If you work in online marketing or regularly run pay per click campaigns, you’ve probably heard the term click fraud or ad fraud. Google uses the term ‘invalid clicks’ to refer to the practice of automated or non-genuine clicks on paid advertising links, but what really constitutes click fraud? And is it really that big of a deal to your business and your marketing budget?

Simply put, click fraud is the practice of clicking on paid ads with the sole intention of depleting or diverting the budget of the advertiser. It could be a disgruntled competitor who knows how much you pay per click and wants to hit you where it hurts (in the wallet), or it could be a shady network of criminals running multiple websites designed to channel those advertising dollars into their own accounts.

Does click fraud really happen?

Do both of these scenarios really happen? Absolutely they do. A famous example of the competitor running a click fraud scam is the case of WickFire vs TriMax in Texas. It was found that TriMax, a rival digital marketing agency, used multiple nefarious tactics to both damage WickFire in the eyes of their clients and to deplete their PPC budget.

These practices included clicking repeatedly on ads run by WickFire and their clients which inflated the price of each click - essentially click fraud. The whole case got extremely messy, with TriMax launching a legal and publicity counterattack accusing WickFire of being the original perpetrators. However, a Texan court found TriMax to be the guilty party and made them pay out $2.3 million in damages to WickFire.

Although a big case, this isn’t an isolated incident, with reports of click fraud and ad fraud popping up with alarming regularity over the past few years.

How is ad fraud different?

When it comes to the slightly more sinister case of ad fraud, this is where we see criminal organisations getting involved. The reason for this is that with an orchestrated ad fraud campaign, you can potentially turn over hundreds of thousands, or even millions of dollars a day.

How does ad fraud work? In most cases, content marketing works fine for everybody, But if you’re an unscrupulous website owner, you can create a website page which is absolutely crammed full of display ads. Some of these might not even be visible to the human eye, with banners on top of banners, or autoplay video hidden in tiny 1x1 pixel displays.

It’s then just a case of directing visitors, or clicks, to these ads to collect the payout for hosting them on your site. In fraudulent terms, this often means using automated bots to click on these ads or generate a view.

The best known example of this, on an industrial scale, is Methbot. Thought to be run by Russian mafia, Methbot is estimated to be making up to $5 million per day by spoofing premium domain names, embedding them with video ads and then using bots to view them. In fact, Methbot is just one of several known click fraud networks, known as botnets. Another huge botnet operation known as 3ve was taken down in late 2018 in a joint operation between Google, WhiteOps (an online security firm) and the FBI.

Although law enforcement has had success against these criminal enterprises, it’s normally just a matter of time before another more sophisticated iteration pops up. 

Increasingly, click fraudsters are using apps or VPNs to hijack users phones and web browsers to do their dirty work. As we’ve reported here on Tech Radar, some popular antivirus apps have actually been the perfect platform for mobile ad fraud, with both Android and iOS being targeted.

Online traffic

So exactly how much of the traffic online is fraudulent? By some estimates up to half of all internet traffic is non-human, including web crawlers, bots and other automated processes. Ilan Missulawin of anti click fraud company ClickCease said, “Although anything up to 50% of internet traffic is automated, we estimate that fraudulent traffic accounts for at least half of that. So, around 20-25% of all online traffic comes from either those botnets, or click farms.”

But don’t Google or the other online powerhouses have processes in place to safeguard against click fraud and ad fraud?

“Yes, Google do automatically block clicks from known suspicious sources”, says Ilan, “The problem is that the software and the processes are getting increasingly sophisticated. Where it used to be quite simple to spot bot activity online, improvements in programming mean that the bots are able to mimic human activity.”

Increasingly, the digital giants are being seen to be active against the fraudsters, with Microsoft and Facebook both making statements by closing down ad fraud on their networks. 

But, anyone running a PPC campaign could be horrified about how much they spend on fraudulent clicks. And although Google, Microsoft and co are starting to up their game, their efforts are still falling short for many advertisers. 

Predictions for automated and fraudulent traffic are only set to grow in this lucrative industry. In fact, estimates suggest that 2019 could see marketers spend over $42 billion on ad fraud and click fraud. 

There is no denying that click fraud rates are on the rise and not only among big advertisers. SMBs and even local service providers such as locksmiths and dentists often find themselves subject to click fraud and ad fraud. And with the rise in malware, with fraudsters leveraging the popularity of apps and browser extensions, the landscape is constantly changing. Even ransomware can be used to hack into accounts to steal data to make fraud more effective. This is the new advertising reality anyone running a PPC campaign can be affected and we are seeing more and more marketers getting protected.

Oliver Lynch is a freelance copywriter, marketer, and PR provider.

• Protect yourself online with the best antivirus.