Marketing teams are being asked to achieve more with a reduced or flat budget - a difficult task when click fraud is on the rise. In fact, click fraud is a growing concern for 78% of marketers, so it’s important to get a handle on how it’s affecting your advertising.
According to Lunio's Wasted Ad Spend report, $16.59 billion is forecasted to be wasted on Google Ads in 2024 due to the impact of invalid traffic and click fraud. Another $54.78 billion is set to be lost on non-Google channels such as Meta, LinkedIn, TikTok, and X. And that equates to a huge lost revenue opportunity for marketers and brands across the globe.
But it’s not all doom and gloom. By better understanding click fraud and putting the right click fraud prevention measures in place, you can stop your marketing budget going to waste. Here, you’ll learn all you need to know about click fraud, including:
- What click fraud is (and how it differs from invalid traffic)
- Types of click fraud (and who’s behind it)
- How click fraud affects businesses
- How ad networks are tackling click fraud (and why click fraud is going up)
- Why click fraud is so profitable for bad actors
- How to detect and stop click fraud
What is click fraud?
Click fraud is the malicious practice of generating clicks on digital ads without any intent to buy or take conversion action with the advertiser. This can be done by people, automated scripts, or bots.
In 2024, the vast majority of click fraud is carried out by bots: automated programs that rapidly click your ads and drain your budget.
Neil Andrew, Lunio’s founder and CEO, defines click fraud:
"Click fraud is any malicious website visit that doesn’t come from a real person with a genuine interest in your product or service. At the most obvious level, this includes bad bots that are out there to cause harm and eat budgets. But it could also include clicks from fake user profiles on social platforms, misserved ads, and clicks from competitor brands intended to waste your budget."
Neil Andrew
CEO, Lunio
Click fraud always has malicious intent behind it. But there are other more benign types of non-converting traffic you should also be aware of.
Invalid traffic vs click fraud
Invalid traffic (IVT) is a broader term that encompasses all kinds of invalid user activity affecting your site. As well as bad bots and fake users, it includes good bots (such as SEO crawlers and web scrapers), accidental clicks from real humans, clicks from VPNs and IP proxies, and clicks from current employees or jobseekers. Essentially, it includes any ad click that has no chance of conversion, regardless of whether the source is malicious.
Click fraud is a subset of invalid traffic. It refers to invalid clicks generated with malicious intent by bad actors, and is also known as sophisticated invalid traffic. Click fraud may be used to:
- Deplete your ad budget without generating revenue
- Diminish your campaign performance by reducing your reach to genuine prospects
- Create financial gain for scammers
- Generate fake likes and upvotes on social media
So in short - IVT is any click that would never lead to a conversion, whereas click fraud always has malicious intent behind it. Those who commit click fraud are likely doing it for illegal profit, or a black-hat advantage over their competition.
Who commits click fraud?
The term ‘click fraud’ brings to mind images of hackers, fraudsters, and competitors sitting in a dark room commanding legions of bots to waste your ad spend and ruin your analytics.
This isn’t always the case. Click fraud can come from a range of sources, each with their own duplicitous goals in mind. The most common click fraud culprits include:
- Advertisers are the most common type of click fraudster. They use click fraud to inflate their own CTRs and improve their ad rankings. They may also commit click fraud in order to artificially increase the number of impressions for their ads - which can result in higher ad revenue.
- Competitors may commit click fraud in order to waste an advertiser’s budget, or to lower their ad ranking.
- Affiliates may engage in click fraud to earn greater affiliate fees from those they’ve partnered with. This type of fraud is usually done using automated scripts that generate fake clicks on ads.
- Publishers falsely inflate their numbers by clicking on ads themselves to generate more revenue. They make money by inflating the number of page views on a website or by generating fake clicks on ads.
Types of click fraud
There are several types of click fraud marketers need to be aware of. Let’s take a look at each type of click fraud in more detail.
Bot networks
Bots are programmed to perform specific actions automatically. More than 47% of the world’s online traffic consists of bots. But we can expect this proportion to grow, thanks to Moore’s Law. In our webinar on the true cost of invalid traffic, David Triger, Lunio’s CTO, explains:
"According to Moore’s Law, computing power nearly doubles every two years (with some adjustments). This means that the power of hardware is growing much faster than the proportion of the population that has access to the internet. This trend will continue for quite a while. If no preventative measures are taken, it’s quite likely we’re going to be in the single digits of real human activity across the web in ten years time."
