I've recently had the opportunity to speak with several people in the underground who, quite understandably, do not want to be mentioned. Some of what they told me, as well, I won't mention. However, I can let some information come out.
I'll mention some of my favorite quotes from the discussions below and then dissect what they mean (these guys can be cagey sometimes):
What is click fraud?
Ahh yes, you want me to say it's illegal don't you? I'll admit that it's against the terms of service of most companies but you'd be surprised at the number of them that turn a blind eye to it even when they know about it.
The basic definition that most would agree on is clicks without an actual human visitor who is interested in that particular topic.
To be honest, however, this definition really doesn't cut it because some people would define blind links as click fraud.
Analysis
While it might be splitting hairs, most of these guys believe (or have convinced themselves) that what they're doing is not fraud but simply something that's against the TOS of the PPC companies.
When I questioned them in depth about the "when they know about it" comment, I found that while the majority of companies do have some type of click fraud prevention in place, how they handle it varies. After doing a bit of research, I came up with the most common types of click fraud that the PPC companies are checking for. Note: Many companies will not tell you exactly how they do these checks although, in some cases, it's obvious.
CTR - This should be one of those no-brainer ones. If your clicks are too high compared to your impressions something might be wrong. What's the trigger value for fraud? It varies but my guess is this is used in conjunction with other methods.
Invalid Referrer - Yeah, this one is actually counted. The only thing I can think of that they might be checking here is whether the referrer URL is valid or not.
Open Proxy - Some folks will use open proxies to send bazillions of clicks on to the PPC engines. This particular method is rather "old skool" from what I've been told so it's not used as much anymore. Nevertheless, once you've started checking for a certain method, you can never go back!
Blocked IP - All of the PPC companies have a long list of IPs that are known to be bad. In some cases, they're entire subnets or countries.
Expired Clicks - Bet you thought you were gonna get paid on all of your clicks weren't you? This is where you would be wrong. The PPC company might send you a result and you have a valid user who clicks on the link. Unfortunately, before the user is able to click on the link the advertiser's account is suspended, banned or (more likely) out of money. Since the PPC company isn't going to get paid they don't want to pay you.
Double Clicks - Doesn't it annoy you to watch your dad use the computer and see him double click on the links on the web pages? I know it annoys the hell outta me. Well, these types of double clicks are not counted.
Bot Clicks - You've heard about 'em but never have been able to find much detail. There's a whole subculture out there that is using scripts to click on your links. These scripts are pretty advanced too. Everything from clicking on javascript links to varying the links they click on, using multiple proxies, etc. Amazingly, the guys I spoke to don't use this software. They create their own.
Bad Clicks - Anything that doesn't fit into the categories above.
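To make the rule-based checks in this list concrete, here is an added example (not code from any PPC company or from the original post) that labels each click in a log with the first check it fails. The blocklist, the 5-second double-click window, the 10% CTR ceiling and all log rows are assumptions constructed for illustration; open-proxy and bot detection are left out because they need external data.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Assumed values: the page notes that PPC companies do not publish theirs.
BLOCKED_NETS = [ip_network("203.0.113.0/24")]  # constructed blocklist entry
DOUBLE_CLICK_WINDOW = 5   # seconds between repeat clicks from one IP on one ad
MAX_CTR = 0.10            # clicks / impressions above this looks wrong

def valid_referrer(ref):
    """Valid here means: parses as an http(s) URL with a host name."""
    u = urlparse(ref or "")
    return u.scheme in ("http", "https") and bool(u.hostname)

def classify(clicks, budgets):
    """Label each (ts, ip, ad, referrer, cost) click with the first check it fails."""
    budgets = dict(budgets)   # ad id -> advertiser balance, spent as clicks are paid
    last_seen = {}            # (ip, ad) -> timestamp of the previous click
    labels = []
    for ts, ip, ad, ref, cost in sorted(clicks):
        prev = last_seen.get((ip, ad))
        last_seen[(ip, ad)] = ts
        if any(ip_address(ip) in net for net in BLOCKED_NETS):
            label = "blocked_ip"
        elif not valid_referrer(ref):
            label = "invalid_referrer"
        elif prev is not None and ts - prev <= DOUBLE_CLICK_WINDOW:
            label = "double_click"
        elif budgets.get(ad, 0) < cost:
            label = "expired"         # advertiser out of money: nobody gets paid
        else:
            budgets[ad] = budgets.get(ad, 0) - cost
            label = "valid"
        labels.append(label)
    return labels

def ctr_suspicious(n_clicks, impressions):
    """CTR check: too many clicks for the impressions served."""
    return n_clicks > 0 and (impressions == 0 or n_clicks / impressions > MAX_CTR)

# Constructed sample log: (unix_ts, ip, ad_id, referrer, cost_in_cents)
SAMPLE = [
    (1000, "198.51.100.7", "ad1", "http://example.com/page", 10),
    (1002, "198.51.100.7", "ad1", "http://example.com/page", 10),
    (1050, "203.0.113.9", "ad1", "http://example.com/page", 10),
    (1100, "198.51.100.8", "ad1", "not a url", 10),
    (1200, "198.51.100.9", "ad1", "https://example.org/", 10),
    (1300, "198.51.100.10", "ad1", "https://example.org/", 10),
]
print(classify(SAMPLE, {"ad1": 20}))
```

The last sample row comes back as "expired" even though the click itself is clean: the advertiser's balance was used up by the two earlier paid clicks.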
So what happens when any of these methods are detected? That varies from company to company. In some cases, the company will ask you to fix the problem and still give you credit for the clicks!
In other cases, they'll flat out ban your account with no recourse for you to get your money.
The scariest thing is that, in many cases, it's not too hard to figure out what PPC company you're using and get you banned - whether you're cheating the system or not.
The final thing that's interesting about this particular question is the mention of blind links. There is at least one company (and maybe more) out there that doesn't care where your links come from. They'll pay you a flat 2 cents or more per click. You can put a link on images, text designed to get people to click, etc. They're called "blind links" because the user has no idea where they will be going when they click on them - even if they think they do.
Coming Soon...
- Why cheat the system?
- Where does the traffic come from?
- How big is the problem?
- How can you protect yourself?
- and more...
As someone doing both Adsense and Adwords, I find the lack of transparency extremely frustrating.
Adsense: who clicked where, when, how often? If I'm the publisher, why do I have to put my head on the line when someone else is multi-clicking my ads?
Adwords: I just started to take apart my Adwords logs. People clicking on the same ad 6x and more (right after another) are not that uncommon -- in fact over 50% of my total Adwords visitors (according to my server logs: unique visitors, not clicks) were "people" clicking on the same ad several times within an hour (I had a "maximum clicker" doing the same ad 20x within 5 minutes). After contacting Adwords about it, I got a refund for $11 (out of >$1500/monthly since about 5 months now). Wow, I'm happy now :(
Adwords claim to block / recognize multiclicks but want us to report any "they miss" (which is impossible, not knowing who they recognize or miss). The interesting part was that the total clicks as shown in my log files matched the total clicks in my Adwords statistics pretty good - so it looks like they did not discount ANY clicks (or counted the clicks but did not charge for them?). And just as well -- which clicks are "fraudulent"? Dad's doubleclicks? Dad's going back to the "other page" through 3 sites / layers of Adsense?
As an Adwords user I don't mind webspam showing my ads. In fact: I LOVE THEM FOR DOING SO. They usually target the ads much better than Google does in their search results, why should I care if a user comes through a made-for-adsense site as long as he buys my products? Personally, I find Google's crusade against webspam/adsense sites a bit useless: why remove potential traffic sources? Just because they target better than the search engines? I have nothing against webspam, but I have something against people hijacking my ads without giving me something as well (customers).
Oops, long rant :)
Did none of the guys you speak with use a clicking sweatshop? All bots?
None of them use a clicking sweatshop although I am certainly aware that they exist. Writing their own scripts is a far more effective return for them.
Interesting. Are we talking wormed botnets, or just deployed scripts?
...can't wait for part 2 :)
Thanks for covering this. I think it's a subject that stays in the dark far too often.
As for companies ignoring click fraud they know about - I've certainly worked with more than a few. The issue here is ROI - what do they have to invest to stop it (or lessen its impact) vs. what does it actually cost them.
Some even have very good estimates as to the percentage of click fraud, but take no action because the cost of fighting it outweighs the benefits. They just put it right into the ROI equation.