How to Spot Click Fraud (and Prevent It)

If you’re advertising digitally, chances are you’ve been stung by click fraud (and maybe without even knowing).

The saving grace for advertisers is there are ways to spot and prevent it. Thanks to Google ramping up their efforts to stamp out click fraud, there are now several ways to track and eliminate it on your Google Ads account and, if all else fails, software you can use to stop it happening.

In this guide, we’re going to look at what click fraud is, how scammers do it and what your business can do to prevent it.

What is Click Fraud?

Click fraud, or in Google’s terms “invalid clicks”, is when a paid advertisement is clicked repeatedly on a website to drain revenue from an advertiser, or gain revenue for a website hosting the ad.

More and more of the world’s consumers are moving online for their purchases, so advertisers are now increasing their ad budgets into digital channels to meet demand. This means the amount of money being pumped into PPC is also increasing, and PPC fraudsters are upping their game.

As click fraud continues to gain traction, digital advertisers are becoming increasingly concerned about the effect it is having on their ad budgets. So much so that click fraud and bot activity have become the top concerns for US brand marketers, according to BI Intelligence:

58909f1d475752d75b8b50ba 640 488

As Google Ads is the largest arena for PPC marketers, Google have stepped up their game to take control of the problem. They now have their own investigation team in place, and have set up a range of filters and analysis to spot fraud while it’s happening, and before it chews up ad budgets:

Screenshot 2019 05 29 at 10.04.26 AM

The system is built on algorithms and offline analysis, and it does manage to pick up large numbers of invalid clicks made on PPC accounts.

If Google does find invalid clicks on an account, the clicks are automatically filtered from an account’s reports and you won’t ever be charged for them.

Unfortunately, there are times when Google’s advanced systems fail to pick up on click fraud, and they are only found through analysis after the fact. If found to be fraudulent, these clicks will eventually be refunded as a credit (shown as an ‘invalid activity’ adjustment on your statement):

asg wDwyQIridxOIMcOC2Fart Pj42ZdwC1a7fNjPl2F1548260255662 InvalidActivityBilling

There are three main types of click fraud you need to be mindful of:

1. Manual Clicks to Increase Your Ad Costs

These types of clicks are usually done by a competitor looking to drain your ad budget.

Let’s say you are ranking higher than your competitor in PPC search results. Your competitor doesn’t like it, clicks on your ads (a lot) to drive up your costs and, eventually, drive them so high that you can’t afford to advertise for those search terms anymore.

This type of click fraud goes beyond a disgruntled businesses owner sitting on their computer clicking competitor ads.

A 2013 investigation by The Guardian found there were agencies called “click farms” popping up that performed click fraud as a full-time business. Their aim was to (relentlessly) click on a competitor’s advertising campaigns to destroy their advertising budgets and drive them out of the market.

2. Manual Clicks to Increase Publisher Profits

If your PPC campaign is running on the Google Display Network, you could be open to this type of click fraud.

Each time an ad running on your campaign being hosted by a third party website is clicked, they earn a cut.

How? Every third party website that hosts Google Ads are part of the Google AdSense program. Once they’ve been accepted as a partner into the program, they’re given a whopping 68% cut of the ad spend given to Google on content searches.

Screenshot 2019 06 01 at 12.00.21 PM

Let’s say a webmaster runs several ads on their website and, through clicks, they tally up to a $100 ad spend. If they are an AdSense partner, they will be pocketing around $68 of that ad revenue.

3. Automated Clicks Using Software

Hackers have built sophisticated click fraud systems that use fake IP addresses and web sessions, sometimes known as “bot farms.”

Screenshot 2019 05 29 at 10.09.57 AM

Automatic click fraud is often targeted through data stored in cookies. Bots will look at demographic information, browser histories, past purchases and many other data points before targeting a certain ad.

The Methbot Report by WhiteOps discovered a bot farm was defrauding marketers out of $5 million a day on video ads. It is believed to be the biggest ad fraud found to date, and is a stark reminder of the depth and sophistication of automatic click fraud.

Luckily, with sophisticated technology, they can be detected:

Screenshot 2019 05 29 at 11.17.25 AM

Google has recently joined forces with the Trustworthy Accountability Group (TAG). The group’s aim is to build a database of the most common click fraud tactics (crawler traffic, cookie-stuffing).

How Can I Prevent Click Fraud?

As sophisticated as click fraud can be, it’s surprisingly easy to trace once you realise the fraud is taking place.

Most click fraud activity tends to come from the same IP address, so it becomes manageable once you spot it. However, it’s important to be aware of the warning signs that come along with click fraud activity.

These are usually:

  • Unusual spikes in the number of ad clicks or impressions (with no conversions)
  • A higher bounce rate despite more clicks
  • Reduction in page views during unusual traffic spikes

Think you’ve been targeted by fraudsters? Here are 4 ways you can stop them in their tracks (and prevent it from happening to future campaigns):

1. Be Proactive in the Analysis of Your Ad Data

Accountability is a huge part of battling click fraud.

It’s up to you to take responsibility for your Google Ads account and make sure you know exactly what’s going on with your ad spend. Make it a weekly (or monthly) activity to monitor any invalid interactions that appear in your account stats.

