What is Click Fraud? The Complete Guide

Click fraud is not just a technical nuisance. It quietly drains media budgets, distorts your reporting, and makes it harder to learn what a high quality customer actually looks like.

Whether you are running search, social, or display, you are already paying for some amount of invalid or malicious clicks. The real question is how much, where it is coming from, and what you can do about it without bringing your campaigns to a halt.

In this guide, we will walk through what click fraud is, how it works in modern ad platforms, what warning signs to watch for in your data, and the practical steps you can take to detect, block, and prevent it going forward.

What is click fraud?

Click fraud happens when someone – or something – clicks on your online ad or content with malicious or vindictive intent. It’s one of the most common forms of digital ad fraud, and it can impact everything from Google Ads campaigns to social media promotions and display advertising.

In simple terms, click fraud refers to invalid or fake clicks. These clicks can come from competitors, bots, click farms, or even paid-to-click (PTC) apps.

Fraudsters create fake engagement for a few main reasons:

• Waste advertisers’ marketing budget
• Damage the performance or reach of an ad
• Steal the cost of a click (ad fraud)

Click fraud doesn’t only happen in paid search or display ads. It can also affect organic traffic, like fake visits to your website or fraudulent engagement on your social posts. These fake interactions can distort analytics, reduce ad optimization accuracy, and impact decision-making if your data becomes unreliable.

With billions of ads served online every day, click fraud has evolved into a multibillion dollar industry. The rise of automated bots, malware, and click farms makes it easier than ever to generate fake activity – and much harder for advertisers to detect it.

Why Click Fraud Matters (And How Big the Problem Really Is)

With over 4 billion people connected to the internet daily and nearly 2 billion making online purchases each year, a well-targeted PPC campaign is the difference between sinking and swimming.

Add in 9 billion searches on Google every day and a projected $777 billion in digital ad spend by 2025, and it’s clear just how valuable this ecosystem has become.

But where there’s money, there’s fraud. This massive flow of traffic and ad spend has made digital advertising a prime target for scammers. Click fraud – the act of generating fake clicks on ads – has become one of the most costly forms of online crime, surpassing even credit card fraud in global losses. Businesses lose an estimated $100 billion each year to ad fraud, with click fraud accounting for a significant share.

Click fraud has become the most costly form of fraud committed each year. Businesses are losing $100 billion globally in online advertising.

The scope of the issue is staggering:

• Up to 30% of digital ad spend was affected by fraud in 2025
• Ad fraud losses are projected to reach $172 billion by 2028
• Click fraud rates in search campaigns can climb as high as 22%

Our own research shows that, on average, 14% of all ad clicks across the campaigns we protect are fraudulent. Some industries face even higher risks:

• Photography: 65%
• Pest Control: 62%
• Locksmith: 53%
• Plumbing: 46%
• Waste Removal: 44%

Other industries, like real estate, financial services, and legal, also face consistent exposure.

In truth, nearly 90% of Google Ads campaigns experience some level of click fraud, making it not just a marketing challenge, but a universal cost of doing business online.

How Click Fraud Works

Click fraud isn’t a single tactic, it’s an evolving ecosystem. As digital advertising becomes more sophisticated, so do the methods bad actors use to exploit it. What started as a few manual clicks from competitors has grown into a multibillion-dollar problem powered by bots, click farms, and organized fraud rings.

Some forms of click fraud are high-volume and automated, draining ad budgets in minutes. Others are smaller scale but no less damaging, such as a vindictive competitor or a single malicious user repeatedly clicking on your ads.

Understanding how these different types of fraud work is the first step to recognizing them and ultimately stopping them.

Below, we’ll look at the main sources of fraudulent clicks, from bot networks and click farms to accidental clicks and human error.

High-volume clicks

Bots and web crawlers

Bots are designed to crawl the web looking for information, usually for spam or data collection purposes. There can be ‘friendly’ bots that are just looking to scrape contact info. Conversely, they may be deliberately vindictive bots that have the sole purpose of clicking on your ads hundreds or thousands of times to deplete your ad budget.

