As a digital marketer for lawyers, some of my clients ask me how they can stop their competitors from clicking on their Google Ads (otherwise known as click fraud). That is a question well worth asking! In fact, if you are a lawyer who is advertising through Google Ads, then chances are a portion of your daily ad budget is wasted by click fraud. In fact, studies show that between 2016 and 2018, over $7 billion dollars were wasted by advertisers on fraudulent clicks! For lawyers’ Google Ads campaigns, I have encountered substantial fraudulent activities that, if left unchecked, cause significant financial losses and poor campaign performance. In this article, I’ll explain what is click fraud, how to detect click fraud, and how to stop your competitors from click on your Google Ads.

What is Click Fraud?

Click fraud is a “black-hat” method of sabotaging a competitor’s PPC (pay-per-click) advertising, such as Google Ads. With Google Ads, one method of click fraud we see is competitors repetitively clicking on an ad to drive up the cost and to exhaust the client’s daily budget cap. Click fraud can also stem from bots clicking on your ads. Bots, or Internet robots, are also known as spiders, crawlers, and web bots. Bots comprise roughly 50% of all Internet traffic. Although bots may be utilized to perform repetitive jobs, such as indexing a search engine, some of them are malicious.  Indeed, it is estimated that as many as 20% of websites that serve ads are visited exclusively by fraudulent click bots. Lastly, click fraud can come from “click farms.” A click farm is a commercial enterprise that employs a large number of people to repeatedly click on items of online content in order to artificially inflate statistics of traffic or engagement.

In addition to causing financial losses, click fraud also impacts your campaign’s performance by driving up click-through rates (CTR’s) on ads without conversions. These inflated CTR’s not only may cost you per click, but they will also reduce your keyword quality scores which, in turn, means you may pay more per click than your competitors who have higher quality scores.

Real-World Example of How Click Fraud Can Harm Your Google Ads Campaigns

Here is an example of a Google Ads account for DUI defense and how click fraud, if left unchecked, can significantly increase costs. Recently, I took over the management of various Google Ads campaigns for DUI defense services in and around Phoenix, Arizona wherein the client is spending over $20,000 per month. After making hundreds of adjustments to improve the account’s performance, I turned my attention to the client’s server logs, their Google Analytics, and their Google Ads reports and I discovered that this account was being bombarded with click fraud activity. After two weeks and much effort to unroot and block the various sources of click fraud, the account’s performance increased dramatically:

  • Cost per conversion came down 35.06%
  • Conversion rate went up 97.07%
  • Invalid Click Rate came down 27.58% (from 22.84% to 16.54%)

Furthermore, assuming an average cost per click of $50.00, in preventing 222 fraudulent clicks I saved the client over $11,000! The takeaway here is that if you are running Google Ads campaigns, you must be diligent about monitoring and combating click fraud.

Does Google Block Invalid Clicks?

Google refers to click fraud as “invalid clicks.” According to Google, click fraud is an “illegitimate” action such as an unintentional click or a click resulting from malicious software. According to Google, here are examples of what it considers invalid clicks:

  • manual clicks intended to increase your advertising costs or to increase profits for website owners hosting your ads
  • clicks by automated clicking tools, robots, or other deceptive software
  • extraneous clicks that provide no value to the advertiser, such as the second click of a double-click

Unfortunately, Google does not actively block or prevent click fraud from happening. Instead, Google “examines” each click on an ad and touts “sophisticated systems to identify invalid clicks and impressions and remove them from your account data.” That means in most cases, Google detects and filters out invalid clicks in real-time before advertisers are charged. If Google misses that the invalid click in real-time, you may see a credit applied to your Google billing statement for “invalid activity.”

In my experience, Google does not do a perfect job of screening for invalid clicks. Therefore, Google provides that “[i]f we find that invalid clicks have escaped automatic detection, you may be eligible to receive a credit for those clicks.” Indeed, for some clients, I have been able to recover thousands of dollars each year by creating and submitting invalid activity reports to Google seeking a refund. These refunds are called “invalid activity” adjustments. Claims to Google for refunds may be made once every two months.

How Can You Tell if there is Click Fraud in Your Google Ads Account?

