PPC-ads-are-big-money

Why Do Fraudsters Engage in Click Fraud? (+How to Stop It)

March 16, 2022

Pay-per-click (PPC), or cost-per-click (CPC), advertising has been around since the 1990’s. However, it really took off when Google, the search engine that most of the world uses today, launched their PPC Adwords service in 2002.

Click-based marketing is often measured by cost-per-mille (CPM) statistics, which is the amount of money a company spends on getting a specific number of clicks on its PPC campaign ads.

Over the years, PPC advertising has become a multi-billion-dollar business with companies often spending between $108,000 and $120,000 per year on PPC. It’s easy to see why. For example, Google boasts that for every $1 a marketer spends on their Google Ads platform, your return on investment (ROI) is $1.50.

However, there’s a darker side to PPC campaigns—a seedy underbelly that is rife with PPC fraud propagated by scam artists who work for a variety of motives. But, what motivates these cybercriminals to commit PPC/CPC fraud against you? More importantly, what can you do to stop click fraud before you lose all of your ad money for no return on your investment?

What Are the Most Common Motives Behind Click Fraud?

Fraudsters have all kinds of reasons for engaging in click fraud. Why does their reason matter? Because, the motive behind committing fraud may affect how the fraudster goes about their business—and how they react to your ad fraud prevention measures.

Here’s a list of some of the most common motivations behind click fraud schemes:

1. Click Fraud Is Easy Money

Pay-per-click-with-coins_110161128Even more so than many other forms of ad fraud, click fraud is an incredibly easy source of money for fraudsters. With lead generation fraud, fraudsters often need to program a bot to fill out forms, leverage stolen consumer data to create realistic-looking form submissions, and get around honeypots. Click fraud, on the other hand, is often much simpler.

PPC fraud bots attacking a click-based ad campaign can simply click the ad and generate revenue for their botmaster. Even when companies use tools like CAPTCHA or reCAPTCHA to fight bot-based clicks, the makers of these programs have long since found ways to bypass these basic public Turing tests.

Additionally, there are a bunch of different ways for fraudsters to take advantage of your click-based ad campaigns. For example, a crafty fraudster might create a fake website, disguise it as a more well-known (and expensive to advertise on) site, then sell you ad space at a premium appropriate to the other site’s value. This ad fraud strategy is known as domain spoofing. Though this isn’t exclusive to click fraud (since it can be applied to impression fraud, too), it bears mentioning here.

Another common click fraud strategy is ad injection. This is when a cybercriminal uses browser extensions, plugins, and malware to put their ads on websites where they don’t belong. In some cases, they may replace the ads that are actually supposed to be on the webpage! When website visitors click on these ads, the fraudster gets credit for the click, even though they don’t own the website the visitor is clicking on.

Finally, some fraudsters can just hire a click farm to click on ads for them. Here, large groups of workers in high-tech sweatshops use a variety of devices to just click on ads over and over again—earning clicks for the fraudster so they can get paid.

The average cost per click for PPC campaigns can vary depending on industry. For example, the insurance industry’s average cost for a click in Google Ads search advertising was roughly $20.12 in 2021. Meanwhile, the average cost per click for the electronics industry was about $0.77 during that same time period. So, money-motivated CPC fraudsters are more likely to target insurance PPC ad campaigns.

With the sheer amount of money that can be made with PPC fraud and the ease with which it can be performed, it shouldn’t be a surprise that there are a lot of fraudsters out there looking to commit this type of ad fraud.

2. Stifling the Competition

Sometimes, the objective behind click fraud isn’t to steal your money (or, at least, not only to steal your money). A few fraudsters are more competitively minded than that. Instead of committing fraud to take your money, their primary goal is to drain your ad budget as quickly as possible so that your ads stop appearing in Google search and programmatic display ad spaces.

For example, let’s say that there are two jewelry brands that are operating in the same market—Let’s call them Bee Jewelers and Sea Accessories. Both companies decide to launch PPC ad campaigns through Google and programmatic marketing networks. Bee Jewelers outbids Sea Accessories for their Google Ads, meaning their ads will appear first until their ad budget runs out.

However, Sea Accessories decides that they really don’t want to wait for Bee Jewelers’ ads to run their course before consumers get to see some Sea ads. So, they hire a click farm to run through Bee Jewelers’ ads over and over again until they ads stop appearing.

This helps to keep local jewelry shoppers from seeing Bee Jewelers’ ads. Instead, Sea Accessories’ ads are the only ones left for consumers to peruse—leading to increased sales for Sea Accessories and reduced sales for Bee Jewelers.

Here, the fraudster isn’t making any money directly from their click fraud. Instead, the click farm is getting a commission for doing advertising hitman work and the fraudster (Sea Accessories) is getting extra business while draining their competitor of money.

3. Trolling a Business/Personal Empowerment

Some people don’t want to make money. They just want to watch the world burn while getting their kicks. Because it amuses them. Because it will earn them notoriety among their peers. Because, frankly, they can and it gives them a sense of empowerment to do so.