David Triger
CTO, Lunio
The success of bot-driven click fraud relies on their ability to mimic human behaviour. Because botnets consist of compromised computers, they usually have legitimate IP addresses belonging to real human users. This makes it much easier to avoid detection.
Ad publisher click fraud
Ad publishers take a percentage of the revenue generated by each click on their site. So it’s easy to see how click fraud could enable abuse of this system for financial gain.
Some rogue ad publishers commit click fraud by clicking ads in their own ad inventory, boosting their revenue. In addition, higher click volumes (even if they’re artificially inflated) can make ad space more appealing to advertisers.
These fraudulent money-making tactics are much more likely on low-quality websites. So advertisers should ensure they know where their ads will be shown before signing up with less established ad publishers.
Note: To avoid placements on low-quality sites while running Google Display campaigns, download and use Lunio's free 100k+ exclusion list which features junk domains, mobile app inventory, and irrelevant YouTube channels.
Fake users on social media
Platforms like LinkedIn, X (formerly Twitter), Meta, and TikTok have massive volumes of bot users. Our research shows levels of invalid traffic across social platforms ranging from almost 10-25% of all paid traffic:
The impact of fake users on important global events like elections has been widely reported. But they can also affect your advertising efforts.
More fake social media users means there’s a much higher chance of bots clicking your social ads. This drains your social media ad budget and skews your performance marketing results.
Competitor clicks
Once thought to be commonplace among small businesses, our Wasted Ad Spend report shows click fraud conducted by competitors isn’t actually a huge problem. Companies with less than 50 employees see an average IVT rate of 7.58%, compared with 17.58% at companies with 10,000+ employees. So you’re much more likely to be affected by sophisticated bot networks and fake user profiles than competitor clicks.
But competitor clicks do still exist, especially in highly competitive industries. Competitors purposely clicking your ads can deplete your PPC budget, so you’re unable to reach actual potential customers. Competitors may hire click farms to conduct this type of click fraud on their behalf.
How does click fraud affect businesses?
Click fraud affects businesses in three major ways:
- Wasted ad spend and reduced return on ad spend (ROAS)
- Wasted time and effort monitoring fake users and chasing fake leads
- Skewed data and analytics
Let’s take a deeper look at these click fraud-related issues.
1. Wasted ad spend
Click fraud wastes your PPC budget on worthless bot clicks. This reduces your return on ad spend, so you’re getting less from your marketing campaigns than you could be.
Some marketers chalk these losses up to the cost of doing business, as long as they’re still getting reasonable ROAS rates. But with $71.37 billion in ad spend expected to be lost to click fraud in 2024, advertisers can’t afford to be passive in their approach. Our CEO Neil says:
"We know that brands and agencies have a pressure to do more with tighter resources. And click fraud is a huge driver of marketing inefficiency. The lost revenue opportunity for brands as a result of fake traffic polluting their campaigns amounts to billions of dollars per year. So at a time when every penny counts, taking a proactive approach against click fraud should be every marketer’s campaign strategy , regardless of channel."
Neil Andrew
CEO and Founder, Lunio
You don’t have to (and shouldn’t) accept this level of inefficiency. In fact, in today’s tough economic climate, it’s important to wring as much revenue from your budget as you can, so you can hit your revenue targets and advertising KPIs.
2. Wasted time, effort and resources
It costs a lot to manually monitor your site traffic for signs of click fraud, both financially and mentally. To block bots most effectively, you’ll need 24/7 monitoring, which means members of your team need to proactively watch your site analytics for signs of invalid traffic. This not only costs money, but takes staff away from more valuable tasks that contribute to business growth.
In addition, high levels of click fraud can lead to an increase in spam or fake leads. This eats into your sales team’s resources, as they’ll spend time chasing fake leads with zero chance of conversion. So click fraud doesn’t just directly drain your ad spend — it also impacts business growth and puts revenue opportunities at risk.
3. Data distortion
Click fraud can seriously compromise your campaign performance metrics. In fact, all types of invalid traffic will skew your site analytics, making it harder to get an accurate picture of your PPC success.
Without clean data, it’s much harder to make informed decisions around campaign and budget optimisation. This often leads to a drop in performance and ad revenue, as well as further wasted ad spend and stifled growth opportunities. So it’s important that you filter out fraudulent clicks from your data.
What are ad networks doing about click fraud?
Click fraud is a big problem in digital advertising. So what are ad networks doing to tackle click fraud?
Unfortunately the answer is: not very much.
