Major search engines like Google and Bing recognize how serious click fraud is. Back in 2005, Google, along with Yahoo! and Time Warner, were sued by Lane’s Gifts & Collectibles in a class action lawsuit which ended in a $90M settlement and a commitment by the defendants to improve their monitoring and detection of fraudulent clicks. While things have certainly improved in the last ten years, it’s unlikely any PPC advertiser – or ad network – believes the problem has gone away. Click fraud protection on search engines such as Google and Bing ensures the largest money makers in the business are actively protecting their advertisers and the network as a whole.
So what exactly is click fraud?
Click fraud happens when bots are used to artificially inflate the click-thru rate (CTR) of ads, the effect of which is to reduce or even eliminate altogether the number of clicks you receive from legitimate prospects. In many cases, the bot is focused on using up the daily ad impression for a website by redirecting the clicks to a different site.
Bots are also being used by less-than-ethical competitors to hijack the search terms you’re using to drive ad traffic to your site, in effect diverting your carefully targeted prospects to their own sites. SpyFu, for example, offers its customers the opportunity to “Download Your Competitors’ Most Profitable Keywords and Ads For Paid and Organic Search” for just $79 a month.
The end result is that your ad budgets are rapidly exhausted, your cost per click (CPC) goes through the roof, and a large delta appears between your planned/budgeted and actual overall traffic and conversion rates.
If you’re new to the world of PPC advertising, eConsultancy, a support organization for marketers and ecommerce professionals, provides some good foundational information.
What protection do the ad networks offer against click fraud?
To protect their customers, and as a result of lawsuits like Lane’s Gifts & Collectibles, Google and Bing provide a level of built-in click fraud protection, summarized below and described in more detail on each company’s website (links included below). So why is click fraud still costing advertisers $6B in wasted ad spend, reduced conversion, and loss of competitive advantage in SEM? Clearly, the measures described below fall far short of what advertisers actually need in order to protect their marketing investment.
Google’s click fraud protection
Google has an Ad Traffic Quality Team whose job is to “isolate and filter out potentially invalid clicks before they ever reach your account reports”. In February of 2014, Google purchased spider.io, a click fraud detection startup, and a new fraud detection tool appeared in their arsenal later that year.
The company deploys three primary strategies to prevent click fraud:
- Proactive filtering: These filters analyze ad traffic and click patterns, looking for indications of any fraudulent activity. Clicks from known sources of invalid activity are automatically discarded.
- Offline analysis: Additional automated tools may be deployed to analyze algorithms on a deeper level, an effort which on occasion is complemented by manual (human) analysis. However, this typically only happens if something especially suspicious is found by filters or reported by a customer.
- Reactive investigations: Much of what search engines do is reactive, investigating fraudulent clicks aftera customer has noticed something suspicious and expended time and effort to file a report with Google. As well as leaving the advertiser to do all the heavy lifting, these one-off investigations are generally not helpful in dealing with the broader problem of continuing fraud.
You’ll find more information on the Google web site.
Bing’s click fraud protection
Microsoft also maintains a Traffic Quality Center to provide information on the protection the company offers customers across the Yahoo Bing Network. The approach is similar to Google’s but appears to incorporate more human involvement and less automation:
- Proactive: An invalid click filtration system deploys various algorithms to automatically detect and neutralize invalid clicks. Additionally, engineers review system alerts and trends in order to identify suspicious activity and address clicks that may have escaped their automated filtration systems.
- Reactive: Support teams work with advertisers to address issues of traffic quality, review advertiser complaints around suspicious click activity, and work across internal teams to verify data accuracy and integrity.
So how good are these click fraud protection systems?
In a dramatic example of detection evasion, uncovered last summer by security blogger Brian Krebs, a Russian hacker has for at least two years been offering a click-fraud service under the name GoodGoogle, which he promotes on YouTube and and Gmail. For $100, you can block three to ten ad units for 24 hours and, for a flat fee of $1,000, you can target specific competitors’ ads indefinitely. And he’s been doing this right under Google’s nose without apparently alerting their click fraud protection.
