News & Insights


How to detect and stop Click Fraud in PPC advertising

pwd staff OLIVER WOOD
Oliver Wood

|4th July 2017

With the right knowledge and techniques, PPC marketing can bring you great success. It can create more awareness around your brand, send traffic to your website and even increase conversions to deliver more profit. However, novices and experts alike know that PPC management isn’t always easy.

There is plenty to keep you busy with choosing the right audiences, keywords, ad copy and targeting. Unfortunately, the day to day grind of PPC management is not the only thing you have to worry about.

Beyond the quality of your own PPC efforts, other external problems are lurking. Even marketers with the best-structured PPC accounts can fall victim to the disease of click fraud.

What is click fraud?

Click fraud affects PPC advertising and wastes your budget with fake clicks. Instead of an interested user clicking on your ads, a bot or malicious person clicks on it, with no intention of buying.

Since PPC platforms like Google and Bing primarily charge by click, this eats your budget quickly, without allowing your ads to serve their true intent, hence it is unpleasant fraud against your account.

Click fraud can be implemented automatically with programmes and scripts designed to carry out the click fraud or by actual people malevolently clicking your ads. Click fraud not only eats your budget and produces no conversions, it also means you will have less money to use on genuine users. Click fraud is, therefore, no laughing matter but akin to a disease for PPC advertisers.

Why does click fraud happen?

There are many reasons for click fraud but most commonly, whether it is bots or humans committing the act, the source is your own competitors or publishers.

Competitors will want you to perform poorly in your advertising efforts. By committing click fraud they waste your money, reduce your customers and if your budget is used up quickly each day, there will be more chance for their own ads to show at a lower price.

Publishers on display networks receive more revenue if there are more clicks to the ads hosted on their site. This is a prime motivation for click fraud. Sometimes they will hire people to commit the click fraud on their behalf, do it themselves, or have bots created to implement their dirty work.

Understandably click fraud is a crime. If your competitor or a publisher were caught committing click fraud, they could be banned from an ad network and in some countries, it is a more serious crime and there have been cases of arrests.

You should therefore never be seduced by the evils of click fraud to use it against competitors under any circumstances. It is in no way a valid PPC management tactic.

How severe is the problem of click fraud?

There is much disagreement over how much of a problem click fraud really is. There has been less talk on the problem of click fraud among the PPC industry in the last few years, as search engines became aware of the issue and took steps against it.

Some in the industry claim click fraud is still a problem, others barely pay it any mind and companies like Google and Bing claim it is a very small issue which they have under control.

In the early 2000s, when the problem first came to light, it was a massive issue for advertisers and the reputation of search engines. Lately, it has fallen out of the spotlight but that does not necessarily mean the problem has gone away, so let’s analyse some real data around click fraud.

One of the biggest cases that brought click fraud to public attention was the 2006 case where Google paid out $90m in a click fraud settlement to advertisers. That was big money, even for Google and it shows that they knew there was a problem.

Seven years on the situation seemed to remain serious. The following chart from Acquisio shows that in 2013 less than 40% of all traffic was from humans. That is not even taking into consideration additional click fraud carried out directly by humans:


This is troubling but the data is from several years ago. Since then Google and other search engines have introduced more systems to tackle click fraud, so do advertisers really need to worry anymore?

Despite discussions on click fraud reducing, recent research would suggest the problem has not gone away and could even be getting worse thanks to PPC technology becoming more automated. According to siphon cloud, in 2016 click fraud costs actually increased. Their recent surveys reported advertisers estimating between 3 and 27% of traffic coming from automated bots.

In 2014 and 2015 the Association of National Advertisers (ANA) undertook a large study into the issue of click fraud on a global scale. In 2014 the official range of traffic from bots via ads was in the scope of 2 – 22% but rose to 3 – 37% in 2015.

Most worryingly they predicted ad fraud costs to advertisers would rise to $7.2billion globally in 2016.

