In This Article
- 1. The Uncomfortable Truth Nobody in the Industry Wants to Say
- 2. Why Click Fraud Protection Software Doesn't Really Work
- 3. The B2C vs. B2B Distinction That Changes Everything
- 4. The Unknown Exclusion: The Closest Thing to an Actual Fix
- 5. The Microsoft Ads Reality: When There's No Fix at All
- 6. What to Actually Do If You're Being Hit
- 7. Frequently Asked Questions
The Uncomfortable Truth Nobody in the Industry Wants to Say
Click fraud is, for most advertisers, almost impossible to stop completely. That's not a defeatist position — it's an accurate one. And the reason it matters is that building your strategy around the assumption that you can stop it will cost you more money than the click fraud itself.
Click fraud is not a new problem. It's been a structural feature of pay-per-click advertising since the early 2000s, and the fundamental dynamic hasn't changed: as long as someone can profit from or benefit from draining your ad budget through fake clicks, they will find ways to keep doing it. The tactics evolve faster than the defences. IP blocking — the core mechanism of most protection software — is the advertising equivalent of bailing out a boat with a teaspoon.
This isn't to say you should do nothing. There are genuinely effective approaches, and we'll get to them. But the first step is giving up the idea that a third-party subscription service is going to solve it for you.
"You open your change history and there are hundreds of IP addresses being added to the exclusion list every single day. The alerts are firing. The reports are thick. And then you look at your conversion rate and nothing has changed."
Why Click Fraud Protection Software Doesn't Really Work
Products like ClickCease and ClickGuard work by identifying suspicious IP addresses — based on click frequency, geographic anomalies, device fingerprints — and adding them to your Google Ads IP exclusion list. The logic sounds reasonable. Block the bad IPs, stop paying for the bad clicks.
The problem is that this logic only holds if the click fraudsters are using a fixed set of IPs. They're not. Anyone operating a click fraud operation at scale — whether it's a competitor trying to drain your budget, a click farm, or automated bot traffic — has access to rotating residential proxies, VPNs, and botnet infrastructure that can cycle through thousands of IPs per day. Block one, another hundred appear.
So what does the software actually give you?
- A busy change history. Hundreds of IP exclusions being added constantly looks like something is being done. It creates the appearance of active defence.
- An explanation for why results are down. "We're fighting a lot of click fraud" becomes the answer when campaigns underperform. It gives people an excuse to avoid harder conversations about targeting, creative, or offer quality.
- A feeling of control over something that is largely outside your control.
None of those things are worthless — peace of mind has value. But if you're paying £200–£500 per month for a click fraud service and expecting it to materially improve your campaign performance, the evidence doesn't support that expectation. The click fraud continues. The budget drains. The only difference is you can watch it happen in more detail.
The Google Ads IP exclusion limit
Google Ads caps IP exclusions at 500 per campaign. A moderately active click fraud operation can cycle through 500 unique IPs in days. This ceiling alone makes IP-based blocking a fundamentally limited approach, regardless of how sophisticated the detection software is.
The B2C vs. B2B Distinction That Changes Everything
Before deciding what to do about click fraud, you need to understand a structural difference between B2C and B2B advertising that directly affects how much Google knows about who's clicking your ads.
B2C advertisers have a meaningful advantage here. The vast majority of retail consumers — people shopping for products and services in their personal capacity — are logged into a Google account when they're browsing. They're logged into Gmail. YouTube. Google Maps. Android. Chrome sync. The average person is logged into Google products for most of their waking internet hours.
When someone who is logged in clicks your ad, Google has actual data about them: their age range, gender, household income bracket in some markets, search history patterns, YouTube interests, and more. That data powers demographic reporting in your Google Ads account. It's also what makes demographic-based filtering possible.
B2B is a different picture. Business users researching software, services, or suppliers are often using work machines, private browsing, or simply aren't logged into personal Google accounts during work hours. A meaningful portion of your B2B clicks will come from users Google can't identify — they show up in your demographic reports as "Unknown."
B2C
Most customers are logged into Google. Gender, age, and interest data is available for the majority of clicks. Unknown demographic = red flag. Legitimate customers tend to be identifiable.
B2B
Work users often aren't logged in. Unknown demographic is a normal part of your traffic. Excluding Unknown is riskier — you may lose real prospects alongside the fraudulent traffic.
This distinction matters because the most practical defence against click fraud — demographic exclusion — works very differently depending on which category you're in.
The Unknown Exclusion: The Closest Thing to an Actual Fix
Bots are not logged into Google accounts. Click farm workers operating manually from residential IPs might be, but the vast majority of automated invalid traffic — the kind that shows up as sustained, high-volume, non-converting click patterns — is not. This means it shows up in your demographic data as Unknown: unknown gender, unknown age, unknown household income.
For B2C advertisers, this creates an opportunity. If your legitimate customer base is overwhelmingly logged-in users — and for most retail and consumer service businesses, it is — then the Unknown segment of your traffic contains a disproportionate share of your invalid clicks. Excluding it doesn't guarantee you eliminate all click fraud, but it removes the segment that's most likely to contain it.
The practical approach is to exclude Unknown from either gender or age targeting (or both) for a defined test period — typically four to eight weeks — and watch what happens:
Check your demographic breakdown first
In Google Ads, go to Audiences → Demographics. Look at the Unknown row for both gender and age. If Unknown is getting a high share of clicks but a disproportionately low share of conversions relative to your known demographics, that's your signal.
Exclude Unknown gender (or age) at campaign level
Set Unknown to "Excluded" in your demographic targeting. This does not mean you only show to people Google has verified — it means you won't bid on users Google cannot identify. Your known demographics still serve normally.
Run it for four to eight weeks and compare
Look at click volume, cost, and conversion rate before and after. Two outcomes are common: either the fraudulent clicking stops (the person doing it realises your ads are no longer showing) or it drops significantly because the traffic source can't impersonate logged-in users at scale.
If the fraud stops, test re-enabling Unknown
After a clean period, re-enable Unknown targeting and monitor closely. Some fraudulent clicking campaigns are opportunistic — when your ads stop being available to them, they move on. Others are persistent and will resume. If it comes back, exclude again.
We documented a real case of this approach working against a persistent click-forwarding operation on a roofing client's Google Ads account. The Unknown demographic exclusion reduced spend by 80% while maintaining the same number of real conversions.
Industry-specific caution
This approach works best when your legitimate customer base is predominantly identifiable by Google — which is true for most B2C retail and local services. It is less suitable for B2B, for industries where privacy-conscious users are the norm, or in markets where Google's demographic coverage is lower. Always check your conversion data by demographic before excluding anything — don't exclude a segment that's actively converting for you.
The Microsoft Ads Reality: When There's No Fix at All
Google at least has the demographic infrastructure to make the Unknown exclusion approach viable. Microsoft Ads — Bing — is a different situation, and in many ways a harder one.
We had a client receiving an unusual volume of traffic from Microsoft Ads. The click volume looked impressive in the dashboard. The conversion rate was close to zero. We opened Microsoft Clarity on their site and the picture became immediately clear.
The bot traffic indicator in Clarity was flagged red. Session recordings showed the same pattern repeating: the mouse cursor would appear on screen and move in a perfectly straight vertical line, up and down, up and down, for thirty minutes. Over and over. Not a single deviation. Not a single scroll. Not a single click on any page element. Just a cursor executing a script, keeping the session alive, running up the paid click count.
It wasn't ambiguous. No human moves a mouse in a perfectly straight line for half an hour.
// What Microsoft Clarity showed on the session recordings
Session duration: 31 minutes, 42 seconds
Pages visited: 1
Mouse movements: 4,847
Movement pattern: Straight vertical line, repeating
Clicks on page elements: 0
Scroll events: 0
Clarity bot flag: YES
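The pattern in those recordings can be checked mechanically if you export cursor samples from your own session tooling. The following is an added example, not part of the original article and not Clarity's detection logic; the `(t, x, y)` sample format, the thresholds and both sample sessions are assumptions constructed for illustration.

```python
from statistics import pstdev

# Thresholds are assumptions for this illustration, not Clarity's own rules.
MIN_MOVES = 500        # enough samples to judge the shape of the path
MAX_X_SPREAD_PX = 1.0  # std-dev of x at or below this: a vertical line
MIN_REVERSALS = 20     # repeated up/down direction changes

def summarise_session(moves, clicks, scrolls):
    """moves: list of (t_seconds, x, y) cursor samples from one session."""
    xs = [x for _, x, _ in moves]
    dys = [b[2] - a[2] for a, b in zip(moves, moves[1:]) if b[2] != a[2]]
    reversals = sum(1 for p, q in zip(dys, dys[1:]) if (p > 0) != (q > 0))
    return {
        "moves": len(moves),
        "x_spread": pstdev(xs) if len(xs) > 1 else 0.0,
        "reversals": reversals,
        "clicks": clicks,
        "scrolls": scrolls,
    }

def looks_scripted(s):
    """True for a repeating straight vertical path with zero engagement."""
    return (s["moves"] >= MIN_MOVES and s["x_spread"] <= MAX_X_SPREAD_PX
            and s["reversals"] >= MIN_REVERSALS
            and s["clicks"] == 0 and s["scrolls"] == 0)

def constructed_bot_moves(n=4847, x=640, top=100, bottom=700, step=25):
    """Constructed sample: cursor bouncing between top and bottom at fixed x."""
    moves, y, direction = [], top, 1
    for i in range(n):
        moves.append((i * 0.39, x, y))
        if not top <= y + direction * step <= bottom:
            direction = -direction
        y += direction * step
    return moves

def constructed_human_moves():
    """Constructed sample: a wandering path that drifts in both axes."""
    pts = [(120, 80), (180, 140), (260, 150), (330, 240), (310, 400),
           (420, 380), (515, 460), (500, 520), (610, 505), (640, 610)]
    return [(i * 0.8, x, y) for i, (x, y) in enumerate(pts * 60)]

if __name__ == "__main__":
    bot = summarise_session(constructed_bot_moves(), clicks=0, scrolls=0)
    human = summarise_session(constructed_human_moves(), clicks=3, scrolls=12)
    print("bot session scripted:", looks_scripted(bot))
    print("human session scripted:", looks_scripted(human))
```

A flag from a check like this supports a budget decision; it is not the independently verifiable proof the platform asked for.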
We contacted Microsoft Ads support with this evidence. Their response was that Clarity flagging traffic as bot-generated did not constitute sufficient proof. They wanted specific, independently verifiable evidence of fraudulent clicks — a standard that was, in practice, impossible to meet from an advertiser's position without access to their internal traffic validation systems.
Microsoft's own analytics product was flagging the traffic as bots. Their own advertising platform was charging for it. And their support team was declining to act because the bar of proof was set at a level only Microsoft itself could satisfy.
This is not an isolated experience. The lack of meaningful invalid traffic protection on Microsoft Ads relative to Google Ads is a consistent complaint from advertisers across industries. Google has invested heavily in automated invalid traffic detection and does refund credits for traffic it identifies as invalid — imperfectly, but the mechanism exists. Microsoft's equivalent is significantly weaker.
What to Actually Do If You're Being Hit
Here's the honest practical framework, in order of what to try:
Step 1: Diagnose before you act
Pull your demographic breakdown in Google Ads. Look at click volume and conversion rate by gender (Unknown vs. known) and by age (Unknown vs. known). If Unknown is getting clicks but not converting at anything close to the rate of your known demographics, you have evidence to act on. Don't exclude Unknown just because you suspect fraud — confirm it in the data first.
Step 2: Exclude Unknown demographics for 4–8 weeks
If the diagnosis supports it and your business is B2C, exclude Unknown gender and/or Unknown age at campaign level. Monitor click volume, cost per click, and conversion rate over the following weeks. This is not a permanent change — it's a targeted test that also acts as a deterrent.
Step 3: Use Microsoft Clarity (or equivalent) to document what you're seeing
Even if Microsoft won't act on Clarity data as proof of fraud, it gives you a clear picture of what's happening. If you can see bot behaviour clearly — straight-line mouse movements, inhuman session patterns, zero engagement — that's enough to make a budget decision, even if it doesn't get you a credit from the platform.
Step 4: Make a budget decision, not a technical one
If the demographic exclusion doesn't resolve it, or if you're on Microsoft Ads and the problem is structural, the honest answer is that you may need to redirect budget. A channel that's delivering a high volume of clicks that consistently don't convert is not delivering value — regardless of the reason. The money spent chasing a technical fix or on protection software is often better applied to channels that are actually working.
What not to do: subscribe to a protection service and wait
The change history will fill up. The reports will land in your inbox. The dashboard will show you thousands of blocked IPs. None of this means the problem is solved. If you're going to use protection software, use it as a monitoring tool to understand patterns — not as a solution to a problem it cannot structurally solve.
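The diagnosis in Step 1 and the before/after comparison in Step 2 can be run as a small script over exported figures. This is an added example, not code from the original article or from Google Ads; the row layout, the thresholds, the function names and all numbers are constructed assumptions.

```python
# Constructed demographic rows: (segment, clicks, cost, conversions). In practice
# these are read off the Audiences -> Demographics view for gender or age.
ROWS = [
    ("Male",    1200,  960.0, 48),
    ("Female",  1500, 1170.0, 63),
    ("Unknown", 2300, 1840.0,  4),
]

# Assumed decision thresholds for this sketch; tune them to the account.
MAX_RATE_RATIO = 0.25  # Unknown converting below 25% of the known rate
MIN_CLICKS = 200       # smaller Unknown samples are too noisy to judge

def _totals(rows):
    return sum(r[1] for r in rows), sum(r[2] for r in rows), sum(r[3] for r in rows)

def diagnose(rows, business_type="B2C"):
    """Compare the Unknown segment with known demographics and pick a next step."""
    u_clicks, u_cost, u_conv = _totals([r for r in rows if r[0] == "Unknown"])
    k_clicks, _, k_conv = _totals([r for r in rows if r[0] != "Unknown"])
    u_rate = u_conv / u_clicks if u_clicks else 0.0
    k_rate = k_conv / k_clicks if k_clicks else 0.0
    if u_clicks < MIN_CLICKS or k_rate == 0:
        action = "insufficient data"
    elif u_rate > MAX_RATE_RATIO * k_rate:
        action = "keep Unknown: it is converting"
    elif business_type == "B2B":
        action = "review manually: Unknown is normal B2B traffic"
    else:
        action = "test excluding Unknown for 4-8 weeks"
    return {
        "unknown_click_share": u_clicks / (u_clicks + k_clicks or 1),
        "unknown_conv_rate": u_rate,
        "known_conv_rate": k_rate,
        "unknown_cost": u_cost,
        "action": action,
    }

def compare_periods(before, after):
    """before/after: dicts of clicks, cost, conversions for equal-length windows."""
    rate = lambda p: p["conversions"] / p["clicks"] if p["clicks"] else 0.0
    return {
        "cost_change_pct": 100 * (after["cost"] - before["cost"]) / before["cost"],
        "conversion_change": after["conversions"] - before["conversions"],
        "conv_rate_before": rate(before),
        "conv_rate_after": rate(after),
    }

if __name__ == "__main__":
    print(diagnose(ROWS))
```

The "keep Unknown" and B2B branches encode the cautions above: a segment that converts is never excluded, and Unknown traffic in B2B gets a manual look instead of an automatic exclusion.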
Frequently Asked Questions
Does Google refund money lost to click fraud?
Google has automated systems that detect and filter invalid clicks, and credits do appear in accounts for traffic Google identifies as invalid — these show up in your billing as "Invalid activity adjustments." The credits are real but incomplete: Google's detection catches a portion of invalid traffic, not all of it. You cannot manually claim credits for specific clicks you believe are fraudulent without going through Google's investigation process, which has a high evidentiary bar and inconsistent outcomes.
Is click fraud always from competitors?
No — and assuming it is can lead you to focus on the wrong problem. Click fraud sources include: competitors trying to drain your budget, ad fraud networks profiting from publisher-side click inflation, click farms (manual workers paid per click), bots and botnets, and accidental clicks from mobile users. Competitor-driven click fraud tends to be more targeted and persistent; bot and ad network fraud tends to be more diffuse and higher volume. The mitigation approach differs depending on the source.
Will excluding Unknown demographics hurt my reach significantly?
For B2C advertisers, the impact on legitimate reach is usually smaller than it looks. Most of your converting customers are logged-in users Google can identify. The Unknown segment tends to be a mix of privacy-conscious users, occasional users not logged in, and — disproportionately — bot and invalid traffic. Check your conversion data by demographic before you exclude: if Unknown is converting at a reasonable rate for you, the exclusion carries more risk. If it's converting at near zero, you're mostly excluding traffic that isn't helping you anyway.
Should I still use click fraud protection software?
If you're going to use it, use it as a monitoring and reporting tool, not as a solution. The detailed logs of suspicious IP patterns can be useful for understanding what you're dealing with. What it won't do is materially reduce the volume of invalid clicks hitting your account, because IP rotation makes IP-based blocking structurally ineffective at scale. The budget spent on protection software is often better applied to testing demographic exclusions, improving landing page conversion rate, or diversifying ad spend to channels with lower fraud exposure.
Microsoft Ads flagged bot traffic and won't refund it — what are my options?
Your options are limited, and that's the honest answer. You can escalate within Microsoft support, request a formal invalid click investigation, and document everything — Clarity recordings, session data, click-to-conversion comparisons. Occasionally this results in credit. More often it doesn't. The practical response is to reduce or pause Microsoft Ads spend on the affected campaigns and redirect budget to channels where you can measure real returns. Microsoft Ads has significantly weaker invalid traffic protection than Google Ads, and that structural gap is not something an individual advertiser can fix.
Written by
Brendan Andrew Chase
Google Ads specialist with 10+ years managing campaigns across B2C and B2B verticals in the US, UK, and EU. 200+ projects delivered. Founder of Extra Large Marketing Digital, based in Rio de Janeiro.