How to stop click fraud: a step-by-step guide
Click fraud drains budgets and corrupts optimization signals. This guide walks you through recognizing the problem, instrumenting detection, identifying the worst offenders, and taking action — without any illusions about what technology can and cannot do.
Illustrative example — the same 0–100 score, per source, worst first.
Step 1: Recognize the symptoms before you act
Click fraud rarely announces itself. Instead, it shows up as a slow bleed of anomalies that individually look like noise but together signal a problem.
Common warning signs include:
- High click volume with near-zero CTA engagement — sessions that land, spend a second on the page, and leave without scrolling, clicking a button, or submitting a form.
- Unusual bounce patterns from specific placements or sub-sources — one publisher ID or zone sending traffic that behaves nothing like traffic from other sources in the same campaign.
- Clicks that cluster around hosting and cloud infrastructure — traffic that looks like it originated from server farms or rented infrastructure rather than the residential and mobile connections real shoppers use.
- Suspiciously fast post-click interactions — form submissions or CTA clicks occurring within a few hundred milliseconds of page load, faster than a human can read a headline.
- Conversion rates that collapse when you isolate specific sub-IDs — your blended conversion rate looks acceptable, but one or two publisher IDs are dragging down the average while burning a disproportionate share of budget.
If any of these patterns appear in your current reporting, you already have enough reason to investigate further. The problem is that standard ad network dashboards rarely surface sub-source quality at this granularity. That gap is exactly what a dedicated invalid-traffic detection layer is built to close.
Step 2: Install a no-extra-hop detection script
The most important architectural decision in click-fraud detection is whether your tool inserts itself into the click path. Hop-based solutions route every click through a third-party domain before the visitor reaches your landing page. This adds latency, breaks tracking in some environments, and can cause lost clicks when that extra hop times out.
A better approach is post-arrival scoring: the visitor lands on your page normally, and a lightweight script — in ValidVisit's case, under 15 KB gzipped — fires asynchronously without touching the click path at all.
Here is what this instrumentation layer actually does. Rather than checking one or two telltale signs, ValidVisit weighs each incoming click against more than 100 independent data points — covering the network the click came through, the device sitting behind it, and the way the visitor actually behaves on the page — and folds all of them into a single verdict. Some of those data points are gathered the moment the request arrives, before the page finishes rendering; others come from how the visit unfolds once the page is live.
The network-level view looks at where the connection appears to originate and whether it carries the hallmarks of rented infrastructure, proxies, or anonymizing services that bad actors lean on. The device-level view asks whether the visit comes from a genuine, fully-featured browser on real hardware or from something automated that only imitates one. And the behavioral view watches whether the on-page activity — timing, movement, the interaction itself — resembles a person reading and deciding, or a script firing through the motions.
No single one of these decides anything on its own. Combined, they let genuine humans pass cleanly while automated traffic stands out. Every click ends up with a 0-100 quality score, so you can see not just that a session looked off, but how confident the scoring is that it was real.
Step 3: Attribute scores to publishers, placements, and sub-IDs
A quality score per click is only useful if you can aggregate it by the dimensions that matter for your ad buying decisions. The critical fields are:
- Publisher ID / site — the domain or app that served your ad.
- Placement / widget / zone — the specific ad slot within that publisher.
- Sub-ID / sub-source — the downstream traffic source a network routes through its supply chain.
- Creative and campaign — to distinguish a creative-quality problem from a supply problem.
This attribution happens via tracking tokens: the dynamic macros that ad networks append to your destination URLs at click time. Taboola uses `{site}` and `{campaign_id}`, Outbrain uses `{section_id}` and `{publisher_id}`, Google Ads uses `{placement}` and `{network}`, and so on. Each network has its own macro vocabulary.
ValidVisit maps tokens from 29 ad networks into a normalized schema — `publisher_id`, `placement_id`, `campaign_id`, `ad_id`, `creative_id`, `click_id` — so that cross-network quality reports use consistent column names regardless of where the traffic came from. You can review the token mapping for each network in the tracking tokens library.
Once tokens are flowing, your publisher/placement report becomes actionable: you can sort by average quality score, filter to `quality_status = bad`, and immediately see which sub-sources are generating the most invalid traffic (IVT).
Score your own traffic like this — early access is open.