If you can’t see the invalid clicks on your reports, they are easy to set up.

Click the Campaigns tab and select “modify columns”. Underneath the performance tab, you’ll be given several options to show invalid clicks and interactions in your campaign data:

modify interactions

Once these are selected, any invalid clicks your campaigns have received will show in separate column:

modify interactions 1

Google will reimburse you for these invalid clicks, but it’s important you use these figures to reconcile the costs on your account’s transaction history:

Untitled design 11

Any invalid credits that you’ve received will be available here, labelled ‘invalid activity’ on the transaction history page. If your account reimbursements don’t match, make sure you raise a support ticket with Google so aren’t paying for fraudulent clicks.

Pro-tip: If you suspect a campaign is being targeted by fraudsters, but Google hasn’t picked it up, you can raise a ticket through their dedicated click quality control service.

Screenshot 2019 06 01 at 1.09.03 PM

To help them with their investigation, Google will ask you to identify when the activity began, what ad groups were affected and any supporting screenshots you can have to back up your case.

2. Exclude Unwanted IP Addresses

Fraudulent clicks usually come from a single IP address. The good news is, once you’ve found the offending IP address, you can simply exclude it in your Google Ads account and they will never see your ads again.

Here’s the catch: Google Ads data is all about privacy protection, so you can’t track IP addresses from your ads account. To spot a pattern and identify an offending IP address, you’ll have to dig into your server’s logs.

How you access this information will vary greatly depending on your operating panel. If you’re using cPanel, for example, InMotion Hosting have put together this simple guide on how to access your server’s logs. Once you have access, a simple look over the IP addresses should tell you if there is a recurring pattern in your account.


There will likely be hundreds (if not thousands) of lines of data once you do this. To manage it, export the data into an Excel sheet and sort the columns by time, date or IP address. You should be able to spot any suspicious activity

Once you’ve found a dodgy IP address, log into your Google Ads account and click the “settings” tab and select “IP Exclusions:”

Screenshot 2019 06 01 at 1.28.10 PM

Type in the dodgy IP Address, click save and you’re set.

3. Adjust (and Exclude) Geographical Areas Through Ad Targeting

It’s not just single IP addresses that will target your ad campaigns. If you notice a pattern of suspicious clicks coming from a certain geographical area—exclude the area immediately.

Head to your “Settings” tab and click “Locations”. Type in the offending geographical area and then click “Exclude” in the options on the right hand side of the match.

Untitled design 12 A word of warning: this tactic is tricky as you are at risk of eliminating legitimate traffic by killing off a whole geographical area.

The best way to power forward with this tactic is to weigh up the pros and cons of the geographical area. If you think the majority of clicks coming from the area are from click fraud, it’s best to cut your losses. But if they aren’t, try raising a support ticket with Google before writing the area off completely.

4. Enlist Specialist Software to Track Suspicious Activity

If you don’t have time to track and monitor fraudulent activity (or you think it’s too complicated), it’s best to invest in some professional help.

There are several options available on the market that will provide you with dedicated reports that identify suspicious activity on your ads and your site.

Screenshot 2019 05 29 at 11.16.25 AM

Software like ClickCease can help you build a fraud report on suspicious activity. That way, you can collect evidence to as back up if you need to prove your case to Google.

Screenshot 2019 06 01 at 2.00.57 PM

Or, invest in a worthwhile PPC programming tool. If you’re using a PPC agency and you’re still suffering from click fraud, you should really rethink your investment. Any PPC agency worth their salt would never allow click fraud to happen on their watch.

A dedicated platform like Acquisio can help you fight click fraud and tailor campaigns to achieve your campaign objectives. This is done by providing multi-channel campaign strategies including RTB Display, LinkedIn advertising, video advertising and by exploiting emerging platforms like Spotify ads.

Screenshot 2019 06 01 at 1.54.15 PM


Click fraud and ads are simply a part of advertising we need to accept. It’s up to you to take control so it doesn’t suck your ad budget dry.

If you suspect fraud on your ads, take measures to stamp it out. Avoid countries with high click fraud rates, and block off any IP addresses that are showing suspicious activity towards your ads.

Make sure you monitor any invalid clicks in Google Ads and, if necessary, enlist the help of software that specializes in click fraud to minimize the damage. It seems intuitive, but the more diligent you are and the more time you give to fraud protection—the richer and more valuable your ad traffic will be.


Featured image: via Unsplash / Heidi Sandstrom

Images 2, 4, 7, 8, 9, 10, 12, 13 and 16: Screenshots taken by author May 2019.

Image 1: Business Insider

Image 3: Search Engine Watch

Image 5: White Ops

Images 6, 14 and 15: Clickcease

Image 11: Inmotion

Tom Whatley

Tom Whatley

Tom Whatley is the founder of Grizzle, a content marketing agency that helps B2B, SaaS and tech companies generate more traffic and leads through high-value content and distribution.

The First Machine Learning Marketing Platform
Built to Scale Search for Local Resellers & Agencies

Automate, optimize and track more campaigns, more profitably.