While Google and other ad networks are reasonably good at detecting and eliminating general IVT (GIVT) from your traffic and site data, they have a much harder time with sophisticated IVT (SIVT). Google is processing a lot more data than most other networks making them better equipped to detect traffic anomalies. To add to that, Google has an entire knowledge base on invalid traffic, showing advertisers how to prevent it and educating them on the problem. But keep in mind that most of this focuses on dealing with GIVT. It’s SIVT that’s becoming the problem nowadays. Most social platforms like Meta and LinkedIn are not equipped to deal with sophisticated invalid traffic, whereas Google might be in a slightly better position.
Google offers refunds if you can prove your ads have been affected by click fraud. This isn’t an ideal system, but it’s more than any other network currently offers. Meta is clear that they take no responsibility for click fraud or IVT and its impact on your PPC campaigns:
“Facebook shall have no liability for click fraud or other improper actions, or for invalid clicks or other technological issues, each of which may affect the cost of advertising.”
There’s not much financial incentive for ad networks to clamp down on click fraud. Analysing real-time traffic is expensive, and costs are going up as sophisticated bots become harder to detect. So it’s unlikely we’ll see any big policy changes in the near future.
The increasing prevalence of click fraud
Click fraud is on the rise. In 2023, PPC ad fraud is estimated to have risen by almost 10% over two years, from 19.3% in 2021 to 28.7% in 2023. This is largely due to increases in computer power, AI tools like ChatGPT and Gemini, and the low risk, high reward nature of click fraud.
A 2016 Hewlett Packard report shows ad fraud as the only entry in the ‘low risk, high reward’ category of hacking attractiveness, based on financial gain vs effort:
Click fraud is relatively easy for scammers to perform without detection, unlike certain other criminal online activities. As AI makes bots easier to program and unleash, we don’t expect to see a downturn in click fraud any time soon.
How much money can bad actors make from click fraud?
Click fraud is a very lucrative business for those who can get away with it. Individual scammers committing ad fraud can make millions of dollars every year — but fully-fledged ad fraud corporations can make many times this.
In one of the best known cases of click fraud — the Methbot scam — Aleksandr Zhukov was sentenced to ten years in prison after generating more than $3 million a day from click fraud.
At the height of Methbot operations, this fraud ring hosted video ads from more than 250,000 URLs, resulting in 300 million ad views each day. Approximately 570,000 bots (most of which were part of botnets) were used to mimic real human behaviour, enabling Zhukov and other bad actors to evade detection.
Methbot isn’t the only highly profitable click fraud scam. Other well-known click fraud operations include:
- 3ve — Infected more than 1.7m computers and generated more than $30m in profit over five years.
- HyphBot — Generated up to 1.5 billion fake ad requests a day, resulting in $500,000 profit each day.
Click fraud vs law
Unfortunately, Methbot and other click fraud organizations aren’t the only ones committing click fraud on a large scale. It'll come as no surprise that click fraud is illegal in many jurisdictions around the world, and can be punished by both civil and criminal penalties. However, the perpetrators are often based in countries where the laws are not as strict - making it difficult to prosecute them.
In addition, most advertising networks do not have a mechanism in place for reporting or tracking click fraud. This makes it difficult to prove that fraud has actually occurred, which further complicates things from a legal standpoint.
Despite the challenges, there have been a few notable cases of click fraud that have resulted in legal battles:
- In 2006, Lane’s Gifts and Collectibles sued Google for click fraud, claiming the company had not done enough to prevent invalid clicks on ads. Google settled the case for $90 million.
- In 2018, a small business Investor Village filed a lawsuit against Facebook claiming that the social media company was inflating metrics to boost ad revenue. 62% of small business owners in the U.S. believed that Facebook ads they bought were missing their targets, according to Pennsylvania television station YourErie.
- In 2020, Motogolf sued Top Shelf for repeatedly clicking their ads and running up their PPC expenses. Although some charges were dropped, the judge still ruled that Top Shelf interfered with the plaintiff’s business relations through wrongful means.
Automated campaign types and click fraud
While all performance marketing campaigns are at risk from click fraud, automated campaign types like Google’s Performance Max and Meta’s Advantage+ have seen particular problems over the last few months.
Click fraud is just one of many known issues with PPC automation. Limited control over targeting and less visibility in analytics has made it harder for advertisers to detect and mitigate click fraud, leading to more fake lead submissions and wasted ad spend.
