The measurement and eradication of click fraud—bogus clicks on pay-per-click ads from anything other than potential customers—shot to the top of the hot-topic agenda in search engine marketing when Google chief financial officer George Reyes told an analyst conference in December that such fraud was a threat to his company’s business model.
That got attention, even more than the lawsuit Google filed in November against an alleged perpetrator of click fraud. The search power is reportedly seeking both compensatory and punitive damages from Texas-based Auctions Expert International, which it says signed up for Google’s Adsense ad placement program and then began systematically clicking ads on its own Web site to earn payments from Google.
In that case, Google is not revealing the scope of the alleged loss. But solid figures for the costs of click fraud to the paid-search industry are no easier to come by. Some experts have placed it at between 5 percent and 20 percent of total industry sales, which are expected to reach $3.2 billion this year.
“The data are very unreliable,” says Dmitri Eroshenko, CEO of Clicklab, a Miami-based company that is now beta testing a service to run down click fraud offenders. “For one thing, there’s a large disconnect between search advertisers and Web analytics and auditing firms. Search networks are notoriously tight-lipped when it comes to negotiating refunds or discussing what is really going on.”
What seems to be going on involves three kinds of malefactors, Eroshenko says. First, there are the owners of Internet sites who are inflating their own click numbers to pump up payments from search engines, as is alleged in the Google suit. Second, since the pay-per-click model gets advertisers to pay the search engines for the clicks they get, companies may try to deplete rivals’ ad budgets by artificially bulking up traffic to their competitors’ Web ads.
Finally, third parties are reportedly offering to take over those ad-clicking duties for a fee, using either software bots or, in some cases, large armies of clickers-for-hire. In May 2004, the Times of India ran a business story about a burgeoning click-fraud industry in that country that recruited housewives, students and others to click paid Internet ads for about $200 a month. The paper reported that entering the phrase “earn rupees clicking ads” in Google brought up thousands of results.
Eroshenko admits that his company has a vested interest in magnifying the problem, since it sells one of a number of available solutions to fight click fraud. But he insists that the stories are more than scare tactics. “All I can say is that some of our clients in the most competitive business categories see inflation for some key words of up to 50 percent,” he says. The problem is especially acute for Clicklab’s business-to-business clients, where clicks cost more than in the B-to-C world because inventory is relatively limited, searches are fewer, and deals can be big. B-to-B key words can bring in several dollars per click, and that attracts scammers.
“The perpetrators, whether people trying to make a living in a Third World country or a competitor trying to make your life difficult at home, know that they’re being watched,” says Eroshenko. “They have a limited number of clicks they can do in a given time, so they go for the more expensive key words.”
While most of the large search engines have mechanisms in place to help detect fraudulent clicking, Eroshenko says that scammers have learned the importance of simulating legitimate browsing behavior. Human clickers are instructed to spend some time on the target Web site, click around a bit, read some text, and perhaps even sign up for a newsletter.
The first step advertisers can take to protect against click fraud, Eroshenko says, is to do a thorough analysis of the distribution of prices per key word in order to zero in on their return on key word investment. With that clear strategy in mind, Eroshenko then recommends cutting key word investment to a low daily limit and tracking where that money goes for as much as a few weeks to see patterns develop that suggest fraud: for example, if your $50 daily spend lasts a week but then suddenly gets consumed in a six-hour burst of click traffic.
Eroshenko also recommends asking pay-per-click networks whether they use frequency caps, and how big those caps are. Frequency caps prevent advertisers from paying for duplicate clicks from the same IP address—a probable indication of fraudulent clicks. So companies looking to limit their exposure to click fraud should also be checking their server logs regularly to see where their click traffic is coming from on the Internet.
But these measures won’t stop truly sophisticated click fraudsters, who know enough to use anonymous proxy servers that let them use different IP addresses. Hacker sites publish lists of these anonymous proxies which both scammers and their victims can access for a fee.
This is where Clicklab comes in. Eroshenko says the company has teams who chase down those lists, cross-referencing them, and “building a database of proxy servers which is, hopefully, better than those of the perpetrators,” he says. “We want to get to those proxies first so we can start analyzing sessions originating from them.”
Clicklab also applies statistical tools to generate a score that implies whether a user session is authentic or not. The system is similar to the scoring of positive and negative points that spam filters apply to e-mail messages; one minus isn’t enough to get you accused of click fraud, but a whole string of them sets up a strong probability. Possible criteria include visit depth (how many pages did a visitor view?); abnormally high number of visitors per IP address; and high paid clicks per IP address.
Page view frequency counts, too: If a session racks up numerous page views in a matter of seconds, that’s an indication that a software bot rather than a human is doing the surfing. And advertisers can customize metrics to fit their business circumstances. For example, a company that conducts 98% of its business during regular business hours may want to assign some negative points to visits outside those times.
Clicklab also recommends penalizing users who don’t accept cookies, on the basis that not using cookies is typical bot behavior. It’s rather common human behavior too, but Eroshenko says that shouldn’t matter. “If you don’t take cookies but are a legitimate, upstanding citizen in every other respect, you’ll only generate a few penalty points,” he says. “By itself, that won’t get you singled out for fraud; but together with other indices, it can suggest wrongdoing.”
Obviously, the more anxious the paid Internet advertising industry gets about click fraud—and it’s pretty anxious already– the better for companies like Clicklab and its ilk. “When Google made that announcement about click fraud being a threat, we at Clicklab were jumping up and down from joy,” Eroshenko says.
But the company also feels that it has a major market opportunity as one of the few, perhaps the only, outsourced, subscription-based click-fraud detection service. “We’re excited about empowering vendors to do something about this important problem,” he says. “Without us, their only option is to hire a $10,000 consultant who will use questionable tools and still won’t be able to do the kind of work our engineers do on a daily basis.”