What is click fraud? Click fraud is the act of clicking on online content, including organic or paid ads online, with malicious or vindictive intent. For instance, it could take place on a display ad or a sponsored search result, on links you publish on your social media accounts, or rake clicks across your website.
This can be to deplete the advertisers’ marketing budget, damage the performance or reach of the ad, or even steal the cost of that click for yourself (a practice known as ad fraud).
When it comes to click fraud on organic content – like fake clicks on your social media posts or generating fake website traffic – fraudsters may aim to gain a competitive advantage, overwhelm your website, or hurt your online efforts by injecting fake data into your analytics.
We will look more in-depth at the sources and motives for click fraud later in this article. But suffice it to say, there is a huge industry that has grown around defrauding programmatic ads and advertisers.
From paid-to-click apps (PTC apps), to click farms, generating large volumes of fake clicks is easier than ever.In fact, the issue of click farms is widely reported, with many of them selling their services to inflate likes and followers on social media.
But this same technique can also be used for criminal gain, with millions of dollars at stake for enterprising gangs who know how to make click fraud pay using complex technological solutions and malware.
What is ad fraud?
The practice of ad fraud is an organised form of click fraud. Ad fraud is often used to fraudulently inflate the payout for website publishers, mobile app developers, or on social posts or videos.
Often when referring to click fraud, people use the term ad fraud interchangeably. However, where click fraud can be either accidental (for example from bad ad placement) or malicious; for example, rivals aiming to deplete your marketing budget; ad fraud is usually intended to line the pockets of the fraudster.
Is click fraud really that big a problem?
The actual rates of fraud vary based on:
- Your industry
- Geographic location
- Time of year
Some research found that the average rate of click fraud across the campaigns we protect here at ClickCease is 14%.
However, there is a huge variation of fraudulent ad clicks within that, depending on the industry. For example, the industries with the highest volume of fraud were found to be:
- Photography – 65%
- Pest Control – 62%
- Locksmith – 53%
- Plumbing – 46%
- Waste Removal – 44%
Other notable industries subject to high levels of click fraud include real estate (31%), financial services (20%), and legal and law services (14%).
The truth is, click fraud affects almost every industry, with 90% of all campaigns on Google Ads being impacted in some capacity.
In this guide we’ll be taking an in-depth look at the world of marketing, what click fraud is, and how it can cause you a real headache.
And more importantly, we’ll show you how you can fight back and prevent click fraud on your online marketing operations.
The practice of click fraud
As we’ve seen, there are multiple reasons to commit click fraud or ad fraud. It can occur on any link, whether organic, paid search, social media, in-app promotion, or other forms of digital marketing activities.
The most common reasons to get fake clicks on your PPC ad campaign are:
- Vindictive competitors or customers who want to negatively impact your online presence or brand reputation in general
- Organized fraudulent developers who have created a way to get paid for clicking your ads, usually using fake publisher inventory
- Malware apps or software created to collect the payout from ads (often with some help from bots)
- Paid-to-click apps that pay users to click or watch ads in exchange for a small reward.
When you consider that the price for some keywords in Google Ads (previously known as AdWords) can be upwards of $50, or over $100 per click, you’ll soon see why multiple fraudulent ad clicks can really start to cause a problem. In fact, even with clicks at a dollar or so each, the volume of click fraud can quickly cause problems for the average marketer.
In 2017 it was estimated that around 1 in every 5 clicks on a PPC ad campaign were fraudulent in some capacity. Since then, the techniques have become more advanced, and the sheer volume of fraudulent activity online has increased.
A study by the University of Baltimore and CHEQ found that click fraud cost marketers over $35 billion in 2022. And this is forecasted to reach $100 billion in 2023 and beyond.
What are the main sources of fake clicks or click fraud?
If clicking on someone’s ad repetitively sounds like a lot of hard work, you’d be right. A competitor clicking on your ad five or ten times a day might be a drop in the ocean for your advertising spend, but there are more damaging ad-clicking methods.
Bots and web crawlers
Designed to crawl the web looking for information, usually for spam or data collection purposes. There can be ‘friendly’ bots, that are just looking to scrape contact info, for example. Or deliberately vindictive bots that have the sole purpose of clicking on your ads hundreds or thousands of times to deplete your ad budget.
The issue of bot traffic is a complex one, with bots coming in a huge variety of flavors. Take a look at our guide to bot traffic to understand this issue in more detail.