Another insidious scam, uncovered by Harvard professor Ben Edelman, involved hosting PPC ads through a long string of Google affiliate partners, each of which agreed to place their ads on other sites in exchange for a share of those ads’ revenues. Then the originating fraudsters made sure surfers’ machines were infected with spyware, which in turn displayed fake purchase browser windows on top of popular ecommerce sites. That fake window is what delivered the goods by invisibly simulating a click on the original hosted PPC ad, generating revenue share – and the site that paid for the ad doesn’t suspect a thing, because they’re still getting what appears to be real traffic.
Some take matters into their own hands
Scott Hendison, who operated a web-based insurance consultancy in Oregon, got so frustrated, he took matters into his own hands. Having discovered that a huge number of clicks were coming from a single IP address, which was costing him hundreds of dollars a month, he set a trap. The next time that IP address started clicking on his ad, a very targeted message popped up: “Stop, you weasel! I know who you are and have reported you to the proper authorities.” One click later, the problem was solved.
Good for Mr. Hendison! Unfortunately, most fraudsters cycle through thousands of IPs, use anonymous proxies, or use botnets spread across thousands of infected PCs.
Claiming compensation from Google against click fraud
While Google does provide a form for customers to report potential click fraud asking for suspicious IP addresses, referrers, or requests which could explain invalid activity. the company also makes it clear that it is your responsibility as an advertiser to analyze your click-thru reports and take appropriate action. There is no formal financial compensation policy and Google states they may not even respond to your request.
Claiming compensation from Bing against click fraud
Microsoft specifically calls out a couple of ways in which customers may be compensated for invalid clicks:
- Pricing discounts: In some markets, the quality of syndicated partner traffic is evaluated in real time and prices charged to the advertiser adjusted for associated clicks. Such discounts are applied automatically
- Advertiser credits: When invalid activity is identified through automated systems or reactive investigations, Bing issues credits to affected advertisers.
There is no formal reporting system; customers are simply advised to contact the Bing Ad Support Center.
Stopping click fraud before it hits your bottom line
While these approaches may be viable for small businesses and small ad budgets, larger and more complex SEM campaigns need a solution that’s designed from the ground up to prevent fraudulent online activities. The importance of click fraud protection on search engine sites like Google and Bing ultimately determines the quality of traffic that is generated by paid avenues contributing to your bottom line. Detection and mitigation by IP address alone is not a practical option to prevent such fraud, since bots can and do hop from IP address to IP address. IP blocking also runs the risk of blocking human customers who happen to be using the same stock of IP addresses as the bot (e.g. a cable company, university or large corporation)
Distil Networks’ technology, on the other hand, develops a unique fingerprint for each bot and uses that information to prevent fraudulent clicks. It also “learns” what typical human behavior looks like when interacting with your site, so that atypical behavior can be flagged and mitigated. This technology, coupled with a cloud-based repository of fingerprints and behavior patterns accessible to all users of that technology, enables Distil Networks to deliver a real-time, intelligent bot detection and mitigation solution that separates good clicks from bad with 99.99% accuracy.
Want to know if click fraud is impacting your business? Check out our blog post Five Telltale Signs You Have a Click Fraud Problem; if you spot these signs in your web traffic reports, contact Distil Networks today. Our click fraud identification solution can stop fraud bots, theft bots, and web scrapers all in one fell swoop, protecting your site and your business in the process.
About the Author
Courtney Brady is the Director of Marketing at Distil Networks. She comes to Distil Networks from a variety of start-up companies, routed in SaaS and DaaS solutions. Formerly the global communications manager at multiple companies, Courtney is responsible for developing the company’s marketing strategy and branding campaign.Follow on Twitter More Content by Courtney Brady