A common question from publishers and AdSense users to our support is how you can prevent click fraud. In other words, a visitor clicks on the embedded AdSense ads excessively, thus risking that your account will be closed. 

If you have been around for a while, you probably feel that once an AdSense account is gone, you will never be able to get it back. Therefore, it is more than reasonable to protect it, especially against behavior you can’t control.

Since this question comes up regularly, I dug deeper into the topic of click fraud and click bombing. I will discuss the real danger behind it and point out solutions like click fraud protection.

I am writing from two perspectives. First, I was a publisher with millions of page impressions per month that I have monetized with ads from networks like AdSense. Second, I am the developer of Advanced Ads Pro. So this question is also of high interest to me.

What is click fraud?

Click fraud means that a user or machine clicks on an ad with the intention to harm the publisher or advertiser. First, click fraud is a problem for advertisers, the person paying for an ad. Second, it becomes a problem for the publisher when the advertiser or ad network stops paying for ads due to invalid clicks.

Click Fraud is also happening when you click on ads by yourself or ask someone else to click on AdSense ads on your website.

If your mother clicks multiple times on ads on your website to help you make a living, even though she means well, she is also involved in click fraud. It does not harm if she only clicks on ads that interest her.

No need to panic about real accidental clicks on your ads, though. A single click doesn’t make a difference. AdSense calls the mentioned behavior Invalid clicks and impressions and explains it in their program policies like the following:

Clicks on Google ads must result from genuine user interest. Any method that artificially generates clicks or impressions on your Google ads is strictly prohibited. These prohibited methods include, but are not limited to, repeated manual clicks or impressions, automated click and impression generating tools and the use of robots or deceptive software. Please note that clicking your own ads for any reason is prohibited.

Google AdSense Program Policies

With the same reasoning, AdSense prohibits encouraging users to click on ads by asking them directly or placing ads where they could be misunderstood for other elements.

What is click bombing?

You could see click bombing just as one form of click fraud. But I thought I’d use a different term to show another motivation behind the problem. This is the one most publishers fear.

If you know that AdSense doesn’t tolerate click fraud and might close your AdSense account without warning and block not only future AdSense revenue but also earnings not paid out yet, then your competitors know that too.

Let’s call it “click bombing” when a user clicks on AdSense ads on your site to get your account suspended and you in trouble.

What can you do about click fraud?

You can easily comply with the AdSense rules by not clicking on AdSense ads on your site. You don’t need to be obsessive about telling all your friends and family not to click either. I can say from my own experience that most people who wanted to help me with those clicks have told me at some point. Then I had a chance to thank and ask them only to click when the ad was appealing.

None of my friends made a lot of clicks, so I was never afraid that they endangered my business.

With people who use click bombing to harm you intentionally, you can, of course, not reason like that. 

Since you are not the only publisher who feels powerless about click fraud, many businesses and solutions have evolved over the last few years.

I have seen some of these companies advertise with a picture of someone with a mask and the headline to protect your AdSense revenue from potential thieves.

Let’s put the emotional fact aside and look at what these products could really do for you.

When a user clicks on AdSense ads on your site to get your account suspended and you in trouble.
Fraudulent user clicks on your ads can bring you into trouble

How Click Protection works

All the solutions I tested prevent click fraud and click bombing by merely hiding the ad. You can’t click on something you don’t see. They often allow a user to click once on the same ad and only then hide it.

There are two methods to do that.

The first is by hiding the ad using JavaScript in the user’s browser. Hiding means that the same user would not see the ad for some time as long as he uses the same browser.

The second method identifies the user based on her IP address and stores this address in a database table. The user could switch to another browser or maybe even another device and would still not see the same ad.

Both methods can be circumvented and come with drawbacks.

Risks of click fraud protection

Let’s remind us that we are not talking about people who only want your best. They will probably not try to circumvent your protection by all means. But if someone wants to hurt you, they might try harder to find a solution around your click fraud protection.

