Click fraud fakes clicks target pay-per-click ads, boosting webpage search rankings or artificially inflating the popularity of a post. Click bots are often responsible for click fraud.
What is click fraud?
Click fraud is when a person or a bot pretends to be a legitimate website visitor and clicks on an ad, a button, or a hyperlink. Click fraud aims to trick a platform or service into thinking real users interact with a webpage, ad, or app.
Click fraud usually occurs on a large scale – each link is clicked many times, not just once, and usually multiple links are targeted. To automate this process, click fraudsters often use bots that “click” repeatedly. Bots comprise roughly 50% of all Internet traffic.* As much as 20% of websites that serve ads are visited exclusively by fraudulent click bots.**
Click fraud can have a variety of motivations. Most often, especially with ad fraud, the fraudsters are after financial gain. Sometimes, companies use click fraud to hurt their competitors’ ad budgets by targeting their PPC (or “pay per click”) ads with fraudulent clicks. Click fraud could also have ideological motivations – artificial likes or upvotes to a post to make particular sentiments seem more popular than they are, for instance. Cybercriminals can also use click fraud to construct a malicious webpage that shows up higher in search rankings to appear legitimate.
Common types of click fraud
One example of click fraud is ad fraud when a website operator drives fraudulent clicks on PPC display ads on their website. Click fraud perpetrators can set up web pages that display PPC ads and then use click bots to “click” on those ads. With each click, the ad network has to pay the website operator (the scammer). The more fraudulent clicks there are, the more the ad network has to pay the website if the fraud goes undetected.
Ad fraud can also financially attack the company paying for the ads. In such a scenario, scammers target PPC ads on a web property they don’t own. The scammer isn’t looking to make money from the clicks, but the targeted company has to pay the ad network for each click, costing them money.
Another use case for click fraud is when someone tries to game search engine rankings by artificially boosting the click-through rate. “Click-through rate” refers to how many users out of all the total visitors to a page click on a particular link. Click-through rate is a ranking factor that search engines like Google consider, although it’s not known how much of a factor it is. The goal of click fraud in this scenario is to increase the click-through rate of a webpage, thereby increasing the search engine ranking and causing more real users to visit the page.
What is a click bot?
A click bot is a bot that is programmed to carry out click fraud. The most straightforward click bots will access a webpage and click the desired link. Well-designed click bots will also be programmed to take actions that a real user would take – mouse movements, random pauses before taking a step, mixing up the timing between each click, and so on. In this way, the scammer who wrote the bot hopes to disguise the bot clicks as being from legitimate users.
Because hundreds or thousands of clicks from a single device would immediately look suspicious, a click fraud campaign typically uses bots installed on many devices. Each machine has a different IP address; therefore, it seems like each click comes from another user. Such a network of devices, each running a copy of a bot, is known as a botnet.
Botnets involve thousands or even millions of user devices with bots installed. These botnet click bots often run on the devices without the users’ knowledge due to a malware infection. Several large, well-known botnets have been used for click fraud – for instance, “Clickbot.A” was a click fraud botnet that infected over 100,000 user machines.
Botnets aren’t required for click fraud; a single bot can also propagate illegitimate clicks. However, bot traffic from just one machine is easier to detect and block. The web server could stop serving that IP address.
Does click fraud always come from bots?
While bots are commonly used to carry out click fraud, low-paid human workers can also carry it out. A group of such workers is called a “click farm,” click farms are often run out of areas where wages are relatively cheap, such as in developing countries.
Click farm workers will be assigned to go to specific web pages and click on designated links to artificially inflate click-through rates or traffic totals for those pages. They can also be active on social media networks and “like” specific posts or pages to boost their visibility.
From a scammer’s perspective, the advantage of a click farm is that the behavior of the human click farm workers is more likely than a bot’s behavior to imitate a legitimate user convincingly. The disadvantage is that using a click farm is much less efficient for fraudsters and more resource-intensive.
Most click fraud artists don’t have access to dozens or hundreds of human workers, and it’s much easier for them to write a few lines of code and create click bots. This is why bot management is essential for companies looking to prevent click fraud.
How much money does click fraud cost companies?
Click fraud costs ad networks billions – advertisers were estimated to lose $19 billion due to fraud in 2018 alone. If scammers have a botnet or hijacked IP address, they can carry out click fraud on a large scale: in a long-term scam discovered in late 2018, a single criminal organization earned over $29 million via ad fraud.
Similarly, the companies running the PPC ad campaigns can also find themselves paying for fraudulent clicks from bots. One source reported that in 2016, marketers lost $7.2 billion to ad fraud.
How does click fraud affect website analytics?
Click fraud can wreak havoc with website analytics. If bots interact with a web property, their activities are included in the data. As a result, the people running the website can’t measure the effectiveness of a display ad or judge the natural behavior of legitimate users. This is a problem for companies that want to measure how well their content engages an audience or like accurate information about traffic and user behavior on their site.
A strategy for managing bot activity is extremely important for any website, application, or API available over the Internet. Without the ability to mitigate malicious bot traffic like click fraud, bots can negatively impact customer experiences and cost companies money.
How does click fraud prevention work?
Some advertisers have automated detection programs to block clicks that are probably from bots – Google, for instance, uses machine learning to filter out ads-related activity from bots, along with a manual review process.