NEW New feature: Verify and block fake emailsLearn more
NEW New feature: Verify & block fake emails
Learn more
fraud blocker click fraud prevention logo
Sign in
Start Free Trial
  • Home
  • Articles
  • 7 Critical Lessons About Click Fraud After Analyzing 200M Ad Clicks

7 Critical Lessons About Click Fraud After Analyzing 200M Ad Clicks

  • May 21, 2026
7 click fraud lessons
  • Click fraud has evolved into a sophisticated, industrial-scale operation that now accounts for roughly 22% of all digital ad spend, costing advertisers billions annually and polluting the AI training models used for bidding.
  • Fraudsters are successfully bypassing geographical filters through “location hopping,” using residential proxy networks to make a single device appear in dozens of different countries within hours.
  • Technical “fingerprint spoofing” is rampant, where automated scripts and headless browsers intentionally misreport their operating systems to mimic legitimate human desktop users.
  • The discovery of “click recycling”, where a single unique Google Click ID is reused across hundreds of devices, proves that bot operators are programmatically harvesting and reapplying legitimate identifiers to manufacture fake conversions and drain ad budgets.

At Fraud Blocker, we’ve spent the last 7 years analyzing hundreds of millions of IP addresses and devices and, more recently, researching a massive dataset of 200 million ad clicks.

And after reviewing all of that data, it’s clear that click fraud is no longer just a minor nuisance; it has become a sophisticated industry draining billions from marketing budgets, and it’s only growing.

Based on the patterns we found in the data, we’ve compiled a list of seven critical lessons to watch out for before launching your next ad campaign.

fraud blocker 200 million ad clicks

1) Human randomness is difficult for bots to fake

One of the clearest findings is that human behavior is chaotic and erratic. It is a series of non-linear randomness that is nearly impossible for a bot to replicate over a period of time.

We analyze over 50 data points for every visitor arriving via an ad click. This isn’t just about an IP address; it’s about the unique “DNA” of the interaction. These points include:

  • Device Fingerprinting: Analyzing hardware configurations, browser versions, and even battery levels.
  • Geographic Integrity: Detecting if a user’s “location” matches their ISP routing.
  • Sub-perceptual Signals: This is where the fraud is caught. We look at mouse velocity data and scroll patterns.

Human movement is “noisy.” We hesitate, we overshoot a button and correct and we pause to read a sentence that catches our eye. Bots, even sophisticated ones, often move with a terrifyingly efficient “spline” or linear path. Additionally, we analyze conversion paths. A human might visit a site, leave, search for a review, and come back three days later. A bot follows a predefined script, from a landing page to form-fill, in a timeframe that is “too perfect” to be real.

The bottom line: Bots are flawlessly efficient. Humans are beautifully chaotic. Our filters know the difference.

2) Bot patterns can be obvious

In our recent in-depth study, we analyzed 200 million ad clicks across more than 20,000 domains and uncovered clear evidence that click fraud has evolved into a sophisticated global industry.

We found that roughly 22% of digital ad spend is likely wasted on invalid traffic, with fraudsters now using advanced tactics like residential proxy networks, fingerprint spoofing, and automated click recycling to bypass traditional detection systems.

Here’s a couple examples from the research:

Bot example 1: “Location hopping”

One of the alarming patterns we identified was “location hopping,” where a single device appeared in over 80 of countries within just a few days, making it obvious that bots were rotating through proxy networks to imitate legitimate users.

Here’s an example of the location hopping we detected looks like:

click fraud lessons example 1

Bot example 2: “Fingerprint spoofing”

In another example, we detected widespread “fingerprint spoofing,” where bots disguised Linux or Android systems as standard Windows desktop users to avoid detection.

click fraud lessons example 2

More bot examples 

Our research also revealed large-scale automated bot activity, including one device generating nearly five million visits in only 72 hours. Perhaps most concerning, we discovered “click recycling,” where valid Google Click IDs were reused across hundreds of devices and IP addresses to fabricate fake conversions and drain advertising budgets.

Overall, our findings show that ad fraud is no longer isolated spam activity but an industrial-scale operation actively distorting marketing performance and AI-driven ad optimization systems. Read our full report here.

Real-world issues 

In addition to our own research, other companies have been very vocal about how bots are over-running the web:

Digg.com shut down due to an “unprecedented bot problem: Once a titan of the web, Digg was forced to shut down in early 2026 and pivot to an entirely different business model due to what its leadership called an “unprecedented bot problem.”

When a platform’s infrastructure is overwhelmed by AI-generated spam and automated traffic, the human signal is lost entirely. If it can happen to a legacy platform like Digg, it is happening on the niche blogs and “junk” sites where your programmatic ads are currently appearing.

dig ceoWe knew bots were part of the landscape, but we didn’t appreciate the scale, sophistication, or speed at which they’d find us. We banned tens of thousands of accounts. We deployed internal tooling and industry-standard external vendors. None of it was enough.” – Digg CEO Justin Mezzell.

Bot created “Slop” sites are soaring: We are also witnessing a 717% increase in the creation of AI-generated template “MFA” (Made For Advertising) slop sites. These are low-quality websites often created by automated bots for the sole purpose of hosting programmatic ads. They don’t provide value; they provide a destination for bots to click on ads, generating revenue for the site owner while burning the advertiser’s budget.

Read our in-depth article on MFA sites and how to exclude them from your marketing campaigns.

3) Click farms are real

A massive portion of the fraud we detect comes from click farms, physical locations where humans (or automated racks of phones) manually click on ads.

Recent investigative work by Jack Latham in Vietnam, has pulled back the curtain on these operations. These aren’t just dark rooms with a few laptops; they are industrial-scale “farms” where thousands of smartphones are mounted on racks, controlled by centralized software to simulate “real” human engagement.

