Start your free trial High-volume or established business? Request a demo. How to Identify and Prevent Fraudulent Clicks. BigCommerce helps growing businesses, enterprise brands, and everything in-between sell more online. Microsoft and their Bing search engine are the second biggest player in the PPC world excludng social media sites , and they have been known to take click fraud very seriously. Back in , Microsoft sued a family team based in Vancouver, BC for their part in a click fraud scam designed to drive traffic to their World of Warcraft and auto insurance based websites.
We mentioned Methbot earlier, but this huge criminal scam is a long running and hugely profitable bot network which is designed to make money off video advertising. It is alleged that the gang have set up around , URLs that host video adverts which rack up around million video ad views each day!
The sophistication of the Methbot set up is staggering, with domain names made to look like they belong to well known brands like ESPN and Vogue, around , bots and the software making the interaction with the videos look like genuine human behaviour.
Another sophisticated bot setup which was uncovered in is Hyphbot. With around a million URLs registered, Hyphbot was a prime example of ad spoofing ; a practice where fake websites are made to look like big name publishers like The Economist or The Financial Times. Advertisers then place their ads on these spoofed sites which then receive a high volume of bot traffic, inflating the PPC payout.
One of the most notorious click farms discovered was in Thailand in With around smartphones linked up to , SIM cards and 9 computers, the click farm was connected to Chinese fraudsters who used the click farm to boost likes and engagement on Chinese social media site WeChat. Bangladesh and India are also regularly listed as some of the top places to set up click farms, thanks to the low wages paid to workers. The next time you see an Instagram account which seems to have an unfathomably large following, it might be thanks to click farms.
In fact many popular influencers and business accounts, and even some celebrities have used click farms to inflate their popularity online.
When it comes to Google Adwords fake clicks, companies who want to waste their competitors advertising budget can easily hire a click farm to click on ads. A simple search online will net plenty of places where you can buy fake clicks for a low price, for whatever purpose you want.
Click farms are a very real and growing business. As click fraud is a huge problem, and one that is growing by the day, there are several steps you can take to minimise and mitigate your exposure to it.
The good news is that the major search engines like Google, Bing and even Facebook, do have some strategies in place to combat ad fraud and click fraud. For example, Google does block things like high bounce rate visits often the sign of an accidental click or obvious web scraper or some multiple visits from the same IP address. It is the increasingly sophisticated click fraud approaches that cause the biggest headaches. With software able to imitate human behaviour, switch IP addresses using VPNs and proxies, or even those click farms pulling the wool over the search engines virtual eyes, additional measures are often needed to minimise exposure to click fraud.
In the USA and several European countries, practices such as wire fraud, racketeering, deceptive business practices and data manipulation are illegal. So when it comes to legal challenges against click fraud, it will most often come to proving practices such as these.
The act of defrauding advertisers is also one that is illegal in most countries, but the problem is policing it. Although digital crime is an area that is becoming increasingly complex, and profitable, there are few resources globally to combat it. Clicking multiple times on a search result; creating a website designed to host banner ads and then channelling traffic though it; hiring a click farm to download an app times a day.
This is all obviously highly damaging and fraudulent practice, but hard to prove and a grey area when it comes to legality. There are some cyber crime authorities who you can report activity to if you believe there is a serious and organised threat occuring. However, most of these agencies are set up to tackle more obvious cyber crime threats such as identity theft, people smuggling, drug dealing, terrorism, pornography and other more tangible problems. There are several manual checks you can do yourself to see if there has been any fraudulent activity on your ad campaigns.
You can also check your website visitor logs to see how many times the same IP address pops up over a specified time. If you notice that the same obscure location or IP address has been visiting your site regularly then this might be a red flag for you to try and block this IP address or location.
Google does offer some protection against multiple visits from a single IP address or device. If you think any of them might be fraudulent you can block them from your publishers list. A few giveaways that a site is fraudulent include pages which appear to be covered in ads, no content or very little content of any substance and recently registered domains. Suspicious timings or spikes in engagement might be a sign that someone is targeting your ads.
Especially if you seem to be getting lots of clicks and little in the way of engagement. You might also spot a high click rate from a country that might have little to do with your market.