Click Farms
Either automated setups or human-powered factories designed to click multiple times on specified links. Yes, they do exist, usually in developing countries where people can be paid as little as $5 for 100 clicks.
Click farms are used by all sorts of businesses, often to inflate their following or engagement, and they can be hired to do multiple actions, from liking social media accounts, watching videos, sharing links or information, leaving comments, and, of course, clicking on PPC adverts multiple times.
Although the bulk of click farms can be based in developing countries, there have been increasing instances of click farms based in Europe and the USA. By hooking up phones and tablets to a computer, you can automate the activity of hundreds of people.
Fraud rings and bot networks
Criminal gangs establish a mixture of publisher websites and automated bots to defraud advertisers. One of the best known is Methbot, a highly sophisticated scam bot network with a complex setup that is designed to fraudulently collect the payout on video views using a network of computers. Thought to have originated in Russia, Methbot is estimated to make around $5-6 million each day in fraudulent clicks.
Ad fraud
Publishers create a website designed to host banner and text ads, then channel fake clicks through the website to collect a payout. Ad fraud often involves placing ads on websites with little chance of genuine traffic being able to find it but with the opportunity for the site owner to maximize their income.
As a complex issue with many threads, you can check out our ad fraud guide for more information.
Medium to low volume clicks:
Competitors
Your direct competitor can try and siphon off your PPC budget so that their ad ranks higher for relevant searches. They might just click your ad every time they see it, or they might instruct everyone in the office to click your ad – which could be potentially quite damaging.
Although competitors can try to manually inflate your PPC spend, you might find that this is a temporary measure or occasional practice.
We actually looked recently at a case of competitor click fraud, where a business orchestrated a campaign against local competitors.
There are some simple steps to minimize your exposure to competitors clicking on your ads, which we will look at later on.
Human error
People searching for something may accidentally click on your site in the SERPs but then click out again. They may not even realize it’s a paid ad. Technically this wouldn’t be classed as click fraud but an invalid click. There is no strategic sabotage going on here; it’s simply a mistake, although repeated mistakes can cost advertisers a fair amount of money.
Vindictive parties
Your ex-employee, unhappy customer, or even your sociopathic ex might have a reason to click multiple times on your ad just to pee you off. You’d best go and apologize.
What’s so concerning about click fraud?
Now, you’re probably wondering why the hell anyone would really want to go to all that trouble. Is this really something that people do?
If you haven’t already, then we suggest you run a quick search for ‘buy clicks’.
What you’ll find is a whole industry built around fake website traffic, often designed to boost views on websites or inflate the popularity of social media accounts.
Sites like Fiverr offer plenty of options for users to buy ‘likes’ or website traffic. And most of these services can, of course, be used maliciously.
Many marketers can also run bots to find new clients or to build an email list that they can sell. These simple bots may not be fraudulent, but with enough of them, you could be looking at losing quite a lot of money through non-purchasing site visitors.
Bots can be used in a variety of ways and are relatively simple pieces of programming, meaning that pretty much anyone with a decent level of coding knowledge can make their own bot. You can also buy bots from a variety of sources for everything from research to more nefarious purposes.
It’s been proven that the bulk of internet traffic is actually bots, with some sources estimating 40% and others putting the figure at upwards of 50%. So when you’re aiming to run your next PPC campaign, this is definitely an issue that you’re going to have to bear in mind.
Those running a PPC campaign might find that the amount of PPC ad fraud sits around 20% of their total traffic. Bear in mind that Google doesn’t refer to the practice as ‘click fraud’ but prefers the term ‘invalid clicks.’ This covers all bases from genuinely mistaken clicks to the actual vindictive bot or click farm traffic.
Who is affected by Click Fraud?
You might think that click fraud is the kind of thing that only really affects the big boys; the Amazons, Citibanks, and Teslas of this world.
Of course, they are in the firing line as they target high-value keywords. But in reality, every online business is at risk of click fraud to some degree or another.
Automated click fraud doesn’t discriminate, with bots often just scouring the web for specific search terms. Even accidental clicks can really add up if your banner or sponsored result is in a competitive industry.
An industry with a huge amount of traffic and expensive keywords means more room for fraudsters to hide. It also means less risk of getting caught and a higher payout.