Why click farms bypass basic detection:

  1. Genuine Hardware: They use real iPhones and Android devices, not emulators.
  2. Residential IPs: They are often routed through local SIM cards or proxy networks, making them look like a local neighbor clicking your ad.
  3. Human Interaction: Sometimes, actual humans are paid pennies to perform the clicks, bypassing any “bot” detection that looks for automated movement.

Here’s examples of some real click farms in Vietnam:

click fraud lessons - click farm 5
click fraud lessons - click farm 1
click fraud lessons - click farm 7
click fraud lessons - click farm 4
click fraud lessons - click farm 6
click fraud lessons - click farm 3
click fraud lessons - click farm 2

(click to view larger images)

Click farms don’t just mimic human traffic. They hijack your ad budget without your knowledge because they blend genuine hardware with localized proxies, standard automated filters are completely blind to them.

They look domestic, they look human, and they act just normal enough to slip through the gates. Without in-depth bot analysis (covered above) or tracking micro-signals like mouse hesitation and non-linear conversion paths, you aren’t just exposed to these industrial fraud factories, you are actively funding them.

4) Average click fraud rates on Google are 11.4%

In our latest study at Fraud Blocker, we analyzed the state of Google Ads and found that the average invalid click rate (IVR) has climbed to 11.4% as of early 2026. This represents a significant upward trend since 2010, fueled by the rise of sophisticated AI bots and click farms.

click fraud lessons - average invalid click rate year
Our research highlights a major disparity between campaign types. We discovered that Display and Video campaigns are the most susceptible to fraud, with rates reaching as high as 35.5%. Conversely, App campaigns proved to be the most resilient, maintaining a low IVR of 3.3%. We also noted that high-competition industries, such as legal and real estate, are disproportionately targeted by malicious activity.
click fraud lessons - average invalid click rate type

While we recognize that Google offers some automated protection, our benchmarks suggest these efforts are often insufficient and they miss many modern bot threats. To safeguard your budget, we recommend a proactive approach: implementing specialized detection software, excluding high-risk IP addresses, and carefully vetting “Made-for-Advertising” (MFA) sites. 

5) Google Ads refunds don't work

One of the most dangerous myths in digital marketing is that “Google catches the fraud and refunds me automatically.”

While Google does have an automated system to filter general invalid traffic (IVT), like basic scrapers or double-clicks, it is notoriously poor at catching Sophisticated Invalid Traffic (SIVT).

While Google does provide a way to submit records in an attempt to get a refund for invalid traffic, the refund process shows a frustrating reality:

  • The Burden of Proof: Google places the burden of proof entirely on the advertiser. You must provide logs, timestamps, and IP addresses to prove fraud.
  • The “Black Box” Response: Most refund requests are met with a generic “We have already filtered invalid traffic” response.
  • Delayed Detection: By the time you notice a spike in suspicious traffic, the 60-day window for disputing charges has often closed.

Here’s a sample of a rejection letter from Google:

google refund email response

As a result, many advertisers on Google with increasingly poor performance due to click fraud and invalid traffic will be frustrated at the difficulty and lack of success in getting a refund for lost ad spend.

6) Ad Fraud is increasing due to agentic AI and broken supplier incentives

Two trends we’re seeing causing an increase in ad fraud are the explosion of AI activity and the inherent conflicts-of-interest within ad networks.

The rise of AI “click bots”

Older bots were static. They clicked, they refreshed, they moved on. Agentic AI bots are different. They use Large Language Models (LLMs) to simulate human intent.

  • Reading Copy: These agents “read” the text on your landing page to ensure their actions align with the content.
  • Simulated Interest: They hover over images a human would find interesting.
  • Contextual Lead Gen: They fill out your lead forms with plausible, unique text that passes a “sniff test” but never converts into a sale.

The clear “conflict-of-interest”

The second driver of increased fraud is a fundamental conflict of interest. Platforms like Google and Meta are effectively grading their own homework.

Because these platforms are paid per click or per impression, they have a massive financial disincentive to be “too good” at fraud detection. If Google increased its IVT detection sensitivity by just 3%, it could represent a multi-billion dollar hit to their annual revenue. This creates a “hygiene vs. profit” conflict. They catch the “noisiest,” most obvious fraud to maintain a semblance of quality, but they leave the sophisticated 15%+ for the advertiser to pay for.

Due to these trends, advertisers should certainly proceed with caution when testing new ad networks or programmatic platforms.

7) Click fraud is preventable

The final, and most important, lesson from our analysis of 200 million clicks is that you do not have to be a victim. While the platforms have a conflict of interest, you have a fiduciary responsibility to your business.

Click fraud is preventable through independent, third-party monitoring. By using a solution that sits outside the “Judge and Jury” ecosystem, you gain an unbiased view of your traffic quality.

How Fraud Blocker protects you:

  • Real-time Blocking: We don’t just tell you that you were defrauded; we automatically update your Google Ads “Exclusion List” to prevent those IPs from ever seeing your ads again.
  • Fraud Scores: Every click is assigned a score based on those 50+ data points, allowing you to see exactly where your “slop” traffic is coming from.
  • Improved ROAS: By cutting out the 11.4% of waste, your budget is automatically redirected to real, human users who have the potential to convert.

Fraud Blocker has helped thousands of businesses, from legal firms to home services brands, reclaim their ad spend and significantly improve their ROI. The data is clear: the bots are coming, but they don’t have to win.

Protect your budget today. Try our 7-day free trial and see exactly how much of your traffic is human.

[This post was authored by Fraud Blocker’s Founder and CEO, Mike Schrobo]

Facebook
X
LinkedIn

More from Fraud Blocker