For those of you who are skilled (and brave) enough to manage your own Google Ads account and to track click fraud, you will need your internal reporting for your webserver, Google Analytics, and Google Ads to examine the following few pieces of information:

  • IP address
  • Click timestamp (the time when someone arrives on your site after clicking an ad)
  • Action timestamp (the time when that person completed an action on your site)
  • User-agent (shows type of computer or device, internet browser, software, and more).

By examining this data, you are looking for suspicious behaviors and patterns such as:

Multiple clicks from the same IP address or User-Agent in a short time period – For example, if a user clicks your ad 3 times within 10 minutes, chances are this is malicious activity.

Multiple clicks made by different IPs from the same range of IP addresses – For example, if you received back-to-back clicks from 172.165.11.10, 172.165.11.20, and 172.165.11.30, chances are this is malicious activity.

Multiple clicks from the same User-Agent – For example, if you receive multiple clicks from someone using the same mobile phone device ID, regardless of whether there are different IP addresses associated with those clicks, then it may be malicious activity. Additionally, user agent data is useful when the malicious activity may involve a VPN (a virtual private network) that obscures/changes the user’s IP address.

Little to no time spent on your landing page – For example, if, after clicking, the user spends no time or mere seconds on your landing page and then bounces out of your site, chances are this may be malicious activity. Similarly, if you see an IP address with multiple click timestamps but no action timestamps, then that is probably click fraud.

How Many Clicks are Too Many Clicks on Your Ads?

Before you begin panicking about the same user clicking your ad multiple times, it is important to understand that some consumers may click on an ad more than once as they conduct online research and make their hiring decisions. Therefore, it is also important to consider the practice areas you are running ads for and the stages a potential client may go through before making his or her hiring decision.

On the one hand, if you are running ads for drafting wills, it is more likely that most consumers are mulling over their options before they come to the decision to hire an attorney. Thus, the consumer may click on your ad, and perhaps your competitors’ ads, more than once during a day, a week, or a month. On the other hand, if you are running ads for DUI defense, chances are the consumer who is conducting an online search has an immediate need to get out of jail or seek next-day representation at a bond hearing. In this scenario, a legitimate consumer is not likely to repeatedly click on your ad minutes apart.

Please note that it is not uncommon for multiple clicks to come from the same IP address when there is a proxy server involved. A proxy server acts as a gateway between you and the Internet. If you’re using a proxy server, Internet traffic flows through the proxy server on its way to the address you requested. By checking the geolocation of the IP address using sites such as whatismyipaddress.comwhatismyip.com, www.ip2location.com, or iplocation.net, you may discover a concerning IP address belongs to a proxy server at a public place such as a university or coffee shop.

If you’re still unsure whether the activity is malicious, then look at the search queries from that IP. If the searches are very different, it’s likely a proxy server. If the search queries are similar and are occurring over a short period of time, then chances are the clicks are fraudulent.

How Do You Stop Your Competitors from Clicking on Your Google Ads?

IP Exclusion

After you have come up with a list of malicious IP addresses, it is time to block them from ever seeing your ads again as follows:

  1. Log in to your Google Ads account at ads.google.com
  2. Select the campaign you wish to block IP addresses in
  3. Select “Settings” on the inner menu on the left
  4. Click on “Additional settings”
  5. Under “IP Exclusions,” paste the IP addresses you are wanting to exclude
  6. Press “Save,” and the IP is now blocked

Geotargeting

Another way to block your ads from showing to competitors and others who may be maliciously clicking your ads is geotargeting. In Google Ads, in addition to choosing where your ads display, you can exclude your ads from displaying in various geographic regions by country, region, city, or postal code as follows:

  1. Log in to your Google Ads account at ads.google.com
  2. Select the campaign you wish to geotarget
  3. Select “Locations” on the inner menu on the left
  4. Select “Excluded” from the horizontal menu over the map
  5. Click the round, blue pencil icon to add excluded locations
  6. After adding your excluded locations, click save.

As a standard practice, when I set up Google Ads campaigns for lawyers, I exclude many foreign countries (unless the law firm provides overseas services) and territories. Countries that are impoverished or have lower labor rates are usually at the top of the list when it comes to fraudulent click sources. That being said, despite blocking foreign countries, I still see foreign IP addresses sneaking through. So, even if you block other parts of the country or foreign countries, it is still a good idea to go back and look over the logs of IP addresses clicking on your ads and to block suspicious IP addresses from future clicks.