Like (almost) everything in life, the answer is: ‘It depends.”
PART 1: FRAUDULENT CLICKS IN GOOGLE ADS: A REAL THREAT TO YOUR INVESTMENT?
Given the complexity of the topic, we will address it in two separate parts. In this first part, we will analyze in which cases fraudulent clicks in Google Ads pose a threat to your investment, and later we will discuss effective strategies to protect your budget from this type of fraud.
In 2025, half of all internet traffic is non-human, and nearly 1 in every 4 euros invested in Google Ads is lost to fraudulent clicks. In this context, commercial anti-fraud protection software has emerged in recent years: ClickCease, ClickGUARD, Fraud Blocker, etc. However, many of these tools promise more than they deliver, exaggerate their impact, and can cause more harm than good by blocking potential customers. A free alternative is to monitor fraud yourself using the tools provided by Google, and, if detected, rely on open-source algorithms to mitigate it. In Part 2 of this post, we’ll explain how.
If you’re already dealing with fraudulent clicks (and leads) but don’t have the time or don’t want the hassle, contact us. At Fáktica, we’ve developed an alternative to commercial SaaS tools that is much more accurate and free from their side effects: an anti-bot software based on placement exclusion and powered by Machine Learning, which reduces fraudulent traffic for our clients by 87% in Display campaigns and 76% in Performance Max (PMAX) campaigns. This will directly lead to a significant increase in your qualified leads, and ultimately, in your sales.
Half of all web traffic (49.6%) is non-human (*). These are bots with no intention of hiring your services or buying anything from your website, even if they browse it, interact with your CTAs, or fill out your contact form.
Source: Imperva 2024 Bad Bot Report
The proportion of bot traffic continues to rise: in 2019 it accounted for 38% (*), and in just five years it has increased by 12 percentage points to the current 49.6% (*).
Note: Not all bots have malicious intentions. Actions carried out by search engines like Google or Bing, as well as by bots that crawl organic or paid results such as SEMrush, AHREFS, or Moz, are generally not harmful to your advertising campaigns. In the case of the latter, they usually only register impressions. Some do click, but most of these clicks are identified by Google and Microsoft, who automatically refund the costs.
However, “bad bots” keep growing, and now outnumber “good bots” in traffic volume. In 2015, 18% of total internet traffic came from bad bots. By 2023, they represented 32%, and although there are no recent figures, all signs indicate that in the last two years their growth has continued.
Evolution of Non-Human Traffic 2013–2023. Source: Imperva 2024 Bad Bot Report
There are not only malicious bots: malicious manual clicks are also common. Malicious manual clicks on your ads can come from competitors, either occasionally to investigate your creatives and landing pages or, more worryingly, systematically, with the aim of draining your budget through clicks that do not generate sales—trying to make your campaigns unprofitable so you drop out of the bidding. They can also come from click farms: networks of websites that generate revenue through fake clicks, often using VPNs and dynamic IPs to evade protections. These click farms typically employ large numbers of workers in third countries and/or use bots to repeatedly click on ads shown on their own websites, artificially inflating the stats of those URLs to attract more ads to those domains.
Manual clicks by competitors account for 17% of all fraudulent clicks, less than half compared to a few years ago (*), but not necessarily because these practices have decreased—rather, because other types of fraud are growing at a faster rate.
Another category worth highlighting is malicious apps, responsible for 19% of all fraudulent clicks (*), where many publishers resort to ad stacking and background ad execution to force accidental user clicks.
Source of Fraudulent Clicks. Source: Search Engine Journal / PPC Protect (*)
In 2020, 11% of clicks on search ads and 36% of clicks on display ads were fraudulent or invalid, according to a report by PPC Protect published in Search Engine Journal (*). But keep in mind that “invalid” can include accidental clicks, multiple clicks from the same user, legitimate clicks that are not registered as visits, and known bot clicks. You can find the full typology according to Google here.
Let’s focus on fraudulent clicks, based on the definition used by Juniper Research (*): The illegal action of intentionally and repeatedly clicking on PPC (pay-per-click) ads in order to artificially inflate traffic statistics and generate revenue for illegitimate sources, thus reducing the return on advertising investment for advertisers.
In 2023, the budget lost to fraudulent clicks amounted to 22%, according to a recent estimate by Juniper Research (*). This is two percentage points higher than what was reported by ClickCease a year earlier (*), and it is expected to continue rising in the coming years. Fraud is significantly higher on Mobile (30%) than on Desktop (17%) (*).
Projected Evolution of the Cost of Fraudulent Clicks, 2023–2028. Source: Juniper Research (*)
This is what Google says:
“Google continuously reviews new invalid traffic or traffic that may have previously gone undetected. Invalid traffic identified by Google will appear in different ways depending on when it is detected. If invalid traffic is identified before the invoice is generated for the month in which it occurred, the usage details will be adjusted accordingly and you won’t be charged for that traffic. If the invalid traffic is detected after the invoice has been issued, Google provides a credit for invalid traffic to customers when appropriate. This credit appears on subsequent invoices and in the account’s transaction history reports.
