may not hold their publishers to the same standards.
One step shadier than crowdsourcing is “incentivized traffic”, where a site offers some reward to visitors for clicking on the advertisements – for instance, a store giving a discount code to visitors who click on ads, or a video game site asking players to click on ads in exchange for in-game bonuses. This can generate many ad clicks from people who have no actual interest in the advertisement and are simply doing it for the in-game benefit. Unlike crowdsourcing, an actual reward is being offered to those who click the ads, which is likely to result in a higher rate of fraudulent clicks.
Incentivized traffic taken to its extreme results in a “click farm”, where people are outright paid money in exchange for clicking on advertisements all day. Using actual humans rather than automated scripts is considered advantageous because the people participating in a click farm can be instructed as to how to make their actions appear more “natural” and thus more likely to evade detection by automated filters; for instance, after following a link to an advertiser’s site, they can subscribe to the company’s newsletter in order to make their interest appear valid. Click farms are most commonly run in developing countries, where there are large numbers of impoverished and unemployed people who can be hired to work for a very low price.
Even shadier than employing people to generate false traffic is the practice of redirecting legitimate user traffic, called a “hit inflation attack.” With crowdsourcing and incentivized traffic, users are at least presented the choice of clicking on ads and the opportunity to view their contents. However, some websites utilize redirects to automatically bounce visitors to advertisements and then immediately back to the page they clicked on. The visitor doesn’t actually see the ad, or even notice anything other than a slightly longer than usual load time, but it’s counted as a hit by the advertisement. Visits to the site are converted directly into clicks on the ad; and since the fraudulent clicks are based on the natural flow of web traffic, they don’t look suspicious in the way that repeated clicks from a single source do.
Finally, organized criminals can carry out click fraud using “bot nets”, large networks of computers which have been infected with malware and carry out instructions without the owner’s knowledge. The malicious user behind the bot net can instruct the compromised computers to visit certain sites and click the ads, generating many seemingly unrelated clicks from different IP addresses. Larger bot nets can comprise millions of compromised computers, and have been used to commit various types of computer crime, including click fraud.
It might seem like click fraud could be stopped by identifying the IP addresses from which fraudulent clicks are originating and using a firewall to block them. However, even in the simplest click fraud scenario, an automated script running on a single computer which repeatedly clicks on an ad, a simple IP block can be circumvented by using a proxy or an anonymizing service like Tor. Other types of click fraud by their very nature rely on single clicks from a great variety of different IP addresses rather than repeated clicks from a single IP address. With methods such as crowdsourcing, incentivized traffic, click farms, hit inflation attacks, and bot nets, the distributed nature of click fraud makes it difficult to differentiate false visitors from legitimate ones, let alone block them. Further, ad networks such as Google and Bing do not want to, nor could they effectively, block huge blocks of IP addresses from accessing their services. Ultimately, a firewall cannot stop well-organized click fraud.
Google AdWords is one of the largest advertising networks on the Internet. It also represents a special case with regard to click fraud, because Google is acting as both publisher and advertising network: it not only matches ads to appropriate sites, as the typical advertising network does, but also runs ads on the results pages of searches conducted using the Google search engine, giving it the role of publisher. Some critics claim that this is a conflict of interest because it means that Google stands to profit from click fraud which is committed against the clients which pay it to place ads. Google AdWords uses its own methods to determine fraudulent clicks, which they don’t charge for; however, these methods are also proprietary and therefore unverifiable, requiring the advertiser to trust Google. For a public company whose primary source of revenue is ad clicks, just a percent or two of fraud could represent hundreds of millions of dollars. Google contends that click fraud is ultimately harmful because it lowers the quality and therefore the value of the ad placements it sells.
Google uses a three-tier system to detect click fraud: first, automated filters which filter out suspicious clicks as they occur; second, offline analysis by automated algorithms and human analysts; and third, in-depth investigations of complaints of click fraud presented to Google by advertisers. According to Google, around 10% of clicks on ads placed through AdWords are detected to be fraudulent, which would potentially total hundreds of millions of dollars of wasted payment if they went undetected. Google does not charge AdWords customers for clicks on their ads which it determines to be fraudulent, and claims that only 0.02% of clicks which pass their detection system are fraudulent.
In the case of simple click fraud, such as an automatic clicking program running on a single computer, it is extremely easy to identify clicks which cannot possibly be valid; for instance, no human could click on an ad a hundred times in a single second. More sophisticated methods of click fraud, however, are much harder to identify. Fruition uses sophisticated machine learning systems to analyze log files and recorded user behaviors both before and after the ad click, performing an in-depth forensic analysis to determine if there is fraud.
Perhaps the most basic sign that click fraud is occurring is a large, sudden increase in the amount of money which is being spent on a pay-per-click ad. In such a case, one can hire a company to investigate, and request a refund from the advertising network if evidence of fraud is detected.
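The two simplest signals described above, a per-source click rate no human could produce and a sudden jump in daily ad spend, can be checked directly against a click log. The following is an added example, not Fruition’s or Google’s method and not part of the original article; the log format, thresholds and addresses are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime
from statistics import median

def build_sample_log():
    """Constructed sample lines: ISO timestamp, source IP, cost per click (USD)."""
    rows = []
    for day in range(1, 6):  # days 1-5: ordinary traffic, 4 clicks a day
        for n in range(4):
            rows.append(f"2024-03-0{day}T10:0{n}:00 198.51.100.{day * 10 + n} 0.50")
    for n in range(20):      # day 6: one address clicks 20 times within a second
        rows.append(f"2024-03-06T09:00:00.{n:02d}0000 203.0.113.7 0.50")
    for n in range(40):      # day 7: 40 single clicks from 40 different addresses
        rows.append(f"2024-03-07T11:{n:02d}:00 192.0.2.{n + 1} 0.50")
    return rows

def parse(rows):
    # Split each line into (timestamp, ip, cost) and order the clicks by time.
    fields = (row.split() for row in rows)
    return sorted((datetime.fromisoformat(t), ip, float(c)) for t, ip, c in fields)

def burst_sources(clicks, window_s=1.0, max_clicks=10):
    """IPs with more than max_clicks inside any sliding window of window_s seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, _ in clicks:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop clicks that fell out of the window
        if len(q) > max_clicks:
            flagged.add(ip)
    return flagged

def spend_spikes(clicks, factor=3.0, lookback=5):
    """Days whose spend exceeds factor times the median of the preceding days."""
    daily = defaultdict(float)
    for ts, _, cost in clicks:
        daily[ts.date().isoformat()] += cost
    days, spikes = sorted(daily), []
    for i, day in enumerate(days):
        history = [daily[d] for d in days[max(0, i - lookback):i]]
        if len(history) >= 3 and daily[day] > factor * median(history):
            spikes.append(day)
    return spikes

if __name__ == "__main__":
    clicks = parse(build_sample_log())
    print(burst_sources(clicks), spend_spikes(clicks))
```

On the sample data the per-IP check flags only the scripted source, while the distributed clicks on the last day show up only as a spend spike, which matches the article’s point that single-source rules miss distributed fraud.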
The drawing below is from a click fraud patent application that demonstrates an initial take at how to prevent click fraud.
Jeff Williams is an SEO Project Manager at Fruition based in Denver, Colorado. Jeff uses his deep understanding of SEO and internet marketing to guide clients, optimize websites and ultimately improve search rankings.