The Secret Life of Click Fraud Bots
Imagine all of your regular website visitors sitting in a room together. Did you see any robots? Although we’d like to think most website visitors are real people, in some cases up to 56% of a site’s traffic can come from robots (AKA bots). Some bots are friendly and helpful; Google uses bots to scan the web for content in order to inform their search engine. That said, there are certainly lots of bad ones out there too and it’s the big, bad, click fraud bots that are making the headlines lately. In fact, click bots are expected to cost the industry $6.3 billion in 2015…
Why are click bots suddenly making headlines and what can we do about them?
A bot is simply an automatic computer program that performs specific, prescribed tasks. In the case of click fraud bots, cyber-criminals program them to repeatedly click on ads in order to draw out click revenue for websites. The bots’ first task is to search the web for vulnerable computers, which they can find via websites, servers, and even Wi-Fi networks.
Once a bot finds a vulnerable computer, it installs its malware and the computer effectively becomes part of the “bot network”. At this stage, the cyber-criminal can instruct all of their bots in the network to click on any ad that is served to them while using your computer. The frightening part is that all of these tasks occur in hidden windows, meaning you will never see the bot in action…
Cyber-criminals use bots to make money by selling the traffic to publishers, or selling ad space on their own websites with heavy bot traffic. Every time a bot clicks on your ad, you are charged for that click. If many bots click on the same ad, the cost of that ad space will also increase. In this most unfavourable circumstance, you end up paying a higher amount on your media for completely fraudulent clicks! This is how bots are ‘generating’ $6.3 billion in ad revenue in a year.
Unfortunately, malicious bots are not a new problem. In the past when many online advertising cost models were based on impressions, cyber-criminals created bots to spike impressions. The industry reacted by moving to pay-per-click models, making impression bots unprofitable. Of course, the cyber criminals’ next move was to program bots to click on ads instead of just viewing them. At first, advertisers could flag suspicious activity by looking for:
- Click-through rates above 100% This means the bot clicked the ad, then went back and clicked the ad again.
- Large spikes in bounce rate, as bots would simply click the ad and exit the page.
However, now bots can be programmed to mimic real people by using a computer’s IP address and browsing history to mimic human browsing behaviour. Not only can they click on your ads, they can also click on links on your landing page. Goodbye, bounce rate flag! They can even cheat simple security measures that many e-commerce sites use. With all of these complexities added to bot behaviour, it is becoming very difficult for advertisers to separate humans from bots. This is the industry’s single greatest challenge and Google has their best people trying to find a way to identify and defeat these these bots.
Great… So What Now?
Although there is no hard and fast way to identify click fraud bots (yet), here are a few techniques to narrow down potentially fraudulent traffic in Google Analytics:
- Use a segment to show sessions less than one second – It is impossible for a human to click on anything before the page loads, but bots sure can! If you have a low bounce rate for sessions less than one second, you are likely dealing with some bots. Warning: Do not use “Session Duration” in the Behaviour Tab. At first glance, “Session Duration” sounds like the perfect rule to use, but this metric actually shows the AVERAGE session duration per user or per session, not single sessions less that are less than one second. Our best practice is to use a Condition of “Session Duration <= 1”. Try it out!
- Monitor activity closely – Checking your Google Analytics account often will allow you to recognize suspicious activity as it is happening. Monitor activity throughout your campaign week by week and flag any large spikes in ad clicks or sessions to your site.
What about future campaigns?
Prevention is currently the best way to mitigate the risk of click fraud bots. Working closely with your vendor is a great way to avoid ads getting served to bots and if you notice any suspicious traffic, definitely contact your vendor right away to initiate an investigation:
- Pick the right ad vendor – Check your ad vendor’s policies on click fraud and look for vendors that will refund you if there is fraudulent activity. Many vendors also partner with companies that specialize in filtering out bot traffic (like Intergral AdScience).
- Day parting – One study showed that bots were more likely to be active at night. Unless you need to target night owls, delivering ads only during the day can help prevent bot traffic.
- Hyper targeted audiences – The more narrow your audience is, the lower the chance of bot traffic.
In our rapidly changing industry, keeping up to date with the latest trends, challenges, and technologies allows us to stay on top of issues such as click fraud bots. Don’t just lay down and accept fraudulent bot traffic. Let’s work together to fight those bad bots!