Click spam is a deception used by unscrupulous webmasters and black-hat online publishers to artificially increase the number of clicks on advertisements and traffic to a website. It is a form of marketing fraud that hurts the business's reputation and the bottom line. Click spam can be difficult to detect, as it is often dissolved within a decent amount of legitimate traffic. At the very beginning of my marketing career, I made a fortune on click spam… just kidding :-) I worked for a CPA network that struggled with click spam and spent a little fortune to improve click spam detection and prevention. In this article, I’ll cover the following:

What is click spam?

Click spam, or click fraud, is a type of digital advertising fraud where a malicious actor attempts to generate revenue for clicks on ads without any real intention from an actual user. It artificially inflates the price of digital ad campaigns, costing advertisers billions of dollars annually.

Click spammers often target ads that offer pay-per-click (PPC/CPC) and cost per 1 thousand impressions (CPM) compensation, where the advertiser pays a certain amount of money for each click and ad view, respectively. The fraudsters can create a large number of these impressions and clicks, generating a profit for themselves while reducing the advertiser’s return on their investment.

Who suffers from click spam the most?

Advertisers. Click spam leads to ad budget burn and revenue decrease. By artificially inflating the click-through rate, businesses are tricked into thinking their ads are more successful than they actually are. It leads to companies wasting money on ads that are not generating sales. Moreover, misleading analytics data will drive wrong marketing decisions.

End users. Click spam leads to degraded performance of personal computers or mobile devices as malicious software consumes hardware resources non-stop. The infected device can become slow and unresponsive. Moreover, clicking on an ad without any intention can result in the consumer being exposed to malicious content. It could lead to viruses and malware being installed. Additionally, clicking on too many ads in a short period of time can cause internet browsers to become sluggish or unresponsive.

Who could benefit from click spam?

Publishers. While click spam brings immediate extra revenue, once exposed, it leads to earnings freeze, charge-backs, and ban from the ad agency. At the end of the day, advertisers won’t pay for just clicks and ad views without any positive impact on their bottom lines. Moreover, it harms publishers’ reputations. For savvy publishers, it can mean the end of the business.

Ad networks and agencies. Click spam can increase their commission, but in the long run, it results in disputes with advertisers, refunds, customers churn, and reputation damage. Customers may choose to go elsewhere if they doubt the agency’s trustworthiness. Сlick spam can lead to legal repercussions. Ad agencies have sometimes even been taken to court and fined for engaging in click spam.

How does click spam work?

At its basic level, click spam works by sending automated or manual requests to click on an advertisement. It can be executed in several ways: via automated scripts, manual incentivized clicks purchased from a third-party service, and automated bots that mimic human behavior.

When automated scripts commit click fraud, they target specific ads, sites, or keywords and then click on them repeatedly. It allows the malicious actor to inflate the cost of the ads artificially.

Click spam can also be executed by purchasing clicks from a third-party service. It is less common but is still a severe problem. It is done by people who are paid to click on ads or links. Malicious actors hire these individuals to generate website traffic or boost ad costs. Manual click spam can be difficult to detect, as it may appear to be legitimate clicks.

Click spam can also be perpetrated using bots that mimic human behavior. These bots are designed to imitate human online behavior and are programmed to click on specific ads or keywords.

Types of click spam

Organics poaching. It is the most user-friendly version of click spam for end customers. The malicious software acts when the user attempts to visit the advertiser’s site (e.g., Amazon). Instead of landing directly on the site (amazon.com), the user is redirected via layer sites that imitate a click on the advertiser’s ad. The user successfully ends up on the destination site with a barely noticeable delay and can make a purchase. Although, now the advertiser’s analytics system will attribute this visit and order to the malicious actor’s account and ads on his site.

Impression-as-click spam. The malicious software sends signals to the ad platform that the user clicked on the ad, while the user was only exposed to it and just scrolled down. This type of click fraud is difficult to detect because all the users are real people who saw the ad, and it is nearly impossible to distinguish which clicks are genuine.

Click flooding. The malicious software sends a massive number of clicks on a single ad from the same device to ensure the last click before the purchase, site visit, or installation. As only the last publisher gets a commission, this method is effective. Despite the noise it creates in the advertiser’s analytics system, click flooding is relatively easy to detect and eliminate.

Background clicks spam. It is the most widespread type of click fraud that costs the most damage to advertisers. The malicious software is invisible and indetectable to an ordinary user. All the activity is happening in the background — it displays an ad and clicks on it, imitating natural user behavior. The malware is usually wrapped under the cover of a helpful app that is active as long as the device is on—for example, battery savers, speed boosters, performance optimizers, memory cleaners, etc.

Click injection. The malicious mobile app listens to early signals from new apps being installed and sends fake ad clicks to take credit for the installation. This click spam technique is available on Android devices only. The malicious app is invisible or camouflaged as a system app or custom launcher.