Marketers can also run bots to find new clients or to build an email list that they can sell. These simple bots may not be fraudulent, but with enough of them, you could be looking at losing quite a lot of money through non-purchasing site visitors.

Bots can be used in a variety of ways and are relatively simple pieces of programming, meaning that pretty much anyone with a decent level of coding knowledge can make their own bot. You can also buy bots from a variety of sources for everything from research to more nefarious purposes.

Take a look at our guide to bot traffic to understand this issue in more detail.

Click Farms

Click farms are automated setups or human-powered factories designed to click multiple times on specified links. These usually exist in developing countries where people can be paid as little as $5 for 100 clicks.

Click farms are used by all sorts of businesses, often to inflate their following or engagement, and they can be hired to do multiple actions, from liking social media accounts, watching videos, sharing links or information, leaving comments, and, of course, clicking on PPC adverts multiple times.

Although the bulk of click farms can be based in developing countries, there have been increasing instances of click farms based in Europe and the USA. By hooking up phones and tablets to a computer, you can automate the activity of hundreds of people.

We recently carried out our own research about this phenomenon, so read all about click farms here.

Fraud rings and bot networks

Criminal gangs establish a mixture of publisher websites and automated bots to defraud advertisers. One of the best known is Methbot, a highly sophisticated scam bot network with a complex setup that is designed to fraudulently collect the payout on video views using a network of computers. Thought to have originated in Russia, Methbot is estimated to make around $5-6 million each day in fraudulent clicks.

Ad fraud

Publishers create a website designed to host banner and text ads, then channel fake clicks through the website to collect a payout. Ad fraud often involves placing ads on websites with little chance of genuine traffic being able to find it but with the opportunity for the site owner to maximize their income.

As a complex issue with many threads, you can check out our ad fraud guide for more information.

Medium to low volume clicks

Competitors

Your direct competitor can try and siphon off your PPC budget so that their ad ranks higher for relevant searches. They might just click your ad every time they see it, or they might instruct everyone in the office to click your ad – which could be potentially quite damaging.

Although competitors can try to manually inflate your PPC spend, you might find that this is a temporary measure or occasional practice.

We actually looked recently at a case of competitor click fraud, where a business orchestrated a campaign against local competitors. You can read the case study here.

Human error

People searching for something may accidentally click on your site in the SERPs but then click out again. They may not even realize it’s a paid ad. Technically this wouldn’t be classed as click fraud but an invalid click. There is no strategic sabotage going on here; it’s simply a mistake, although repeated mistakes can cost advertisers a fair amount of money.

Vindictive parties

Your ex-employee, unhappy customer, or even your sociopathic ex might have a reason to click multiple times on your ad just to pee you off. You’d best go and apologize.

Who is affected by Click Fraud?

Every online business is at risk of click fraud to some degree or another. Automated click fraud doesn’t discriminate, with bots often just scouring the web for specific search terms. Even accidental clicks can really add up if your banner or sponsored result is in a competitive industry.

An industry with a huge amount of traffic and expensive keywords means more room for fraudsters to hide. It also means less risk of getting caught and a higher payout.

Here at ClickCease, we see that the most affected micro industries are locksmiths, lawyers, water damage repair, and dentists. It seems that local service providers are prone to a higher rate of click fraud due to the competition, high CPC, and knowledge of the market.

No matter how little or how much money gets spent on campaigns, one thing is for sure. Every company that’s using PPC networks like Google Ads or Bing Ads is either vulnerable to click fraud or has been a victim of click fraud.

High Profile Cases of Click Fraud

On occasion, some of the bigger cases of click fraud make it into the press, especially when there is some serious money at stake. These examples can be on the more extreme end of the click fraud spectrum, but they give a good insight into the lengths some people will go to.