Google considers various data from each interaction, such as the IP address, interaction time, and duplicate interactions. After reviewing different types of interaction patterns, Google tries to filter out potentially invalid interactions even before they appear in your account. […] If our systems detect invalid traffic on ads, we automatically exclude it from reports. You won’t be charged for that traffic and you still have the option to view the corresponding data.”
You can find more details in this other entry. Honestly, this sounds very similar to what most paid specialized services like ClickCease, ClickGUARD, etc., do.
Is what Google does enogh? Given that Google has unmatched financial muscle, more user data than any of these companies, and the most cutting-edge technology, one would expect its anti-fraud system to be much better than third-party tools. But it could also be the case that Google intentionally allows a good portion of fraudulent clicks to slip through, since they still profit from them. Or perhaps they see fraud as a problem but only want to invest a minimal amount in combating it—just enough for their various channels (Search, GDN, YouTube, Discover…) to remain profitable for most Google Ads users.
Our feeling (note, this is just an opinion) is that the third scenario is the most likely: that Google is doing “just enough” to keep everything running more or less smoothly. After all, Google’s anti-fraud system is a free service that only generates costs for them.
Certainly, Google regularly detects invalid clicks and refunds the cost, whether from bots crawling organic or paid search results, clicks from locations outside your target area via VPN, or duplicate clicks from competitors.
However, if you’re not using placement whitelists in the GDN, a quick look at the URLs where your Display ads are shown reveals that Google’s anti-fraud protection leaves much to be desired. You run a campaign promoting solar panels in Spain, and suddenly your ads appear on Malaysian gaming websites, written in Malay, racking up dozens of clicks. Have the entire Malaysian gaming community living in Spain suddenly decided to install solar panels? And not just them: thousands of random websites from around the world, where the visitors are wildly clicking on your ads written in Spanish, for Spain, with CTRs 50 times higher than Spanish placements… Something definitely smells off. And it doesn’t seem like Google is making a great effort to prevent it.
Furthermore, when there’s a clear attack, Google is not transparent with fraud details: in cases of malicious clicks on search campaigns, even if they show the number of invalid clicks at the campaign level, they don’t disclose which keywords and search terms were affected, nor the devices, IPs, or locations from which the attack occurred, making it very difficult for you to take your own actions.
They also don’t tell you, when detecting suspicious clicks from a given IP, whether all clicks are considered invalid, or only from the second, or tenth click onwards, so you can’t be sure they are truly refunding all costs. Moreover, if a competitor uses a group of people (or bots) to generate these clicks, it might be harder for Google to detect, and you are more likely to end up paying the price.
Conclusion: Trust Google, but only just enough. And do your homework.
Click fraud protection software such as ClickCease, ClickGUARD, Fraud Blocker, or Lunio (formerly PPC Protect), to name a few of the most used, employ similar methods to detect and prevent invalid clicks. These SaaS platforms typically detect multiple clicks from the same IP, bot visits, clicks from users with VPNs, and visits from undesired IP ranges (*)(**).
Plans start at approximately €65/month, with higher pricing to protect more clicks and enable additional features. These tools are very affordable for large advertisers, but could significantly increase operating costs if your ad spend is relatively small. Additionally, someone must set up and maintain the system, which is not free. While you can set it up and let it run, it is recommended to review reports, monitor significant changes, and adjust settings periodically.
Excerpt from the ClickCease settings panel.
Commercial Click Fraud Protection Software Requires Technical Knowledge and Regular Reviews
The detection of multiple clicks from the same IP (and its subsequent blocking) is the core service of these SaaS platforms. They store the IP addresses of each click and compare them with new clicks. If many clicks come from the same IP, the service blocks it by adding it to the campaign’s IP exclusion list and/or at the account level. Additionally, these extra clicks are logged so you can submit them to the platform and request a refund.
In reality, Google already detects many of these clicks and either filters or refunds them automatically, so the impact of these tools in this regard is often small or negligible. Moreover, Google allows blocking only up to 500 IPs per campaign and another 500 at the account level, which is enough to stop a small competitor, but insufficient to stop a click farm. For this reason, commercial fraud protection software rotates old IPs and replaces them with new ones—not an ideal solution, but the best available.
Google Ads also knows most common bots by their IPs and automatically filters those clicks. Fraud protection SaaS platforms boast that they can detect some additional bot visits by identifying browser activity without JavaScript or through on-page behavior analysis. Bots usually follow patterns quite different from real people. As before, these IPs are logged and blocked. Apparently, these SaaS tools can also proactively identify and block entire IP ranges known to belong to malicious actors by analyzing patterns across a broad client base.
