What is Facebook doing against click fraud?

With almost 3 billion monthly active users (MAU) worldwide and almost endless possibilities to target users, Facebook is highly interesting for companies to run ads. Despite the data privacy controversies that reveal new data leaks almost weekly, the social network accounts for around 24% of digital ad spend in the US alone.


In our last article, we took a look at the practices and measures Google has put in place to combat click fraud. This time we want to take a closer look at Facebook and how it protects its advertisers.


Spoiler alert: There is even more room for improvement than Google.

What is click fraud?

Before we dive in, we have to specify what click fraud exactly is. In a nutshell, click fraud occurs when you receive clicks on your advertisements when the clicker has no interest in buying your product or service. Click Fraud is often committed for malicious purposes, for example, by competitors trying to drain your advertising budget or by organized fraudsters making money from fake websites.

If you want to take a deep dive into the different advertising fraud methodologies, download our whitepaper “The Hitchhiker’s Guide to Digital Advertising Fraud”.

How does click fraud look like at Facebook?

Facebook offers multiple advertising options, so click fraud can occur in several ways. The most common cases can be summarized in 2 categories:


  1. Clicks on ads within facebook.com and its apps
  2. Clicks on ads within Facebook Audience Network (FAN)


Let’s next have a look at how click fraud can occur in both categories and what measures Facebook has implemented to prevent it.



Fake clicks on ads within facebook.com and its apps

Facebook has a big issue with fake accounts on its platform. In the third quarter of 2021 alone, over 1.8 billion fake accounts were removed from the platform. In the last 4 years, a total of over 20 billion fake accounts have been removed. To illustrate this: That is more than three times the human race!


Bad guys create fake accounts in seconds, so Facebook will always be in a reactive position to delete them or incorporate stricter sign-up criteria.


But as shocking as these numbers may look, these fake accounts are not primarily used to commit click fraud. Fraudsters commit all kinds of fraud with these fake accounts, such as selling likes for posts and pages or scamming victims through direct messages or fake ads, but that is not the topic of this post.


However, if you want to delve deeper into the topic of fake likes and know why your page is most likely affected by them as well, even if you have not paid for them, we recommend watching the following video from Veritasium:

Ads on facebook.com and its apps (including Facebook, Messenger, Instagram and Whatsapp) have far less click fraud than the parts in its Facebook Audience Network. This is simply because there is no mechanism for these fake accounts to get paid for viewing or clicking ads.


But can click fraud be ruled out on Facebook’s dedicated platforms completely? If you believe various sources that have run highly targeted Facebook ads in the past, the answer is: No.


The website CMO4Hire ran a one-day ad campaign for $80 in 2016 targeting individuals over the age of 18 living in Alberta, Canada. Investigating the reports and checking the Facebook profile of each person who clicked on the ad, several strange things came to light.


Only 36% of clicks actually came from Alberta, Canada. The rest of the clicks came from around the world, with a majority coming from Thailand, India, Mexico, and Brazil – all developing countries that are notorious for committing click fraud.


Image source


This statement coincides with the findings that Limited Run, a startup that makes a software platform for musicians and labels, also made on Facebook a few years earlier. After running a campaign in 2012, their analytics software reported only 15 to 20% of the clicks reported by Facebook. After trying different analytics tools that showed roughly the same statistics, they built their own tracking software into the server side of their app. Interestingly, the remaining 80% of users showed up as “non-standard” user-agents and also had JavaScript disabled – the main reason they did not show up in the analytics tools. Two signs that this traffic most likely came from bots and other crawlers and not by real humans.


Another user even goes so far as to accuse Facebook itself of click fraud. When he compared the Facebook report numbers to his Google Analytics and LeadFerry Analytics data, he saw a 90% discrepancy. Facebook reported 192 clicks, while the other analytics tools reported only 20 clicks. The author accuses Facebook of stating artificially low cost-per-click (CPC) rates and inflating actual click numbers, tempting advertisers to spend more money to get “cheaper” traffic.


Another possibility of click fraud on dedicated Facebook platforms is carried out by competitors. When competitors see your ad in their feed, they can click on it to harm your ad spend and drain your (daily) ad budget. Fraudulent or invalid clicks from competitors can also occur automatically via various software tools or through the use of click farms.


Reports of click fraud in the Facebook feed go back as far as 2009 and were even confirmed by Facebook:


So the bad guys just create thousands of fake Facebook accounts with a wide variety of demographic information. This sounds like a lot of work, but it’s highly automated. One advertiser told me how he paid $200 to an Indian operation for 2,000 Facebook accounts. (…) Once the accounts are created, they use software to fill out the varied demographic information, and that software also manages all these accounts.


The fraudster then logs in to Facebook via these accounts and views the ads that are displayed. The right competitive ads come up and Bingo, the software then clicks them.” (Techcrunch)


The following Youtube video shows an automated, headless Chrome browser visiting facebook.com and getting ads displayed in the news feed:

The cases of ad fraud described above may seem shocking, but they are only the tip of the iceberg. Most of the click fraud associated with Facebook occurs on third-party websites outside of Facebook’s own websites and apps via its FAN.


