What is click fraud? | How click bots work

Click fraud is when fake clicks target pay-per-click ads, boost the search rankings of a webpage, or artificially inflate the popularity of a post on social media. Click bots are often responsible for click fraud.

Learning Objectives

After reading this article you will be able to:

  • Understand what click fraud is and why it occurs
  • Learn how a click bot works
  • Learn about the negative effects of click fraud

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is click fraud?

Click fraud is when a person or a bot pretends to be a legitimate visitor on a webpage and clicks on an ad, a button, or some other type of hyperlink. The goal of click fraud is to trick a platform or service into thinking real users are interacting with a webpage, ad, or app.

Click bot committing click fraud

Click fraud usually occurs on a large scale – each link is clicked many times, not just once, and usually multiple links are targeted. To automate this process, click fraudsters often use bots that "click" over and over. Bots comprise roughly 50% of all Internet traffic.* As much as 20% of websites that serve ads are visited exclusively by fraudulent click bots.**

Click fraud can have a variety of motivations. Most often, especially with ad fraud, the fraudsters are after financial gain. Sometimes, companies use click fraud to hurt their competitors' ad budgets by targeting their PPC (or "pay per click") ads with fraudulent clicks. Click fraud could have ideological motivations as well – artificial likes or upvotes to a post to make certain sentiments seem more popular than they really are, for instance. Cyber criminals can also use click fraud to make a malicious webpage show up higher in search rankings so that it appears legitimate.

Common types of click fraud

One example of click fraud is ad fraud: when a website operator drives fraudulent clicks on PPC display ads on their own website. Click fraud perpetrators can set up webpages that display PPC ads, and then use click bots to "click" on those ads. With each click, the ad network has to pay the website operator (the scammer). The more fraudulent clicks there are, the more the ad network has to pay the website if the fraud goes undetected.

Ad fraud can also be a financial attack on the company paying for the ads. In such a scenario, scammers target PPC ads on a web property they don't own. The scammer isn't looking to make money from the clicks, but the targeted company has to pay the ad network for each click, costing them money.

Another use case for click fraud is when someone tries to game search engine rankings by artificially boosting the click through rate. "Click through rate" refers to how many users out of all the total visitors to a page click on a certain link. Click through rate is a ranking factor that search engines like Google take into account, although it's not known how much of a factor it is. The goal of click fraud in this scenario is to increase the click through rate of a webpage, thereby increasing the search engine ranking and causing more real users to visit the page.

What is a click bot?

A click bot is a bot that is programmed to carry out click fraud. The simplest click bots will just access a webpage and click the desired link. Well-designed click bots will also be programmed to take actions that a real user would also take – mouse movements, random pauses before taking an action, mixing up the timing between each click, and so on. In this way, the scammer who wrote the bot hopes to disguise the bot clicks as being from legitimate users.

Because hundreds or thousands of clicks from a single device would immediately look suspicious, a click fraud campaign will typically use bots installed on many devices. Each of these devices has a different IP address, and therefore it looks like each click comes from a different user. Such a network of devices, with each device running a copy of a bot, is known as a botnet.

Botnets involve thousands or even millions of user devices that have bots installed on them. The vast majority of the time, these botnet click bots are running on the devices without the users' knowledge as a result of a malware infection. Several large, well-known botnets have been used for click fraud – for instance, "Clickbot.A" was a click fraud botnet that infected over 100,000 user machines.

Botnets aren't required for click fraud; a single bot can also propagate illegitimate clicks. However, bot traffic coming from just one machine is easier to detect and block. The web server could simply stop serving that IP address.

Does click fraud always come from bots?

While bots are commonly used to carry out click fraud, it can also be carried out by low-paid human workers. A group of such workers is called a "click farm," and click farms are often run out of areas where wages are relatively cheap, such as in developing countries.

Click farm workers will be assigned to go to certain webpages and click on designated links to artificially inflate click through rates or traffic totals for those pages. They can also be active on social media networks and "like" certain posts or pages to boost their visibility.

The advantage of a click farm, from a scammer's perspective, is that the behavior of the human click farm workers is more likely than a bot's behavior to convincingly imitate a legitimate user. The disadvantage is that using a click farm is much less efficient for fraudsters, and much more resource intensive.

Most click fraud artists don't have access to dozens or hundreds of human workers, and it's much easier for them to write a few lines of code and create click bots. This is why bot management is so important for companies looking to prevent click fraud.

How much money does click fraud cost companies?

Click fraud costs ad networks billions – advertisers were estimated to lose $19 billion due to fraud in 2018 alone. If scammers are in possession of a botnet or have hijacked IP addresses, they can carry out click fraud on a large scale: in a long-term scam that was discovered in late 2018, a single criminal organization earned over $29 million via ad fraud.

Similarly, the companies running the PPC ad campaigns can also find themselves paying for fraudulent clicks coming from bots. One source reported that in 2016, marketers lost $7.2 billion to ad fraud.

How does click fraud affect website analytics?

Click fraud can wreak havoc with website analytics. If bots are interacting with a web property, then their activities are included in the data. As a result, the people running the website can't measure the actual effectiveness of a display ad or judge the real behavior of legitimate users. This is a problem for companies that want to measure how well their content is engaging an audience, or that want accurate information about traffic and user behavior on their site.

A strategy for managing bot activity is extremely important for any website, application, or API available over the Internet. Without the ability to mitigate malicious bot traffic like click fraud, bots can negatively impact customer experiences and cost companies money.

How does click fraud prevention work?

Some advertisers have automated detection programs in place to block clicks that are probably from bots – Google, for instance, uses machine learning to filter out ads-related activity from bots, along with a manual review process. Cloudflare Bot Management also uses machine learning to detect and mitigate click fraud. In such machine learning programs, if a user's activity differs too greatly from typical user activity – for example, if all a user does is click on ads – then that user is marked as a likely bot.

Enterprise organizations are not the only ones who need to defend against click fraud. Smaller sites can use Super Bot Fight Mode, now available on Cloudflare Pro and Business plans, to analyze their bot traffic and defend against bot-driven attacks.

*https://www.theatlantic.com/technology/archive/2017/01/bots-bots-bots/515043/

** https://www.theverge.com/2017/5/24/15681080/ad-fraud-websites-traffic-bots-white-ops-report