Only recently (December 2016) reported on a high profile click fraud case which had been unearthed. Even with more systems in place by Google and Bing, Russian hackers managed to steal nearly $5million a day from advertisers.

In 2017 the state of click fraud seems to remain a prevalent threat. In March reported some very troubling stats on click fraud. The report predicted that the costs to businesses caused by click fraud could rise to $16.4 billion this year. This is far higher than the projections by the ANA. It also stated that 20% of total ad spend is wasted by click fraud and that PPC management using automated or programmatic methods were under higher risk of fraud.

Sadly, it does not mean that ads bought directly from publishers are safe. 12% of ad traffic with ads purchased directly from publishers was click fraud and equated to $4.65 billion lost.

The situation for desktop advertising is much worse than tablet or mobile with click fraud rising from 20% to 25% this year according to In January, roughly one in five desktop clicks were found to be fraudulent.

While click fraud remains higher on desktop we are also seeing reports of fraud increasingly finding its way onto other devices. This year found that there had been a rise in mobile ad click fraud of approximately 11%:


Smartphone videos also seemed to be an area of increasing risk with fraud jumping 3 times higher this year:


We can clearly see click fraud has been an unpleasant plague in recent years. An additional issue is that these hackers are rarely prosecuted because the best fraudsters operate from countries where it is legally difficult for companies like Google to go after them. The Click Fraud Network has identified that China, Egypt, and South Africa have generated the greatest volume of high threat-level traffic. The following map from Acquisio shows how much ad traffic is click fraud for countries around the world:


From all this data, we might surmise that click fraud is indeed a highly extensive problem but it is not all doom and gloom. Search engines have a reputation to uphold and they do work to try and combat the disease of click fraud. Just this year Google caught and stopped a large click fraud operation on mobile ads.

Who are the main targets of click fraud?

While small businesses face bigger negative impacts from click fraud, due to their more modest budgets, it is actually larger companies who are the main targets of click fraud.

Click fraud is not more prevalent on cheaper search engines and display networks either, the most reputable and expensive platforms like Google and Bing are major targets. This is probably because fraudsters know advertisers trust them and will invest more money on these platforms. Publishers and competitors alike have more to gain and can cause more damage with click fraud on the largest search engines and display networks.

This research may now have you worried that no matter how hard you try with your PPC management, you will fail because of click fraud. This is not true. Click fraud may be a terrible feature of PPC advertising but not every advertiser will suffer from this affliction.

If you are worried that you might be under attack from click fraud there is a great deal you can do to identify and work to prevent it.

How to identify click fraud

By staying vigilant and knowing the tell-tale signs of click fraud, advertisers can help themselves and make PPC platforms safer for everyone.

  1. Look out for sudden spikes in traffic

Keep an eye on your Google Analytics reports and Google AdWords reports. In Google Analytics you can clearly see which traffic is coming from AdWords. You should review this regularly and look out for strange spikes in traffic that do not correspond with increasing your budget.

Simply head to the acquisition section in your Google Analytics. Scroll to the AdWords section and look under campaigns. You can also review which keywords are bringing in the traffic, so look out for any subtler spikes for your main keywords that do not correspond with a bid adjustment:


These changes could indicate a case of click fraud.


You must have your AdWords and Analytics accounts linked to view the data in Google Analytics.

Additionally, you can look for click spikes in Google AdWords. Dig around in your keyword reports as well as your overall clicks report to see if certain terms are seeing minor spikes that have no correlation to your actions. If you have been receiving a fairly regular amount of traffic for a term or AdGroup, then see a sudden spike that does not correlate to any changes you have made, then it could be click fraud. Remember, while sudden large spikes could be a bot or script committing fraud, humans committing fraud directly could be much more subtle. Think about the keywords that saw the spike. Are these terms popular in your industry and likely to be targeted by an underhanded competitor?