Facebook Audience Network is very similar to Google AdSense. Website and app owners can sign up and after successful validation they can embed ads in their website and app and get paid for each click. Do you already see the problem?


Augustine Fou, a leading researcher in the field of click fraud, regularly reports stories where click fraud accounts for up to 90% of total ad spend in FAN. The stories are consistent with the reports mentioned above, in which the reported clicks in Facebook’s reporting system do not match other analytics tools.


This is insofar understandable in that these websites have an interest in inflating their numbers with fake traffic and bots that simulate engagement by clicking on ads, moving the mouse, and scrolling the page, since the website owners get paid by Facebook for every click on every ad.


But it’s not just website owners who have an incentive to use bots to increase ad clicks. Facebook itself also receives a share from the advertiser when an ad is clicked. Fake traffic and fake clicks are therefore a win-win situation for both Facebook and the fraudsters.


Augustine Fou recommends turning of FAN when running an ad campaign on Facebook. Advertisers may forgo this “scale”, but focusing on advertising on dedicated Facebook platforms will improve the results of the campaigns, as the possibility of displaying ads to real humans are far greater on its websites and apps than via FAN.

Is Facebook doing enough?

After reading the horror stories about Facebook-related click fraud, you may think that Facebook has implemented various measures and techniques to combat invalid or fraudulent clicks and protect its advertisers. While it’s true that there are many systems in place, we should ask ourselves if Facebook is doing enough to prevent click fraud. The short answer is: Absolutely not.


Apart from its fight against fake profiles, Facebook is very secretive about its actions against click fraud. In fact, the specific page about invalid clicks counts only 141 words. There are however some vague hints in its Business Help Center about the mechanisms used to combat click fraud:


  • Identification of non-human activity Facebook uses the IAB spiders/robots black list and TAG Data Center IP list to exclude non-human and invalid activities from reporting. However, since the IAB and TAG lists are reviewed quarterly, Facebook will always be in a reactive position. As we have seen above, fraudsters can create fake accounts in seconds, and over the course of three months, these fake accounts add up to billions. The same goes for botnet or click farm operators.
  • Machine learning Processes In addition to black lists Facebook also uses machine learning techniques to predict invalid traffic. Models use over a hundred features to score advertising activities and then an invalid traffic decision is made based on score thresholds. “Data sources used for machine learning include logs of account characteristics, account behavior and advertising interactions. Our machine learning incorporates hundreds of data sources of varying sizes with record counts that can range into the trillions.” (Facebook Business Help Center)


Of course, you cannot expect Facebook to be completely transparent about its practices, as this would make it easier for fraudsters to circumvent the measures. However, a rare interview with a Facebook engineer from 2012 shows that nothing groundbreaking seems to have happened in its practices since then. Mark Rabkin already talked about monitoring click activity, using statistical models and historical information, and identifying clicks from bots that do not use JavaScript more than 9 years ago.


In a more recent interview from 2019, Rob Leathern, Facebook’s Director of Product Management, made similar comments:


“We look at things like whether the click has happened within a certain time limit after the ad request was made. We also validate that clicks are associated with specific impressions.”


Leathern also stated that Facebook’s biggest challenge is the sheer number of fraud attempts combined with the various forms it can take.


“You have to defend a variety of different channels, whereas [attackers] can always focus their efforts into one particular area.”


While this may be true, Facebook would have all the necessary resources to establish dedicated teams to deal with one specific fraud case at a time. But instead of allocating resources to fight fraud, Facebook shut down various services such as LiveRail and the Audience Network’s Connected TV service. In both cases, there were reportedly major problems with ad fraud and viewability issues.

It is simply not in its biggest interest to prevent ad or click fraud, since Facebook makes money for every ad click.

Conclusion: As long as the money is flowing, Facebook does not care

In this article, we have hopefully shown you that Facebook is not doing nearly enough to fight click fraud and protect its advertisers.


Even more, Facebook intentionally deceived advertisers by pretending that fake accounts represented real people so that advertisers would spend more and more money on the platform. Documents revealed that Facebook COO Sheryl Sandberg directly oversaw the alleged fraud for years. Former employees even noted that the corporation did not care about the accuracy of numbers as long as the ad money was coming in.


This leaves a very bad taste, as Facebook does not even shy away from fraud against its own advertising partners. But how could it be any different when over 97.4% of total revenues come from advertising? Similar to Google, Facebook has no interest at all to stop click fraud once and for all, since every click on an ad is hard cash for the company – valid or fraudulent.


According to our own research, 16% of all ad clicks are invalid and come from automated, non-human traffic.


Get an independent opinion on the quality of your ad traffic and sign-up for a free trial with us.

More Articles

How much of your marketing is wasted on fake traffic?

1%, 4%, 36%?

Full access. No credit card required

Stay on top of things and subscribe to our newsletter.

fraud0 will launch soon

Sign up for launch notification

By signing up, you accept our Terms of Service and Privacy Policy.