Ever noticed how you search for something on Google, and then you watch YouTube and see ads related to it? Or how, for some reason, your Facebook feed fills up with videos related to the last post you opened? That’s how advertising works these days.

Today’s advertisers scan your search history to get an idea of what products or services you may be looking for. And that’s made possible by technologies that include IP geolocation. The sad part is that not all advertisers are worth trusting. Some may just be in it for the money and use an age-old tactic we now know as click fraud.

What Is Click Fraud?

Most advertisers employ the pay-per-click (PPC) model. That means the more clicks an ad gets, the more money the website owner earns from the ad owner. Unfortunately, some site owners think they can beat the system to profit more and resort to click fraud. The less scrupulous use bots or malicious scripts to get more (yet fake) clicks on the ads on their websites, hence the term “click fraud.”

There are at least two possible motivations for engaging in click fraud. We already mentioned the first—to increase website revenue by gaining as many ad clicks as possible. The second reason is more sinister. Competitors can use click fraud to deplete a competitor’s advertising budget. How?

PPC users have a daily ad budget. Once it is exceeded, their ads no longer get displayed. And because the ad clicks are fake, they don’t convert to actual sales. After a while, the company suffers financially.

What Are the Various Types of Click Fraud?

Like phishing and most other threats, click fraud comes in different forms aided by varying tactics. We identified three common click fraud types below.

Click Fraud via Crowdsourcing

Click fraud via crowdsourcing is probably the simplest click fraud type. The site owner explicitly asks visitors to click on the ad, most often before they can access a page, to support the site. Each click, of course, benefits the publisher from Google’s Adsense program, for instance. While some visitors may actually be interested in the products or services the ads promote, most are usually not. That’s why Google frowns upon this “crowdsourcing” behavior—it does not provide any real value to advertisers who pay for clicks.

Click Fraud Aided by Click Farms

Using click farms to generate clicks is a more extreme tactic. Some site owners pay people in dire need of work tiny sums to click ads all day. While the practice does incur labor costs, fraudsters are better able to evade detection. All they need to do is tell workers to click on ads naturally—as if they’re really interested in the products or services.

Click Fraud via Botnets

Click fraud via botnets is very similar to click farms. Instead of hiring actual human beings, though, site publishers avail the services of cybercriminals to infect large computer networks with malware. Unknown to the infected systems’ owners, their computers visit specific sites to click on particular ads. This type is hard to detect because the ad clicks look unrelated since they come from many different IP addresses.

Regardless of the click fraud type used, one thing is clear—advertisers are at the losing end. A 2019 report that analyzed the 27 billion ad impressions of 50 digital ad marketers estimated the total ad fraud cost at $5.8 billion.

What Can Advertisers Do to Prevent Click Fraud? Can an IP Geolocation Database Help?

Given the click fraud tactics available to practically any website owner, it’s only natural for advertisers or ad networks to analyze ad clicks for fraudulent patterns, and one way to do so is by checking clickers’ IP addresses. We listed below three methods to prevent click fraud by using an IP geolocation database below.

Check for Multiple IP Address Clicks

Whatever click fraud type a site owner uses, the presence of multiple clicks from a single IP address within a short period in network logs should be treated as a red flag. It is highly likely that the clicks come from bots, click farms, or abusive human clickers. Advertisers need to remember that regular site visitors are more likely to avoid clicking on ads than do so. In 2019, a survey showed that only 49% of people clicked on text ads, 31% clicked on shopping ads, and 16% clicked on video ads. If your ads are getting a lot more clicks than these figures, check for signs of click fraud.

Let us say that one of your car ads gets clicked on 50 times in one day by a user with the IP address 157[.]245[.]176[.]143. An IP geolocation database would tell you that it is a U.S.-based IP address that’s connected to three domains:

• corjesufd[.]com
• corjesufd[.]org
• Vzvh2wjpm7v[.]c[.]updraftclone[.]com

None of the domains are mainly related to car sales or even insurance services. A check on AbuseIPDB (a publicly accessible malicious IP address repository) also reveals that 157[.]245[.]176[.]143 has been cited 94 times for various offenses, including bot activity. That said, it’s probably not worth paying the site owner for these ad clicks.

Scrutinize Clicks from the Same Country

A possible telltale sign of clicks coming from click farms is that they originate from one country. Click farm workers typically use multiple devices to click ads from. While the systems may have different IP addresses, an IP geolocation database can still detect that they are based in a single country. Correlating that finding with timestamps in network logs that confirm the clicks were made within the same timeframe may indicate click farming.

On the same day, for instance, your system logs revealed 1,000 clicks on the same ad from the following IP addresses:

• 115[.]76[.]165[.]44
• 103[.]125[.]191[.]32
• 103[.]232[.]120[.]109

An IP geolocation database would tell you that all three IP addresses are Vietnam-based. AbuseIPDB checks would also reveal their malicious nature. 115[.]76[.]165[.]44 has been cited for malicious activity 92 times; 103[.]125[.]191[.]32, 66 times; and 103[.]232[.]120[.]109, a whopping 5,190 times. Such IP addresses could belong to a click farm operating in the country.

Prohibit Clicks from Proxy or VPN Users

One way for cybercriminals to bend the rules is by hiding their identity through IP spoofing. For that, they may use proxy servers or virtual private network (VPN) services. While some proxy or VPN users have good reasons for keeping their locations and identity confidential, not all can be trusted. In fact, a good percentage have ill intentions (e.g., access censored websites or content, get online purchasing deals or discounts, etc.). Given this scenario, it may be wise to prohibit site owners from including proxy or VPN users as sources of PPC revenue.

Filtering proxy or VPN service users from ad clickers is doable with an IP geolocation database. The feed can tell users if an IP address uses a proxy, VPN service, or even Tor. Using an IP geolocation database, for example, can tell you that the IP address 191[.]103[.]219[.]225 employs a proxy service. On the API, you’ll see this result:

While some legitimate users use proxies and VPNs, blocking them from clicking on ads may be more effective than not for advertisers.

The Lowdown

While IP geolocation database use may not filter out 100% of fraudulent clicks, it can significantly reduce them and prevent click fraud and unwanted repercussions.