With attention-grabbing figures like “$25 billion lost to click fraud each year”, clearly click fraud is an illegal practice. In fact, the facts around whether click fraud is illegal are a little murky.
Yes, there have been arrests and court cases around the defrauding of online advertisers. And yes, the PPC platforms are doing their best to close the loopholes that continue to allow PPC fraud to proliferate. But is click fraud actually illegal?
Ad fraud vs click fraud
Although ad fraud and click fraud are part of the same family, the terms are not interchangeable. It helps to understand what they mean and how they relate to you, the advertiser.
Click fraud is any form of ‘invalid click’ (as the PPC platforms refer to these clicks) which has a malicious intention. This can be from your rivals who are looking to deplete your advertising budget. Or it might be an automated traffic source clicking on your paid links.
Competitor click fraud is probably one of the best examples of click fraud, and it is one situation where you might consider pressing charges.
Ad fraud tends to be run by more sophisticated operations, running click fraud processes on a wholesale scale. This tends to include running huge ad clicker botnets, spreading malware and using complex programming software to spoof websites to divert your marketing budget to their own pocket.
Invalid traffic is what the PPC ad platforms refer to when talking about any non-genuine click on your paid ads. This includes everything from organised fraud down to genuine accidents such as a slip of the finger.
The legal side
As mentioned, the laws around the legality of click fraud (or otherwise) are a little murky. Generally, although most countries don’t have specific laws against click fraud, they do tend to have laws that cover cybersecurity or ‘information technology’.
In conjunction with existing fraud laws, most court cases against click fraud focus on aspects such as wire fraud, data theft, deception and money laundering.
China, for example, has the Anti-Unfair Competition Law, which is supposed to tackle issues such as stealing trade secrets and bribery. However, the wording of the ‘unfair advantage’ can also include fake clicks on paid ads, i.e. click fraud or ad fraud.
The European Union is one of the planet’s most progressive territories when it comes to digital rights. The GDPR was one of the first pieces of legislation to give internet users rights over their data. So surely click fraud and ad fraud will have some laws against it here?
In fact, the European Union does have some of the strictest anti-fraud laws in the world. At a federal level, there is solid anti-fraud protection from OLAF, the anti-fraud office.
However, individual states also make some aspects of click fraud illegal.
German cybersecurity laws do cover owning or operating software with the intention of committing ‘computer fraud’. This covers a broad area such as hacking, phishing and data theft. There is no specific law against click fraud, but German fraud laws could be applied together with the country’s cybersecurity legislation.
In India, the Information Technology Act 2000 (IT Act) does cover a lot of the facets of click fraud. However, the most relevant law would be the Indian Penal Code (Section 420), which covers most practices related to fraud. There is no specific law against click fraud or ad fraud.
The US has some of the strictest anti-click fraud laws. The Computer Fraud and Abuse Act was set up to cover mostly national security and personal data, but has been amended numerous times. Almost all successful click fraud lawsuits have been prosecuted on US soil.
Depending on where you are, click fraud may not be illegal in and of itself. But you can likely find a way to prosecute if you can get the proof.
Click fraud lawsuits
There have been several high-profile cases around the world. These are some of the best examples of click fraud and ad fraud lawsuits, with wildly differing results.
An Italian national, Fabio Gasperini, was extradited to the USA in June 2016 to face charges related to operating an ad fraud botnet. He was alleged to have made millions by using a network of more than 150,000 computers to defraud advertisers, among other practices.
The Fabio Gasperini click fraud case was the first brought before American courts. The defendant was eventually acquitted of all felony charges and charged only with a misdemeanour, for which he served a one-year sentence and was fined $100,000.
TriMax vs WickFire
I have to be very careful with this one (I’ve already been told off by their lawyers once). WickFire and TriMax are rival digital marketing agencies in Texas, USA. Each has accused the other of carrying out click fraud on its PPC campaigns. As it stands, the case has been appealed, so it is still outstanding.
Very simply, WickFire alleged that TriMax started a click fraud campaign against them after losing a client to their rivals. However, TriMax filed a counterclaim for the same thing.
It’s complicated. I’ll let you search for that one online.
Microsoft vs Lam
Back in 2008, Microsoft was made aware of suspicious activity on ads on its platform for auto insurance. Looking deeper into it, they also noticed that keywords for World of Warcraft were following a similar pattern.
A complex pattern emerged whereby the defendants, Eric, Gordon and Melanie Lam, were depleting the budgets of auto insurance companies to boost the click-through rates on their own auto insurance ads. They then sold the details of leads on to low-level insurance companies.
Microsoft sued the Lams of Vancouver, BC for $750,000.
Dubbed the ‘click fraud kingpin’, Tsastsin operated a group of publishing companies which ran digital advertising on behalf of many agencies. By using malware, Tsastsin and his gang made over $14 million by infecting more than 4 million computers and directing traffic to their own websites and adverts.
Vladimir Tsastsin, an Estonian national, and six other men were charged in the US with wire fraud and computer intrusion over a ten-year period.
Facebook vs LionMobi & JediMobi
In late 2019, Facebook sued two software developers based in Singapore and Hong Kong for click injection fraud. This practice used malware which was installed on Android devices to click on Facebook ads embedded in the apps.
Facebook accused both LionMobi and JediMobi of running the fraud, although the developers maintained that it was the software development kits (SDKs) distributed by them which were used for the fraud.
Pressing charges against click fraudsters
Although there is often a strong legal case against anyone committing fraud on your paid links, the difficulty lies in finding concrete proof.
Many of the cases listed above included investigations with the FBI or security companies to uncover what is often a very complex situation. Even the WickFire and TriMax case has layers of counterarguments which make it very difficult to apportion blame, even after a verdict has been passed.
We recently looked at a case of competitor click fraud on this blog which involved cooperation between business rivals to uncover one company’s fraud operation. Although this did put a pin in this particular case of click fraud, the actual proof to prosecute the guilty party would have been very hard to find.
White-collar click fraud, that is, small-medium businesses clicking each other’s ads with malice, is hard to prove even if it is illegal.
Protecting yourself against (and getting proof of) click fraud
So even if you can prove that there has been fraudulent activity on your pay per click ads, proving who did it is a whole other ball game.
The best thing to do is to make sure your PPC ads are protected. This way, you don’t have to worry about it.
ClickCease offers the industry-leading click fraud protection software so you don’t need to worry about competitors, botnet operators or (potentially) giant robots* stealing your marketing budget.
And, perhaps best of all, you can use ClickCease’s free trial to find out if you’ve been click frauded.
Spoiler alert: you probably have been, as around 90% of all PPC ad campaigns are hit by fraudulent traffic.
(*not proven to protect against giant robots)