In brief
If you suspect a competitor is behind a bot attack on your ads, do not start with accusations. Start with evidence, containment, and prevention. Competitor-driven click activity is difficult to prove directly, especially when bots, VPNs, proxies, rotating IPs, or automated scripts are involved. But you can still identify suspicious patterns, reduce wasted spend, and block harmful traffic before it damages the campaign further.
The goal is not only to find who is responsible. The more urgent goal is to stop paying for traffic that has no real buying intent.
A competitor attack may show up as repeated clicks, sudden budget drain, strange location patterns, weak sessions, no real conversions, or fake leads. Sometimes it looks like one person clicking again and again. In more advanced cases, it may look distributed, with different IPs, locations, and devices that hide the pattern.
That is why the response should be calm and structured: document the behavior, tighten campaign exposure, review traffic quality, and block suspicious sources without hurting real users.
First, separate suspicion from evidence
It is easy to blame competitors when performance suddenly drops. In competitive industries, that instinct is understandable. But not every bad click is competitor fraud. Low-quality traffic can also come from poor targeting, broad match keywords, search partners, bots, click farms, spam lead forms, or automated scraping tools.
Before deciding that a competitor is behind the issue, look for repeatable evidence. Check whether clicks increased suddenly from a specific area, whether they happen during certain hours, whether sessions are extremely short, and whether the same behavior appears across similar devices or IP ranges.
You are not looking for one strange click. You are looking for a pattern that does not match normal buyer behavior.
If the clicks are expensive, repeated, and useless, the account needs protection even if you cannot prove the exact source. You do not need a legal-level conclusion before acting to protect the budget.
Tighten the campaign first
A bot attack becomes more damaging when the campaign is too exposed. Start by reducing the surface area that bad traffic can exploit.
Review location targeting. Make sure the campaign is reaching people in your intended areas, not just people who show interest in those areas. Add location exclusions where needed. If the attack appears to come from irrelevant cities, regions, or countries, clean those up first.
Then review keywords. Broad match terms can open the door to low-quality searches. If the account is under pressure, shift more budget toward tighter intent until the traffic stabilizes.
Also check networks and campaign types. Search Partners, Display expansion, and automated campaign types can sometimes bring less transparent traffic. If the suspicious activity is concentrated in one campaign type or network, isolate it instead of changing the entire account at once.
This is not about panicking. It is about reducing avoidable exposure while you investigate.
Look for behavior, not just IPs
Many advertisers focus only on duplicate IPs, but that is not enough. A competitor or bot system can use rotating IPs, mobile networks, VPNs, proxies, or different devices. If you only look for one IP clicking many times, you may miss the bigger pattern.
Look at behavior after the click. Do the users scroll? Do they visit key pages? Do they interact with forms? Do they trigger meaningful events? Do they come back like normal prospects? Or do they land, bounce, and repeat?
Also review timing. A sudden wave of short sessions can be more important than a single repeated IP. If the clicks arrive in bursts and produce no business value, that may point to automated or coordinated activity.
The best evidence usually comes from combining several signals: click frequency, session quality, location, device, timing, IP behavior, and conversion quality. This is also where dedicated bot mitigation becomes important for advertisers dealing with automated or masked traffic.
Example from a competitive PPC campaign
A company running ads in a high-cost service category notices that its budget is being spent much faster than usual. The number of clicks rises, but qualified calls do not increase. Several clicks come from areas near competitors, and many sessions last only a few seconds.
At first, the team assumes one competitor is manually clicking the ads. After reviewing the data, the picture becomes more complex. Some clicks appear normal. Some come from broad keyword matches. But one pattern stands out: repeated short sessions from similar locations and devices, mostly during business hours, with no meaningful engagement.
The team does not exclude every location or pause the campaign completely. Instead, it tightens keyword intent, reduces exposure to weaker traffic sources, adds relevant exclusions, and blocks suspicious repeat activity. Over the next few days, wasted clicks decline and more of the budget reaches users who actually behave like prospects.
The important part is that the team protected the campaign before trying to prove the attacker’s identity.
What not to do
Do not publicly accuse a competitor based only on a feeling. That can create legal and business problems without solving the campaign issue.
Do not block too broadly. If you exclude a whole city, device type, or audience segment too quickly, you may also block real prospects.
Do not assume Google or any ad platform will catch everything. Platform filters can remove some invalid clicks, but advertisers still need visibility into suspicious behavior that affects lead quality, conversion data, and budget efficiency. The broader issue is not only attribution, but understanding how click fraud works across paid campaigns.
Do not wait until the campaign is fully damaged. If the signs are strong, act early with targeted controls.
Bottom line
If a competitor may be behind a bot attack on your ads, focus on evidence and protection. Review the traffic pattern, tighten campaign settings, monitor behavior after the click, and block suspicious sources as precisely as possible.
You may never prove the exact person or company behind the attack. But you can still stop the waste, protect conversion data, and keep the campaign focused on real prospects.