The botnet hacker

Italian citizen Fabio Gasperini was sentenced in 2017 to one year in jail in the USA, as well as a $100,000 fine as a result of his involvement in a botnet hacking scam. Gasperini targeted servers that are used by companies for large-scale data storage and transfer, gaining control of these servers to use as simulated web browsers.

Gasperini was able to use the servers to set up a network of around 100,000 computers around the world and use them to send automated clicks on ads that were embedded on websites that he owned. He also defrauded big businesses that were paying for these ads, including Nike and Walt Disney.

When you consider that one man was able to do such extensive damage, it just goes to show what can happen when you have a seriously organized criminal network.

We also looked at this case on the ClickCease blog back in 2017…

Search engine clampdown

Microsoft and their Bing search engine are the second biggest player in the PPC world (excluding social media sites), and they have been known to take click fraud very seriously. Back in 2009, Microsoft sued a family team based in Vancouver, BC, for their part in a click fraud scam designed to drive traffic to their World of Warcraft and auto insurance-based websites.

Microsoft was awarded $750,000 in damages, although they also stated that they lost out on $1.5 million in refunds as a result of fake clicks by the scammers.

Criminal bot networks

We mentioned Methbot earlier, but this huge criminal scam is a long-running and hugely profitable bot network that is designed to make money off video advertising. The network makes around $3-5 million a day by using fake websites to stream videos, racking up views, and huge payouts.

It is alleged that the gang has set up around 250,000 URLs that host video adverts which rack up around 300 million video ad views each day!

The sophistication of the Methbot set-up is staggering, with domain names made to look like they belong to well-known brands like ESPN and Vogue, around 570,000 bots, and the software making the interaction with the videos look like genuine human behavior.

Another sophisticated bot setup that was uncovered in 2017 is Hyphbot. With around a million URLs registered, Hyphbot was a prime example of ad spoofing, a practice where fake websites are made to look like big-name publishers like The Economist or The Financial Times. Advertisers then place their ads on these spoofed sites, which then receive a high volume of bot traffic, inflating the PPC payout.

Although there has been a decline in Hyphbot-related activity, it is still thought to be active and making around $500,000 a day.

The click farm

One of the most notorious click farms discovered was in Thailand in 2017. With around 500 smartphones linked up to 350,000 SIM cards and nine computers, the click farm was connected to Chinese fraudsters who used the click farm to boost likes and engagement on the Chinese social media site WeChat.

The owners of the click farm were allegedly paid $4,400 a month to run the set-up.
Bangladesh and India are also regularly listed as some of the top places to set up click farms, thanks to the low wages paid to workers. One report suggests that workers paid $120 a year work in shifts to click on multiple smartphones, liking posts, and following profiles on sites like
Facebook, Instagram, and Twitter.

The next time you see an Instagram account that seems to have an unfathomably large following, it might be thanks to click farms. In fact, many popular influencers and business accounts, and even some celebrities, have used click farms to inflate their popularity online.

When it comes to Google Ads fake clicks, companies who want to waste their competitors’ advertising budget can easily hire a click farm to click on ads. A simple search online will net plenty of places where you can buy fake clicks for a low price, for whatever purpose you want. Click farms are a very real and growing business.

DCCBoost attack

The bad cyber actor DCCBoost, also known as the Grinch, resurfaced back in late 2020. Hiding beneath layers of fingerprinting, client-server communication, and intricate client-side traps, its goal was to redirect victims to gift card and lottery scam pages.

The scammers used a chain of JavaScript codes to encode and decrypt the initial payload inside the source attribute of the displayed ad banner.

It was discovered that over 25 million fake ad impressions with some variation of this payload have been registered over the internet spread across just about 40 distinct malicious domains hosting the server-side infrastructure.

Dealing with Invalid Clicks in PPC Campaigns

There are several steps you can take to minimize and mitigate your exposure to click fraud. Major search engines, like Google and Bing, have some strategies in place to combat click fraud and PPC ad fraud.

However, many feel that their efforts fall short and that there is a whole world of invalid traffic, or click fraud, that isn’t picked up.

