Because of the spread between what they collect and pay out, unfettered click fraud would create short-term profits for these companies.
[3] Those engaged in large-scale fraud will often run scripts which simulate a human clicking on ads in Web pages.
One type of fraud that circumvents detection based on IP patterns uses existing user traffic, turning this into clicks or impressions.
The use of 0-size iframes and other techniques involving human visitors may also be combined with the use of incentivized traffic, where members of "Paid to Read" (PTR) sites are paid small amounts of money (often a fraction of a cent) to visit a website and/or click on keywords and search results, sometimes hundreds or thousands of times every day[6] Some owners of PTR sites are members of PPC engines and may send many email ads to users who do search, while sending few ads to those who do not.
Often, scripts fail to mimic true human behavior, so organized crime networks use Trojan code to turn the average person's machines into zombie computers and use sporadic redirects or DNS cache poisoning to turn the oblivious user's actions into actions generating revenue for the scammer.
P selectively determines whether to load the manipulated (and thus fraudulent) script to U's browser by checking if it was from S. This can be done through the Referrer field, which specifies the site from which the link to P was obtained.
If the advertisement commissioner visits the Web site of P, the non-fraudulent page will be displayed, and thus P cannot be accused of being fraudulent.
Without a reason for suspecting that such collaboration exists, the advertisement commissioner has to inspect all the Internet sites to detect such attacks, which is infeasible.
[9] One major factor that affects the ranking of websites in organic search results is the CTR (Click-through Rate).
In contrast to PPC fraud, where a competitor leverages the services of a botnet, or low-cost labour, to generate false clicks, in this case the objective is to adopt a "beggar thy neighbour" policy against competitors by making their CTR rate as low as possible, thereby diminishing their position in search results.
This technique can effectively create a cartel of business services controlled by the same bad actor, or be used to promote a certain political opinion etc.
The scale of this issue is unknown but is certainly evident to many website developers who pay close attention to the statistics in webmaster tools.
Business Week suggests that Google was unwilling to cooperate with the prosecution, as it would be forced to disclose its click fraud detection techniques publicly.
[19] On June 18, 2016, Fabio Gasperini, an Italian citizen, was extradited to the United States on click fraud charges.
When it comes to mobile ad fraud detection, data analysis can give some reliable indications.
In particular, it defines "the Fundamental Problem of invalid (fraudulent) clicks": The PPC industry is lobbying for tighter laws on the issue.
The Tuzhilin report did not publicly define invalid clicks and did not describe the operational definitions in detail.
Rather, it gave a high-level picture of the fraud-detection system and argued that the operational definition of the search engine under investigations is "reasonable".
Other work by Majumdar, Kulkarni, and Ravishankar at UC Riverside proposes protocols for the identification of fraudulent behavior by brokers and other intermediaries in content-delivery networks.