  1. Check for sudden conversion rate drops

A sudden drop in conversion rates despite traffic remaining strong can also be an indication of fraud. Compare your organic conversion rate to your conversion rate during PPC campaigns. You should always try to keep track of the ratio difference. Changes you make onsite can alter the conversion rates for both organic and paid traffic and changes made within PPC management should only affect paid conversion rates. By regularly reviewing this ratio you should notice any strange changes that do not correspond with actions taken by you or your colleagues.

If you have been experiencing fairly steady conversion rates with traffic remaining steady and few changes have occurred onsite or in your account but conversion rates suddenly fall, then this could be a sign of click fraud

  1. Check your display network results

Click fraud can happen across all networks but ads are at highest risk on display networks. This is because display networks, like Google’s GDN, are where your ads show on third party sites. It isn’t just Google who makes money off your ad clicks, these publishers make money from the ads shown on their site.

You should, therefore, review your CTR and CVR rates more thoroughly on the display network. Take care to review results separately from search or shopping networks.

If you see CTR spikes or CVR drops on the display network this could very likely be fraud, if you have not made any PPC management tweaks. If you are using programmatic advertising on display networks you should also be especially wary of strange spikes in traffic.

  1. Check for strange referrals

If you are using display network advertising, check your analytics reports for strange referrals. If there is a sudden spike in referrals all coming from one or two sites with spammy looking domains then you probably do have a case of click fraud.

  1. Look for traffic from weird locations

If you notice surges in traffic, reportedly coming from locations outside your geo-targeting this should be immediately suspicious to you.

If it is one or two clicks it is normally fine but sudden traffic growth from an area you are not targeting may well be fraud. Click fraud experts can use fake IPs to make to seem like their fake traffic is coming from an area when really it is not.

  1. Check for high bounce rates

One of the biggest indicators of click fraud is a sudden rise in bounce rates and shorter sessions on site. This could, of course, be due to your PPC manager targeting a new but unsuitable audience or an unsuccessful change to a landing page. However, if no changes have been made and traffic from AdWords starts to have rising bounce rates and short amounts of time spent on site, then this is a bad sign and potentially click fraud.

  1. Look for traffic spikes by time of day

Look out for traffic spikes and conversion drops by time of day as well. Many click fraud scripts run only at night to avoid arousing suspicion.

  1. Review your invalid clicks report from Google

One of the easiest ways to identify click fraud is to look for sudden surges within your Google AdWords invalid click report. The invalid clicks report shows all the clicks Google has prevented from entering your campaign reporting because they were deemed invalid.

Google will have already dealt with and reimbursed you for these clicks, however, if this number is rising it could be that a competitor is trying their best to undertake aggressive click fraud against you. The more motivated a fraudster, the sneakier they become with their techniques.

It is also good to review the report for your own peace of mind. To access the report, simply click the Columns tab in your dashboard:


Then select modify columns:


Select performance:


Finally add invalid clicks and invalid click rate to your report to view the results:

  1. Don’t get paranoid

The best thing you can do is not get paranoid. Of course, click fraud is a problem but as long as you carry out the right checks as part of your PPC management you can catch foul play.

Remember click fraud is not happening to everyone and you should not start blaming click fraud for every data change you see. Remember you want traffic and results to improve, so change is not necessarily a bad thing. There are many other reasons, besides click fraud, that could cause changes in your CTR, such as:

  • You changed your daily budget
  • You altered your maximum CPC for a keyword or AdGroup
  • You added new, more relevant keywords
  • You changed your keyword match types
  • Your display ads started showing on new third-party sites
  • Your industry experiences seasonal shifts in interest

For more information on what you should be looking out for and why, check out this video from ClickFrauds, a click fraud prevention firm:

How to combat click fraud

By following our click fraud identification advice, it will be easier to discern if your account could be suffering from click fraud.

If you do discover evidence of potential click fraud there is a lot you can do to combat this scourge.