Aside from locations, devices, IP addresses and dodgy publishers, it can be hard to spot other forms of fraudulent traffic. Forms of fraud that mimic human behaviour or hide behind proxy servers are going to be hard for you to spot yourself. And as the processes and techniques are becoming more sophisticated, keeping track of developments and fraud can be a Herculean task.
This is where using click fraud protection software comes into play and can really make a big difference. One of the main benefits of using fraud protection software is that it is constantly learning about the new threats and adapting its algorithms.
It can be tricky and a little labour intensive to get everything battened down, but it is definitely worth doing these manual fixes. And where possible we have linked to the resources to help you use some of the best techniques to minimise your click fraud exposure.
As an IP address normally refers to a specific device or location, this can cut out fraudulent PPC activity from specific users. We have a guide to setting up IP address exclusions.
It looks at visitors who have visited your site before and pops up on partner websites, ensuring your brand stays in their mind and possibly even encouraging repeat custom.
By tweaking your targeting for your ad campaign you can hugely reduce the exposure of your PPC campaign to fraudulent activity. Excluding certain geographic locations, languages, demographics and devices can make a big difference to the success of your advertising. If you see suspect activity coming from one particular demographic, exclude it and see what happens. You can always change it again later…. As the click fraud industry remains unchecked by controls and the profits just keep getting bigger, more and more companies are waking up to the impact that click fraud is having on their budgets.
But a surge coupled with one of the other factors on this list might suggest fraudulent activity. Peaks in clicks or impressions at strange times, such as the middle of the night, might suggest traffic coming from overseas. Lots of clicks equals lots of conversions, right? Not necessarily. If you regularly see a low conversion rate, again, it might be worth looking at your ad first.
Consider features such as your call to action or how easy it is for your site visitors to complete the required action check out, get in touch etc. But, sometimes even locally targeted ads can see traffic from an unusual location. By using VPNs virtual private networks , users can get around location settings and view ads meant for a targeted audience. The actual location primarily from China and Malaysia masking their location as UK buyers which is considered invalid by the client as they do not ship to these regions.
All of this probably has you asking, what is being done to prevent click fraud? And, is there anything I should be doing to prevent fraud or invalid clicks on my paid ads? To answer the first question, yes there are initiatives to stop click fraud, and many of the PPC platforms do offer some protections.
Google, for example, has a dedicated team who work to identify and prevent invalid clicks around the clock. There are manual methods, which can be useful to reduce your exposure to click fraud or invalid clicks. As part of this, you can also exclude certain areas which might be hotbeds of fraudulent activity. You can monitor the IP addresses that are clicking on your paid ads, and if you see suspicious activity, you can add these addresses to an exclusion list.
This is probably not the best way to get value for money on your pay per click advertising. Who has time to manually tweak your pay per click advertising to avoid click fraud? CHEQ for PPC offers the most comprehensive protection against click fraud , protecting pay per click campaigns of all shapes and sizes. Return to top. What is Click Fraud? What are invalid clicks? But, to be fair to Google and co, invalid clicks covers everything, not just fraud. How Does Click Fraud Work? High volume clicks.
Botnets are often used by organised criminals to commit wide scale ad fraud. Data Centers. Click farms. Web crawlers. Low volume clicks. Business Competitors. Vindictive parties. People who hold a grudge can easily hit you where it hurts online; in the wallet. Accidental or repetitive clicks. Malware and click fraud. Domain spoofing. All without the advertiser or genuine publisher knowing a thing about it. Examples of Click Fraud.
Botnets and organised ad fraud. Competitor click fraud. After developing a solution that helped him block click fraud attacks targeting his previous business, Ralph Perrier realized he could help other advertisers overcome the same challenge — and launched ClickGUARD in Accidental clicks, for example, when someone double-clicks on an ad Clicks and impressions by automated tools or manual clicks intended to increase someone's advertising costs or stop their advertising Clicks and impressions by automated tools or manual clicks intended to increase profits for website owners hosting your ads.
Out of the examples listed above, the latter two are examples of click fraud — an interaction between a user and a PPC ad with the goal of profiting from charges made to marketers. Sometimes humans, not bots, are behind click fraud. The following sections describe the most common cases of small-scale click fraud attacks.
Sometimes, especially in highly competitive industries, competitors resort to click fraud to get an edge on their rivals. When everybody else's budget would run out, there'd be one or two particular vendors that would advertise only during that period of time. As soon as everybody else replenishes their budget, they would bow out of the auctions again, and the fraudulent clicks would start again.
