
Click Fraud on Google Search: Evolution and Patterns

I’ve been running search campaigns long enough to see click fraud not as an abstract threat but as a concrete practice with concrete patterns. For over ten years I’ve worked in paid search exclusively — only search campaigns, only service businesses — and over that time I’ve developed a fairly specific understanding of how fraudsters actually operate. Not theoretical. Practical. So in this article I’ll talk only about what I’ve investigated myself.

How it started for me

Around 2017, some people walked into the company where I was managing all digital marketing and made an interesting offer: they would click our competitors’ ads into oblivion, draining their budgets completely. Competition in our niche was brutal — about five companies fighting for the top spot in search results. To make their case, our visitors demonstrated the tool they used. A router loaded with multiple SIM cards, a software shell that rotated browser identifiers and pulled a fresh IP through a different SIM on every request. Then a pre-built list of queries would go into Google, the target site would be located, a click would fire, followed by a primitive imitation of human behavior: mouse movements, a short pause. That was it. This was 2017, and this was considered a working tool.

We didn’t click our competitors. We figured it was wrong, and on top of that it would heat up the auction and hurt us first. But we did test the device on our own campaigns to understand what it looked like from the inside. We found that Google does filter this kind of artificial activity: some clicks came back as invalid and the budget spent on them was refunded. Still, around 20 percent of that activity was counted as real user clicks. We understood that the most painful part wasn’t the net losses — it was that a day’s budget could burn through very fast. Even if Google issued a credit later, the ads had already stopped running for the day. And soon enough we felt it firsthand: one of our competitors had bought that device and turned it on us.

Back then, countermeasures were relatively straightforward. Phantom browsers with no history did a poor job impersonating real users. IP filtering worked, at least for a while. Google has even kept that setting to this day, though the 500-address-per-campaign limit combined with fraudsters’ ability to cycle through tens of thousands of IPs makes it a completely useless artifact.

How it evolved

Over the following years we watched click fraud grow in scale, take on new strategies, and most likely shift its technical infrastructure. Phantom browsers acquired history: purpose-built cookie profiles, pre-cultivated digital footprints. These profiles were sold on darknet markets, and the fact that they were sold means someone was buying them. Bot farms emerged, typically co-located with call centers: racks of smartphones, each one living its own virtual life in a specific location under a specific IP. The devices woke up in the morning, went to sleep at night, browsed topics they were supposed to care about, and built up the behavioral pattern of a real person. Occasionally an operator would manually step into a specific device’s session and add that human inconsistency that algorithms struggle to fake on their own. I heard this directly from someone who worked at one of those bot farms, co-located with a call center, in Manila in the mid-2020s. His words were that click fraud was the least harmful of the things they were doing there.


Attempts to use real people outside criminal networks also happened. Micro-task platforms let shady operators hire people for a small fee to run a search, find a specific site’s ad, click through, and even complete some kind of on-site action. That approach burned out quickly: Google got good at identifying those profiles and stopped crediting their activity. The platforms themselves came under pressure and either dropped the questionable use cases or pivoted their business entirely.

Today’s situation is harder. Fraudsters’ tools have evolved alongside detection systems, and a well-prepared fraudulent session is now virtually indistinguishable from a real user by its digital fingerprint. Not all of it — there are still amateurs running outdated toolkits, and that traffic Google and third-party anti-fraud systems handle reasonably well. But based on what I see in the campaigns I manage, fraud does survive the filters and gets credited as real user activity. I can’t back this up with hard statistics since I don’t have historical datasets going back far enough, but my practical sense is that the volume of fraud slipping through Google’s filters has grown over the years. Specialized systems that work at the site level and try to detect non-human behavior have an increasingly hard time with traffic that acts like a person, because it was most likely modeled on actual human behavioral data.

What’s still detectable

For all its sophistication, modern fraud has one fundamental constraint: to cause real damage to an advertiser, there has to be a lot of it. One or two stray clicks a day go unnoticed. Even 50 to 100 clicks — Google filters most of them, maybe 10 to 20 get through, and nobody particularly notices that either. What causes real damage is a massive campaign, volume that deviates significantly from the baseline activity level for specific queries in a specific niche. That means fraudsters are forced to leave traces in the data, even when their traffic impersonates human behavior convincingly at the individual session level.

Those statistical deviations are where detectable patterns live.

Pattern one: zombie phrases

Long queries — seven words or more. A real person can write a complex, detailed search query, but the probability of several different people writing the same long, specific query multiple times on the same day is essentially zero. If such a phrase suddenly starts showing up in a report several times daily — especially with no historical precedent — that’s not organic traffic. I call these zombies: they look like real queries, they were real at some point, but they aren’t anymore. Easy to detect, easy to remove through negative keywords.

Pattern two: isolated spikes

Low-baseline queries that suddenly spike sharply in impressions over one or two days. Not long, not suspicious in form — just low-frequency. Normal audience behavior doesn’t generate bursts like that without an external cause. If there’s no news event, no seasonal factor, no campaign setting change behind the spike, it’s a very likely sign of a fraud attack. Especially when that spike accounts for the majority of the term’s total weekly impressions, with near-zero activity on either side of it.

Pattern three: blending into high-frequency traffic

The hardest one to catch. High-frequency queries naturally show up many times a day, and nobody finds that suspicious. Fraudsters know this and try to hide their activity in that noise, injecting fraudulent traffic into exactly those high-volume terms. But even here there’s a statistical trace: impression counts on otherwise stable terms climbing on specific days in a way that deviates from normal variance by more than two standard deviations. That requires an analytical tool rather than manual review, but the pattern is real.
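The three patterns above can be expressed as checks over a week of per-term daily impressions. The following is an added example, not the author's tool or the ClickFraud Analyzer; the sample rows are constructed, and the thresholds (`peak >= 5`, `high_baseline`, the leave-one-out baseline with a 1.0 deviation floor) are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

DAYS = 7
# Constructed sample rows (day index 0-6, search term, impressions); not real campaign data.
ROWS = (
    [(d, "emergency plumber", n) for d, n in enumerate([50, 52, 48, 51, 49, 90, 50])]
    + [(d, "plumber near me", n) for d, n in enumerate([40, 42, 39, 41, 40, 42, 38])]
    + [(3, "boiler pressure valve", 14), (0, "boiler pressure valve", 1)]
    + [(4, "how much does a plumber charge to replace a kitchen tap", 3)]
    + [(2, "why is my upstairs radiator cold at the top only", 1)]
)

def daily_series(rows, days=DAYS):
    """Sum impressions per term per day into fixed-length lists."""
    series = defaultdict(lambda: [0] * days)
    for day, term, impressions in rows:
        series[term][day] += impressions
    return dict(series)

def flags_for(term, counts, long_words=7, high_baseline=20, z_limit=2.0):
    """Return the set of pattern names a term's daily impression series matches."""
    found = set()
    peak, total = max(counts), sum(counts)
    # Pattern one: a long query (seven words or more) repeated within a single day.
    if len(term.split()) >= long_words and peak >= 2:
        found.add("zombie")
    # Pattern two: low-baseline term whose peak day holds most of the week's impressions.
    elif median(counts) <= 1 and peak >= 5 and peak / total > 0.5:
        found.add("spike")
    # Pattern three: stable high-volume term with a day more than z_limit
    # standard deviations above the baseline formed by the other days.
    if median(counts) >= high_baseline:
        for i, x in enumerate(counts):
            rest = counts[:i] + counts[i + 1:]
            if x - mean(rest) > z_limit * max(pstdev(rest), 1.0):
                found.add("blend")
    return found

def analyze(rows):
    """Map each flagged term to the patterns it matched; clean terms are omitted."""
    return {t: f for t, c in daily_series(rows).items() if (f := flags_for(t, c))}

if __name__ == "__main__":
    for term, found in analyze(ROWS).items():
        print(sorted(found), term)
```

The long query that appears only once and the stable high-volume term are deliberately left unflagged, since length or volume alone is not the signal.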

What else is happening

Fraudsters typically rotate several hundred to several thousand queries through a single niche. A common pattern is a shared base — a question format, for instance — with many variations in the attached words: different city names, celebrity names, brand names. That’s its own signature: when your campaign gets flooded with queries that are nearly identical but differ by one or two words.
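One way to surface the shared-base signature in a list of search terms, as an added example that is not from the original article: mask one word position at a time and count how many distinct words fill it. The terms are constructed, `min_variants` and `min_words` are assumed thresholds, and the block covers only the one-word-difference case.

```python
from collections import defaultdict

# Constructed search terms; not real campaign data.
TERMS = [
    "how much is a locksmith in leeds",
    "how much is a locksmith in york",
    "how much is a locksmith in hull",
    "how much is a locksmith in bath",
    "how much is a plumber in leeds",
    "locksmith open now",
    "change door lock cost",
]

def template_families(terms, min_variants=4, min_words=4):
    """Group terms that are identical except for the word in one position.

    Returns {template: sorted fillers} for templates with at least
    min_variants distinct fillers; '*' marks the varying position.
    """
    families = defaultdict(set)
    for term in set(terms):
        words = term.lower().split()
        if len(words) < min_words:
            continue  # short terms share a masked form too easily by chance
        for i, word in enumerate(words):
            template = " ".join(words[:i] + ["*"] + words[i + 1:])
            families[template].add(word)
    return {t: sorted(f) for t, f in families.items() if len(f) >= min_variants}

if __name__ == "__main__":
    for template, fillers in template_families(TERMS).items():
        print(f"{template}  <- {len(fillers)} variants: {', '.join(fillers)}")
```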

Fraudsters also don’t keep the same query set running indefinitely. Topics shift, individual query groups intensify and fade, creating semantic waves that force Google’s algorithm to keep recalibrating. The result is that what most advertisers want from Smart Bidding — for it to learn quickly, stabilize, and find an efficient balance of bids and spend — doesn’t happen. The algorithm is stuck constantly recalculating in an unstable environment.

And fraud doesn’t stop at the click. On-site behavior is now convincingly simulated too. Not the jerky straight-line mouse movements of early tools — we’re talking smooth cursor paths, link navigation, naturally uneven scrolling, and at the end, a form submission, sometimes with data from a real person. If your campaigns are optimized for on-site conversions, I have bad news: some of those conversions may not be coming from humans. Once the algorithm accepts a bot conversion as legitimate, it has no reason not to keep showing your ads to the same kind of traffic. And if that traffic is large enough, the algorithm’s entire optimization will be pointed at attracting more of it.

This isn’t going to end

Click fraud evolves alongside the tools built to detect it. When one side finds an effective countermeasure, the other adapts. This has never been a static situation. There are patterns I deliberately didn’t describe here — not because they don’t exist, but because I’d rather fraudsters not know that those patterns are visible to me and that I have ways of responding to them.

I find this professionally interesting, because it demands constant attention and constant updating of methodology. Advertisers understandably don’t find it interesting at all — they want outcomes, not process. So the first practical step is figuring out whether your campaigns have this problem in the first place. There are niches where fraud is essentially absent, or at levels so low they’re not worth worrying about.

The three patterns I described can be checked in your campaign’s Search Terms Report using the ClickFraud Analyzer. It’s fast, free, and requires no registration. Your report is not stored anywhere.