Here at ClickCease, we see that the most affected micro industries are locksmiths, lawyers, water damage repair, and… dentists. It seems that local service providers are prone to a higher rate of click fraud due to the competition, high CPC, and knowledge of the market.
No matter how little or how much money gets spent on campaigns, one thing is for sure. Every company that’s using PPC networks like Google Ads or Bing Ads is either vulnerable to click fraud or has been a victim of click fraud.
On occasion, some of the bigger cases of click fraud make it into the press, especially when there is some serious money at stake. These examples can be on the more extreme end of the click fraud spectrum, but they give a good insight into the lengths some people will go to.
Like other forms of fraud, those big examples are just the tip of the iceberg, with many smaller click fraud campaigns hiding under the surface.
The botnet hacker
Italian citizen Fabio Gasperini was sentenced in 2017 to one year in jail in the USA, as well as a $100,000 fine as a result of his involvement in a botnet hacking scam. Gasperini targeted servers that are used by companies for large-scale data storage and transfer, gaining control of these servers to use as simulated web browsers.
Gasperini was able to use the servers to set up a network of around 100,000 computers around the world and use them to send automated clicks on ads that were embedded on websites that he owned. He also defrauded big businesses that were paying for these ads, including Nike and Walt Disney.
When you consider that one man was able to do such extensive damage, it just goes to show what can happen when you have a seriously organised criminal network.
Search engine clampdown
Microsoft and their Bing search engine are the second biggest player in the PPC world (excluding social media sites), and they have been known to take click fraud very seriously. Back in 2009, Microsoft sued a family team based in Vancouver, BC, for their part in a click fraud scam designed to drive traffic to their World of Warcraft and auto insurance-based websites.
Microsoft was awarded $750,000 in damages, although they also stated that they lost out on $1.5 million in refunds as a result of fake clicks by the scammers.
Criminal bot networks
We mentioned Methbot earlier, but this huge criminal scam is a long-running and hugely profitable bot network that is designed to make money off video advertising. The network makes around $3-5 million a day by using fake websites to stream videos, racking up views, and huge payouts.
It is alleged that the gang has set up around 250,000 URLs that host video adverts which rack up around 300 million video ad views each day!
The sophistication of the Methbot set-up is staggering, with domain names made to look like they belong to well-known brands like ESPN and Vogue, around 570,000 bots, and the software making the interaction with the videos look like genuine human behavior.
Another sophisticated bot setup that was uncovered in 2017 is Hyphbot. With around a million URLs registered, Hyphbot was a prime example of ad spoofing, a practice where fake websites are made to look like big-name publishers like
The Economist or The Financial Times. Advertisers then place their ads on these spoofed sites, which then receive a high volume of bot traffic, inflating the PPC payout.
Although there has been a decline in Hyphbot-related activity, it is still thought to be active and making around $500,000 a day.
The click farm
One of the most notorious click farms discovered was in Thailand in 2017. With around 500 smartphones linked up to 350,000 SIM cards and nine computers, the click farm was connected to Chinese fraudsters who used the click farm to boost likes and engagement on the Chinese social media site WeChat.
The owners of the click farm were allegedly paid $4400 a month to run the set-up.
Bangladesh and India are also regularly listed as some of the top places to set up click farms, thanks to the low wages paid to workers. One report suggests that workers paid $120 a year work in shifts to click on multiple smartphones, liking posts, and following profiles on sites like Facebook, Instagram, and Twitter.
The next time you see an Instagram account that seems to have an unfathomably large following, it might be thanks to click farms. In fact, many popular influencers and business accounts, and even some celebrities, have used click farms to inflate their popularity online.
When it comes to Google Adwords fake clicks, companies who want to waste their competitors’ advertising budget can easily hire a click farm to click on ads. A simple search online will net plenty of places where you can buy fake clicks for a low price, for whatever purpose you want. Click farms are a very real and growing business.
DCCBoost attack
The bad cyber actor DCCBoost, also known as the Grinch, resurfaced back in late 2020. Hiding beneath layers of fingerprinting, client-server communication, and intricate client-side traps, its goal was to redirect victims to gift card and lottery scam pages.
The scammers used a chain of JavaScript codes to encode and decrypt the initial payload inside the source attribute of the displayed ad banner.
It was discovered that over 25 million fake ad impressions with some variation of this payload have been registered over the internet spread across just about 40 distinct malicious domains hosting the server-side infrastructure.