I checked two solutions built for WordPress for this purpose: click fraud monitoring and invalid click protectors.

Let’s start with the most obvious question. You are trying to protect your AdSense account with a click fraud monitor of any kind. But is that protection itself compliant with the AdSense terms?

Click tracking on AdSense ads

I was starting to look at click fraud monitors to learn how they track those clicks. There are two problems here:

  1. AdSense does not allow to alter the code and make click tracking easier
  2. Tracking the click before the user leaves your site

The first issue is the most serious here. If AdSense does not allow most kinds of manipulation of their ad code and ad code behavior, developers need to implement some tricks to do it.

This brings us to the second issue. Depending on the method selected, the click might not be tracked in time. Especially when AJAX is used to send the event to the database, the user will be long gone to the advertiser’s page before the information is stored.

In my tests, most clicks that I made like this were not counted. And I was still able to click multiple times – on a dummy ad, of course.

Hiding AdSense with CSS

Invalid click protectors are hiding ads using CSS. Don’t worry if you don’t know what CSS is. But if you know the AdSense terms a bit, then this should raise a red flag.

It is forbidden to hide AdSense ads using CSS because that does not prevent them from being loaded, and that still counts as an impression. Since AdSense no longer pays per click only, but sometimes also for impressions. You might understand now why this is a violation of their policies and on the same level as click fraud.

Hiding AdSense ads is prohibited by AdSense
Ad implementation policies (Google AdSense)

Ignoring the problem mentioned above, hiding ads with CSS is easy to circumvent by anyone who wants it. They could define custom CSS rules that override hiding the ads in their browser and go on with whatever they intend.

I only tested WordPress plugins like Ad Invalid Click Protector (AICP) here, but I expect external services to work similarly.

My results influenced the development of our Click Fraud feature in Advanced Ads Pro, which removes the ad codes completely after the click limit is reached and so is fully compatible with the AdSense terms.

Issues with PHP-based tracking

I mentioned the use of IP addresses as another method from click protection software. If they store that information locally and use the server-side language PHP to hide the ad code entirely from your site, a small CSS hack is not enough to harm you anymore.

If attackers are serious about harming you, they could probably use a bot network that runs different browsers in very different locations (and IP addresses). I don’t know if that is a thing, though. You would need a lot of skill to build that.

There are a few fundamental issues, though, which I only know after experiencing them myself.

Click Fraud and caching

The first issue is caching. If you are using a caching solution, the chances are high that the page is cached for visitors who should not see ads. The next visitors will see the same, ad-less pages and not be able to click. It could also happen the other way, and a user who should not see ads anymore still does. Make sure your system uses some kind of cache-busting like Advanced Ads Pro does for its Click Fraud Protection.

Multiple IP addresses

Another issue is the usage of the same IP for sometimes a substantial number of people. I bet most of you are not aware of this. We learned this the hard way on our own content platforms when we started to block some IP addresses after making a more significant number of page impressions in a short time.

A lot of visitors complained that they were not able to visit our website anymore. We found out that they lived in an area or worked in a building that shared the same IP address for many users. So when multiple users from the same area visited our site, we detected a thread and blocked them.

In the case of click fraud, this could prevent more users from seeing ads than those who already clicked them.

If you want to protect yourself from bot networks, then ask your hosting company about their firewall or choose a dedicated firewall provider like Cloudflare or Sucuri.

Privacy

Do you care about Privacy? Maybe you don’t, but in many countries, you are not allowed to track IP addresses from your visitors. At least, you need to make them aware of this in your privacy policy or ask for permission in advance. This is why Advanced Ads Pro does not store IP addresses.

Performance

Server-side techniques to store and evaluate whether a single visitor is a potential threat or not will drain your server’s performance. With a lot of clicks, a table used for that can grow quite large and needs not only performance but also storage.

The Advanced Ads click fraud protection

Advanced Ads provides lightweight and cache-compatible click fraud protection.