And then they started up again, as soon as everybody else's budget ran out. There were some very nontechnical, but obvious patterns within the niche that clearly would point to you who was behind it all. In simple scenarios where non tech-savvy competitors try to sabotage your campaigns, you can recognize competitor clicks by their IP addresses and block them.
Some disgruntled customers go beyond writing bad reviews online. Instead, they repeatedly click on the ads of a particular company. Fortunately, this is fairly unlikely to happen. And, unless one of your unhappy customers happens to be tech-savvy, it is also easy to identify and stop due to the repetitive nature of clicks. All told, compared to cybercriminals or click-fraud-as-a-service actors, solo click fraudsters are just a tiny part of the problem.
Organized click fraud criminals Cybercriminals use software to generate profit for their illegal enterprises, which can include click fraud. Below are some examples of how criminals can profit from fraudulent clicks — they are not mutually exclusive, and can overlap. Criminals often rely on bot traffic to generate profits at scale. However, not all of those bots visit websites with malicious intent. Bad bots engaging in click fraud are designed specifically to click on ads.
One of the common signs of bot attacks are unusual peaks in clicks outside of the targeted geo-location. Another way bad actors avoid detection is by masking their physical location with VPNs and proxy services or simply "anonymizing" their IP address.
Sophisticated robots designed to mimic human behavior can spoof their device type, accept and remember cookies, simulate mouse movement, and even fill out forms. One common practice among cybercriminals is infecting the computers of internet users with malware to create bot networks, or botnets to achieve various nefarious goals.
Click fraud is one of them. We've previously written about one example, Redirector. Paco malware. Unfortunately for advertisers, botnets can avoid detection more efficiently because the clicks they are programmed to perform will come from a range of regular machines with legitimate IP addresses.
To detect botnets, you'll need to set up advanced visitor behavior tracking. Bad actors joining advertising networks as shady publishers In this case criminals profit from fraudulent clicks through websites specifically set up to host ads. At first they bombard their newly created websites with huge amounts of bot-generated traffic. Once they have the required statistics, the criminals join ad networks as publishers and start profiting from false clicks.
In most cases, such websites are easy to identify by strange-sounding domains, low-effort or copy-pasted content, and an overabundance of ads.
Click farms are located primarily in third-world countries where they employ low-wage workers to generate fake likes or followers on social media — or to click on ads.
While cybercriminals use botnets and bots to their own advantage, they also offer their services to interested parties, such as competitors ready to gain an unfair advantage for their digital ads. It just seemed very well coordinated that while my budget would run out immediately within minutes, other individuals would then start their campaigns. The idea behind their actions was that once you completely drain someone's budget, that removes them from the auction.
I noticed that time spent on site was significantly less than usual: you'd get clicks and they'd spend less than two or three seconds on the website. There was no way the clicks could have been human: we would pause our ads and then we would restart them at odd hours. And within a short period of time, the clicks would start again. A lot of those clicks were distributed through VPN and proxy networks, which means a lot of it had to have been automated.
There are some cases when clicks are, strictly speaking, not malicious, but still hurt advertisers, because there is no intent to purchase the advertised product or service. At the same time, they are not accidental, since the users click on them to get to your website.
Still, since these clicks do not result in a purchase, they will affect your ROAS. Lookie-loos will often conduct multiple web searches and click on an ad numerous times without ever making a purchase.
This may not be alarming for companies that bid on low cost-per-click campaigns, but advertisers running high cost-per-click campaigns will want to prevent lookie-loos from increasing their customer acquisition costs. By tracking visitor behavior and conversions after an ad click you can distinguish good and bad traffic and exclude sources with low-quality interactions. In this case, customers search for a particular brand by name and click on a brand ad to get to the website.
Blocking ads after conversion might make sense to avoid incurring this type of expenses. As we mentioned above, cybercriminals often use VPNs and proxies to mask their location. In many cases proxies are used by regular people concerned about their online privacy or trying to bypass internet censorship in certain regions. VPNs are often used to access region-restricted sites as well. In addition, they encrypt data and so are frequently used to hide browsing activity from third parties, such as when using public Wi-Fi.
0コメント