Facebook Click Fraud 101

Our posts earlier this week about the alarming amount of click fraud at Facebook left more than a few unanswered questions. The problem is real and was confirmed by Facebook. But what wasn’t clear is exactly how or why it was happening. Now, after we’ve interviewed a number of advertisers and fraudsters, we know exactly how and why they are doing it.

First the why. Click fraud is serious business on the big search engine advertising networks because the bad guys can make serious money. Sign up for an Adsense account and put those ads on parked domain names or wherever. Then all you have to do is start clicking those ads like crazy, using bots or cheap labor. The search engines fight this via obvious and not so obvious means, and an arms race begins. To win you need access to a lot of good IP addresses and not get too greedy. And like inflation and the government, a little click fraud is tolerated by Google and others. It keeps the dollars flowing.

But Facebook is a different story. As of now they don’t really have an Adsense equivalent – Some App developers can run Facebook ads for a revenue split, but that’s it. Those guys wouldn’t be able to get away with click fraud for very long because there are too few of them and it’s too easy to monitor spikes in performance.

So what’s the incentive? We’ve spoken to a number of Facebook advertisers who have explained exactly what’s happening – advertisers are clicking on competitor ads to drive up their costs and drive down their ROI. As advertisers leave the system in disgust, prices go down and the people left win.

At least that’s the theory. But what’s really happening is better explained by game theory stuff that we all learned in micro economics courses. The advertisers know they’d all collectively be better off if they didn’t engage in click fraud against each other. But anyone that “does the right thing” is put at a severe disadvantage competitively. So unless and until Facebook can put a stop to this, advertisers argue that they are actually forced to engage in click fraud to have a fighting chance at making any money.

Some of these guys are spending $30,000 a day on ads on Facebook alone (the maximum for self serve advertisers) and put significant capital at risk. They’re not particularly worried about much more than keeping that capital safe, and earning a living.

And for the most part these are affiliate marketers – middleman arbitragers that don’t create or sell products but simply pass leads and orders on to others who monetize users directly. They have to monitor ROI carefully, particularly because they are paying Facebook per click and in turn getting paid for conversions (sales, leads, etc.). Click fraud puts them out of business fast.

Facebook Click Fraud 101:

Here’s how advertisers are engaging in click fraud:

First, its hard to even see the ads in the first place. On search engines they are there on the parked domain page, or you see them when you type in a query. But on Facebook ads are hyper targeted to users based on deep demographic data – like single men who live in San Diego and like the Xbox and U2, for example. If you aren’t a user who fits that description on Facebook, you don’t see the ads.

So the bad guys just create thousands of fake Facebook accounts with a wide variety of demographic information. This sounds like a lot of work, but it’s highly automated. One advertiser told me how he paid $200 to an Indian operation for 2,000 Facebook accounts. Another said the going rate was just $10 per 100 accounts if you supply the unique email accounts. Once the accounts are created, they use software to fill out the varied demographic information, and that software also manages all these accounts.

The fraudster then logs in to Facebook via these accounts and views the ads that are displayed. The right competitive ads come up and Bingo, the software then clicks them. Facebook rules allow an account to click any advertisement up to six times in a 24 hour period, and all those clicks are charged. All you need is a few accounts to view the ads and then click to the max. Facebook even makes it easy to find the ads. They have an “Ad Board” that shows all ads targeted to that user (mine has 15 ads on it).

Often the fraudsters have their art down to a science and their software clicks ads so fast and moves on to the next one that it doesn’t even hang around long enough for the underlying URL to resolve. Facebook still sees (and charges for) the click, but the advertiser’s server never registers a page view. That’s what bugs advertisers the most. In our original post we quoted one advertiser who at least wanted to see the traffic from the spam bots: “If I were at least getting bot traffic or something that would be one thing, but right now Facebook is simply stealing 20% of clicks that I paid for, which adds up to thousands of dollars.”

The people we spoke with say they’ve been doing this since last year, and have had almost no account profiles shut down. “Just 2 of my 2,000 accounts were closed” said one source.

How Facebook Is Fighting This:

We’ve spoken to Facebook a number of times this week to understand how they are fighting click fraud. We also wanted to wait on this story until Facebook felt comfortable that we weren’t going to make the situation worse by mapping out how fraud is done.

Facebook says the fraud is now under control. One way they monitor fraud is to view conversions off ad clicks – some ads ink to other Facebook pages where surveys and offers are completed, and Facebook can monitor if a click results in a conversion. Conversion rates have stabilized since the changes they made last Sunday, Facebook tells us, meaning fraud has decreased.

Facebook has told us a few ways that they are combating the fraud. They’ve asked us not to publish all of those methods because fraudsters may have an easier time bypassing the defenses. But we’ve checked with experts who agree that the protections Facebook has put in place make sense.

One thing Facebook is willing to talk about on record is that they are heavily monitoring click rates on ads and flagging accounts that are statistically out of bounds for human review. It doesn’t sound like they intend to close known fraudster accounts down, though. Just keeping an eye on them and reversing any ad clicks may in fact be a smarter way of combating them and gathering more data. I agree.

Advertisers who’ve been affected will have credits applied to their accounts automatically, Facebook says. And they can also contact Facebook directly with concerns.

Some advertisers are saying click fraud rates haven’t declined this week at all, but others are saying they see a significant decline in fraud over the last few days. We’re working with one group who’ve set up test ads to monitor fraud on Facebook as well. As of tonight they are still seeing discrepancies in the number of clicks Facebook says they sent and what their server logs show. So clearly the problem has not been fixed entirely, and it probably never will be. It’s an arms race, but at least Facebook is admitting to the problem, and actively fighting it.