The principle behind this click fraud protection is to hide all ads from a visitor who is suspected of clicking on them too often.

The click fraud protection allows you to define a click limit for each user for a specified period. If this limit is exceeded, all ads for this user will be removed. Really all.

Check out the click fraud protection manual.

Video: 1:20min
Click on the preview image to load and start the video from YouTube. By clicking, you agree that your information will be sent to and processed by YouTube, LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA. Read more

Is Click Fraud a real threat?

If you asked me if click fraud is a problem in general, my answer is definitely YES. Industry reports show that a lot of money is lost by paid clicks that were fraudulent and without any interest in the ad content.

In the case of AdSense, this is a problem for advertisers and ad networks. It is not YOUR problem.

You read it correctly. The reason I am saying that it is not your problem is that AdSense does take care of this for you.

Did you already notice the “Invalid Traffic” reduced from your payments? If your account has more than a few clicks, there is no chance that this value is zero anymore.

Invalid clicks – made for whatever reason – are reduced from your earnings. Well, not cut from the valid AdSense revenue, of course, but neutralized as if never happened.

Invalid clicks are not the only kind of invalid Traffic. The wrong implementation of AdSense ads, e.g., in a PopUp, would also count here. So it is worth revising your setup if this amount is significant.

PS: while PopUps that cover the content are normally not allowed, a sticky AdSense ad could be permitted.

What are Click Fraud Monitoring and solutions worth?

If my websites were targeted by click bombing attacks and my AdSense account would be in real danger, then AdSense-approved click protection would be worth multiple times what the most expensive solution on the market costs now.

With my experience and the knowledge I have about how these solutions work, the risks they bring with them, and that ad networks take measures to solve the issue on their end. I don’t see a real threat here.

In my years as a publisher, ad consultant, and with our Advanced Ads plugin running on over 100,000 sites right now, I never saw an AdSense account being banned by invalid clicks made by a third person. Maybe that made me naive and ignorant.

What about ads not coming from AdSense?

This article focuses on the pro and cons of using a click fraud monitor with AdSense. But of course, this is not the only ad network.

In September 2015, I visited dmexco in Cologne, the colossal gathering of online marketing and advertising professionals (+55.000 of them). All major ad networks and tech providers were there. I was surprised to find many companies that offer ad security and click fraud protection for ad networks and larger publishers. A lot is happening before ads are reaching out.

I reached out to three ad networks we are currently working with to ask about their measures against click bombing and publishers’ risk. They all confirmed that they looked into those cases manually but did not have an account that was banned yet.

As Sulvo confirmed, Their more considerable concern is invalid clicks made without an interest in the ad but by accidental clicks caused by wrong implementations. They are also looking into these cases and work with the publishers on fixing them.

Click Bombing Bots

How much can an automatic bot harm your AdSense account? The answer is simple: it is improbable that this could be a problem. Most bots can not even load AdSense ads since they typically don’t execute JavaScript. Hence, there is no risk from them.

Still, bots could be a problem if you are hosting static ad content (like images) on your site and have a non-JavaScript-based impression and click tracking. Even simple bots that crawl your site for search engines or other services can produce impressions and even clicks. You could think about disabling ads from bots, but I normally don’t recommend that.

Our Tracking add-on does not track activity from bots. You can also use the cache-busting feature in Advanced Ads Pro to make sure that some ads only show to users in a real browser that accepts JavaScript.

Conclusions

I have no reason to doubt that there are valid cases of blocked AdSense account due to click fraud caused by others. Still, I believe that in most cases, it is more complex than just a competitor visiting your site and click-bombing your AdSense ads. 

A basic click fraud protection can help prevent real accidental clicks before AdSense gets wind of it. Still, there is no solution that could guarantee you one hundred percent safety, especially if you have a very big competitor with endless resources.

If you want to use an extra layer of protection, then please go ahead using Click Fraud Protection as implemented in Advanced Ads Pro.