For example, Google blocks things like high bounce rate visits (often the sign of an accidental click or obvious web scraper) or multiple visits from the same IP address. But more often than not, you’ll need to flag up suspicious activity yourself and request a refund.

In the cases where Google takes a deeper look at the issue, you’ll normally find it can take anything up to a month for the issue to be inspected and for your refund to come through. When you’re looking at batches of ten clicks on $10 keywords, this can run into the hundreds or even thousands.

With software able to imitate human behavior, switch IP addresses using VPNs and proxies, or even those click farms pulling the wool over the search engines’ virtual eyes, additional measures are often needed to minimize exposure to click fraud.

Using dedicated click fraud prevention software is the most effective way to make sure that you’re tackling those invalid clicks.

How can you identify click fraud?

There are several manual checks you can do yourself to see if there has been any fraudulent activity on your ad campaigns. These don’t always give a 100% accurate reflection of what has been happening but can serve as a useful outline and possibly flag up some of the more obvious violations.

Checking IP addresses

You can use tracking tools, including WordPress plugins, for IP address logging to track IP addresses that have visited your site. You can also check your website visitor logs to see how many times the same IP address pops up over a specified time. If you notice that the same obscure location or IP address has been visiting your site regularly, then this might be a red flag for you to try and block this IP address or location.
Google does offer some protection against multiple visits from a single IP address or device. Although it isn’t perfect, and the parameters might not necessarily be what you would set yourself, it is a form of damage limitation.

Checking publishers

If you’ve been subject to one of the most popular forms of ad fraud, which is channeling your ad onto a dodgy website, then checking your publisher list will help you keep an eye on it. Look in the ‘placements’ section of your Google Ads and check the high-traffic sites for any suspect activity. If you think any of them might be fraudulent, you can block them from your publishers’ list.

A few giveaways that a site is fraudulent include pages that appear to be covered in ads, no content (or very little content of any substance), and recently registered domains.

Monitor campaign activity

Suspicious timings or spikes in engagement might be a sign that someone is targeting your ads. Especially if you seem to be getting lots of clicks and little in the way of engagement.
You might also spot a high click rate from a country that might have little to do with your market.

For example, if you’re a US-based company and you appear to be getting lots of clicks from the Philippines but no conversions/sales, that could be a marker that you’ve been the target of a click fraud campaign.

Click fraud protection strategies

Aside from locations, devices, IP addresses, and dodgy publishers, it can be hard to spot other types of fraudulent traffic. Forms of fraud that mimic human behavior or hide behind proxy servers are going to be hard for you to spot yourself.

And as the processes and techniques are becoming more sophisticated, keeping track of developments and fraud can be a Herculean task. This is where using click fraud protection software comes into play and can really make a big difference.

How to manually block click fraud

Of course, you’ll want to do everything you can to limit the number of fraudulent clicks coming through on your ad campaign. It can be tricky and a little labor-intensive to get everything battened down, but it is definitely worth doing these manual fixes.

Set up IP and ISP exclusions

If you’ve identified a pesky IP address that seems to be doing something strange, and you’re pretty sure they’re messing up your PPC campaign, you can set up some exclusions. As an IP address normally refers to a specific device or location, this can cut out fraudulent PPC activity from specific users.

Check out our guide to setting up IP address exclusions.

Remarketing campaigns

If you’re not looking to boost your reach at the moment, then remarketing could be a useful campaign strategy. It looks at visitors who have visited your site before and pops up on partner websites, ensuring your brand stays in their minds and possibly even encouraging repeat custom.

Of course, one of the main benefits of remarketing campaigns is that you’ll only be showing up for people who have shown an interest in your business before. It should also limit your exposure to bots or click farms, especially if you’re not in their target area.
You can find out more about running remarketing campaigns on Google’s support pages.

