Aug 08
20
Stopping click fraud
I know a lot about click fraud. I won’t claim to be a “pioneer” of today’s scene (if that’s a suitable term), but once upon a time I certainly was breaking ground, amongst other things. Does that mean I agree with it? Well, no is the simple answer, but in some cases the answer is perhaps a bit more gray. That’s a topic for another time.
What is click fraud?
Well, I somehow doubt you found this post without knowing, so I’ll keep this paragraph very brief; it is here purely for the benefit of those very few who don’t know. Click fraud is the act of clicking on Pay Per Click links for personal gain, without any intention of buying, or interest in, an advertiser’s product or service. It’s as simple as that.
Why fraudulently click links?
There are three reasons people would want to do this. There may be other petty reasons but these are the important ones.
1) To make themselves money. With schemes like Google’s AdSense around, clicking on your own links is a profitable venture.
2) To cost competitors money. Smaller businesses are going to be most affected by this since big search spenders would hardly notice your average click fraud campaign.
3) Tactics. Again, this only really works in the arena of smaller business, but if for example I wanted to make the most of my budget, I could reduce my CPC by targeting my competitors on Friday evening, depleting their budget and thus not having any PPC competition over the weekend. This leaves me to bid essentially the minimum amount and get the top result.
How?
Clicking by hand doesn’t work. If you as a wannabe click fraudster sat clicking endlessly on an advert, you’d achieve nothing. It’s quite trivial for Google and all the other engines to tell that the source of all these clicks is a single person, and they will mark the clicks as fraudulent. If you’re doing this for reason number 1 (as stated above), then expect to lose your AdSense account.
Ok, so YOU clicking by hand doesn’t work, but a farm of cheap labour in another country, all clicking from different locations, does. To a point, and a very poor point at that.
Bot nets are a good choice for the potential fraudster. In this day and age where people are still silly enough to open random email attachments, and Microsoft can’t plug the holes in IE quick enough, there are more than a few viruses (or viri, or worms) floating around. Once upon a time a virus was a simple creature, whose sole purpose in life was to damage people’s computers or data for the heavenly goal of entertaining its creator. Not that the creator ever saw any of the damage unless his little beasty got in the news. These days however, they lead far more sinister lives. A modern day virus doesn’t eat your files, or destroy your data, or do anything to give away its presence; it just sits on your computer quietly. Waiting for orders. People who control these bot nets have great power in click fraud terms. They have a bunch of real computers, on a diverse collection of IP addresses. Thousands of them, and they can make mincemeat of your budget.
Proxy servers. Not every aspiring click fraudster has access to a bot net. The very act of obtaining control over the computers in a net is illegal and at best if caught you would face a seriously large fine. That is if you have a talented lawyer. You’re probably going to jail otherwise. So, probably the most prolific way to “fake” a load of different click sources, by your average click fraudster at least, is to use proxy servers. These are servers littered around the internet that simply allow website requests to pass through them. If I were a person or program using a proxy server, the process would be like this…
I ask a proxy for google.com, the proxy gets the page, Google logs the proxy server’s IP address and not mine, then the proxy gives the content back to me. I remain anonymous (in most cases), so using a list of proxies, all with different IPs, allows a person or program to keep clicking and clicking, and clicking.
If you have enough proxies this is a feasible method for a fraudster to use, but the trouble, or rather the blessing for us advertisers, is that Google aren’t stupid and are aware of most of the publicly available proxies. Collecting a large enough list of private proxy servers is a difficult and time consuming process.
Method x. There is another way for a seasoned click fraudster with a little capital behind them to simulate a multitude of clicks. This way is so devastatingly undetectable from ‘real’ clicks that I am reluctant to disclose it, but rest assured, there is a fifth method, and as far as I know, not one that is often (if ever anymore) employed. Be thankful.
Stopping click fraud
The biggest lie about click fraud is that the search engines (Google, Yahoo, MSN) don’t try to stop it because they make money from it. Every undetected fraudulent click is money in their pocket and out of the advertiser’s. I can understand why people would think this, but as evil as Google can be, this is utter rubbish. Google’s entire business model is based on Pay Per Click. That’s BILLIONS of dollars for providing this advertising platform. If they for one moment neglect commitment to quality of service to the advertiser, they will crumble. It’s absolutely in Google’s interest to stop click fraud, so don’t believe they don’t try.
Click fraud comes in two flavours: that which you can prove, and that which you can’t. You can always detect all but the most subtle & gentle (ergo harmless) click attacks by the fact that your ROI drops, or plummets in some cases. ROI peaks and troughs, but if you are consistently spending more and earning less, then you are probably a victim of fraud (or a bad agency).
Your ROI dropping is not going to be good enough evidence for a refund however. Fair enough really, why should the engines believe you, and even with more compelling evidence, you’ll still be lucky. Nope, you’re on your own here, you will need to attack this problem yourself.
Firstly, you need to detect it. There are tools available (which I have no experience of) that claim to offer this service. I am skeptical.
Automated bot attacks can be detected because they leave patterns in your logs. You can see by digging through your site analytics that things are out of place. Traffic peaked when you don’t normally see it do so, or you suddenly got 10% more people visiting with the same kind of browser. Things like that give away the presence of a click fraudster, and things like this mean the kind of products I’ve just mentioned CAN work, but what if we have a clued up fraudster on our hands?
What if this person has done the research on their target? What if they have devised a program that copies browser usage patterns and fakes them in an accurate balance across all the clicks, IE being x percent of the traffic and Firefox being y, in an accurate figure based on widely available stats?
Indeed, what if this person is aware of when your vertical sees traffic peaks (holiday searches in January, around lunchtime, for example)? What if they copy this pattern, and what if they slowly amplify it over a period?
What if this person has a reliable way of generating all this from REAL sources? Not bot nets, not proxies, not click farms.
There’s nothing that can detect this kind of fraudster. The only way you could perhaps tell it’s happening is by a drop in ROI, but you still won’t know where it’s coming from, or who is doing it. Thankfully, most click fraudsters aren’t capable of this, so we can combat it.
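The log checks described above (a traffic peak at an unusual hour, a sudden rise in one browser's share) can be written as a small comparison against a baseline window. This is an added example, not code from the original post; the `(hour, browser)` record format, the function names, the thresholds and the sample data are all constructed assumptions.

```python
from collections import Counter

def make_clicks(spec):
    """Expand {(hour, browser): count} into one (hour, browser) tuple per click."""
    return [key for key, n in spec.items() for _ in range(n)]

def shares(counter):
    """Turn raw counts into fractions of the total."""
    total = sum(counter.values())
    return {k: v / total for k, v in counter.items()} if total else {}

def find_anomalies(baseline, current, hour_factor=2.0, share_jump=0.10):
    """Compare current paid clicks with a baseline window.

    Returns (hours whose share of clicks is at least hour_factor times normal,
             browsers whose share of clicks rose by at least share_jump).
    Both thresholds are assumptions to tune against your own traffic.
    """
    base_hours = shares(Counter(h for h, _ in baseline))
    cur_hours = shares(Counter(h for h, _ in current))
    base_browsers = shares(Counter(b for _, b in baseline))
    cur_browsers = shares(Counter(b for _, b in current))
    # Hours absent from the baseline get a small floor so they can still be flagged.
    floor = 1.0 / (len(baseline) + 1)
    odd_hours = sorted(h for h, s in cur_hours.items()
                       if s >= hour_factor * max(base_hours.get(h, 0.0), floor))
    odd_browsers = sorted(b for b, s in cur_browsers.items()
                          if s - base_browsers.get(b, 0.0) >= share_jump)
    return odd_hours, odd_browsers

# Constructed sample data: a normal week of paid clicks (lunchtime and evening peaks).
BASELINE = make_clicks({(12, "IE"): 20, (13, "IE"): 20, (20, "IE"): 20,
                        (12, "Firefox"): 10, (13, "Firefox"): 10, (20, "Firefox"): 10,
                        (3, "IE"): 5, (3, "Firefox"): 5})
# Constructed burst: 40 extra clicks at 03:00, all reporting the same browser.
BURST = BASELINE + make_clicks({(3, "Firefox"): 40})
# Constructed case from the paragraphs above: extra volume in the normal proportions.
BALANCED = BASELINE + BASELINE

if __name__ == "__main__":
    print(find_anomalies(BASELINE, BURST))     # burst stands out
    print(find_anomalies(BASELINE, BALANCED))  # balanced traffic leaves no pattern
```

The balanced case returns nothing to investigate, which is why ROI remains the only signal against a fraudster who copies your normal traffic profile.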
So, the conclusion we (or at least I) have come to is that click fraud is unstoppable! Does that mean we should surrender to it? Absolutely not. Do all you can to fight these useless clicks, they are wasting YOUR money, but ultimately you have to accept that it can and does happen.
Treat fraudulent activity as part of account management. As long as your ROI is on target, does it really matter, beyond being frustrating, that x percent of your traffic is fraudulent? Probably not. If however you’re below target and know that click fraud is a substantial part of the reason, then as an account manager you should absolutely invest your time in detecting and stopping it; after all, your targets are at stake if you don’t.