  1. Exclude IP addresses

If you can identify the company, person or better yet IP addresses of those committing click fraud, you can then block them in AdWords. It is discovering their IP that is the hard part. You can look at your server logs or invest in third party tracking software that specialises in revealing IP addresses, such as Lead Forensics or Solarwinds.

Once you have what you need it is easy to exclude them in PPC platforms like AdWords. To exclude IP addresses simply head to your campaign settings tab:


Scroll down to advanced settings:


Open up IP exclusions and click edit:


Now simply enter the IP addresses you wish to exclude and click save.

  1. Keep geotargeting tight

By keeping your PPC geotargeting tight you can limit exposure to countries where click fraud is frequently committed. It also makes your campaign more relevant and discrepancies easier to spot.

  1. Keep keywords relevant and specific

By avoiding broad match and keeping your keywords hyper relevant, you can run a more relevant campaign but you also make it harder for fraudsters to target you. Click fraud tends to target expensive and broad keywords. These terms mean they can waste more money and because they receive high traffic volume anyway, they are less likely to be caught. By having a firm grasp of your keywords, you limit the chances of becoming a target.

  1. Use ad scheduling

If you suspect someone has been leveraging click fraud against you on a particular day of the week or time of day, then use ad scheduling to avoid those times and keep your budget intact.

  1. Use managed placements on display networks

Using automatic placements is the easiest way to get targeted with click fraud on the display network. By using managed placements you can choose only reputable and relevant sites and avoid nefarious publishers.

  1. Use click fraud prevention software

With all these efforts, click fraud can still slip through the net but there are third party specialists in click fraud prevention software. If you are a large brand and are reasonably sure you are losing significant money to click fraud, it could be time to invest in extra software. Some well-known click fraud prevention software is:

  1. Report the problem

If you suspect click fraud, major PPC platforms actively encourage you to report it, so they can investigate it further for you. If you are right they will give you a refund as well. Here is the Google click fraud reporting form. Bing has no form but you can contact their customer support number to report suspected click fraud.

These techniques should help you combat the disease that is click fraud but sometimes it will still slip through. The problem is that click fraud can be quite difficult to detect.

The definition of click fraud can become fuzzy too. Technically, anything that is a click on your ad with no intention of genuine interest could be click fraud. This means that real users clicking by accident would fall into that category or accidental double clicks. Now, logically, this is not fraud but in practice, it is the same as click fraud because it wastes money with clicks you did not intend for your ads. It is, again, not serving your purpose in advertising.

Customers can also be very lazy and search for your site in Google, instead of going straight to your domain and click on an ad, as it is nearer than the organic result. It is not really click fraud but it could look like fraud because the same user with the same IP is repeatedly clicking your ads. This is just what click fraud looks like and so real fraud can be hard to pin down.

Fortunately, Google, in particular, is doing an impressive job to fight click fraud and maintain advertiser trust.

How do search engines work to prevent click fraud?

Over the last 12 years Google and Bing have become far more proficient at preventing click fraud. Both search engines have invested heavily in preventative measures.

In addition to allowing advertisers to report suspected fraud, both Google and Bing have algorithms to filter out click fraud and manual teams double checking for fraud, to launch extra investigations if needed.

Google is especially tough on click fraud. They work hard to detect it before you see the clicks in your reports and they reimburse you as they go. Over the past few years Google has even bought a click fraud detection start up and added new fraud detection software to their inventory. They even have a dedicated Ad Traffic Quality Resource Centre.

Google’s filters look for unusual click patterns and auto discard invalid sources. Their algorithms seek out high bounce rates and low-quality visitors. It also looks out for accidental and double clicks from users. All this spells bad news for click fraudsters.

Watch this video to hear more about how Google fights click fraud and protects you from being charged for accidental clicks:

Bing also has filters and an ad traffic quality team but they use less automation and more manual investigation tactics.

This is all very impressive but advertisers should not let their guard down completely. Google and Bing’s efforts are not always up to scratch.