Some advertisers are even avoiding Performance Max altogether until automated campaigns get better at weeding out spam leads:
Advertisers using Meta’s Advantage+ have run into similar problems. We decided to run an experiment to see how much Advantage+ had changed since its launch. It was a lead gen experiment, so we set a target cost-per-lead. Within 24 hours, we generated 200 sign-ups. We were amazed. But then, when looking at the cost-per-lead, something seemed off. Our cost-per-lead was £0.07. So we downloaded the list, and found 200 fake email addresses, all in the same format and with a similar timestamp.
Even a low cost-per-lead is expensive if every lead is fake. In addition, cheap low-quality leads can create a negative feedback loop within your campaigns, causing the algorithm to seek out more junk conversions to reduce acquisition costs, without generating any revenue.
How to detect and stop click fraud
Detecting and stopping click fraud can be hard, especially if you’re relying on manual methods. But there are certain steps you can take to stop click fraud affecting your PPC campaigns.
1. Get to know your site traffic and costs
When you know what normal traffic patterns look like on your site, it’s easier to spot and eliminate anomalies. Patterns to look for include:
- Which referral sites visitors usually come from.
- When you can expect normal traffic peaks and troughs.
- How long most people spend on your site.
Keep a close eye on your costs. If you notice a sudden increase in ad costs, without a corresponding increase in conversions, it could be an indication that you’re experiencing click fraud.
2. Avoid ad networks you don’t trust
Lesser-known ad networks are more likely to resort to shady tactics to boost their own revenue. While Google Ads and mainstream social platforms are vulnerable to click fraud, most do offer some protective anti-fraud policies. So it’s best to stick with known entities when it comes to ad networks.
3. Don’t pay for site traffic
Services that claim to send more traffic to your site almost always use bots to make up the numbers they’ve promised. Even if these bots target your organic content and don’t directly affect your PPC campaigns, they will skew your figures and make reporting unreliable. So avoid paying for site traffic, as it won’t help you in the long run.
4. Exclude IP addresses
Block specific IP addresses and ISP networks to stop suspected IVT clicking your ads. You can block up to 500 IP addresses per campaign in your Google Ads account, which may be useful if you notice a lot of suspicious activity coming from the same IP.
Blocking IP addresses can impact real users, so be careful when adopting this method of click fraud prevention. It’s also a manual method that uses a lot of time and resources.
Note: Use AbuseIPDB.com to help with the exclusion of fraudulent IP addresses in Google Ads. It crowdsources IP addresses that have been associated with malicious activity online and provides a central blacklist to cross reference against.
5. Blacklist suspicious domains and URLs
In Google Analytics 4, use the “List Unwanted Referrals” feature to exclude suspicious domains from your GA4 data. Find this feature under Data Streams in the Property column of the Admin section.
If necessary, you can block specific URLs that don’t send valuable traffic to your website to minimise the risk of click fraud from these sites. Alternatively, take the opposite approach and whitelist sites you trust, so your ads are only shown on legitimate sites.
Like IP blocking, domain blacklisting and whitelisting can take a lot of time to set up and maintain. But if you stay on top of it, this can help you eliminate a certain level of click fraud.
How Lunio detects click fraud ad platforms don’t catch
The manual methods above will go some way to tackling click fraud. But you’ll need to invest significant resources into implementing and monitoring these — and there are much more efficient ways to eliminate click fraud.
Lunio automatically detects and blocks click fraud affecting your ad campaigns quickly and effectively. Our software assesses the validity of every traffic source hitting your website in real-time. Clicks that come from known blacklisted IPs or show several signs of automated behaviour are immediately marked as invalid, and blocked from interacting with your ads again.
If a click is deemed suspicious (but not automatically invalid), Lunio investigates further. After a few additional clicks from the same source, Lunio assesses hundreds of data points until it has enough information to accurately categorise it as invalid or legitimate. This process virtually eliminates the risk of flagging real interactions as invalid, and leads to more efficient spending and higher profitability across all your campaigns.
Click fraud FAQs
How common are fraudulent clicks in paid search advertising?
Fraudulent clicks are a major problem in paid search advertising. In fact, it’s estimated that as much as 25-50% of all clicks on paid ads are fraudulently generated. This means that businesses are losing billions of dollars every year to click fraud.
How can I tell if I’m being targeted by click fraud?
There are a few signs that you may be being targeted by click fraud. For example, if you notice a sudden or unexplained spike in website traffic, it could be a sign that your ads are being clicked on by a botnet. If you’re receiving a high number of clicks from a single IP address, it’s worth investigating that further too.
What is the difference between click fraud and click bombing?
Click fraud is when someone artificially inflates website traffic numbers by clicking on ads without any intention of engaging with the ad. Click bombing is when someone repeatedly clicks on an ad in order to cause it to be removed from an advertising platform. Both activities are illegal and can lead to fines and jail time.