Step 4: Identify and triage the worst offenders
With scored, attributed data in hand, the triage process is straightforward. Open the publisher/placement report and look for:
1. Sub-sources with a high proportion of `bad` quality scores (score below 50) across a meaningful click volume. A single bad session from a placement is noise; hundreds of sessions from the same publisher ID with an average score of 20 is a signal. 2. Sub-sources with a high `suspicious` rate and zero CTA engagement. Even if sessions score in the 50-79 range, a placement that sends thousands of clicks with no form submissions and no meaningful on-page interaction is not delivering value. 3. Infrastructure clusters: when a large share of the low-scoring traffic from a placement traces back to the same narrow band of networks or hosting providers, that concentration is itself a pattern worth acting on, and it can inform IP-level exclusions. 4. Hourly anomalies: IVT often arrives in bursts during off-hours. The hourly performance report can reveal whether a placement sends clean traffic during business hours and floods with bots at 3 AM.
The quarantine pipeline captures flagged events for review rather than silently dropping them. This is deliberately cautious: real users sometimes browse from corporate VPNs or shared office IPs, so a flag is the start of an investigation, not an automatic verdict. Review flagged sessions by looking at why each one scored low — and at how those low scores concentrate within a placement — before deciding to act on the source as a whole.
Step 5: Manually exclude bad IPs, placements, and sub-sources in your ad platform
This is the honest part of the guide: ValidVisit does not block clicks before they arrive, and it does not push exclusions automatically to your ad platform. No post-arrival detection tool can intercept traffic before your budget is debited — the click has already happened by the time the beacon fires.
What detection gives you is cleaner data for your manual exclusion decisions. The practical workflow:
- Google Ads: navigate to Content > Placements, then add poor-performing placements to your exclusion list. For search, add the identified IPs via the IP exclusion tool under Settings.
- Taboola, Outbrain, MGID, and other native networks: use the campaign's publisher or site-blocking interface to block specific site IDs or sub-sources. Most native platforms expose this at the campaign or account level.
- Meta and TikTok: publisher-level blocking is more limited, but you can exclude specific placements (Audience Network sites) and adjust targeting to reduce exposure to low-quality inventory segments.
The win is not that you stop bots from arriving. The win is that you stop those invalid clicks from polluting your conversion data, which means your bidding algorithms — Google's Smart Bidding, for example — train on signals from real users rather than bots. Over time, cleaner conversion data tends to produce better bid optimization and more efficient spend allocation. That is the real value of removing IVT from your feedback loop.
Document your exclusions with the date and the quality score data that justified them. This audit trail is useful if you later apply for an invalid clicks refund or dispute with a network.
Step 6: Monitor, iterate, and prevent regression
Click fraud protection is not a one-time configuration. IVT sources evolve: bot operators rotate IPs, move onto fresh blocks of infrastructure, retool the automation so it looks more like a real browser, and migrate to new publisher accounts. A sub-source you excluded three months ago may be replaced by a similar one tomorrow.
An effective monitoring routine looks like this:
- Weekly: review the suspicious traffic report. Look for new placements or sub-sources where the bad traffic ratio is increasing. Flag any campaign where the average quality score is declining week-over-week.
- After any budget increase or new campaign launch: new campaigns attract new traffic sources, some of which may be low quality. Run a publisher quality audit within the first week of any significant spend ramp.
- After platform-side changes: if your ad network updates its supply chain or you enable new placements, re-baseline your quality benchmarks for that traffic segment.
- For ongoing prevention: use the tracking tokens for every new campaign from day one. Tokens that are missing or misconfigured leave you blind to publisher-level quality data — you can see overall quality but cannot attribute bad traffic to its source.
The goal is to make IVT exclusion a routine part of campaign management, not an emergency response. Advertisers who build this review cadence into their workflow tend to see it pay off not just in reduced wasted spend, but in progressively improving conversion rates as their optimization algorithms work from cleaner signal.
Frequently asked questions
Can click fraud detection actually stop bots before they waste my budget?+
What is the difference between blocking click fraud and detecting it?+
How do I know which placements to block in Google Ads or native networks?+
Does click fraud affect Google's Smart Bidding and conversion optimization?+
Score your paid traffic for bots and invalid clicks.
One script, every click scored 0–100 and attributed to the source that sent it.
Free trial at launch · lock in early-access pricing
One script · raw IP never stored · GDPR legitimate-interest basis