Click farms. This type of click spam involves humans manually clicking on specific ads, keywords, and sites. They switch a large number of fake accounts, VPNs, and virtual machines to imitate the behavior of hundreds or even thousands of real people. As search engines and app stores primarily rely on user behavior, click farms can impact organic search results and app store rankings.

Botnets. They perform similarly to click farms, but the execution is automated via a computer program or artificial intelligence. The bots are programmed to send a large number of clicks to a website or advertisement to generate traffic. They usually click on ads, get to the website and behave randomly there—spend some time on landing pages, scroll up and down, and click on links, ads, buttons, and invisible elements, without any regard to the content. When malicious software stumbles upon CAPTCHA or other bot verification, it assigns an actual human to pass it through.

How to detect click spam?

There are a few ways to detect click spam on your website and advertising campaigns.

The easiest way to detect click spam is to analyze the traffic and its anomalies deeply. Notice a suddenly high number of visits coming from a single location, non-popular device, unusual operating system, browser, source, or referrer. It could be a sign of click fraud. You should also pay attention to the behavior on your website and its conversion rate deviation. If they leave quickly or navigate away after clicking on the link, this could indicate click fraud. Although, be careful, as it could also represent that you’re reaching out to a low-intent audience, at an inappropriate moment, or just misleading them.

Another way to detect click spam is to research the server logs. If you notice that most users are coming from a similar or the same IP address, User Agents, or target the same landing page, this could be a sign of click fraud.

Finally, there is an anti-click fraud software tool to detect and prevent click spam. These tools take a particular share of traffic, pass it through a sophisticated verification process and compare results and deviations with the natural user behavior. It can include:

  • CAPTCHA verification
  • Comparison of declared and actual screen resolution
  • Tracking time to action
  • Verification of browser’s permissions and settings
  • Comparison of detected and declared User Agent
  • Tracking the mouse movements trajectory and speed, etc.

Using anti-fraud software can be both invisible and intrusive for the end user. Still, it is effective and justified in identifying suspicious clicks and blocking suspicious traffic and malicious sources.

Click fraud is a severe problem, and technology development makes it more difficult to distinguish genuine users from bots. However, following these steps, you can detect and filter out click spam from your traffic.

Should advertisers avoid click spam?

As click fraud can cause significant losses, conventional wisdom nudges us that it should be stopped at all costs. Some companies spend more money detecting and preventing click spam than they could earn from those clicks if they were real. At the extreme, click spam prevention can cost a fortune and make an effective ad campaign unprofitable.

Moreover, savvy bad actors learned to dissolve fraudulent clicks with the real ones, so the advertisers are unlikely to switch off the suspicious traffic source even if caught. Although, some companies are very aggressive with click spam detection and cut off even ROI profitable publishers suspected of fraud.

In my view, click spam is definitely evil. As any harm in our life, it can’t be completely defeated. Moreover, we need a minimal amount of evil (click spam) in our world to improve the evil-detection and -prevention mechanisms. Lastly, with some marketing channels and traffic sources, it is difficult and expensive to white-list only good and genuine traffic. So, it’s better and more profitable to leave everything as is and monitor if the click spam didn’t destroy your ROAS.

How to prevent click spam?

The ordinary best practices for click spam prevention include using the following:

  • secure hosting and CDN
  • reliable and up-to-date content management system
  • verified solutions to protect the site from spam and malware
  • CAPTCHA software.

While these recommendations are helpful, it will be not enough for big sites with a considerable volume of traffic.

The most effective way to avoid car robbery is not leaving valuable items in it. The same is relevant for preventing click spam. Avoid CPC and CPM models and adjust your advertising terms to CPA or revenue share, so your publishers won’t be motivated to inflate the number of views and clicks. It will safeguard you from automated, manual, and background click spam, but not organic poaching. Moreover, some prominent publishers suspected of click spam are big enough to impose their terms and usually work on CPM or CPC only.

Avoid Run-of-Network (RON) traffic. Basically, RON means you’ll never find out the actual traffic source. Scrappy ad agencies might claim that they just don’t disclose their publisher, so you didn’t go and buy directly from them. Although, in most cases, there is no real publisher, and the clicks are generated either by botnets or click farms. So, purchase ad placement directly from prominent and trustworthy publishers or their exclusive representatives instead.

Detect and research every anomaly of your traffic, channel, and website. It is a time- and resource-consuming process, yet the most effective measure you can take against click spam.

Perform regular traffic checks and verification of new channels using anti-click spam software. There is no need to send all the traffic to your click verification vendor. A statistically significant sample on a timely basis will be enough. Recurrent traffic checks will help you establish and track normal benchmarks for your site. New channels checkups will illustrate the deviation of new channels’ performance against your standard metrics.

Finally, it is essential to be aware of the different types of click spam and be proactive in protecting your website and marketing spending. Be aware of the latest trends in click fraud and take steps to prevent it.