Click Fraud: What IT Should Know

As fraud grows, more marketing execs are asking IT to ascertain who's really clicking online ads

Tim Wilson, Editor in Chief, Dark Reading, Contributor

August 22, 2006

5 Min Read

If your company advertises on the Web, chances are that it's spending thousands, even millions, each month on pay-per-click advertising. But how many of those clicks represent customers, or even potential customers? With click fraud on the increase, many enterprises are beginning to wonder.

Click fraud, which can be perpetrated by humans or bots, refers to the artificial creation of clicks on an advertisement or Web page in order to inflate the number of page views recorded for that page. A publisher or search engine, for example, may attempt to "manufacture" clicks on an ad in an effort to pad its bill. In other cases, a competitor may look for ways to click on its rivals' ads in an effort to exhaust its advertising budget.

There's no way to know for sure how much of Internet advertising traffic is fraudulent, because there's no way to know what's in a user's mind when they click on a specific URL. However, Click Forensics, which offers a click fraud monitoring service that helps identify bot-generated clicks and those emanating from a single IP address, estimates that about 14 percent of "page views" are generated by fraudsters.

"It's a real threat," says Tom Cuthbert, president and CEO of Click Forensics. "It's becoming more and more complex to identify this sort of fraud, and advertisers are paying for it."

Increasingly, so are publishers and search engines. Back in March, Google agreed to pay $90 million to settle a class action lawsuit filed by advertisers who claimed that the search giant padded its numbers via click fraud. Yahoo!, which was also named in the suit, vowed to fight the allegations in court; some of the advertisers filed a countersuit over the settlement, claiming that Google was getting off too cheaply.

Google, Yahoo!, and other search engines are supposed to filter out fraudulent clicks before they bill their customers, but some critics say they aren't doing enough. Click fraud monitoring service Click Defense filed a $5 million suit against Google in May over some disputed ad refunds, and lawyer/publisher Samuel Lassoff filed a click fraud suit against Google just last week.

"And even with the settlements, which will be appealed, it still isn't clear how much fraud there was," notes Jeff Rohrs, CEO of Optiem, a marketing consultancy that specializes in online advertising. "Google says they don't want to reveal some of their data because they don't want the black hats to find new fraud techniques, but the side effect is that the advertisers are in the dark as well."

As they hunt for ways to stop click fraud from eating up their advertising budgets, many marketing executives are asking for help from IT. In some cases, IT departments analyze Web log files to look for trends and help identify likely fraud. But such analysis can be time-consuming, and the refunds it might generate usually aren't large enough to justify the effort.

More frequently, IT departments are turning to third-party monitoring services, such as Click Defense and Click Forensics, to analyze the click data provided by publishers and search engines and help generate refunds on page views that don't come from legitimate prospects.

Click Forensics, for example, analyzes each click in three ways. First, it checks the source IP address and tracks how long the "visitor" was on the site, and which pages were visited, just as most publishers and search engines do. Second, it monitors the behavior of each visitor to identify questionable behavior, such as very short page views that might indicate the presence of a bot. Third, it monitors activity by the value of a click, seeking out activity by competitors who might be trying to drive up a client's ad spending.

"That's one of the ways we know that this sort of fraud is going on," says Cuthbert. "When the price per click goes above $2, the threat of fraud goes up from 14 percent to more than 20 percent."

Prices charged by Web publishers and search engines can run as low as a few cents apiece to as much $80 per click, which lawyers targeting high-end clients might pay, for example.

Should every enterprise subscribe to a click fraud monitoring service? Probably not, says Kevin Lee, executive chairman of, a search marketing company. "If you're a small company, like a local lawyer or a dentist who spends $1,000 a month on advertising, the click fraud is most likely going to come from a competitor, not a search engine." On the other hand, large Web marketers like Travelocity don't get much fraud from competitors, because it would take an incredible amount of traffic to affect their Web advertising budgets, he says.

Cuthbert says Click Forensics is watching a new trend in which publishing affiliates agree to click on each other's sites in order to drive up traffic in a fashion that can be difficult to identify. "I'm a publisher, and I agree to click on your site's and Karl's in order to drive traffic," he explains. "You and Karl agree to click on mine, and we all get better traffic, but we're all human and coming from different IP addresses, so it's harder to detect."

Until recently, search giants such as Google have been mum about click fraud, but they are beginning to do more about it, Rohrs observes. "If I'm MSN or Yahoo!, and I find a better way to detect and filter out click fraud, I might gain a competitive advantage over Google," he says. "That's a pretty good incentive."

Search engines and publishers are also beginning to band together to work on the problem. This week, the Internet Architecture Board, which includes representatives from Google and other search engines, is meeting in New York to discuss methods for standardizing their methods of measurement, including a standard definition of what constitutes a "click," experts say.

"The IAB is a good forum for this to happen," says Cuthbert. "If there are some standards, it will be easier to separate the legitimate traffic from the fraudulent clicks."

— Tim Wilson, Site Editor, Dark Reading

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights