Sometimes a click isn’t really a click. Sometimes the person knocking on a website’s door is really a wolf in shopper’s clothing, perpetrating a fraud that wastes marketers’ advertising dollars or steals commissions.

Skip Pratt says his Web hosting company BAPort.com was being defrauded on 20 percent of its clicks. He was so frustrated by the problem that he developed a click fraud analysis application and started PPC Trax, an analytics company.

While most agree click fraud is a growing concern, there is no consensus on just how widespread or costly it has become. Depending on whom you ask, the amount of advertising dollars lost to fraudulent clicks ranges from negligible to as high as 40 percent.

The Interactive Advertising Bureau estimates that from 20 to 35 percent of ad clicks are fraudulent. When asked about click fraud, 25 percent of online marketers say it is not a problem, 45 percent say they are concerned about it and 6 percent view it as a serious problem, according to a 2004 Search Engine Marketing Professional Organization (SEMPO) study.

The study also indicates that the majority of the click fraud is thought to occur on publisher and affiliate sites, not on search engines websites.

Chris Henger, vice president of marketing at Performics, says click fraud is not occurring on a large enough scale to have a material impact on the return on investment of advertisers that are Performics partners. He says click fraud is analogous to shoplifting in the retail world: companies have to watch out for it, but it won’t ruin the industry.

“I recognize that it is an issue, but it has gotten blown out of proportion,” Henger says.

He says that if click fraud really constituted 20 percent of advertising, it would show up in advertisers’ ROI and would cause search-marketing prices to fall.

But some think click fraud is a much bigger deal. ClickRisk president and CEO Adam Sculthorpe says the click fraud he has observed for his clients ranges from 15 to 70 percent of the total traffic. Sculthorpe has detected click fraud occurring on more than 1,200 websites and says his random sampling of log files indicates that “potentially there has been several hundred million dollars of total click fraud since 2003.”

Regardless of the actual numbers, there has been more media coverage of click fraud over the last several months. That media attention fuels the perception that click fraud is on the rise, and that is creating a real problem for search engines and threatening the pay-per-click model.

“After The Wall Street Journal published its article (in April), there was panic in the streets,” says SEMPO president Dana Todd.

Todd says that while the majority of smaller companies have heard about click fraud, many feel they do not have the resources to compare their performance with the reports they get from their search engines.

“Thousands of businesses that spend less than $1,000 a month are not going to spend the time to go through extensive reports,” she says.

Unfortunately for online marketers, there is no surefire technology solution to prevent click fraud from occurring, and it is becoming increasingly difficult to detect. “Despite what anyone tells you, it is technically impossible to stop,” says Steve Messer, CEO of LinkShare.

Messer says click fraud first became rampant in 1998 and 1999, causing LinkShare to shut down its pay-per-click TrafficShare network. “We had Ph.D.s working around the clock on click fraud defense technologies,” Messer says. But like many other cost-per-click networks at the time, LinkShare could not maintain a profitable business.

Commission Junction similarly ceased its pay-per-click advertising in 2001 because of click fraud, according to Elizabeth Cholawsky, the company’s vice president of marketing and product development.

Fraudian Slip

Companies that generate revenue for themselves by clicking on their ads use websites both created expressly to defraud as well as legitimate destinations, according to Ben Edelman, a Harvard law student who tracks online activities. Edelman says legitimate websites that artificially raise their revenue by a small percentage are very difficult for search engines to detect. “The system is set up so companies should be a little dishonest,” Edelman says.

While there are many not-so-bright fraudsters who do not mask their IP addresses and are easily identified, other more nefarious types are developing sophisticated software applications to commit click fraud.

LinkShare’s Messer says software that covertly requests advertisements or other Web pages is freely available on hacker message boards. Clever click fraudsters embed that code within other software – such as chat applications – so that each time a user sends a message, a “click” is also made.

Such click fraud software can be distributed through viruses that exploit software vulnerabilities and permanently reside on users’ machines, creating a network of unknowing accomplices with IP addresses that look genuine, according to Messer.

While ISPs can somewhat protect against spam by blacklisting known spammers and blocking messages with phony IP addresses, there is no automated mechanism for identifying click fraud in real time, says Messer. He says the only way to protect advertising dollars is to identify what appear to be fraudulent clicks after the fact by sorting through server logs.

Also, because advertisers and search engines are unwilling to share information about who is committing click fraud, there is almost no industry coordination in fighting it. Industry groups are talking about it more openly, though, including the Dallas/Fort Worth Search Engine Marketing Association, which has made click fraud the subject of several recent monthly meetings.

Defensive Measures

Along with Pratt’s PPC Trax, several other startups including ClickDefense, WhosClickingWho and VeriClix now offer fraud protection services that separate the wheat from the chaff in Web traffic data. These companies place snippets of code within ad pages that capture and analyze data from the computer requesting the page to look for signs of click fraud.

Pratt says PPC Trax’s software algorithm compares 22 to 24 characteristics of a click, including IP addresses as well as other factors that he considers proprietary information. However, sorting legitimate clicks from fraudulent ones is an imperfect science at best. “It’s virtually impossible to prove click fraud,” according to Pratt, who says he has more than 35 clients.

VeriClix offers a free pay-per-click auditing service that monitors ad programs from Google, Kanoodle, Overture and others. VeriClix founder Jeff Martin says he was working for an advertising agency when he saw an “obvious need” for a service that scrutinizes clickthrough rates. VeriClix is able to provide the service for free because it receives funding from search engine optimization firms Zunch and Search Engine Optimization Advantage.

VeriClix determines suspicious activity based on an algorithm that tracks the frequency of clicks, originating IP address and other identifying information. Advertisers can adjust the number of repeated clicks that are observed before a warning of suspicious activity is generated, according to Martin.

Foxes Guarding the Henhouse

At the heart of the issue for many Web publishers is the role the search engines play in click fraud. Internet advertisers spent $9.6 billion in 2004, and because the lion’s share of advertising dollars are spent through search engine marketing (over $4 billion in North America in 2004 according to SEMPO), the heat is on Google, Yahoo and others to act to limit click fraud.

Search engines have an obligation to monitor clicks as part of the service that they provide to advertisers, Martin says. However, he notes that the search engines have an inherent conflict of interest, since actually identifying click fraud reduces their revenue. Instead Martin suggests that combating click fraud requires an unbiased third-party auditor.

“Yahoo and Google have created a new business model that has grown beyond the proportions of what they ethically should be handling themselves,” Martin says.

But search engines have been slow to address click fraud, according to Greg Sterling, managing editor with analyst firm The Kelsey Group. “Click fraud threatens to erode confidence in the pay-per-click model,” he says. “Search engines haven’t done a lot to counteract the negative publicity.”

LinkShare’s Messer says that, for now, Google is growing faster than click fraud so it is not as noticeable, but advertisers’ return on investment may depreciate over time. Messer tells his customers not to bid on Google’s keyword program. “We won’t work with AdWords,” he says.

Performics’ Henger says that Google and Yahoo have always paid attention to customer concerns and are doing what they can to fight click fraud. “Google would not be so foolish as to turn a (blind) eye to click fraud just to make a few extra million dollars today and jeopardize its long-term business,” he says. Henger notes that Google and Yahoo have the proper financial incentives to control click fraud.

Google’s Role

Google CFO George Reyes shook up the search world when he told audience members at an investor news conference that click fraud poses the single biggest threat to the company’s business model.

Google business product manager Shuman Ghosemajumder wouldn’t say how much click fraud the search engine sees on its website, but contends that the amount is not increasing. “Overall losses due to click fraud are very small,” he says.

Google employs Web analysis software that automatically filters out any traffic that the company considers fraudulent before the company sends reports to its advertisers, according to Ghosemajumder. “We can’t prevent it from happening, because the action comes from an external source, but we can prevent the action from having an effect on advertisers,” he says.

Google has scientists and artificial intelligence experts on staff to fight click fraud, but Ghosemajumder declined to say how many employees are involved in the effort.

Google provides free conversion tracking software so that its customers can look for suspicious fluctuations in clickthrough ratios, and the company has a department dedicated to resolving customer disputes over click fraud. Detecting click fraud “is all about finding patterns,” and Google is spending a lot of money researching how to identify those patterns, Ghosemajumder says.

Ghosemajumder says that fraud (such as inflating circulation numbers) occurs in print media as well. “We provide one of the most accountable forms of advertising available,” he says.

Click fraud perpetrators may be unafraid of their actions because thus far there have been no criminal prosecutions. Ghosemajumder thinks that may change someday, noting that people have been successfully prosecuted for writing viruses or denial of service attacks, which are similar activities aimed at interfering with the operation of a business.

The Price of Isolation

Finding broad patterns of click fraud across the advertising universe has been a challenge because companies consider Web analysis data proprietary information. Unlike group efforts to combat spam and track computer viruses, search engines, advertisers and click fraud analysis companies have not shared information about when and how fraudsters are acting.

PPC Trax’s Pratt says his company does not compile click fraud statistics because the data is the property of his clients. VeriClix’s Martin says that search engines should provide more data to give advertisers a better view of their clicks.

“Google is holding information [about click fraud] close to the vest,” says Martin. He believes that search engines should make public all information about click rates that are not trade secrets.

Martin says that search engines should provide an application programming interface that would allow click data to be automatically extracted and compiled by third parties.

The data would not identify the advertiser and makes it possible to identify patterns of click fraud across the Internet. Impartial clearinghouse companies could mediate between advertisers and search engines and give advertisers greater confidence in the pay-per-click model since search engines have an inherent conflict of interest in tracking fraud (each click identified as spurious reduces their revenue).

Requiring search engines to turn over click data to third parties would be a reasonable request, according to Henger of Performics. Akin to the debate over global warming, some parties will continue to say that click fraud is an imminent threat of apocalyptic scale, while others say it is merely a mild irritant. However, search engines wanting their industry to continue its incredible growth will have to persuade the court of public opinion that click fraud is not a significant problem, and that they are doing all they can to fight it.

“Search engines have a responsibility – it’s a trust issue,” says SEMPO’s Todd. She says search industry participants should work together to “create a massive anonymous data pool” that would enable click fraud to be more easily tracked. “We don’t want to go back to the insanity of the ’90s where ad dollars are taken for granted.”

Regardless of where you rank click fraud on your scale of big cyber offenses, most agree that some level of action needs to be taken to help stop it and to move online marketing forward.

JOHN GARTNER is a freelance writer in Portland, Ore. He is a former editor at Wired News and CMP. His articles regularly appear on Wired.com, AlterNet.org and in MIT’s TechnologyReview.com.