Blocking VPN users is perhaps one of the most useful features of click fraud protection services. VPNs are often used by users or bots located outside the campaign’s geographic target area, and this is one of the areas where Google Ads seems to let through many invalid clicks.
Honestly, none of them impressed us.
First, their marketing and reports are highly exaggerated in terms of their impact and the “trillions” they claim to save or have already saved you. Their estimates are based on wishful thinking, in three ways: [1] They apply your account’s average CPC to all blocked clicks, when in fact they should estimate Display and Search separately, as most blocked clicks occur in Display, where traffic is cheaper; [2] They include in your “savings” invalid clicks that have already occurred, most of which Google has already refunded, or will not refund even if you claim them; [3] Many of the clicks reported as fraud are in fact legitimate. A classic example is existing customers searching for your brand, clicking on the ad, and logging in. If you want, you can easily avoid these clicks by excluding your existing customers through audience exclusions—no need to pay for commercial software.
Second, many of these tools do not work at the campaign level: if you connect them to your account, they operate across the entire account, and that’s a problem. In your brand campaigns or for products/services with a multi-touch sales funnel, you don’t want any software blocking a potential customer when they are at the bottom of the funnel after several previous visits.
Third, and perhaps most disappointing: it doesn’t seem that (all of them) do what they claim. With one of the most well-known tools, we ran a test by logging and analyzing user IPs and comparing our data with what the software did over two weeks. The program ran daily and excluded about 500 IPs (Google’s limit), but most of the excluded IPs were the same. There didn’t seem to be much new detection. When we cross-referenced the excluded IPs with our IP logs, we found:
Lastly, and for us, the deal-breaker: they use a sledgehammer to crack a nut, and can do more harm than good. The widespread use of dynamic IPs and CG-NAT means that by blocking suspicious IPs, you may end up excluding thousands of potential customers, leading to more losses than gains.
⇒ Instead of blocking IPs, it is often more effective to work on placement exclusions, which almost none of these tools offer — of those we know, ClickGUARD is the exception (*). In any case, there are various manual actions you can implement to prevent, monitor, and mitigate fraud without needing to pay a third party.
In this first article, we’ve explored the alarming reality of fraudulent clicks in Google Ads and how they affect your advertising campaigns. From the impact of non-human traffic to the strategies used by malicious competitors, it’s clear that ad fraud is a growing issue that cannot be ignored. We’ve also examined how Google and other tools manage this problem and the limitations of their approach.
But what options do you have to protect your investment? In our next post, we’ll show you how to monitor and combat fraud yourself, for free, using the tools provided by Google and open-source scripts. And if you don’t want to deal with JavaScript code, we’ll also introduce you to the solution developed by Fáktica: an alternative to commercial SaaS tools, more accurate and without their side effects—an anti-bot software, based on placement exclusion and powered by Machine Learning, which has reduced fraudulent traffic for our clients by 87% in Display campaigns and 76% in Performance Max (PMAX) campaigns.
If you’re already facing issues with fraudulent clicks (and leads) but don’t have the time to deal with it, or simply don’t want the hassle, contact us. We’d be happy to help.
MOST RECENT ARTICLES
How to Exclude Placements in PMax: A Google Ads Hack
If you’re working with PMAX campaigns and want to exclude placements, you probably already know that the current options are quite limited. However, there’s a trick to exclude placements only in PMax…
Protecting Your Budget (Part 2): Effective Strategies Against Fraudulent Clicks
We take a detailed look at how you can implement strategies yourself to protect your advertising budget, and we present our solution
Click Fraud in Google Ads (Part 1): Should You Be Worried? Do You Need Anti-Fraud Software?
In 2025, half of all internet traffic is non-human, and nearly 1 in every 4 euros invested in Google Ads is lost to fraudulent clicks.
Can We Help You?
Can We Help You?
Contact us at info@faktica.com or by filling out the following form.
Email: info@faktica.com
Calle Núñez de Balboa, 35A
28001 Madrid
Email: info@faktica.com
DATALYTICS
4 Portland Ct
St. Louis, MO 63108
USA
Selected by Google in the Top 3% of Spanish PPC agencies (2025)
Subsidized by the CDTI in 2022-2024.
Project title: Lead Management Technology based on
mathematical models and predictive algorithms
Selected by Google in the Top 3% of Spanish PPC agencies (2025)
Subsidized by the CDTI in 2022-2024. Project title: Lead Management Technology based on mathematical models and predictive algorithms
Can We Help You?
FÁKTICA ANALYTICS
Calle Núñez de Balboa, 35A
28001 Madrid
Spain
DATALYTICS
4 Portland Ct
St. Louis, MO 63108
USA
Ask Us for a No-Obligation Quote
Request a Traffic, Cost, and Potential Conversions Estimate
Ask About Our Pay-for-Performance Pricing
Get a Free Opportunities Analysis
Can We Help You?
Don’t hesitate to reach out to us