It is harder to discern click fraud than you might think. It is very difficult for algorithms and humans to know what is going on behind a computer and the intent of users. None of the systems are fool proof by any means.

Unfortunately, most fraudsters cycle through thousands of IPs, use anonymous proxies, or use botnets to spread across thousands of infected PCs. IP detection is one of the primary clues search engines use to identify click fraud but sometimes IP detection will not be enough.

Some click fraud bots are now so sophisticated they can mimic mouse movements and even add items to shopping carts. This makes them look more like real users with real internet histories.

For examples of click fraud succeeding, take a look at the data from Resoucres. They have reports of some disturbing cases of fraud, including one troubling attack that leveraged affiliate marketing.

The controversy around click fraud

Considering some of Google and Bing’s struggles to prevent click fraud, advertisers might be feeling pessimistic but is the problem as bad as it seems?

When trying to gauge the threat of click fraud we can easily underestimate it or blow the problem beyond proportions because there is a great deal of controversy surrounding click fraud.

Most of those reporting on click fraud and the distressing statistics are click fraud prevention software companies. Naturally, they have something to gain by worrying advertisers.

On the other hand, since advertising networks would actually be beneficiaries of fraud in part, it brings controversy into how they deal with click fraud. Remember Google and Bing make money from clicks, so they are not in a neutral position either. Can advertisers really trust them enough to deal with this problem, especially when it is so hard to prove click fraud is taking place? If you suspected click fraud, it would be easy for advertising networks to blame your low conversions on a competitive market, your landing page, your checkout system or business model.

According to SEOChat, a top Google spokesperson claimed that many third party click fraud prevention companies inflate their click fraud reports, report fictitious clicks and even include clicks Google already dealt with and didn’t charge for in their reports.

That is quite the damning accusation, yet according to the same article, when the spokesperson was asked if click fraud was becoming worse, they became evasive.

It seems hard to trust either side fully but Google do have one thing in their favour: vast amounts of data. They are right to claim that adequate and accurate click fraud prevention requires large amounts of data to evaluate click behaviour. Google do have access to far more data than any third party click fraud prevention company.

The truth about click fraud is likely to be between the two extremes. It is a problem to be aware of and defend against but it no reason to despair and pause all campaigns.

Be aware of other types of PPC fraud

Worryingly PPC fraud is evolving and it is not just traditional click fraud you need to look out for.

Two new worrying problems are ad impersonation and conversion fraud.

Ad impersonation is also known as URL hacking and it involves fraudsters making ads with your URL. It means you have to compete against your own ads in search and your affiliates often use this technique to boost their own profits.

Other culprits are phishing sites looking to direct traffic to spoof landing pages to gather personal contact information from your customers.

In May 2014 Search Engine Land reported on a major case of over 300 advertisers who had their ads impersonated.

Conversion fraud is tricky to spot because you won’t see the traffic spikes, as you would with click fraud. It is also more common on the search network, whereas click fraud is more common on display. Bots basically head to your site and actually convert by filling out lead forms with fake details. If you have a lot of leads giving the same phone number and email then this could be a sign of conversion fraud. Naturally, lead generation advertisers are at greater risk.

If you useBing, you will also suffer greater losses than AdWords. This is because AdWords won’t necessary record all conversions from the same users but Bing does.

One way to look out for this problem is to analyse all conversions in Google Analytics emanating from your chosen PPC platform. If returning visitor rates are much higher then it could be fraud.


However, this technique could have you worrying needlessly as we know previous buyers are actually more likely to buy again. It does, however, work well with lead generation, as people who genuinely want your services are unlikely to fill out the form multiple times.

PPC ad fraud might be an issue but you shouldn’t start panicking about click fraud and conversion fraud or start doubting everything you see in your data. The reality is it needs to be on your radar but there are steps you can take to detect and solve ad fraud and the search engines are also working hard to fight the problem. By using a reliable and diligent PPC agency you won’t have to worry because they will be familiar with the problem of click fraud and know the best software and tactics to defeat it.