August 17, 2015
When I speak with advertisers who are debating whether to explore paid search, one of the biggest sources of hesitation is click fraud. It may sound like paranoia, but it’s actually a very valid concern for many PPC practitioners. That said, fearfulness of click fraud is no reason to avoid PPC altogether. As long as you are cognizant of the phenomenon, committed to keeping a watchful eye on your account and have employed proactive measures to protect yourself, you’ll be in good shape!
What is Click Fraud?
Click fraud is a black-hat technique of falsely inflating the number of clicks on a pay-per-click ad. Click fraud is usually driven by one of two incentives:
- Advertisers are trying to sabotage their competitors by driving up their costs and meeting their budget caps early on in the day
- Ad publishers are clicking on the ads displayed on their own sites to generate more revenue for themselves.
What Are Search Engines Doing About It?
For years, search engines have been getting a lot of flak for not going the extra mile to identify and quash click fraud. This suspicion is not unwarranted. Remember, regardless of whether a click is malicious or not, it’s generating dough for the search engine displaying it. So, to uphold their reputations (and put weary advertisers’ minds at rest), all of the major ad platforms have designated their very own task forces to take on click fraud.
Google has created, by far, the most robust anti-click fraud program. Their system of detection uses a three-pronged approach that starts with automated filters. Advanced algorithms detect and filter out invalid clicks in real time before advertisers are even charged. Since these filters cannot be relied on to catch all fraudulent clicks, Google’s Ad Traffic Quality Team also conducts manual, offline analysis and removes any clicks that they deem invalid before advertisers are charged. Aside from these proactive measures, Google also launches investigations based on advertisers’ reports of suspicious activity. Anytime malicious clicks are detected, they are labeled as “invalid” and credits are issued to the account.
How to Identify Click Fraud in Your Account
So now that you know the ins and outs of click fraud, you’re probably wondering whether malicious clicks are happening in YOUR account. Welp, before you launch into a full-on bout of paranoia, let me reassure you that there is a TON you can do to identify whether you are a victim of click fraud! To get the full rundown, I turned to WordStream’s Evan Cummins to see what our Managed Services Team is doing to monitor their clients’ accounts. Evan explained that, depending on the time and resources you can commit to monitoring click fraud, you can approach the problem one of two ways: through manual analysis or an automated solution.
Going the DIY Route
If you elect to go the DIY route, here’s Evan’s two cents on how to go about it:
Firstly, you will need internal reporting. In general, it’s always good to have internal reporting in some form, regardless of whether you think you have click fraud, because while Google can only tell you if a click became a lead. Internal reporting would tell you if that lead became a sale. Knowing this information can help you adjust your bidding to favor terms that are more likely to result in a sale.
In order to track click fraud with your internal reporting, there are a few pieces of information you’ll want to ensure you collect:
- IP address
- click timestamp
- action timestamp
- user agent
The necessity for the IP address is pretty self-explanatory, but why do you need the other three? Click timestamp and action timestamp should be used together because you want to see the IP addresses which are arriving at your site by clicking on an ad, but not converting or rarely converting. The click timestamp is the time when someone arrives on your site after clicking an ad. The action timestamp is the time when that person completed an action on your site. If you see an IP address with a bunch of click timestamps but no action timestamps, then that is likely click fraud. Lastly, user agent really is useful for identifying whether someone on a particular IP is the same person. It takes note about all the features of the device being used to access your site such as type of computer or device, internet browser, software, and more.
Once you discover a potentially fraudulent IP address, you should always perform a quick check of the IP on a site to see who it belongs to. Tools like an IP Address tool or sites like www.whatismyipaddress.com, www.whatismyip.com, and www.ip2location.com are good resources to turn to.
One thing to keep an eye out for is proxy servers. It’s not unusual for a client to panic because a significant portion of their traffic is coming from the same place, only to finally discover that the suspect IP address belonged to proxy server at a public place like a coffee shop, airport, or university. Doing some research on your IP can help you discern whether this is the case. If you’re still unsure, look at all of the searches triggered from the IP in question. If the searches are very different, it’s likely a proxy server. If the search queries are similar and are occurring over a super short time period, the clicks are probably fraudulent.
If you identify click fraud in your account, don’t hesitate to report it via the AdWords Support line.
How to Eliminate Click Fraud in your Account
Despite Google’s claims that it’s going the extra mile to eradicate click fraud, many advertisers still consider it to be a major issue. If you feel as though you can’t solely rely on Google to weed out invalid clicks, take matters into your own hands!
Sometimes you just have to take matters into your own hands.
Here are my top 4 tips to protect yourself from click-happy criminals:
- Turn to Facebook/Twitter Ads: The great thing about utilizing these platforms is that your ads will ONLY show on these platforms (!)—meaning there are no third-party publishers involved in the process. This cuts out a significant source of click fraud. OK, so but what about malicious competitors’ clicks? Actually, this version of click fraud is also less prevalent on paid social networks because their advanced targeting options are so specific. Since ad placement is based on a keyword search, it’s much more difficult for competitors to find your ads.
- Set up IP Exclusions in AdWords: If you’ve done your due diligence and identified the IP address associated with fraudulent clicks, you can block your ad from being served to that IP in the future. To set up an exclusion, all you need to do is head to the Settings tab and scroll down to the IP Exclusions setting. From there, you just need to plug in the offending addresses and you’ll be good to go!
- Run GDN Remarketing Campaigns: If you’re concerned about publisher-based click fraud, this is the way to go. It is easily avoided with remarketing because ads are only displayed to those who have visited and displayed interest in the advertiser’s website. There’s no risk of publishers clicking on the ads, because they can’t see them!
- Adjust Your Ad Targeting: Sometimes all it takes is a small tweak to your targeting to weed out invalid clicks. If you suspect click fraud is coming from a specific geographic region (oftentimes “click farms” are based in poorer countries with low labor rates), it may be worthwhile to exclude these locations and their respective languages. Or, if you suspect that a competitor is committing click fraud, you can exclude their zip code, city, etc. One caveat to be mindful of here is that it is critical that you are not eliminating GOOD traffic as you do this. Only set these exclusions if you truly believe that the majority of the clicks generated in these areas are fraudulent.
So, now I turn to you, my fellow click-fraud victims, what clever tactics have you employed to eradicate malicious clicks in your accounts?