It's not a Halloween story, but I have a sad and somewhat scary tale to share:
I was consulting for a small Texas company that made the mistake of building their business around Google Ads. Now, they are almost out of business because of the click fraud they experienced on that advertising platform.
Click fraud is when a competitor clicks on a company’s ads with malicious intent; that is, without any intention of purchasing from that company. Those invalid clicks, as Google calls them, not only use up the ad budget, they also rotate their victim to the bottom position in the search results. That competitor can then move up and take the coveted top spot for themselves.
The fact is, when you do a product or service-oriented search on Google, the first few results you see are usually ads. Every time you click on one of those ads, you cost the people running them anywhere from a few cents to a few hundred dollars. The company I was consulting with helped people in water damage emergencies. That is one of the most expensive businesses to advertise on Google Ads. Just one click could cost them much as $300.
If you do a Google search, you won’t find much on the topic of click fraud, just a bunch of security companies trying to sell you their services. (For the record, we used a couple of those services. They didn’t really help.) That huge advertising machine hidden in your searches brings in over a hundred billion dollars a year for Google, so maybe it’s no surprise that doing a Google search on click fraud isn’t very helpful.
Click Fraud is as easy and tempting as merely clicking on a competitor’s ad. Google and other companies keep track of users by their IP addresses, which are similar to a home’s physical address, but identify where someone is on the Internet. If the attacker is serious, they can use a VPN, Virtual Private Network, to hide their IP address, or they can purchase a burner phone and only turn it on every couple hours. That way, it is assigned a new IP address every time it restarts. There are even more sophisticated attacks (read that as undetectable by Google) that happen by “botnets, or by having multiple ISP accounts and resetting after each click.
Google claims their algorithms do an excellent job of catching click fraudsters. In our experience, they only found and refunded about ten percent of the fraud. As that company’s consultant, I tried multiple click fraud services and I locked down their searches as much as possible; adding hundreds of negative keywords, blocking IPs, excluding the rest of the world so their ads only showed up in the five counties they serviced, as well as resorting to more and more conservative bid strategies. Altogether, I shut down their campaigns three separate times and brought them back up leaner and more locked down each time. Nothing helped. Click fraud continued to eat their lunch. The fourth time I had to shut down their Google Ads campaign was likely the last. Now that the six-hundred-pound gorilla has left the room, they are focusing on Bing, Yelp, Yahoo, Thumbtack, Angie’s List, Home Adviser, and Facebook.
That company was committed to the highest level of ad spend to get their small business a “Platinum” level of support from Google. Once the fraud attacks took over their world, I began trying to work with Google to figure out how to stop them. The only answer I ever got was, “they were investigating the issue.”
That investigation went past its own deadline multiple times with no resolution before Google simply stopped returning my calls. Despite numerous requests, Google never connected me with any of their security experts. I was always blocked by Level One support teams and brushed off with that “we are working on it” theme that just got to be too much too swallow as the weeks, then months dragged by. In other words, Google showed not the slightest hint of interest while that small business drowned right in front of them.
Google was happy to keep taking their money, but as the click fraud got worse, their ability to catch it, and any refunds that company had been seeing, dwindled to zero. The last campaign they ran cost them $650 in less than ten hours. No customer calls, no refunds, and most telling, there were eight clicks on their ads the first eleven times they were shown. Before the click fraud started, they would typically see a click for every several hundred times their ad displayed on a cell phone or desktop.
I’ve heard that as many as one-third of the clicks on Google ads may be fraudulent. That means thirty billion dollars worth of invalid clicks may be happening every year. That number boggles my mind, but in a world ruled by one search engine, there is no way of really knowing. One of the few articles I could find in my Google searches was by “Wired” magazine way back in 2006. Even back then, they were reporting that click fraud was "a billion-dollar mess" that "has the potential of destroying the entire industry."
At this point, the owner of that water damage service is admittedly bitter. We are working hard to keep his business afloat after the Google Ads attacks destroyed his entire revenue stream. As a consultant, I have to wonder how many other small businesses are in his same shoes, drowning in click fraud with no recourse and no way to get the word out about the size of this problem.