When most of us think of internet scams, we think of stolen credit card details, premium-rate text message (SMS) subscription swindles or e-mails from supposed heirs of African fortunes. But as it turns out, advertisers also fall for scams worth billions of dollars every year.

Ironically, the companies that most often fall prey to fraud are those that use performance-based marketing and allocate their budgets on the basis of metrics such as the number of visits, gathered leads or generated revenues.

False clicks in Google Ads

One of the best-known types of online advertising fraud is probably click fraud in Google Ads. Usually we accuse our competitors of such misbehaviour, but it can also be caused by bots which analyse search results and gather content and other data.

False clicks aren’t as dangerous as they seem.

Google successfully filters out this type of activity and does not charge the advertisers for those clicks (fig. 1).


Fig. 1. Typical Google Ads reports include up to twenty per cent of invalid clicks, filtered out by Google.

Google itself is genuinely interested in counteracting this phenomenon. Invalid clicks, if they were not eliminated, would lower the value of traffic generated by ads. In such a case, advertisers wouldn’t want to increase CPC rates, because some of the traffic they pay for would be fake and would never convert. Any tolerance or support for this type of practice would pose a great threat to Google’s reputation and the trust of advertisers, and it could result in multi-million penalties. So, Google is an ally of advertisers.

What about those invalid clicks which Google does not recognise though? The advertiser who runs their Google campaigns, in the long run, shouldn’t worry about them too much. In the mid and long-term perspective, the higher the CTR, the lower the CPC. In a nutshell, Google converts the cost per click into effective cost per impression. If the ad gets more clicks than other ads, the Quality Score increases and the cost of a click decreases.

Indeed, false clicks lower the value of the incoming traffic but the advertiser who measures the cost of conversion is able to take it into account and adjust the CPC bids accordingly. And, although false clicks aren’t completely neutral in terms of ad efficiency, the mechanisms described above make them relatively harmless for performance-driven advertisers.

False conversions

False conversions are a slightly more advanced type of scam. They take place in many different ways:

  • leads include false data,
  • leads include data of real people but collected without their consent,
  • leads come from people who give consent for their data to be used as a part of various “making money online” programs or in exchange for some other benefit (e.g. access to particular content) – and these people are not really interested in the offered product,
  • the transactions are left unpaid or they are made with the intention of making future refund claims.

This type of scam happens mostly in affiliate networks, where advertisers pay for the traffic in the CPA model (Cost Per Action). In this type of network, the barrier to entry for publishers is usually very low. Some publishers don’t care about their reputation and, if they are compromised, they just close down and reappear under a different name and domain.

We can also encounter this type of scam in CPC or CPM advertising, like a regular display network. In this case, the publisher is not directly paid for the conversions generated by ads, but if the given placement or publisher generates conversions, it will attract more ads and more budgets.

False conversions, regardless of how advanced the scam is, are quite simple to detect. Proper validation and monitoring of all transactions usually solve the problem.

In the end, we can always see if the money gets to our bank account and if the deadline for refund claims has passed. Nowadays, the tracking systems allow conversion import from other databases (offline conversion) and linking them to particular clicks and traffic sources. A simple analysis will make clear which sources generate real transactions and which ones deliver worthless leads. Alternatively, instead of importing offline conversions you can push ValueTrack parameters to your CRM (see the Google Ads help article here).

Attribution fraud

False clicks and conversions are a primitive type of fraud which is simple to detect. Advertisers who have eliminated them feel that they have effectively protected themselves from fraud. Meanwhile, scammers make the most money in a completely different way.

Attribution fraud is much more sophisticated because it links to actual transactions that have been carried out and paid for by real users.

In this type of scam, the source of conversion is completely different than the one for which the advertiser actually pays, because the swindlers create an illusion to prove that they are the ones who actually brought the lead.

So you might ask: if the transaction actually took place, what’s the problem? 

The problem is that the advertiser probably paid to get this lead in a different way before, and the scammer demands a payment even though their contribution to this conversion was minimal, or none.

As a result, the advertiser pays twice for the conversion and the real sources of leads suffer in terms of future budgets.

Ad stacking

Ad stacking is a primitive type of attribution fraud which is rather easy to detect. The purpose of this fraud is to charge commissions multiple times for a single click. The commission may be paid by the same or by a number of different advertisers. The user clicks on a single ad but in reality, it generates many clicks with redirects to a number of different advertising/affiliate networks (fig. 2).

Those clicks are often invisible to the user. Websites often open in a pixel-sized window or they are visited for a fraction of a second in consecutive redirects before the user lands on the page they intended to visit. Technology does not matter, it’s all about planting a cookie file in your browser.

Fig. 2 Ad stacking. One click generates many clicks in different advertising/affiliate networks.

It sometimes happens that such multiple clicks are leading to the same website or app, but were published through different networks. If the user converts, then each of these networks will claim this transaction as their own conversion. If the advertiser does not use deduplication, they will pay several times for a single conversion – regardless of whether these ads are paid for in the CPA model or indirectly through CPC.

Ad stacking is relatively easy to discover, as the same user generates a series of clicks from different sources in a very short period of time (usually milliseconds). Such a publisher can be quickly identified by the advertising network or by an advertiser who uses several networks simultaneously.
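The check described above can be run over an advertiser's own click log. The following is an added example, not code from the article: the log layout, the publisher and network names, and the one-second window are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict

# Constructed sample click log: (timestamp_ms, user_id, publisher, network).
CLICKS = [
    (1_000_000, "u1", "pub-a", "net-1"),
    (1_000_004, "u1", "pub-a", "net-2"),
    (1_000_009, "u1", "pub-a", "net-3"),
    (1_450_000, "u1", "pub-b", "net-1"),  # same user minutes later: normal
    (2_000_000, "u2", "pub-c", "net-2"),
    (2_900_000, "u2", "pub-d", "net-3"),
    (3_000_000, "u3", "pub-a", "net-1"),
    (3_000_030, "u3", "pub-a", "net-3"),
]


def find_stacked_bursts(clicks, window_ms=1000, min_networks=2):
    """Group each user's clicks into bursts (every click within window_ms of
    the previous one) and keep bursts that span several networks."""
    by_user = defaultdict(list)
    for ts, user, publisher, network in clicks:
        by_user[user].append((ts, publisher, network))

    bursts = []
    for user, rows in by_user.items():
        rows.sort()
        burst = []
        for row in rows + [None]:  # trailing None flushes the last burst
            if row is not None and (not burst or row[0] - burst[-1][0] <= window_ms):
                burst.append(row)
                continue
            networks = sorted({n for _, _, n in burst})
            if len(networks) >= min_networks:
                bursts.append({
                    "user": user,
                    "span_ms": burst[-1][0] - burst[0][0],
                    "publishers": sorted({p for _, p, _ in burst}),
                    "networks": networks,
                })
            burst = [row] if row is not None else []
    return bursts


def bursts_per_publisher(bursts):
    """Count how many stacked bursts each publisher took part in."""
    counts = defaultdict(int)
    for b in bursts:
        for publisher in b["publishers"]:
            counts[publisher] += 1
    return dict(counts)
```

A publisher that keeps appearing in these bursts across many users is the one to investigate; a single burst can also be a double-click or a page reload.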

Cookie spam

Also known as click flooding or click spam. This technique relies on making a very large number of random users click the ad, in the hope that at least some of them will convert.

The affiliate network tracking system does not see other interactions but their own. Therefore, even if there are interactions with other, legitimate ads on the conversion path, the CPA commission will be attributed to the click of the spammy ad. This way the scammer takes credit for conversions actually generated by other sources (fig. 3). 

One of the easiest victims of click flooding is direct traffic. In case of users who are loyal customers, who come from recommendations or from other offline sources, the click of a spammy ad (often unintentional) may appear as the only interaction on their conversion path. Regardless of the attribution model, the transaction is attributed to the spammy click, even though it had no contribution to the conversion.


Fig. 3. Click flooding. Clicks coming from spam are “injected” into conversion paths and appear in the reports as assist clicks or sometimes even as the last or the only click before the conversion.

For this reason, scammers usually target large and popular brands with lots of organic and direct traffic, which use numerous online and offline advertising channels. It’s all based on scale: if an advertiser has a significant market share, you can expect with some degree of probability that a random internet user in whose browser a spammer has planted a cookie file may soon make a purchase. By using ad stacking, the spammer can distribute advertising cookies of many competing companies, which increases the chance that one of these ads will convert (fig. 4).


Fig. 4. Scammers spam with cookie files from many competing companies, which increases the chance that a given user will convert with one of them. If those companies have a significant market share, the probability of earning a commission is high enough to make a profit, even if some users decide to buy somewhere else.

The above graph is just an example. Names of the brands have been randomly selected and there is no relation between this graph and an actual real-life occurrence.

This operation may be profitable if clicks are acquired at a very low cost. And for that to be possible, those clicks are usually forced, and very often invisible to the user. And of course, they have absolutely no influence on the user’s purchasing decisions. Examples of such activities:

  • clicks made without user’s action, by adware or through launching pop-up or pop-under windows or frames, also with the use of ad stacking,
  • clicks from ads which cover some actual content, faulty “close” buttons or other forms of deception,
  • using ads that mimic navigation buttons or appear unexpectedly in the places where users often click, especially in mobile games and apps,
  • spam and clickbait in social media,
  • e-mail spam, e.g. offering a free smartphone, or any other “irresistible” deal, made only to attract clicks,
  • WWW server breaches redirecting traffic to the ads,
  • domains being typos of frequently-visited website addresses or popular brands, redirecting visitors to the ad. (fig. 5).

Fig. 5. A typo domain can be a source of cheap clicks. In order to cover up the actual source of traffic, scammers use a doorway page which looks completely normal. But if you visit the page with a particular parameter injected into the URL, you will be redirected to the advertiser’s website.

Even if the advertiser deduplicates transactions and analyses multichannel paths, it may happen that the spammy click will be simply lucky to be the last or even the only interaction on the conversion path.

Click spam is much more difficult to discover. The symptoms include:

  • high CTR of your ads,
  • low conversion rate,
  • the time interval between a click and conversion is evenly spread throughout the conversion window,
  • the conversion rate of paths including and not including the spammy source is virtually the same.

Conversion hijacking

This is one of the most sophisticated performance marketing scams. These interactions are artificially “injected” into the conversion path right before a purchase is made. Here are a few examples:

  • Brand bidding. A user who wants to visit a given shop types its name into the search engine. The search results include a sponsored link with the name of the shop, which redirects the user to this website via an affiliate network. From the user’s perspective, everything works as it should (they reach the intended site), but the shop will pay commission for its own customers. In order to mask this scam, some fraudsters use utm tags (e.g. utm_medium=display) in their links or execute several redirects to hide the actual referral page.
  • Adware (a particular type of malware) on a mobile phone (installed without user’s consent or as part of another mobile application, e.g. a free game) monitors the user’s behaviour. If it detects that the user intends to download an app, it generates invisible ad clicks right before the app is installed (fig. 6).

  • Malicious software replaces the default search engine (e.g. Google, Bing) on your device with a strange search engine you have probably never heard of before. This new search engine works similarly to the original one, but redirects users to websites via affiliate links. Alternatively, you may install a browser add-on that injects these affiliate links directly into the SERPs (Search Engine Result Pages) of popular search engines. Again, this software or add-on may be a part of a free game or a useful tool that appears completely harmless to the user.
  • Discount codes. Many users who see a “discount code” field on the checkout page, decide to search for the coupon. They use a search engine, where they find an organic or sponsored link to a website where the code is provided, and from there, they go back to the advertiser’s site. It doesn’t matter if the actual discount exists or not – the users are redirected from a staged ad, which will be their last interaction before they make a purchase.

Advice

If you decide to use discount codes in your marketing campaigns as an incentive, don’t place a “discount code” field on the checkout page, because it will encourage your customers to abandon their transaction and look for the coupon, even if they never thought about it before. This way you reward the customer and the code distributor for nothing. Moreover, while looking for the coupon, the user may come across some more attractive offers and you can lose customers just one step before they finalised their purchase.

Discount coupons should be activated through dedicated landing pages, which automatically add discounts to the basket. This is also better from the UX perspective than making users remember the code and enter it at the checkout. A discount code should also have an expiry date, which should be visible to the user so that they are more motivated to make a quick purchase.

Symptoms of hijacking include:

  • a high conversion rate, often close to or even higher than that of direct traffic or branded search;
  • the clicks appear mainly as the last interaction;
  • a short amount of time passing between the click and the conversion.

Fig. 6. App install hijacking. Adware detects the user’s intent to download an app (e.g. opening of Google Play) and, in the background, generates clicks on an app install ad.
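The timing symptoms listed for click spam (delays spread evenly across the conversion window) and for hijacking (very short delays, almost always the last interaction) can be checked per traffic source. This is an added example, not code from the article: the source names, the 30-day window and all thresholds are assumptions, and the sample data is constructed. It covers the timing and position symptoms only, not the conversion-rate comparisons.

```python
from statistics import median

WINDOW_H = 30 * 24  # assumed 30-day conversion window, in hours

# Constructed sample: source -> [(hours from click to conversion, was_last_click)]
SAMPLE = {
    "popunder-net": [(h, i % 2 == 0) for i, h in enumerate(
        [36, 108, 180, 252, 324, 396, 468, 540, 612, 684])],
    "coupon-site": [(h, True) for h in
                    [0.02, 0.03, 0.05, 0.05, 0.08, 0.1, 0.1, 0.15, 0.2, 0.3]],
    "newsletter": [(h, i < 6) for i, h in enumerate(
        [0.5, 1, 2, 3, 6, 12, 24, 48, 96, 200])],
}


def ks_distance_from_uniform(delays_h, window_h=WINDOW_H):
    """Kolmogorov-Smirnov distance between the observed delays and a uniform
    spread over the window: near 0 means 'evenly spread', near 1 means
    conversions cluster at one end of the window."""
    xs = sorted(d / window_h for d in delays_h)
    n = len(xs)
    return max(max((i + 1) / n - x, x - i / n) for i, x in enumerate(xs))


def profile(rows, flat_ks=0.2, fast_median_h=0.25, last_share=0.9):
    """Summarise one source and flag it; the thresholds are illustrative."""
    delays = [d for d, _ in rows]
    ks = ks_distance_from_uniform(delays)
    med = median(delays)
    share = sum(1 for _, last in rows if last) / len(rows)
    if ks <= flat_ks:
        verdict = "flooding-like"      # delay unrelated to the click
    elif med <= fast_median_h and share >= last_share:
        verdict = "hijacking-like"     # click injected just before purchase
    else:
        verdict = "no flag"
    return {"ks": ks, "median_h": med, "last_click_share": share,
            "verdict": verdict}


def profile_all(sample=SAMPLE):
    return {source: profile(rows) for source, rows in sample.items()}
```

Genuine sources usually convert soon after the click but not within seconds, so they sit between the two flagged profiles; mixed traffic from one publisher can blur both signals.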

How to protect yourself from scammers?

First and foremost, don’t get lured by fast profits. If money comes too easy, you should be suspicious. The advertising industry is very competitive and largely effective, which means that what you pay for the traffic is actually close to its value. You can only occasionally get a better deal, and usually on a small scale.

Validating and deduplicating conversions is the first step. How many publishers “claim” the given conversion? Are the achieved effects real, or only apparent?

Make sure that your leads are real and that they convert to transactions. Take into account all returns and complaints. If you have a complete system of conversion tracking, you can easily detect any kind of false conversion and by following the trace you can eliminate fraudulent ads.

And even if your conversions are real and paid in full, you should not let your guard down. Attribution fraud is often committed on a much larger scale than a primitive scam based on fabricating leads. Here, you have to analyse your entire conversion path, including the time stamps, and try to detect suspicious activity.

Consider what you pay for. Wayfair.com, a major online home store for furniture and decor, has introduced an interesting and relatively simple solution that prevents conversion hijacking, particularly by coupon websites. Wayfair.com has altered the method of how they attribute conversion to affiliates in its program.

Instead of rewarding the last affiliate that a visitor clicks on before making a purchase, they attribute the conversion to the last source that a visitor clicks on before adding something to the cart. Thanks to this, they compensate a content affiliate who was earlier in the funnel rather than all of the coupon sites that jumped in at the last minute. For more details, see this Acceleration Partners blog post.

Curious whether it matters in your case? In your Google Analytics, for the “converters” segment, compare the traffic sources effectiveness for “purchase” vs. “add to cart” goal – and see how the attribution changes.
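The same comparison can be made directly on exported conversion paths. This is an added example, not Wayfair's or Google Analytics' code: the path format and source names are assumptions, the sample paths are constructed, and "add to cart" is taken to mean the first add-to-cart event in the path.

```python
from collections import Counter

# Constructed conversion paths: one list of (seconds, event, source) per order.
PATHS = {
    "order-1": [(0, "click", "blog-review"), (300, "add_to_cart", None),
                (420, "click", "coupon-site"), (480, "purchase", None)],
    "order-2": [(0, "click", "newsletter"), (90, "add_to_cart", None),
                (200, "purchase", None)],
    "order-3": [(0, "click", "comparison-site"), (50, "click", "blog-review"),
                (400, "add_to_cart", None), (900, "click", "coupon-site"),
                (960, "purchase", None)],
    "order-4": [(0, "add_to_cart", None), (60, "click", "coupon-site"),
                (120, "purchase", None)],
}


def last_click_before(path, event):
    """Source of the last click before the first occurrence of `event`."""
    events = sorted(path, key=lambda ev: ev[0])
    cutoff = next((t for t, kind, _ in events if kind == event), None)
    if cutoff is None:
        return None  # path never reached this event
    clicks = [src for t, kind, src in events if kind == "click" and t < cutoff]
    return clicks[-1] if clicks else "(direct)"


def credit(paths, event):
    """Conversions credited to each source under one attribution rule."""
    sources = (last_click_before(p, event) for p in paths.values())
    return Counter(s for s in sources if s is not None)


def compare_rules(paths=PATHS):
    """Per source: (credit by last click before purchase,
    credit by last click before add-to-cart)."""
    by_purchase = credit(paths, "purchase")
    by_cart = credit(paths, "add_to_cart")
    return {s: (by_purchase[s], by_cart[s])
            for s in sorted(set(by_purchase) | set(by_cart))}
```

A source whose credit collapses when the rule moves from purchase to add-to-cart is entering paths only after the buying decision was made.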

Keep in mind that scammers can use camouflage. They may mix traffic coming from different sources, which will make some metrics look completely normal. Most probably you will only be able to detect a small share of fraud attempts. Each activity should be assigned to a responsible publisher and used to evaluate their credibility.

Fraud is not a mistake or coincidence. It is a planned and deliberate activity. You should immediately terminate your partnership with any publisher whom you catch red-handed. No excuses. 

A large share of responsibility for detecting and fighting scams falls on advertising/affiliate networks. They usually have access to more data about the traffic coming from publishers, which allows them to detect suspicious activity more quickly and cut scammers off from the possibility to extort money from advertisers. 

It seems that renowned networks such as Facebook or Google do take effective action against fraudsters.

Unfortunately, in many other networks, partner validation procedures and monitoring of their activity are often insufficient. Sometimes it looks like they turn a blind eye to some unfair practices because these increase their revenues.

For this reason, when choosing sources of traffic, you should rather verify and accept publishers on your own, and monitor how they deliver traffic.

Terms and conditions of your affiliate programs should clearly define forbidden practices and allow for blocking payment of the entire due commission in case you discover even a single case of manipulation.

You should approach anonymous publishers with much scrutiny. Why do they not disclose their identity? Remember that some sources of traffic can be staged (doorway pages). Is it possible that an unknown website with average content generates so much traffic and conversion?

When it comes to monitoring and validation, don’t rely solely on the advertising/affiliate network. Unless you don’t mind becoming an easy target for the scammers of this world.