What is Google doing against click fraud?

Do you believe that all clicks on your ads in the different Google channels are performed by real people who are really excited and interested in your product?

 

And do you also believe that Google, being THE dominant tech giant that it is, is doing enough to protect your ad spend from fraudulent clicks?

 

We hate to say it, but we have to disappoint you. But you are not alone in your assumptions. Google does a fantastic job of fooling you into thinking it’s safe.

 

It tells you on countless pages what measures it takes against click fraud in order to protect your money. All this while you think your ads are reaching hundreds of thousands of people who fit the exact profile of your target audience.

 

But with 11% of search ad clicks and 36% of display ad clicks being invalid or fraudulent, Google does not do as good a job as it would like to make you believe.

 

In the following article, we will take a closer look at the practices Google uses to protect advertisers from click fraud, why they are insufficient, and why it is not in Google’s interest at all to protect advertisers from click fraud.

 

In addition, we will highlight some of the biggest fraud cases related to Google products, as well as the most prominent lawsuits related to click fraud.

What is click fraud?

In a nutshell, click fraud occurs when you receive clicks on your advertisements from clickers who have no interest in buying your product or service. Click fraud is often committed for malicious purposes, for example, by competitors trying to drain your advertising budget or by organized fraudsters making money from fake websites.

We have written in-depth about click fraud in our whitepaper “The Hitchhiker’s Guide to Digital Advertising Fraud”. Download it now, if you want to learn more about click fraud and other advertising fraud methods.


Since Google offers multiple advertising options, there are several ways click fraud can occur on Google. The most common can be summarized into 3 categories:

 

1. Search ads click fraud

With the help of Google Ads (formerly Google AdWords), you bid on keywords to place your ad in search results for relevant search queries. Based on various factors (e.g. bid amount, landing page quality, etc.), your ads will be displayed to searchers in different locations on the search results page. You then pay for search ads when your ad is clicked on.

Search ads click fraud occurs when you get fake clicks on your Google Ads, whether from unintentional clicks, competitors trying to drain your ad spend, or bots clicking your ad.

 

2. Display ads click fraud

The Google Display Network is the #1 global display ad network, reaching over 90% of internet users worldwide, with more than a trillion impressions served to over 1 billion users every month (Google). Publishers can sign up with Google AdSense to place display ads on their website and then get paid every time an ad is clicked.

 

Display ads click fraud occurs when you get fake clicks on your display ads. Most often, this is done by fraudsters who set up fake websites, place display ads on them, and then send fake bot traffic that clicks on the ads.

 

3. Click fraud from apps

With over 2.8 billion active users and a global market share of 75%, Google’s Android is the most popular operating system in the world. Google Play Store is also the largest app store and holds over 2.7 million apps. The large market share and the fact that Android smartphones are much cheaper than their biggest competitor, the iPhone, make them particularly interesting for fraudsters.

 

Malicious code in apps can also lead to click fraud originating from smartphones. These applications often open hidden browser windows in which they visit fraudsters’ websites and click on advertisements. All without the knowledge of the victim.

 

Now that we have roughly categorized click fraud on Google, let’s next look at what specific measures Google has implemented in the 3 areas to prevent click fraud.

 

How Google fights click fraud

First of all, Google does not use the term “click fraud” very often. Instead, it speaks of “invalid traffic” and “invalid clicks”.

Below are some types of clicks and impressions that Google considers to be invalid:

 

  • Accidental clicks that have no value, such as the second click of a double-click or when a mobile user reaches for a link and taps an ad instead.
  • Manual clicks meant to increase someone’s advertising costs.
  • Manual clicks meant to increase profits for website owners hosting your ads. This includes incentivized clicks by the publisher.
  • Clicks and impressions by automated tools, robots, or other deceptive software.
  • Impressions, meant to artificially lower an advertiser’s click-through rate (CTR).

 

Google has numerous solutions in place and looks at different data points to combat click fraud. This includes over 200 automated filters in real-time (e.g. via specific user-agents, IP addresses, time of interaction) and also manual detection and review by its Ad Traffic Quality Team.

If Google detects invalid clicks on your ads through any of the above mechanisms, your account will be credited so that you do not have to pay for the malicious clicks.

 

Manual click fraud detection

The secretive Ad Traffic Quality Team is mysterious to many, even within Google, and rarely talks about its practices. In a 2015 interview with AdAge, they lifted the curtain a bit and gave the world a glimpse into their work.

 

The team is presented with chunks of potentially malicious raw code from a handful of resources, including VirusTotal and spider.io, both companies acquired by Google.

 

The team then must reverse-engineer the malicious code to learn the characteristics and so-called “signals” of a particular botnet. A signal is a type of behavior that does not exist under normal circumstances with human users, but is unintentionally generated by the fraudster while programming the bot. A signal can be a value in a specific cookie field, but also specific mouse-movements between two points on a web page.

The pattern found is then overlaid with the ad click data to find matching traffic blocks. Since a single signal is often not enough to identify traffic as fraudulent, the team needs a series of signals appearing at the same time to definitively say that the traffic belongs to a particular botnet and dispose of it.
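The overlay step described above, sketched as an added example (not Google's code and not from the AdAge interview): a botnet signature is a set of signal checks, and a click is attributed to the botnet only when several fire together. The field names, the `visit_seq` cookie, the thresholds and the sample clicks are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Click:
    click_id: str
    user_agent: str
    cookies: dict
    mouse_path: list   # [(x, y), ...] pointer samples recorded before the click
    ms_to_click: int   # time from page load to ad click, in milliseconds

def cookie_marker(c):
    # Hypothetical signal: the bot always writes the same value to one cookie field.
    return c.cookies.get("visit_seq") == "1"

def straight_mouse_path(c):
    # Every pointer sample lies exactly on the line between the first and last point.
    p = c.mouse_path
    if len(p) < 3:
        return False  # too few samples to say anything
    (x0, y0), (x1, y1) = p[0], p[-1]
    return all((x1 - x0) * (y - y0) == (y1 - y0) * (x - x0) for x, y in p[1:-1])

def instant_click(c):
    # Click arrives faster than a person could read and react (assumed threshold).
    return c.ms_to_click < 150

def headless_agent(c):
    return "HeadlessChrome" in c.user_agent

# Signature of one hypothetical botnet: the signals learned from its code.
SIGNATURE = {
    "cookie_marker": cookie_marker,
    "straight_mouse_path": straight_mouse_path,
    "instant_click": instant_click,
    "headless_agent": headless_agent,
}
MIN_SIGNALS = 3  # a single signal also occurs in human traffic

def fired_signals(click):
    return sorted(name for name, check in SIGNATURE.items() if check(click))

def overlay(clicks):
    """Return {click_id: fired signals} for clicks matching the signature."""
    matches = {}
    for click in clicks:
        fired = fired_signals(click)
        if len(fired) >= MIN_SIGNALS:
            matches[click.click_id] = fired
    return matches

# Constructed sample click records.
SAMPLE_CLICKS = [
    Click("bot-1", "Mozilla/5.0 HeadlessChrome/90.0", {"visit_seq": "1"},
          [(0, 0), (50, 25), (100, 50), (200, 100)], 40),
    Click("bot-2", "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0", {"visit_seq": "1"},
          [(10, 10), (20, 20), (30, 30)], 90),
    Click("human-1", "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0", {"visit_seq": "1"},
          [(0, 0), (40, 10), (90, 60), (200, 100)], 2400),
    Click("human-2", "Mozilla/5.0 (iPhone) Safari/604.1", {},
          [(5, 5), (6, 9)], 120),  # accidental double tap: one signal only
]

if __name__ == "__main__":
    for click_id, fired in overlay(SAMPLE_CLICKS).items():
        print(click_id, fired)
```

Both human clicks trip exactly one signal and stay unflagged, which is why the signature requires several signals at once.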

 

Is Google doing enough?

At the time of the interview, Google’s Ad Traffic Quality Team numbered just over 100 people. Even if the team has certainly grown somewhat in recent years, it is only a tiny fraction of the total workforce of over 135,000.

 

In short, Google allocates only about 0.1% of its employees to click fraud detection, far too little according to many expert opinions.

 

 

Manual Google AdSense site verification

Another layer of security that Google has introduced to combat ad fraud is manual website verification when website owners want to embed Google AdSense on their website. Each website must adhere to the Google Publisher Policies in order to be approved to run ads.

 

Is Google doing enough?

Although Google manually checks the quality of the websites before approving them for displaying ads, it is not very difficult for a fraudster to submit a website to AdSense. The site just needs to look halfway decent, have good load times, and provide enough content for human use.

However, it is quite easy for a fraudster to create a website that meets all the requirements. They automatically scrape large publications, let a simple artificial intelligence rewrite the content, and have a finished website within minutes, ready to be monetized by different advertising networks, including Google AdSense.

In fact, a marketer who looked at over 48,000 AdSense sites estimated that around 90% of them are fake. He suggests stopping the use of automatic placements and instead using a tool like SEMrush to search websites by topic and then manually place ads on them.

But you have to give Google credit for the fact that their AdSense verification was one of the few ad networks to reject a fake website set up by a CNBC reporter. The main reason was probably that she had created an exact copy of CNBC’s main website, which is easily recognized as “scraped” or “duplicate content” by Google’s search index crawlers.

 

 

Automated app scans via Google Play Protect

In 2017, Google introduced Google Play Protect, Google’s comprehensive security service for Android that is built into every device with Google Play. Play Protect offers two levels of protection to detect Potentially Harmful Applications (PHA):

 

1. Cloud-based security
Before an app is available in the Google Play Store, it must go through a review process that includes an automatic risk analysis of the application and, if necessary, also a manual review. It also uses machine learning algorithms, so Google’s systems learn which apps are harmful and which are safe by analyzing the entire app database. “The algorithms look at hundreds of signals and compare behavior across the Android ecosystem to see if any apps show suspicious behavior, such as interacting with other apps on the device in unexpected ways, accessing or sharing personal data without authorization, aggressively installing apps (including PHAs), accessing malicious websites, or bypassing built-in security features.” (Google)

 

2. On-device protection
In addition to cloud-based security mechanisms, Play Protect also offers a handful of on-device protections to keep devices malware-free. Every time a new app is downloaded from the Google Play Store, Play Protect performs an in-depth security scan and looks for malicious code with one of the following objectives:

  • Compromise the integrity of the user’s device.
  • Gain control over a user’s device.
  • Enable remote-controlled operations for an attacker to access, use, or otherwise exploit an infected device.
  • Transmit personal data or credentials off the device without adequate disclosure and consent.
  • Disseminate spam or commands from the infected device to affect other devices or networks.
  • Defraud the user.

 

In late 2018, Google announced that it was proactively analyzing every app it could find on the internet by decomposing each app’s APK and using deep analysis to extract PHA signals.

 

“Static analysis examines the different resources inside an APK file, while dynamic analysis checks the behavior of the app when it’s actually running. These two approaches complement each other. For example, dynamic analysis requires the execution of the app regardless of how obfuscated its code is (obfuscation hinders static analysis), and static analysis can help detect cloaking attempts in the code that may in practice bypass dynamic analysis-based detection. In the end, this analysis produces information about the app’s characteristics, which serve as a fundamental data source for machine learning algorithms.”

 

Furthermore, Google collaborates with security companies ESET, Lookout, and Zimperium under the App Defense Alliance to ensure the safety of the Google Play Store.

 

Google’s machine-learning detection capabilities and enhanced app review processes prevented over 962,000 policy-violating app submissions from getting published to Google Play in 2020 alone. In addition, more than 119,000 malicious or spammy developer accounts were banned.

 

Is Google doing enough?

The short answer is: absolutely not. Although Google has taken numerous security measures to keep its app store free of malicious apps, there are still too many news reports every month about malicious Android apps with millions of downloads.

A 2020 study conducted in collaboration with NortonLifelock Research Group and IMDEA Software Institute found that the Google Play Store is a major source of malicious apps. 87 percent of all app installs emanated from the Play Store, but 67 percent of malicious app installs also originated from Google’s official app store.

“[…] although Android defenses pose some barrier to unwanted apps, a significant percentage of such apps can circumvent it, highlighting the need for additional security layers. The constantly evolving Android threat ecosystem is catching up in size and complexity with that of Windows.” (NortonLifelock)


 

Another study by the independent IT security institute AV-Test found that Google Play Protect is one of the least accurate methods for detecting malware. In fact, it was the worst of all 17 security applications tested, detecting only about 37% of malicious applications.

 

“The current test indicates, however, that Android users should not rely solely on Play Protect. Google’s scan tool only identifies just over one-third of the nearly 6,700 malware samples in the test. Over 4,000 simply sneak through. For comparison: the poorest test result of the AVG security app has a detection rate of 98.9 percent.” (AV-Test)


Blocking nearly 1 million app submissions in 2020 and over 1.9 billion malware installs from non-Google Play sources in 2019 may sound like a lot, but it’s only a fraction of the malware found in Android apps today.

Biggest click frauds at Google

To give you some insight into the extent of click fraud, let’s take a look at some of the biggest scams of the last few years. For many more ad and click fraud cases, have a look at our post “Biggest ad fraud cases of the past 5 years”.

 

Pareto

In early 2021, a massive botnet called Pareto was discovered disguising Android smartphones as connected TVs. The malware infected over 1 million Android smartphones and was responsible for over 650 million ad requests per day. The infected devices looked like TVs to advertisers and prompted them to show an ad every 30 seconds. However, instead of showing the ads to real people, the apps simply called the specified API and indicated that the video was being watched.

The malicious code came bundled with inconspicuous-looking apps via the Google Play Store.

 

Cheetah Mobile

At the beginning of 2020, Google removed over 600 apps from Chinese developers Cheetah Mobile and Kika Tech from the Play Store for practicing click flooding and click injection. With click injection, the apps listened for when a user downloaded a new app via the Google Play Store. As soon as a new download was detected, the apps looked for active install bounties available for the app in question and sent off clicks that contained the relevant app attribution information to ensure Cheetah and Kika won the bounty, even though they had nothing to do with the app being downloaded.

While these apps were not necessarily practicing classic click fraud, they were downloaded over 2 billion times from the Google Play Store and committed a more advanced type of click fraud.

 

VidMate

In May 2019, it was discovered that the VidMate app, an Android app that allowed users to download videos from video streaming services such as YouTube or Vimeo, was displaying hidden ads and generating fake clicks. Moreover, the app downloaded and installed other suspicious apps in the background without the user’s consent.

The app has been downloaded over 500 million times due to its popularity in developing countries such as India and Brazil.

 

Bonus: Malicious Chrome extensions


One topic we have not talked about in this blog post is Google’s Chrome browser. With a market share of over 65% across desktop and mobile platforms, it is the sole leader in the browser market. With this top position, it also becomes interesting for fraudsters who find ways to exploit it.

 

At the beginning of 2018, four malicious Chrome extensions ran a click fraud scam. The extensions contained malicious code that not only allowed the fraudsters to proxy their browsing through the victim’s browser, but also earned them monthly revenue of about $350,000. The extensions could be downloaded from Google’s official Chrome Web Store.

There are hundreds of other cases of ad and click fraud related to Google and its various products. If you want to learn more, have a look at our post “Biggest ad fraud cases of the past 5 years”.

Why is Google not doing more against click fraud?

Most of what Google does seems to be reactive rather than proactive. But it is also not in Google’s interest to lead the fight against click fraud.

 

Advertising has always been Google’s top priority, accounting for nearly 81% of its profits. Of the $181.69 billion in profits in 2020, $146.9 billion came from advertising. In the third quarter of 2021, advertising accounted for $53.1 billion of the $65.1 billion (81.5%) in revenue.

 

As an advertiser, Google makes money whether clicks are legitimate or not. As long as it is profitable for them, they see no need to change anything.

 

On the other hand, it is also questionable whether the entire advertising industry has an interest in completely reducing advertising fraud. Of course, no small business wants to spend money unnecessarily, especially not on non-human visitors who can’t convert at all. But for large advertisers, the numbers of ads delivered would plummet overnight, and the astonishment would be great at first.

 

Leading fraud researcher Dr. Augustine Fou wrote about how ad fraud is so normal these days that everybody knows of it, but no one wants to really see it:

 

“The fraudulent digital ads look good enough that the buyers (media agencies and advertisers alike) can “show off” to their bosses the large quantities they bought and the “great deals” they got too. (…) Now that ad fraud has been going on for so long, across all types of digital ads (display, video, mobile, app, connected TV, etc.) it’s so normalized that people don’t even see it, even though they are staring right at it. The excel spreadsheets and dashboards clearly show the ad fraud — but they are so used to seeing the large quantities of impressions and clicks, it looks normal to them. In fact, they want even more – more ads, lower prices, and more clicks — the insatiable demand that fuels more ad fraud and bot activity.” (Dr. Augustine Fou)

 

A recent study found that:

  • 11% of search ad clicks are fraudulent or invalid
  • 36% of display ad clicks are fraudulent or invalid
  • 17% of CTV impressions are fraudulent or invalid

 

When you consider the one trillion ad impressions for Google AdSense, an average click-through rate of 0.46% across all industries, and the 36% of clicks on display ads that are fraudulent, you come up with a staggering 1.65 billion clicks on display ads per month that are fraudulent or invalid. Taking the average cost per click of $0.63 for Google’s display network, this translates into a loss of around $1 billion per month from display ad click fraud alone. Looking at these numbers makes you nauseous.


If you think you have fraudulent behavior on your Google Ads campaigns, you should file a refund request. Before requesting a refund from Google, it’s important to make sure you have the correct data and evidence (e.g. from server logs, tracking tools etc.) available, since you can only submit a request once every 60 days.

 

You need to take the time and effort to sift through your campaigns to determine what is click fraud and what is not. Google will not do the work for you.

 

After you have all your data and evidence collected, you can submit your refund request via the official Google form. Don’t get your hopes up too high in this step, as only 20-25% of claims are actually refunded.

 

Simon Young, CEO of a digital media agency, discovered fraudulent clicks on his client’s ads in 2018. What followed was a scavenger hunt for technical details of the alleged visitors and a communication with Google that stretched over several rounds. The result: despite solid evidence that hundreds of clicks on ads came from just 7 devices (7 different MAC addresses), Google did not refund any money. The clicks in question most likely came from autoclicker software used by the customer’s main competitor.
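The kind of server-log evidence mentioned above, many ad clicks concentrated on very few clients, can be pulled from a web server access log. The following is an added example, not code from this article or from Google: it assumes combined log format, Google Ads auto-tagging (the `gclid` URL parameter), IP address plus user agent as the client key (server logs do not contain MAC addresses), and constructed sample lines and thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlparse, parse_qs

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def ad_clicks(lines):
    """Yield (ip, user_agent, gclid, time) for every hit that carries a gclid."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        gclid = parse_qs(urlparse(m["url"]).query).get("gclid")
        if gclid:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], m["ua"], gclid[0], ts

def concentration_report(lines, min_clicks=5, max_median_gap=60):
    """List clients with many distinct ad clicks in quick succession."""
    first_seen = defaultdict(dict)  # (ip, ua) -> {gclid: first hit time}
    for ip, ua, gclid, ts in ad_clicks(lines):
        seen = first_seen[(ip, ua)]
        # A reload of the landing page repeats the gclid; count it once.
        seen[gclid] = min(ts, seen.get(gclid, ts))
    total = sum(len(seen) for seen in first_seen.values())
    report = []
    for (ip, ua), seen in first_seen.items():
        times = sorted(seen.values())
        if len(times) < max(2, min_clicks):
            continue  # too few clicks to compute gaps or to matter
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if median(gaps) <= max_median_gap:
            report.append({
                "ip": ip, "user_agent": ua, "clicks": len(times),
                "share": round(len(times) / total, 2),
                "median_gap_s": median(gaps),
                "first": times[0].isoformat(), "last": times[-1].isoformat(),
            })
    return sorted(report, key=lambda row: -row["clicks"])

# Constructed sample log: one client clicking every 20 seconds, two ordinary
# visitors (one reloads the landing page) and one hit that is not an ad click.
UA = "Mozilla/5.0 (X11; Linux x86_64)"
SAMPLE = [
    f'203.0.113.7 - - [12/Mar/2021:10:{i * 20 // 60:02d}:{i * 20 % 60:02d} +0000] '
    f'"GET /landing?gclid=TEST-{i} HTTP/1.1" 200 512 "-" "{UA}"'
    for i in range(8)
] + [
    '198.51.100.10 - - [12/Mar/2021:10:05:00 +0000] '
    '"GET /landing?gclid=TEST-a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone)"',
    '198.51.100.10 - - [12/Mar/2021:10:05:09 +0000] '
    '"GET /landing?gclid=TEST-a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone)"',
    '198.51.100.22 - - [12/Mar/2021:11:30:00 +0000] '
    '"GET /landing?gclid=TEST-b HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh)"',
    '192.0.2.5 - - [12/Mar/2021:11:31:00 +0000] '
    '"GET /pricing HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0)"',
]

if __name__ == "__main__":
    for row in concentration_report(SAMPLE):
        print(row)
```

Each reported row gives the client, its click count, its share of all ad clicks and the first and last timestamps, which is the detail a refund request needs to reference.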

 

But what can you do if you do not get a refund from Google? You could try to take them to court.

Famous lawsuits against Google for click fraud

Since not many people can afford to sue a tech giant like Google, there are not many public lawsuits. Below are some of the rare lawsuits against Google for click fraud.

 

 

Lane’s Gifts and Collectibles

In 2006, 70 plaintiffs alleged that Google misled advertisers about the actions it would take against click fraud and that the tech giant did not do enough to combat fraud. The class action lawsuit filed by Lane’s Gifts and Collectibles also alleged that Google charged advertisers for invalid clicks on their ads, which hurt their businesses and led to large losses.

The outcome: Google settled the case for $90 million. $30 million went to attorneys, and the rest was provided as advertising credits to plaintiffs. The credits represented a refund of $4.50 for every $1,000 spent on Google’s ad network over the past four years.

 

Gurminder Singh

In 2016, a business owner named Gurminder Singh filed a class action lawsuit against Google. He claimed that the company’s assurances that it was effectively fighting click fraud on its display network were exaggerated.

He conducted a series of tests to verify his suspicion of fraudulent clicks in his campaign by creating a real ad and a gibberish ad twice and comparing the number of clicks received. The real one got 68 clicks and the fake one 64 – a fraudulent click-through rate of 48 percent in Singh’s opinion.

After being rejected multiple times, the lawsuit has now been sent back to a lower court and awaits trial.

 

AdTrader

In 2017, Google granted refunds to some advertisers whose ads were served on websites with confirmed fraudulent or invalid traffic. When the fraud was uncovered, Google was ready to pay back its “platform fee”, which represents between 7% and 10% of the total value of the ad spend.

AdTrader filed a class action lawsuit against Google in California federal court, alleging that Google “unlawfully appropriated” promised refunds to advertisers. The lawsuit alleges that Google never actually issued refunds after recovering money from publishers accused of having inflated or fraudulent traffic.

AdTrader notes that even Google’s own support team “admitted that they never had a system in place for such refunds”.

 

Australian SMEs

Since the beginning of 2021, Australian SMEs suspicious of click fraud have been pursuing a legal battle with Google, saying that Google is not doing enough to stop fake clicks. It is estimated that Australian marketers lost $756 million to invalid clicks on their paid search campaigns last year.

The lawsuit has not yet been filed, but Mark Stanarevic, a lawyer and consultant with Matrix Legal in Melbourne, says he has been contacted by a number of small businesses.

Google prefers a settlement out of court for all lawsuits in order not to have to disclose details about its practices regarding fighting click fraud. If the cases were to go to trial, Google would have to present and explain its algorithms and methods publicly. This in turn would be a big win for all fraudsters, as they would know exactly how Google blocks them.

Conclusion: Much room for improvement at Google

In this article, we’ve shown you all the evidence of what Google is doing to combat click fraud, what measures it is proactively taking, and where these practices fall short.

 

Everything leads to the assumption that Google should be doing much more to protect its advertisers and their money. However, since advertising is its main revenue channel and it makes money from every click – valid or fraudulent – its primary intention is not to stop click fraud once and for all.

 

According to our own research, 16% of all ad clicks are invalid and come from automated, non-human traffic.

 

Get an independent opinion on the quality of your ad traffic and sign-up for a free trial with us.
