Malware — or malicious code used during a cyberattack or intrusion — is meant to achieve something. In many cases, the most common form of it is designed to spy or report sensitive information back to its source. Maybe it’s collecting passwords and account info and reporting that data back to someone. Maybe it’s just logging keystrokes and keeping an eye on what you’re doing when you browse.
One thing you don’t hear often, however, is that these malicious tools are used to surreptitiously click on ads. Yep — all those banner and brand ads you see plastered over web pages and search engines. It sounds crazy, right? Why would a hacker go to all kinds of trouble to create a software tool that simply clicks on ads?
The answer is money.
What Is Click Fraud?
This is a particularly recent form of attack, thanks in part to the rise in PPC (pay-per-click) or performance-based ads. It’s called “click fraud” and, surprisingly, it’s an incredibly lucrative industry — not just in the shady world, in the real world, too. One in five paid clicks were fraudulent during the month of January 2017, according to paid advertising experts.
A competitor, for example, can intentionally click on ads or promotions to drive the marketing costs up for a rival. Before you know it, the competitor has ballooned the activity cost of an ad while generating little to no income for the associated business.
You see, pages and websites displaying performance-based ads make more money for higher click rates whether made by a human or something else. Associated costs also increase based on exposure for an ad, meaning the more people that are reached, the more expensive they are. Generally, high click counts are conducive to higher exposure ratings depending on the advertiser. As unethical as it may be, someone who has it out for your brand could definitely do significant damage simply by running an automated tool, referred to as a “bot.”
Why Are Bots a Problem?
Click fraud generally has one of two possible purposes:
- Sabotaging the competition by driving the costs of performance ads up and/or reaching budget caps early in the business day/week.
- Generating excess revenue by clicking on performance ads continuously.
For both scenarios, it requires constant interactions, engagements or “clicks” with various ads, promotions and media. Outside of someone sitting at their computer all day long clicking on the same ads over and over, it’s a process that’s better done in bulk, which means it’s tedious.
Developers have therefore created automated tools or systems to do the work for them. In some circles this is called a macro, where a unique extension or tool is designed to operate autonomously without interruptions. You could do something like send the same email hundreds of times to an endless stream of contacts. Or, in the case of click fraud, interact with the same ads and media over and over to boost the cost or revenue earned.
This is where bots come into play. Not all bots are used for nefarious ends. In fact, some are designed to make our lives easier and better — especially in marketing. They can automate or speed-up tedious and dull tasks that would otherwise take up most of our workday. For example, you can run a script with your ad campaign to pause spending when you’ve reached a certain threshold, or increase your bids when a specific keywords perform well. You can also use bots to detect when content has been plagiarized.
Unfortunately, they can also be manipulated and used for more devious motives. It is estimated that click fraud or bots cost advertisers over $11 billion per year. That’s a lot of money lost that benefits almost no one except the creators or source of these tools. We — the marketing and advertising industry — have a problem and need to stop spending money on bots.
If you had to guess, what industry do you think is affected most by bot traffic? The answer is finance, with nearly 22 % or more traffic registered as fake.
Two Types of Click Fraud
Click fraud is the act of intentionally interacting with or clicking on PPC and performance-based ads. Advertisers often warn you that clicking your own ads for the purpose of driving up performance is a bannable offense. What they don’t explain is that there are many parties who are able to circumvent this issue thanks to modern automation tools.
There are two very different forms of click fraud, however: automatic and manual.
Automatic vs. Manual Click Fraud
As the name implies, automatic is based on an automated system or tool like a bot. Manual click fraud is carried out by human hands working to actively click on an element or performance ad. A great example of this is when an affiliate or brand actively requests that users click ad links to “support their business or channel” and raise figures. This is bad for advertisers for obvious reasons — plus it’s deceptive.
Automatic click fraud is based on an automated system or tool like a bot. Manual click fraud is carried out by human hands working to actively click on an element.
Then, you have neutral parties — often referred to as click farms — which bridge the gap between the two types. As you might expect, click farms are nothing more than a huge labor force or team hired specifically to (you guessed it) click on links and boost figures. It’s considered both because the workers are “automated” insofar as they operate as a sort of assembly line system.
When the Competition Plays Dirty
As previously discussed, rival brands or firms can launch click fraud campaigns to harm your business, marketing techniques or bottom line.
This is done in one of two ways. First, clicking on your PPC or performance ads drives the cost of your campaign up, effectively creating budget problems. The hope is that it will eventually ruin or damage your brand enough to lower your potential standing in the market.
Second, the goal is to drive up the CPC, making it more difficult for you to afford the campaign and ruining your chances at progress and improvement. More importantly, it eliminates a marketing solution for you that would otherwise be beneficial — even in a small way.
How Can I Prevent Click Fraud?
Preventing click fraud is not as difficult as it seems. In fact, there are some things you can do, including metrics you can pay attention to, in order to quickly identify an attack on your business or campaign.
Keep calm and follow these actionable steps in order to decrease or completely negate fraudulent click activities on your campaign.