Adjust your targeting

By  tweaking your targeting for your ad campaign, you can hugely reduce the exposure of your PPC campaign to fraudulent activity. Excluding certain geographic locations, languages, demographics, and devices can make a big difference to the success of your advertising. If you see suspicious activity coming from one particular demographic, exclude it and see what happens. You can always change it again later…

How To Automatically Block Click Fraud

The best way to make sure you’re keeping all of your ad spend on target and not losing any to fraud is by using click fraud protection software.

ClickCease is a market-leading click fraud protection software service that is used in over 2 million online ad campaigns. By using a sophisticated and constantly updated series of algorithms, you’ll be able to minimize your exposure to click fraud and ad fraud activity.

If you’re running Google or Bing ad campaigns, then you’ll be able to prevent bot traffic and click farm activity and minimize invalid clicks on your PPC ads. ClickCease works on all of the most popular web hosting platforms, including WordPress, Wix, Shopify, Squarespace, and Drupal.

Although ClickCease blocks the majority of fraudulent activity, if any activity is detected after it has happened, then ClickCease can provide the details for you to apply for a refund. Unfortunately, Google no longer allows third parties to apply for refunds on their customers’ behalf.

What else does ClickCease do?

In 2022, we launched our new Bot Zapping tool. Currently available for WordPress websites, Bot Zapping allows website owners to block bot fraud such as:

• Content scraping
• SEO spam injection and spam bots
• Account takeover
• Payment card fraud or carding

Blocking fraudulent activity is one thing, but ClickCease also offers some great insight tools which are incredibly useful for your marketing. You can also get new competitor notifications whenever someone starts to bid on your keywords.

As ClickCease tracks all activity on your website from PPC advertising, you can also get an insight into customer behavior. See mouse movements and where visitors to your site have clicked on your site to understand how customers interact with your business.

So as well as minimising fraud on your ad campaigns, you’ll also be able to get crucial marketing insight that could help you get the most out of your PPC advertising. When you look at the modern click-through rate as under 2% for search ads and around 0.35% for display ads, understanding how to maximize your results is essential.

We’ve come a long way since the days of 44% click rates on that very first online banner ad! Today you need as much help as you can get to win over potential customers.

Sign up for the best click fraud detection and prevention. ClickCease blocks fraud on Google, Bing, and Facebook Ads; run a diagnostic on your campaigns to see how much invalid traffic you’re seeing.

Click Fraud: FAQs

What is the difference between click fraud and ad fraud?

Ad fraud is an umbrella term that covers all deceptive practices used to manipulate digital ads for profit. It includes any scheme designed to inflate metrics or steal ad spend from advertisers. Common examples of ad fraud include:

• Impression fraud
• Domain spoofing
• Ad injection
• Click hijacking

Click fraud is a specific type of ad fraud that focuses on fake or invalid clicks on ads. The aim is to make engagement look higher than it really is or to drain a competitor’s budget.

Examples of click fraud include:

• Bots
• Click farms
• Competitor clicks
• Click spamming

Is click fraud illegal?

The act of defrauding advertisers is generally considered illegal in most countries, but the problem is policing it.

There are some cyber crime authorities to whom you can report activity if you believe there is a serious and organized threat occurring. These include Europol, the UK’s National Crime Agency, the FBI, and Interpol.

However, most of these agencies are set up to tackle more obvious cyber crime threats such as identity theft, people smuggling, drug dealing, terrorism, pornography, and other more tangible problems.

How does click fraud protection software work?

Fraud protection software constantly learns about new threats and adapts its algorithms. When a suspect IP address, device, or VPN is identified, it’s then added to the list of blocked sources. So if you’re running a PPC campaign and you’re protected by software such as ClickCease, you’ll be able to benefit from the ongoing process of identifying suspect sources.

Final Thoughts

Click fraud can drain your budget, but it’s preventable. Manual monitoring helps plug small leaks, while dedicated fraud prevention software provides a scalable safeguard.
By combining proactive targeting, data vigilance, and automated protection, you can keep your PPC spend focused where it belongs: on real customers, not fake clicks.

Get started with ClickCease and see how automated click fraud protection can block fake traffic, recover wasted budget, and maximize your ROI.