PPC Click Fraud

What is click fraud/ ad fraud?

Around 40% of all internet traffic originates from non-human sources. This is nothing new as fake traffic has been a problem for well over a decade. Back in 2004, Google’s then CFO George Reyes said that fraud was the biggest threat to internet economy.

Ad Fraud has now overtaken credit card fraud.

If you carry out any form of online advertising you cannot afford to ignore the impact of ad fraud.

Ad Fraud is any attempt to defraud digital advertising networks for financial gain. Scammers and criminal gangs frequently use bots and click farms to carry out Ad Fraud, but they’re not the only methods.

Ad fraud using bots is typically referred to as click fraud and is common in the following types of digital advertising:

  1. PPC (ads on Google, Bing)
  2. Social media promoted posts
  3. Programmatic advertising
  4. Other paid for media, such as display banner ads
  5. Influencer marketing

Understanding the ad network

An ad network is a technology platform that serves as a broker between a group of publishers and a group of advertisers.

The ad network acts as a mediator responsible for introducing the right impression to the right buyer. It partners up with publishers (supply-side) and advertisers (demand-side) to help them reach their ad campaign goals.

Ad networks operate in conjunction with ad servers (AdTech used by publishers, advertisers, ad agencies to manage and run online advertising campaigns).

Ad servers are responsible for making decisions about what ads to show on a website, then serving them. On top of that, an ad server collects and reports data (such as impressions, clicks, etc.) for advertisers to gain insights from and monitor the performance of their ads.

And it is here where the majority of vulnerabilities occur.

In addition to click fraud, advertising fraud also happens in other ways:

Hidden ads

This occurs when an ad is displayed in such a way that it’s not obviously visible to the website user. It targets the ad networks that pay out based on impressions (views of adverts) rather than active clicks.

Click hijacking

Used when an attack redirects a click on one advert and sends the user to a completely different ad result – effectively stealing the click. For this type of fraud to work, the attacker has to have compromised the user’s computer, the ad publisher’s website or a proxy ad server.

Ad fraud click hijacking

Similar to the above. The attacker replaces an advert for Joe Bloggs Jeans with one for Sam Brown Chinos.

Fake app installations

Click farms* are set up to install apps thousands of times and interact with them in bulk, thereby distorting the number of times an advert might be shown within an app – especially on mobile apps.


Scammers create botnets and fake click farms to generate thousands of false impressions on an advert or fake visits to a website which displays ads.

Why are botnets so effective?

Imagine a thousand bots, all accessing different websites, mimicking human behaviour and looking like a real person surfing the web. The botnet creator now has a network which appears to be real and which can then be directed to a fake website.

This fake website now looks like it’s genuine, receiving high volumes of traffic from thousands of real people. Advertisers place ads on the website because they believe their ads will receive a high number of impressions.

The ad network that serves the ads pays the bot owner for the ads displayed and the scammers profit from a completely fake set-up.

Who runs the ad fraud scams?

Economists at the University of Baltimore have found that at present, one-in-ten ad-clicks across all eCommerce campaigns are fraudulent.

Many scams are run by illegal organisations and gangs who funnel the proceeds into organised crime, including money laundering, human trafficking and drugs.

What can you do to mitigate against ad fraud?

Being aware of the issue, and making sure your internal team and external agencies managing your paid media are, is vital.

Acknowledge that you are not going to be able to completely remove all bots from your campaign traffic, but you can put in place automated protection to prevent it.

Award-winning malicious bot protection.

Cyber Award Winner 2021

AI-Enabled Data Solution of the Year – DataIQ Awards 2023 Finalist

Tech Innovation of the Year Winner – Leeds Digital Festival Awards

Cyber Security Company of the Year – UK Business Tech Awards 2023 Finalist

Tech Leader of the Year – Tech Awards 2023 Finalist

Best Use of AI – Tech Awards 2023 Highly Commended