Click fraud protection. How to Discover and Analyze Malicious Fraudulent Clicks

Malicious Fraudulent Clicks - ClickMeter Blog


All digital marketers will attest that current click fraud protection is an art form and not a science. The only way to bridge the gap between art and science is through data. With the ability to record up to 34-data points this is how ClickMeter helps its users identify and analyze when they believe they’re a victim of click fraud. The signs of fraudulent or malicious clicks vary but all maintain a similar theme.

  • An unexpected spike in the volume of events
  • The high volume of non-unique events to unique clicks
  • The high volume of BOT events
  • Many clicks from countries not included in the target
  • The high volume of traffic from few IPs

Click fraud protection

starts with identifying the problem (science) and then using the data provided to identify the cause (art). With ClickMeter users have the data to identify the problem with their dashboard reporting and the tools to identify the cause. With our TOP reporting feature on link-by-link basis and the capability to download data to a CSV. Excel file users can machine their click-by-click data to identify sources of fraudulent traffic.

An unexpected spike in the volume of events

When reviewing your dashboard and you notice an unexpected spike in total events it should raise some questions. Why was there a spike in traffic? What caused this spike in traffic? Where is this traffic originating from and is this quality traffic?

Click Fraud report high volumes

High volume of non-unique events to unique clicks

A great sign of receiving malicious clicks is when you’re reporting a higher number of “non unique” clicks than unique clicks. A unique click is recorded on the first click by a visitor. When a visitor from the same IP address clicks a tracking link a second time within 30-minutes this will be recorded as a non-unique click. When a specific link receives a usually high volume of non-unique events, this is a flag for fraud and should be investigated.

The campaign shown below is comprised of tracking links all showing signs of malicious events. Notice the high ratio of non-unique clicks (orange) to unique clicks (green). The third link from the top “Link” is showing the highest level of potential malicious clicks with nearly 80% of their total clicks being non-unique.

Click Fraud Signs non unique

The high volume of BOT events

Bots stand for robots. They are software that runs automatically and sometimes they are used to simulate the activity of humans clicking. ClickMeter can recognize most of them.

From the image below you can see that a couple of links in my campaign receive traffic almost exclusively from robots/spiders. The first link, as an example, has 38,308 clicks from bots on  38,368 clicks received in total. In ClickMeter spiders/bots proportion is shown with the violet bar.

Fraudulent robot clicks

Many clicks from countries not included in the target

Often you target marketing campaigns for specific countries. So, as the following example, you may want your ad to be seen only in the US and you pay for that. In this specific case, you can see that most of the clicks are coming from the Philippines (darker blue), completely out of your target. In this case who’s selling you the traffic is not able (or does not want) to target your traffic properly.

Click fraud protection

The high volume of traffic from few IPs

An important sign of a suspect click fraud activity is represented by a great percentage of clicks coming from the same IPs. ClickMeter tracks the IP of every click and then aggregates results in reports like the “Top IPs”.  In the example, you can see that almost 50% of the traffic is generated only by 5 different IPs. This is one of the first things you need to check about your traffic and it’s why “click fraud experts” have some methods to avoid clicks from the same IPs, like using proxy servers.

suspect ips address

Detailed Click Analysis

Apart from these essential checks, another way to drill down in your reports and spot malicious patterns is to look at the list of events. With ClickMeter you can look at every single click on your links in the event stream or by downloading them in CSV format (that can be opened with Excel or Number). With these data, you can perform a deep analysis and find out what is happening with better detail.

What can I do if I discover click fraud activities?

Is often difficult to be sure about a click fraud activity and that is why we normally say “suspect click fraud”. But in case you are sure or have great suspects about a malicious behavior you can:

Report it and ask to be refunded

In this case, is used to export the list of events (CSV) from your campaigns / tracking links and send it to the traffic source (the company you pay for the traffic) with the evidence of the fraudulent clicks.

Don’t use that source again

For that, you do not really need to be sure about fraudulent activity. You just need to check if you are receiving good conversions (number and value) from this source and decide if you need to continue investing or not.

Block IPs

If you see clicks are coming from specific IPs you can block them using the “Exclude IP” feature available in your ClickMeter dashboard under the “Settings” menu. This is also sometimes used to exclude your own clicks so that you will not “pollute” the reports with your clicks.

tracking links

Get started with Clickmeter

Monitor, compare and optimize your links

SignUp Now


Related Reading:

This blog post is about:

  • Click fraud monitoring
  • Click monitoring
  • Protection against click monitoring

Originally Posted: November 24th, 2015.
Post Updated: Nov 2nd, 2021.

Customer Success Manager at ClickMeter from San Francisco office. He is responsible for accelerating the product adoption of ClickMeter's technology.