Last updated: 6 July 2025

Click fraud steals billions from advertisers. This article covers how to detect click fraud bots and how Google is making detection and prevention harder.

What is click fraud?

Click fraud is an online scam that steals at least USD $100 billion every year. Here’s how it works:

  1. A criminal creates a website and uses an ad network like Google Ads to monetize it. This means they earn money whenever someone clicks on the ads displayed on their site.
  2. Instead of waiting for real visitors, the scammer uses bots - automated programs designed to mimic real users. These bots use residential IP addresses and change their device fingerprints regularly to avoid detection. At a glance, everything looks normal. Polygraph detects these bots by tricking them into revealing their falsehoods.
  3. The bots search Google for high-value keywords (like “lawyer in New York”) and click on ads and search results. This gets them cookied by Google, so when the bots visit the scammer’s site, they are retargeted with expensive ads.
  4. The bots click these retargeted ads, generating revenue. For every click, advertisers pay Google, and Google shares that money with the scammer.
  5. To convince Google the clicks are legitimate, the bots also create fake conversions on advertisers’ landing pages - such as fake leads, newsletter sign-ups, account creations, and adding items to shopping carts. None of these conversions involve actual purchases.

The bots repeat this cycle tens of thousands of times each month, making large sums for both Google and the scammer, while draining advertisers’ budgets. There are hundreds of thousands, possibly millions, of such click fraud websites.

Why doesn't Google prevent click fraud?

Google tries to detect and stop click fraud, but not nearly enough given their resources. For example, Polygraph - a small cybersecurity firm - consistently outperforms Google and other ad networks at spotting and blocking fraudulent clicks. The reason is motivation: Google earns revenue on every click, whether real or fake, creating a conflict of interest.

About 20% of Google’s ad clicks come from bots, and many sites in their display and search partner networks are clear click fraud scams.

A quick primer on WebDriver

Before we explain how Google is making click fraud easier, and harder to detect, we need to quickly cover a standard called WebDriver.

Polygraph uses a range of advanced techniques to determine whether a browser is being controlled by a human or a bot. One simple method involves checking the value of a browser property called navigator.webdriver, which scripts running on a page can read.

If navigator.webdriver is "true", it means the browser is being automated by a bot. If it’s "false", the browser is likely being used by a human. While this method is basic, it can still be useful - and it’s one of many signals we use when detecting click fraud.

A (not so) helping hand from Google

Google added a feature to Chromium - the browser used by most click fraud bots - that makes detecting click fraud harder. This feature lies about the navigator.webdriver value, making bots appear as humans.

Why Google added this feature is unclear. We asked them, but they didn’t respond. This is a million-dollar question - or rather, a multi-billion-dollar one, since Google earns so much money from click fraud.

Using the feature is simple. When a bot launches Chromium with the command-line flag --disable-blink-features=AutomationControlled, navigator.webdriver reports "false" and the browser pretends it’s being used by a human.

Having access to the most common click fraud bots’ code, we see they depend on this Google feature to disguise themselves as humans. For example, in the code below, notice the third-last line that adds --disable-blink-features=AutomationControlled:

async beforeLaunch(options) {
  const idx = options.args.findIndex((arg) => arg.startsWith('--disable-blink-features='));
  if (idx !== -1) {
    const arg = options.args[idx];
    options.args[idx] = `${arg},AutomationControlled`;
  } else {
    options.args.push('--disable-blink-features=AutomationControlled');
  }
}

This means the bot launches Chromium with --disable-blink-features=AutomationControlled, so when companies like Polygraph check if navigator.webdriver is “true” - in other words, ask “Are you a bot?” - the click fraud bot answers “false, I’m a human.”
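The navigator.webdriver check described above, written so that "false" is treated as inconclusive rather than as proof of a human, since the launch flag makes an automated Chromium report "false". This is an added example, not Polygraph's code: webdriverSignal, fakeNavigator and the verdict labels are hypothetical names, and the sample objects are constructed stand-ins for a browser's navigator so the block runs under Node.

```javascript
// Added example: navigator.webdriver as one signal among many, never a verdict.
// webdriverSignal, fakeNavigator and the verdict labels are hypothetical names.
function webdriverSignal(nav) {
  // Walk the prototype chain to find where the property is actually defined.
  let holder = nav;
  let desc;
  while (holder && !(desc = Object.getOwnPropertyDescriptor(holder, 'webdriver'))) {
    holder = Object.getPrototypeOf(holder);
  }
  if (!desc) {
    return { verdict: 'anomalous', reason: 'property missing' };
  }
  // The WebDriver standard defines this as a read-only attribute of the
  // Navigator interface, so it should be a getter on the prototype and not
  // a property of the navigator object itself.
  if (holder === nav || typeof desc.get !== 'function') {
    return { verdict: 'anomalous', reason: 'unexpected property shape' };
  }
  const value = desc.get.call(nav);
  if (value === true) {
    return { verdict: 'automated', reason: 'webdriver is true' };
  }
  if (value === false) {
    // A flag-launched Chromium also lands here, so this only means
    // "no evidence from this signal"; other checks must decide.
    return { verdict: 'inconclusive', reason: 'webdriver is false' };
  }
  return { verdict: 'anomalous', reason: 'non-boolean value' };
}

// Constructed stand-in for a browser navigator (getter lives on the prototype).
function fakeNavigator(value) {
  class Navigator {
    get webdriver() { return value; }
  }
  return new Navigator();
}

// Constructed samples, not captured traffic.
const samples = {
  automationFlagged: fakeNavigator(true),
  humanOrMaskedBot: fakeNavigator(false),
  plainObject: { webdriver: false },
  missing: Object.create(null),
};
```

In a page script the call is webdriverSignal(navigator); an "inconclusive" or "anomalous" result is input to further checks, not a final classification.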

Polygraph to the rescue

Polygraph has a vast arsenal of bot detection techniques - far beyond basic checks like navigator.webdriver. So while Google’s decision to hide bot activity in Chromium is both unhelpful and perplexing, it doesn’t stop us from detecting the bots clicking on your ads.

We continue to detect and block fraudulent traffic, prevent fake conversions, and re-train ad networks - including Google - to stop sending bots and instead deliver real, high-quality visitors. Every time we detect and disable a bot, the optimisation algorithms learn that only human traffic converts.

Google may not be on your side, but Polygraph is - and we make sure your ad budget is spent on real people, not fake clicks.

In summary

Click fraud steals at least USD $100 billion annually from advertisers, yet advertising networks aren’t doing enough to stop it. Google has even added a feature to its Chromium browser that makes detecting click fraud harder. Despite this, Polygraph can work around the feature and detect even the most advanced click fraud bots.