"Click fraud" is a dirty little secret that threatens to undermine the financial success of the paid text ads that appear alongside the ordinary, "editorial" links in many search engines. I wrote in this space on Aug. 3 and Aug. 10 that the Internet e-conomy was hot again and that search-engine advertising was growing as a result. But if the click-fraud problem keeps growing, too, pay-per-click (PPC) advertising will become ineffective or even disappear, as have many other paid-traffic schemes in the past.
Gaming the Advertising System
The scam is remarkably easy to set up but can be damnably difficult for an advertiser to detect:
• Paying For Keywords. Advertisers first give Google, Overture, and other search engines a list of the search terms that are to cause their ads to be displayed. The advertisers also specify that each click on an ad is worth so many dollars and cents. Overture displays the ads for each query in bid order, from the highest bid on down. Google sorts the ads by which ones will produce the highest revenue for the search engine. (To do this, the bid for each ad is multiplied by its click-through rate.)
• Low-Tech Thieves Weigh In. The average pay-per-click ad costs the advertiser about 45 U.S. cents per click, according to search-engine specialists. But in many highly competitive industries, ads command several dollars per click. These lines of business attract unsophisticated fraudsters, who click manually on competitors' ads several times in a row. These bogus clicks, though low-tech, can still drain thousands of dollars from the budget of a business that's in a high-bid sector.
• High-Tech Thieves Smell Dollars. More sophisticated schemes are motivated by greed rather than harming a competitor. To implement these con games, shady operators set up hundreds or thousands of "affiliate" Web sites. These sites contract with Google or Overture to display paid ads alongside other content. Fraudulent clicks are then generated. In one type of fraud, The Times of India reported that some companies are paying low-wage workers up to 9,000 rupees per month (up to U.S. $200) to manually click ads on affiliate pages. Hackers have developed even more efficient methods, using specially programmed computers to click their links.
These schemes may seem like minor annoyances. Unsolicited bulk e-mail, or spam, was once a minor annoyance, too. But it now comprises as much as 90 percent of all e-mail in the U.S., according to security firm MessageLabs.
Furthermore, most spam is no longer sent from massive servers controlled by spammers. Instead, up to 80 percent of spam now originates from millions of "zombies" — home computers that are running Trojan-horse software written by hackers, according to a study by Sandvine Inc., a broadband equipment manufacturer.
With the money to be made from PPC affiliate sites, what's to stop these same hackers from making their zombies execute pay-per-click links? A broadly distributed pattern of click-throughs would be hard to identify as bogus but could drive click fraud to more than 50 percent of all advertiser billings.
What a Great Business Model
Pay-per-click advertisers are finding that they have to take matters into their own hands to detect fraudulent clicks and request refunds from the search engines.
• Turning Consultants Into Detectives. Danielle Leitch, marketing manager for search-engine consulting firm MoreVisibility.com, says her company monitors its clients' statistics to detect click fraud. "With two different clients, it probably would be about 8 or 9 percent over one month that we experienced as click fraud," she says.
"The people who are doing this have gotten much more sophisticated," Leitch adds. High-tech fraudsters, as opposed to dishonest competitors clicking links by hand, now dominate click fraud "80-20 or 75-25," in Leitch's view.
• An Automated Defense is a Good Offense. The click-fraud problem has even spawned a small industry of third-party tools that try to detect bogus click-throughs for advertisers. One of the entrants, WhosClickingWho.com, has attracted more than 200 customers, according to president John Carreras.
His customers often experience far more than a 10 percent rate of fraud, he explains. "One says that click fraud is half of his click-throughs," Carreras says, "while another says that it's over 25 percent."
Carreras first learned the cost of click fraud in his other job, as president of Impact Displays, a trade-show supplier. The search term trade show displays is currently costing the top advertiser $14.10 per click at Overture, he says. That's a rate that attracted fraudsters to his ads until he developed WhosClickingWho in defense. Other terms are even pricier. The word mesothelioma, a kind of cancer that can fetch big settlements (and big fees for trial lawyers), currently has four bidders paying $100 per click, Overture's maximum.
WhosClickingWho doesn't detect merely the IP address of the clicking party, according to senior project manager Lisa Thompson. Instead, the software writes a "cookie" to the visiting PC to identify it. If that fails, Thompson says, the software writes a "session cookie," which lasts until the visitor's Web browser is closed. WhosClickingWho also tracks the "referrer URL" of each affiliate site that's sending visitors. Patterns of fraudulent click-throughs can sometimes be traced to individual affiliates in this way. In simple cases, warning messages can be displayed to offenders via the browser, which usually discourages casual thieves, Carreras says.
What Google and Overture Can Do
The search engines don't strike me as particularly eager to talk about the percentage of their revenues that are fraudulent. A Google spokesman told me that due to the "quiet period" related to the company's IPO, no one could be interviewed on this subject. He referred me instead to the firm's filing with the U.S. Securities & Exchange Commission. "We have regularly paid refunds related to fraudulent clicks and expect to do so in the future," the filing says. "If we are unable to stop this fraudulent activity, these refunds may increase."
An Overture spokeswoman gave me a written statement. "We believe our systems are the most sophisticated in the industry for identifying and filtering these types of clicks," the statement says. "Overture has a dedicated team consistently monitoring clicks, updating our systems and technologies and working directly with our advertisers to protect the integrity of our marketplace."
These search engines and others could stop click fraud in its tracks, however, by making a simple change in their business model. By using techniques similar to those of MoreVisibility and WhosClickingWho, search engines could uniquely identify their visitors, sessions, and affiliates. Instead of charging advertisers for every single click, the engines could bill for only one click from a single entity within, say, a 30-day period. This would eliminate the monetary incentive for affiliates to cheat. It would also improve the return on investment (ROI) for advertisers, who hardly need to pay over and over to acquire the same new visitor.
Many legitimate e-commerce programs that reward affiliates for delivering buyers to them already have similar policies. These are known as return days. Say an affiliate sends a visitor to an e-tailer on Day 1, but the visitor doesn't buy anything until Day 30. The affiliate can still receive a commission on the sale if the e-tailer has a policy offering 30 return days.
Google and Overture wouldn't suffer a significant drop in revenue by charging advertisers for only one click per entity. The bids on ads would certainly rise to reflect the improved ROI from genuine click-throughs, unencumbered by fraud.
Previous attempts to monetize pay-per-click schemes on the Internet died an agonizing death due to early forms of today's click fraud. One news aggregator, Moreover.com, for example, once represented numerous publishers who paid one-half a cent up to several cents per click for qualified traffic. That ended when hackers developed automated click-through techniques. Similarly, some e-commerce affiliate programs offered pay-per-click models at one time. But these have almost entirely been replaced by pay-per-action, in which a commission to affiliates is generated only after a product has been purchased, which is harder to fake.
If the pay-per-click model that finances Google, Overture, and other search engines is to survive, it won't be enough to simply follow Google's much-hyped motto, "Don't Be Evil." These search engines will have to take technical steps to eliminate click fraud entirely, following the admonition, "Thou Shalt Not Steal."