How much does click fraud cost businesses?
Click fraud is a major problem for businesses that rely on paid advertising to generate traffic. It’s estimated that businesses lose $120 billion each year to click fraud. This money could be used to improve products and services or to hire more staff. Instead, it’s being wasted on fraudulent clicks.
Where do click farms operate?
Most click farms are located in developing countries where labour is cheap, for example in China and India.
Do malicious actors click their own ads?
Yes, malicious actors will often click their own ads in order to generate revenue. This is known as “ad fraud” and it’s a major problem for businesses that rely on paid advertising.
Do legitimate users do anything that could be considered invalid clicks?
There are a few legitimate reasons why a user might click on an ad without intending to engage with it. For example, if they accidentally click on an ad while trying to scroll past it, this doesn’t mean that they’re trying to commit fraud.
Additionally, some users may click on an ad out of curiosity, even if they have no intention of purchasing the product or service. While this isn’t ideal from a business perspective, it’s not necessarily indicative of fraud.
Is it possible to eliminate click fraud completely?
Unfortunately, it’s not possible to eliminate click fraud completely. However, there are steps that businesses can take to minimise the risk of being targeted by criminals. Apart from manually checking clicks for signs of fraud, businesses can also use professional click fraud prevention solutions. These solutions work by analysing click data and identifying patterns that are typical of click fraud. By using a click fraud prevention solution like Lunio, businesses can significantly reduce the amount of money they lose to click fraud.
If I accidentally click on a pay-per-click ad without malicious intent, am I committing fraud?
No. If you click on an ad by accident, you’re not committing fraud. However, businesses have to pay for every click, whether or not it’s from a real person. So, even if you’re a legitimate visitor, accidental clicks can still waste their advertising budget.
What happens when click fraud skews user data?
Businesses may make bad decisions based on fraudulent data, such as investing in ads that aren’t getting clicked on by real people. Additionally, ad networks may charge higher rates for advertising space if they believe that there’s a high demand for it. However, if that demand is based on fraudulent clicks, businesses will end up paying more than they need to.
Do search engine algorithms factor in click fraud?
The algorithms used by search engines are constantly evolving, and it’s difficult to say definitively whether they take click fraud into account. However, it’s likely that they do consider it to some extent. After all, if a large number of clicks on a particular ad are coming from bots or click farms, it’s not a genuine indication of interest. As such, it’s possible that search engine algorithms could penalise ads that are being targeted by malicious invalid traffic.
Does click fraud affect your conversion rates?
Yes, click fraud can affect your conversion rates. This is because, if numerous clicks on your ad are coming from bots, it’s likely that few of those clicks will result in actual sales or leads. As such, your conversion rate will be lower than it would be if you were getting genuine clicks from legitimate visitors.
Can a high number of suspicious clicks affect your search rankings?
Repeated clicks from the same computer or from different computers with suspicious user profiles can certainly affect your search rankings.
Click fraud is a problem for search engines and websites alike and can greatly reduce the quality of the user experience. Some webmasters resort to shady tactics like hiring click fraudsters to generate fake traffic and boost their page rankings artificially – a technique known as black hat SEO, which usually only works short-term.
How can you stop bot clicks on your own websites?
There are a few things you can do to stop bot clicks on ads displayed on your websites. For example, you can use CAPTCHAs to verify that users are human. Additionally, you can monitor user behaviour and block IP addresses that seem suspicious. Finally, you can use a business-grade click fraud prevention solution to filter out invalid clicks automatically, which is often the most effective and pragmatic option.
How can fraudulent clicks affect your advertising budget?
Fraudulent clicks can affect your advertising budget in a few ways. First, you’ll have to pay for the clicks even though they’re not coming from real people. Additionally, if your conversion rates are lower than expected because of fraudulent clicks, you’ll end up spending more money on ads than you would if those clicks were legitimate. Finally, if your click-through rate is artificially inflated by bots, you may end up paying more for advertising space than you would if the number of clicks was accurate.
Get a free click fraud audit with Lunio
Want to know how much invalid traffic is affecting your ads? Get a free two-week traffic audit with Lunio. We’ll monitor your site for 14 days and determine if your site is at risk of click fraud. There’s no obligation to buy after your free trial, but if you decide to go ahead, you’ll get protection across all your ad platforms with our click fraud prevention tool.
Say goodbye to wasted ad spend
Discover how Lunio can help you eliminate invalid ad clicks and maximize paid media performance