click fraud (pay-per-click fraud)

What is click fraud?

Click fraud -- sometimes called pay-per-click fraud -- is a type of fraud that artificially inflates traffic statistics for online advertisements. In the common pay-per-click advertising model, advertisers pay a fee for each click on their ad, anticipating that they have attracted a potential customer. By using automated clicking programs, the perpetrators of click fraud create the illusion that a large number of potential customers are clicking on the advertiser's links, but in fact, it is unlikely that any of the clicks will lead to profit for the advertiser.

Click fraud is done either to increase an ad hosting website's revenue or to exhaust the advertiser's advertising budget. Cybercriminals also use click fraud to boost malicious websites higher in search rankings, making them look more legitimate.

An organization's customers, competitors or website publishers can commit click fraud. A competing advertiser can click on an advertiser's ads in an attempt to increase the amount the advertiser pays for the search term, which could push competing businesses out of the market if done effectively. Website publishers can click on ads displayed on their own websites to gain more revenue.

When customers click on an ad without intending to make a purchase, most of the time it is not considered click fraud. In this case, a user might regularly click on a paid search advertisement on a search engine result to navigate to a website. The clicks could also just register as accidental clicks. However, customers who want to negatively affect an organization can also commit click fraud. Those committing click fraud normally use a program, automated script or bot to increase the number of invalid clicks.

How click fraud works

Large-scale click fraud is typically automated with the use of a bot or other program that appears to be a legitimate visitor on a webpage. The bot clicks on an ad repeatedly with the goal of tricking a platform into thinking it is a user with the intent to purchase whatever the ad is selling. A victim of click fraud is likely to notice a large number of clicks coming from one computer, and this traffic also appears suspicious to the advertising networks and advertisers. But fraudsters can get around this by routing bot traffic through different Internet Protocol addresses that continually change using a virtual private network (VPN). They can also carry out click fraud by using many computers in different geographic locations to avoid detection.

Instead of placing the ad on legitimate websites, the scammers might run a fraud campaign where they place the ad on websites created solely for that purpose. A site like this likely will not have any real organic traffic, because there is no real content available for users. Once the ads are in place, bots generate large volumes of invalid traffic and fraudulent clicks, for which the scammer bills the owner of the affiliate program.

Malicious entities can also attempt to make it appear as if a publisher is clicking on its own ads to generate revenue. This is done with the intent of causing the advertising network to end its relationship with that publisher.

Types of click fraud

There are numerous types of click fraud that different entities with different end goals can commit. Types of click fraud include the following:

  • Ad fraud. Publishers create websites that host banner and text ads to channel fake clicks to gain revenue.
  • Click fraud bots. This method generates clicks by using bots to automate the process of clicking on ads.
  • Click farms. Organizations hire people only to click on ads all day. Click farms are normally hosted where labor is cheap.
  • Pixel stuffing. Publishers load ads on a website in a 1x1 pixel. Even if end users do not realize it, they view multiple ads, generating revenue for the ad hosting website.
  • Ad stacking. This process is similar to pixel stuffing in that the ads are not visible to end users, but in this case, multiple ads are stacked on top of one another.
  • Location fraud. This type of click fraud attempts to escape detection by using a VPN to change geographic locations.
  • Video viewing fraud. Scammers use bots to watch video-based advertisements. This generates revenue for the ad hosting website.
  • Competitor click abuse. A competing ad service repeatedly clicks on ads to drive up the target's advertising costs.
  • Crowdsourcing. Advertisers increase the number of clicks on their ads by asking end users who do not have any intention of buying something to click on ads.
  • Incentivized traffic. Websites incentivize end users who do not have any intention of viewing ads with rewards for viewing them. An example is a mobile game that offers players in-game rewards for viewing ads.

These click fraud types can overlap, depending on who is committing the fraudulent activity and how they are doing it.

How can you identify click fraud?

Signs that can indicate click fraud include the following:

  • repeated clicks from the same internet service provider (ISP);
  • high click-through rates with low conversion rates; and
  • a drop in page views while experiencing peaks in impressions.

These three signs may be noticeable if an organization continuously keeps track of its ad performance.

How can you prevent click fraud?

To help prevent click fraud, organizations should take the following steps:

  • Monitor user behavior. Monitoring how many potentially suspicious clicks are coming from the same ISP can help determine if a user is committing click fraud.
  • Be aware of what competitors are doing. Organizations can use click-tracking software to create reports that include unique and total clicks to catch competitors committing click fraud.
  • Use software programs that block fraud. Fraud-prevention software detects potentially malicious or suspicious activity while blocking potentially bad traffic sources automatically.
  • Generate referral reports using software programs. These reports can help identify content-targeted websites that are sending suspicious amounts of visitors to a website.
  • Set different prices for ads on different websites. This should help limit financial risks by restricting the amount paid for a single ad.
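
The three signs listed under "How can you identify click fraud?" and the "Monitor user behavior" step above can be checked mechanically against ad statistics. The following Python code is an added example, not part of the original article; the sample figures, ISP names, function names and all thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample data, not real traffic; every threshold below is an assumption.
DAILY = [  # (day, impressions, clicks, conversions, page_views)
    ("2022-01-03", 10000, 200, 10, 950),
    ("2022-01-04", 10400, 210, 11, 980),
    ("2022-01-05", 9900, 195, 9, 940),
    ("2022-01-06", 18500, 1480, 8, 610),
    ("2022-01-07", 10100, 205, 10, 960),
]
ISP_CLICKS = {  # day -> clicks per ISP, as aggregated from a click log
    "2022-01-05": {"ISP-A": 70, "ISP-B": 65, "ISP-C": 60},
    "2022-01-06": {"ISP-A": 75, "ISP-B": 70, "ISP-X": 1335},
}

def dominant_isps(isp_clicks, max_share=0.5):
    """Sign 1: ISPs that supply more than max_share of a day's clicks."""
    flagged = {}
    for day, counts in isp_clicks.items():
        total = sum(counts.values())
        hits = sorted(isp for isp, n in counts.items() if total and n / total > max_share)
        if hits:
            flagged[day] = hits
    return flagged

def high_ctr_low_conversion(daily, ctr_factor=2.0, conv_factor=0.5):
    """Sign 2: click-through rate well above the median day, conversion rate well below."""
    ctr = {d: c / i for d, i, c, _, _ in daily if i}
    cvr = {d: v / c for d, _, c, v, _ in daily if c}
    base_ctr, base_cvr = median(ctr.values()), median(cvr.values())
    return [d for d in ctr if d in cvr
            and ctr[d] > ctr_factor * base_ctr and cvr[d] < conv_factor * base_cvr]

def impressions_up_views_down(daily, jump=1.5):
    """Sign 3: impressions peak against the previous day while page views drop."""
    return [cur[0] for prev, cur in zip(daily, daily[1:])
            if cur[1] > jump * prev[1] and cur[4] < prev[4]]

def review_queue(daily, isp_clicks):
    """Map each flagged day to the signs that fired, for manual review."""
    fired = {}
    for name, days in (("same_isp", dominant_isps(isp_clicks)),
                       ("ctr_vs_conversion", high_ctr_low_conversion(daily)),
                       ("impressions_vs_views", impressions_up_views_down(daily))):
        for day in days:
            fired.setdefault(day, []).append(name)
    return fired

if __name__ == "__main__":
    print(review_queue(DAILY, ISP_CLICKS))
```

A day on which several signs fire together is a stronger candidate for review than a day flagged by one sign alone.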

Ad networks also implement measures to prevent click fraud. For example, Google's automated detection system uses different algorithms and machine learning to analyze potential instances of click fraud. If the system detects an issue, Google reviews the instance manually.

How does fraud affect a website?

Click fraud eventually drives up advertising costs while lowering conversion rates, and it skews user data for advertisers. If bots and other scripts interact with an ad, those running advertisement campaigns will not know how effective the ad is.

End users, for their part, might be enticed to watch or view ads even though they have no real intention of purchasing whatever is being advertised, or the ads may be practically invisible to them.

According to ClickCease, a provider of click fraud detection software, the industries that click fraud affects the most include photography, pest control, locksmithing and plumbing -- though click fraud affects almost every industry.

Is click fraud illegal?

Click fraud is illegal in several countries. For example, in the U.S., the District of Delaware maintains that click fraud is in violation of the federal Computer Fraud and Abuse Act. Violating this law carries a penalty of one to 10 years in prison.

Most countries do not have laws specifically about click fraud, however. For example, Germany does not have a specific law against click fraud, but fraud-related laws could apply to this type of fraud. Specifically, organizations could fight against competitor click fraud in Germany with cybersecurity or other possible legislation.

This was last updated in January 2022