There is a whole subset of fraudsters and cybercriminals who aren’t out to make money, but rather to make a statement. That statement being “I’m here to wreck your day because I can and you can’t stop me.” These can be some of the hardest fraudsters to find and stop because there’s no money trail to follow. Instead, they’re just out to “troll” your business and might not stop to do anything beyond tweaking their click bots to better hurt your PPC campaigns.

It’s hard to anticipate when one of these cybercriminal pranksters might target your campaigns, since you don’t know what will attract their attention. In a few cases, they might be politically motivated and target a business for some perceived infraction against a cause they support. In other cases, they may simply decide that a business seems like a fun target to mess with.

In short, these fraudsters could target anyone for any reason. Their schemes could run the gamut from employing extremely simple click bots that just rapid-fire click on ads in an obvious way to sophisticated PPC fraud scams that can bypass CAPTCHA tools and imitate human web browsing behaviors to disguise their actions.

How to Stop Click Fraud

So, how can you prevent CPC fraud that drives up your ad spend while killing any momentum that your online ad campaigns would normally generate? There are a few different strategies that you could use, such as:

Changing Revenue Models

One of the simplest fixes to prevent PPC fraud is to change your revenue model away from reliance on clicks. For example, you could focus on paying based on the number of leads generated. This keeps fraudsters from simply clicking on ads to generate revenue.

However, this still isn’t a perfect solution. After all, some advertising platforms only really offer PPC or impression-based options. So, changing revenue models isn’t really an option with those channels.

Additionally, lead generation fraud is still a significant risk factor. While lead gen fraud generally requires more effort than click fraud, the skill bar is still low enough for it to be relatively easy for most fraudsters.

Blocking Bad IP Addresses

Another common strategy for dealing with click fraud is to block the IP addresses where the phony clicks come from. The theory is that if you can block the IP address behind the bots and fraud farms abusing your PPC campaigns, then you can put a stop to the fraudulent clicks.

The problem is that IP address blocking doesn’t really work too well. Restricting an internet protocol (IP) address might stop a cyberattack (for a little while, at least), but it isn’t a permanent solution.

Some of the problems of blocking IP addresses as an anti-fraud measure include:

  • Some IP Addresses Are Dynamic. Dynamic public IP addresses change frequently as needed. So, if you blocked a bot from a device with a dynamic IP address, the next time that bot tries to click your ad, their address might have changed. Naturally, this makes blocking IP addresses ineffective as a click fraud prevention tool.

  • You Might Block Legitimate Traffic, Too. Public IP addresses may cover a large number of connected devices. So, if a fraudster is working from a shared network, blocking their traffic might block every other legitimate potential customer on that network!

  • Botnets Use a Vast Number of IP Addresses. Modern fraudsters often use gargantuan botnets with hundreds or even thousands of infected devices—giving them access to a few hundred or a few thousand IP addresses that you need to block. Worse yet, many PPC campaign tools limit the number of IP addresses you can block. For example, Google’s ad campaigns limit you to 500 IP address exclusions.

  • Because VPNs Exist. Virtual private networks (VPNs) are a modern privacy protection tool used by many consumers who don’t want their private browsing information shared with every company on the web. The problem is that, when using a VPN, the consumer’s IP address is hidden—replaced with the IP address of the VPN service provider. Blocking one bad actor using a VPN means blocking every legitimate lead who also employs that VPN. Also, the bad actor can just switch VPN data centers to get around the block.

Ultimately, IP address blocking is a temporary measure for interrupting an ad fraud scheme in progress while you employ other methods to put a stop to the fraudster’s actions—not a primary tool for stopping click fraud.

Using CAPTCHA/reCAPTCHA

As mentioned before, CAPTCHA and reCAPTCHA aren’t ideal for stopping fraud schemes of any level of sophistication. Only the most basic of click bots would be stopped by CAPTCHA tools these days.

In fact, studies from over half a decade ago show that bots could bypass reCAPTCHA over 99% of the time. Additionally, human fraud farms render CAPTCHA completely ineffective as a fraud prevention tool, since real people are sitting behind the screen in those cases.

Overall, CAPTCHA just isn’t a reliable click fraud prevention strategy on its own.

Applying an Ad Fraud Solution to Your Campaigns

Instead of relying on antiquated tools that don’t do enough to accurately identify and put a stop to click fraud and other ad fraud schemes, you could employ a purpose-built fraud prevention tool in your next PPC ad campaign.

Ad fraud solutions like Anura help you weed out fraudulent clicks, form fills, and other malicious activity from fraudsters by checking website visitors in real time and comparing their actions to an enormous database of real conversion data. Hundreds of data points about each visitor are checked against decades of conversions—helping to eliminate false positives while uncovering as much fraud as possible.

Anura’s ad fraud solution also helps you by providing all of the data you need to understand why each fraudulent click or form fill was flagged. This, in turn, helps you confront the fraudsters yourself when you need to.

Why wait for thieves, unscrupulous competitors, and pranksters to wreck your PPC campaigns? Protect your ad budget and your marketing ROI now by using a proven and reliable ad fraud solution!

Download the Dirty Secrets of Ad Fraud Series