PPC fraud has become a major issue for small\medium businesses in the last 5-6 years. For such advertisers (eg; lawyers, locksmiths, plumbers etc.), as they rely on AdWords\Bing to acquire paying customers, click fraud can actually kill their business.

Fighting click fraud is not a simple task.

It demands a sophisticated way of thinking and the ability to implement some brilliant AI (Artificial Intelligence) anti click fraud methods. When you choose your click-fraud protection service you must choose the one that provides results and not the one that displays some cool (but ineffective or even damaging) features.

Here are 3 bad practices (read about 3 good practices, HERE) that you must never implement. You should actually stay away from providers that offer such practices:

  • Warn the attacker that he has been detected
  • Use cookies to detect devices.
  • Rely on conversion tracking

Let’s get to the bottom of things and understand why each method is bad for you.

Mistake #1: Warn the attacker that he has been detected

This sounds really cool: “Once the attacker is detected we will display a warning message on the screen or redirect the attacker to a different landing page” but in reality, this feature will get you into real trouble.

We have researched and tested such feature over the past year and found out that notifying fraudsters actually increases click fraud rates by encouraging the attacker to find other creative ways to dodge the redirect or warning message. Imagine you are an attacker and you click your competitor a few times and then a message is displayed just for you: “You have been detected”. The common fraudster will not give up. He will switch browsers, clear cookies and in the worst case will look for more creative ways to camouflage himself and will probably end up using VPNs (Virtual Private Networks) to click your ads. This is bad for you in many ways: The attacker will keep clicking your ads each time using a different set of tools and thank the warning message he will be able to tell how effective these tools are. This is what we call the raging bull effect. Show a bull a red flag makes him even angrier. Good thing bulls can’t click on ads.

In addition, it would be much more difficult for your click fraud protection vendor to say which clicks were performed by that specific attacker since the attacker used many tricks to avoid detection.

This is where brains beat being aggressive with your offender. The correct approach is to auto block the attacker without telling him he was detected. This way he will assume your ad went down since you went out of budget while in reality, your ads are still showing to real potential customers. The attacker will not try to use more sophisticated methods to click your ads so we will be able to produce a report pointing all the clicks made by this attacker and file a refund claim to AdWords.

If you’re not convinced yet, please remember 2 facts:

  1. Even if you use redirects or displaying a message to warn the attacker you will still be paying for each and every click. The attacker will be able to click your ad again and again and laugh his brains out each time he sees this useless warning message.
  2. Bots are responsible for over 30% of invalid clicks and do not read your warning messages, they couldn’t care less about warning messages. They will just click your PPC ads over and over again.

The conclusion is clear: Do not use redirects or warning popups to the attacker. Ever.

Mistake #2: Use cookies to detect devices

Cookies are small files that are stored on each browser on the attacker’s machine. These files hold a unique code so the next time the attacker clicks your ads you will be able to identify him even if he changed his IP address. This approach is so common since it is very simple to implement (technically wise).

Sounds awesome, right? No. This could be highly efficient if we were living in 2010.

Planting a cookie inside the attacker’s browsers will detect in best case no more than 10% of the attackers. Today’s click bots are programmed to clear the browser’s cookies between clicks and it has become a common knowledge in the click fraudster’s communities that cookies must be deleted between clicks. Clearing the browser’s cookies is simple as 3 clicks so even a person can dodge your click fraud protection if it uses cookies to detect attackers. Most anti click fraud services deal with a cookie approach, so make sure you don’t blindly sign up for any service just because their marketing pitch was cool.

Bad practice #3: Rely on conversion tracking

This sounds like an awesome idea! You must be thinking that if a certain IP converted then there is no reason to block this IP because it must be an honest paying customer. Well, guess again:

  1. In most countries IPs are dynamic. That means that the IP address that was used by your honest customer yesterday, may be in use by the attacker tomorrow. In that case, your attacker will be able to keep clicking your ads forever only because he has found an IP that converted once in the past.
  2. The more sophisticated attacker may purchase your product and then quickly cancel it before the trial period ends. This way you will treat his IP address as a converted IP address and he will be able to click your ads forever.


Do not fall for marketing tricks. Do not adopt every allegedly advanced feature. Some of them can really hurt your business and cost you a lot of money. Still, have some questions about fighting click fraud? We have the answers. Check out our complete guide to click fraud here.