Last updated: 16 July 2025
This article explains the basics of click fraud, outlines two common techniques used by scammers, and shows how to detect them. It also covers the simplest and most cost-effective way to protect your ads from fraudulent clicks.
What is click fraud?
Click fraud is an online scam that steals at least $100 billion from advertisers each year. It typically works like this:
A criminal creates a website capable of showing search results, often on a page with articles and a search box at the top. The scammer then applies for a publisher account with an ad network such as Microsoft Ads. This account allows the site to display ads related to search terms entered by visitors. For instance, a search for "antivirus software" will trigger related ads.
Instead of relying on real users, the criminal hires a programmer to build a bot that mimics real internet behavior. To hide that it's running from a server, the bot routes traffic through residential and cellphone proxy services.
The bot visits the scam site thousands of times a day, randomly choosing high-value keywords like “buy laptop online,” and clicks ads around 10% of the time.
Each click costs the advertiser money, which is shared between the ad network and the scammer. If the bot is well-designed, these fake clicks can generate six-figure payouts monthly.
The major issue is that many ad networks have weak, or nonexistent, click fraud detection systems. Relying on them to protect your ads is a costly mistake.
How to detect click fraud?
Detecting click fraud can be challenging and usually requires advanced programming and cybersecurity knowledge. Below are two basic click fraud methods and how to identify them.
The first involves browser automation using a system called WebDriver. For example, a fraudster might automate their browser to visit a website and click on ads repeatedly. This method is simple to detect.
When a browser is under automated control through WebDriver, a browser property called navigator.webdriver is set to true. You can detect this using the following JavaScript:
// navigator.webdriver is true while the browser is under WebDriver control
if (window.navigator.webdriver === true) {
  console.log("Browser is being controlled by webdriver");
}
The second method involves buying inexpensive online ad space where the fraudster is allowed to control the ad iframe. In such cases, a banner ad, for something like a laptop, might appear legitimate. But the scammer could also load their own site inside that iframe and use JavaScript to click ads.
This trick makes it seem like real users are clicking the ads, because the scammer’s site is being invisibly loaded by real visitors, and the IP addresses of the clicks belong to genuine users.
Fortunately, iframe-related fraud is relatively easy to spot. You can check whether your site is being loaded in an iframe and whether the dimensions of that iframe are suspiciously small:
if (window.self === window.top) {
  console.log("Advertiser page is not inside an iframe");
} else {
  console.log("Advertiser page is inside an iframe");
}
if (window.innerHeight === 0 && window.innerWidth === 0) {
  console.log("Advertiser page is not visible (page is 0 x 0 pixels)");
}
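The checks above, combined into one function that returns its findings so they can be logged or reported instead of printed. This is an added example, not code from the original article or from Polygraph; it goes beyond the exact 0 x 0 case by also flagging near-invisible frames. The names collectSignals, classifyVisit and fakeWindow and the TINY_PX threshold are assumptions, and the fake windows are constructed test input.

```javascript
// Added example: the article's WebDriver and iframe checks as one function.
// TINY_PX is an assumed threshold for "suspiciously small", not from the article.
const TINY_PX = 2;

// Read the raw signals from a window (or a window-like object in tests).
function collectSignals(win) {
  const nav = win.navigator || {};
  const width = Number(win.innerWidth);
  const height = Number(win.innerHeight);
  return {
    webdriver: nav.webdriver === true,            // browser driven by WebDriver
    framed: win.self !== win.top,                 // page loaded inside an iframe
    zeroViewport: width === 0 && height === 0,    // the article's 0 x 0 case
    tinyViewport: width <= TINY_PX || height <= TINY_PX,
  };
}

// Turn the signals into a verdict plus human-readable reasons.
function classifyVisit(win) {
  const s = collectSignals(win);
  const reasons = [];
  if (s.webdriver) reasons.push("webdriver-controlled browser");
  if (s.framed && s.zeroViewport) reasons.push("loaded in a 0 x 0 iframe");
  else if (s.framed && s.tinyViewport) reasons.push("loaded in a near-invisible iframe");
  else if (s.framed) reasons.push("loaded in an iframe");
  // An ordinary-sized iframe is recorded as a reason but not flagged on its own.
  const suspicious = s.webdriver || (s.framed && s.tinyViewport);
  return { suspicious, reasons };
}

// Constructed window-like object so the logic can run outside a browser.
function fakeWindow({ webdriver = false, framed = false, w = 1280, h = 720 } = {}) {
  const win = { navigator: { webdriver }, innerWidth: w, innerHeight: h };
  win.self = win;
  win.top = framed ? {} : win;   // a different object stands in for the parent page
  return win;
}

// In a real page, classify the live window; elsewhere, show one constructed case.
if (typeof window !== "undefined") {
  console.log(classifyVisit(window));
} else {
  console.log(classifyVisit(fakeWindow({ framed: true, w: 0, h: 0 })));
}
```
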
These are among the simplest forms of click fraud, yet even major ad networks often fail to detect them.
Polygraph, by contrast, is able to detect all forms of click fraud, including sophisticated automated techniques.
The easiest way to detect click fraud
Building your own system to detect click fraud is complex and expensive. A simpler and more cost-effective option is to use a specialist detection service.
Polygraph doesn’t just detect click fraud - it also prevents fake conversions and helps improve the quality of traffic your campaigns receive over time. Here’s how it works:
- Detecting fraudulent traffic - Polygraph identifies even the most advanced click fraud bots, including bots designed to avoid detection.
- Preventing fake conversions - Click fraud bots often trigger fake conversions, which trick ad platforms into thinking that low-quality traffic is converting. Polygraph stops these fake conversions, preventing ad networks from optimizing toward bad data.
- Retraining the ad networks - When fake clicks and conversions are blocked, the ad networks start optimizing for genuine users instead. This “retraining” effect means your campaigns are more likely to receive real, high-quality traffic in the future.
- Keeping your campaigns broad and efficient - With Polygraph filtering out bot traffic, you don’t have to over-restrict your targeting. You can keep your campaigns open and broad, while still attracting real users, not bots.
- Supplying detailed evidence of each fake click - Polygraph logs the data you need to claim refunds from ad networks, helping you recover wasted budget and hold platforms accountable.
In summary
If you advertise online, detecting fake clicks on your ads is essential. Many ad networks offer limited protection against click fraud, so relying on them alone is risky.
Polygraph specialises in detecting and preventing click fraud, helping safeguard your ad budget from scammers.