1. Identify Bots
Step one is and always will be to identify the bots or offending parties. As with a data breach, the sooner you find the problem, plug the hole and protect yourself, the sooner you can reduce or eliminate further damage. Some things to watch out for include:
- Abnormally high CTR or click-through-rates for your campaigns
- Underwhelming engagement metrics compared to traffic, such as low time on site, short average session times and extremely high bounce rates
- Sudden spikes in traffic, especially during certain hours or periods of the day you wouldn’t normally see them
- High traffic rates on pages with PPC media compared to the rest of your site
- No correlation between incoming traffic and higher advertising costs, as in you’re paying ridiculous fees for little to no return
Of course, these patterns are not always obvious or easy to detect — especially when you’re dealing with hundreds, or maybe even thousands, of data quality points. That’s where modern detection tools come into play. There are a variety of malware, bot, botnet and sniffer detection tools which can accurately identify or flag suspicious activities.
Lotame recently partnered with Are You a Human to improve our award-winning Data Management Platform (DMP) to allow our users the ability to filter out bots from their advertising campaigns.
2. Use Filters, Scripts and Honeypots to Disable Targeting Bots
A captcha, as annoying as they may be, was designed solely to thwart bots and automated systems. The problem is, they can cause significant frustration for your users and hinder an otherwise pleasant experience. That’s why it’s a great idea to use another similar, yet hidden, technique called a honeypot field.
Using CSS and JavaScript, you create an invisible field which normal human users cannot see. Spambots and targeting bots, on the other hand, will mistakenly fill in this field and tell you immediately what they’re up to.
You can also use filters and scripts to block various sites, domains or users who are interfering with your traffic, referral data and revenue. Find identifying or associate information and then use a combination of web searches, WHOIS data and more to find domains or portals you should exclude from your analytics.
3. Perform Metric Audits of Your Own
As is true of most management strategies, you’ll want to spend some time checking up on analytics and metrics using your own intuition. Are there any abnormal spikes or patterns sticking out to you? Can you see one or two trends that just don’t make sense? Are costs suddenly ballooning beyond what they’ve ever been while revenue remains steady or declines?
The beauty of your position and having a supportive team is that you can get involved and really learn the ins and outs of these systems. The more familiar you become with what’s happening regularly and why, the sooner you can identify a traffic or performance problem.
This is also one instance where choosing the appropriate DMP is important. Lotame, for example, offers a ton of additional support other platforms do not, including custom-appointed representatives to review your traffic and referral data and go over the particulars with you.
4. Target Niche Sites and Demographics
As enticing as it may seem, try to avoid targeting broad or sweeping demographics that have the potential to walk away often. In other words, avoid targeting broad groups of people. Instead, stick with the audience and customers you know best and who you know will remain loyal and interested in what you have to offer. Of course, knowing this information is the key to running a successful marketing campaign, which, again, is where having an appropriate DMP in place will benefit you.
You can utilize major data providers, like Lotame, who are determined and focused to generate quality metrics, which means eliminating or blocking bots as quickly and frequently as possible.
5. Be More Careful About Ad Placements
It seems redundant, because you likely already spent a lot of time perfecting and choosing an appropriate ad placement on your site. The goal was likely to maximize performance and revenue, as it should be. But also important is its exposure to potential bots or automated tools that float across your site.
According to White Ops, an online fraud detection company, the “reputation” of a partner, brand or company is no longer a sufficient “benchmark to predict bot traffic.” Instead, the use of “technology to validate all assumptions” is required. It means that no matter how long you’ve been in this business, you probably don’t know the ideal placement for your ads. Technology, modern metrics and customer data is the only way to figure that out.
Reducing Ad Spend on Bots in the Real World
All of this, in theory, is easier said than done. The ultimate goal is to reduce the expenditure and costs associated with bots and automated systems, while improving or preserving the performance of real clicks and engagements. The question then becomes: is something like this possible in the practical world?
Actually, yes. Procter and Gamble recently announced a move to reduce their ad spending budget, trimming over $100 million in marketing expenses. They originally intended to steer clear of potential “bot” traffic and questionable content, but discovered that the change had little to no impact on their business. This proved that their digital ad campaign — at least the ones in question — were largely ineffective anyway. It also reduced ad spend on bots, indirectly.
If you aren’t familiar with P&G, the company is comprised of major brands like Crest, Tide, Bounty, Pampers and more. Again, this company decided to do it on their own, taking on the full risk themselves. Luckily, it paid off.
That’s where having a DMP provider or partner like Lotame is most beneficial. They work closely with Are You a Human to remove bots entirely from the Lotame Data Exchange (LDX) and just so happens to be the only provider to do such a thing. Since most of the interactions come from said exchange, it nearly eliminates the risk of dealing with a bot or automated system.
To End Fraud, We Must Evolve
It’s no secret that sometimes-widespread practices, techniques or policies can be harmful to a particular industry or group despite being used often in various circles. Bots and automated tools are one such example of this, which have been used to wreak havoc and chaos in the advertising world. More importantly, a swarm of effective and aggressive bots can entirely destroy months and months of metrics or customer data in one fell swoop.
If not for the protection of your revenue streams and advertising budgets, you should be concerned with how bots are being used to corrupt your valuable data. With egregious problems such as this, the only solution that makes any sense is to spread awareness, knowledge and experience. That means coming to grips with what these malicious tools are, how they are used and how you can identify them sooner rather than later.
More importantly, we need to come up with better ways — as a community — to circumvent and prevent them. Until that happens, it’s more about the technologies and tools you do use.