Somewhere around 10 percent of the billings charged to pay-per-click
advertisers by Google.com and Overture (a subsidiary of Yahoo.com) are based
on fraudulent activity, according to some advertising experts — and the
cost to many advertisers may be much higher.
“Click fraud” is a dirty little secret that threatens to undermine the
financial success of the paid text ads that appear alongside the ordinary,
“editorial” links in many search engines. I wrote in this space on
Aug. 3 and
Aug. 10 that the Internet e-conomy was hot again and that
search-engine advertising was growing as a result. But if the click-fraud
problem keeps growing, too, pay-per-click (PPC) advertising will become
ineffective or even disappear, as have many other paid-traffic schemes in
the past.
Gaming the Advertising System
The scam is remarkably easy to set up but can be damnably difficult for an
advertiser to detect:
• Paying For Keywords. Advertisers first give Google, Overture,
and other search engines a list of the search terms that are to cause their
ads to be displayed. The advertisers also specify that each click on an ad
is worth so many dollars and cents. Overture displays the ads for each query
in bid order, from the highest bid on down. Google sorts the ads by which
ones will produce the highest revenue for the search engine. (To do this, the
bid for each ad is multiplied by its click-through rate.)
• Low-Tech Thieves Weigh In.
The average pay-per-click ad costs the advertiser about 45 U.S. cents per
click, according to search-engine specialists. But in many highly competitive
industries, ads command several dollars per click. These lines of business
attract unsophisticated fraudsters, who click manually on competitors’ ads
several times in a row. These bogus clicks, though low-tech, can still drain
thousands of dollars from the budget of a business that’s in a high-bid sector.
• High-Tech Thieves Smell Dollars. More sophisticated schemes are
motivated by greed rather than harming a competitor. To implement these con
games, shady operators set up hundreds or thousands of “affiliate” Web sites.
These sites contract with Google or Overture to display paid ads alongside
other content. Fraudulent clicks are then generated. In one type of fraud, The
Times of India reported that some companies are paying low-wage workers up to
9,000 rupees per month (up to U.S. $200) to manually click
ads on affiliate pages. Hackers have developed even more efficient methods,
using specially programmed computers to click their links.
These schemes may seem like minor annoyances. Unsolicited bulk e-mail, or
spam, was once a minor annoyance, too. But it now comprises as much as
90 percent of all e-mail in the U.S., according to
security firm MessageLabs.
Furthermore, most spam is no longer sent from massive servers controlled by
spammers. Instead, up to
80 percent of spam now originates from millions of
“zombies” — home computers that are running Trojan-horse software written
by hackers, according to a study by Sandvine Inc., a broadband equipment
manufacturer.
With the money to be made from PPC affiliate sites, what’s to stop these same
hackers from making their zombies execute pay-per-click links? A broadly
distributed pattern of click-throughs would be hard to identify as bogus but
could drive click fraud to more than 50 percent of all advertiser billings.
What a Great Business Model
Pay-per-click advertisers are finding that they have to take matters into
their own hands to detect fraudulent clicks and request refunds from the
search engines.
• Turning Consultants Into Detectives.
Danielle Leitch, marketing manager for search-engine consulting firm
MoreVisibility.com,
says her company monitors its clients’ statistics to detect click
fraud. “With two
different clients, it probably would be about 8 or 9 percent over one month
that we experienced as click fraud,” she says.
“The people who are doing this have gotten much more sophisticated,” Leitch
adds. High-tech fraudsters, as opposed to dishonest competitors clicking
links by hand, now dominate click fraud “80-20 or 75-25,” in Leitch’s view.
• An Automated Defense is a Good Offense.
The click-fraud problem has even spawned a small industry of third-party
tools that try to detect bogus click-throughs for advertisers. One of the
entrants, WhosClickingWho.com, has attracted more than 200 customers,
according to president John Carreras.
His customers often experience far more than a 10 percent rate of fraud, he
explains. “One says that click fraud is half of his click-throughs,” Carreras
says, “while another says that it’s over 25 percent.”
Carreras first learned the cost of click fraud in his other job, as president
of Impact Displays, a trade-show supplier. The search term trade show
displays is currently costing the top advertiser $14.10 per click at
Overture, he says. That’s a rate that attracted fraudsters to his ads until
he developed WhosClickingWho in defense. Other terms are even pricier. The word
mesothelioma, a kind of cancer that can fetch big settlements (and
big fees for trial lawyers), currently has four bidders paying $100 per click,
Overture’s maximum.
WhosClickingWho doesn’t detect merely the IP address of the clicking party,
according to senior project manager Lisa Thompson. Instead, the software
writes a “cookie” to the visiting PC to identify it. If that fails, Thompson
says, the software writes a “session cookie,” which lasts until the visitor’s
Web browser is closed. WhosClickingWho also tracks the “referrer URL” of
each affiliate site that’s sending visitors. Patterns of fraudulent
click-throughs can sometimes be traced to individual affiliates in this way.
In simple cases, warning messages can be displayed to offenders via the
browser, which usually discourages casual thieves, Carreras says.
What Google and Overture Can Do
The search engines don’t strike me as particularly eager to talk about the
percentage of their revenues that are fraudulent. A Google spokesman told
me that due to the “quiet period” related to the company’s IPO, no one could
be interviewed on this subject. He referred me instead to the firm’s
filing with the U.S. Securities & Exchange Commission.
“We have regularly paid refunds related to fraudulent clicks and expect to do
so in the future,” the filing says. “If we are unable to stop this fraudulent
activity, these refunds may increase.”
An Overture spokeswoman gave me a written statement. “We believe our systems
are the most sophisticated in the industry for identifying and filtering these
types of clicks,” the statement says. “Overture has a dedicated team
consistently monitoring clicks, updating our systems and technologies and
working directly with our advertisers to protect the integrity of our
marketplace.”
These search engines and others could stop click fraud in its tracks, however,
by making a simple change in their business model. By using techniques similar
to those of MoreVisibility and WhosClickingWho, search engines could uniquely
identify their visitors, sessions, and affiliates. Instead of charging
advertisers for every single click, the engines could bill for only one
click from a single entity within, say, a 30-day period. This would eliminate
the monetary incentive for affiliates to cheat. It would also
improve the return on investment (ROI) for advertisers, who hardly need to
pay over and over to acquire the same new visitor.
Many legitimate e-commerce programs that reward affiliates for delivering
buyers to them already have similar policies. These are known as
return days. Say an affiliate sends a visitor to an
e-tailer on Day 1, but the visitor doesn’t buy anything until Day 30. The
affiliate can still receive a commission on the sale if the e-tailer has a
policy offering 30 return days.
Google and Overture wouldn’t suffer a significant drop in revenue by charging
advertisers for only one click per entity. The bids on ads would certainly rise
to reflect the improved ROI from genuine click-throughs, unencumbered by fraud.
Conclusion
Previous attempts to monetize pay-per-click schemes on the Internet died an
agonizing death due to early forms of today’s click fraud. One news aggregator,
Moreover.com, for example,
once represented numerous publishers who paid one-half a cent up to several
cents per click for qualified traffic. That ended when hackers developed
automated click-through techniques. Similarly, some e-commerce affiliate
programs offered pay-per-click models at one time. But these have almost
entirely been replaced by pay-per-action, in which a commission to affiliates
is generated only after a product has been purchased, which is harder to fake.
If the pay-per-click model that finances Google, Overture, and other search
engines is to survive, it won’t be enough to simply follow Google’s much-hyped
motto, “Don’t Be Evil.” These search engines will have to take technical steps
to eliminate click fraud entirely, following the admonition, “Thou Shalt Not
Steal.”