Over the past year, we’ve been working hard to share more information about how we protect you against click fraud. Last July, the invalid clicks report was released to provide you with the number of invalid clicks we detect (and don’t charge for) in each individual account. A few weeks ago, our Click Quality team provided a list of common concerns and tips related to their click fraud investigations and let you know how to request an investigation. Now, Shuman Ghosemajumder, Business Product Manager for Trust & Safety, has an update:

As part of our effort to provide you with more information on invalid clicks, we wanted to give you some additional background on how our systems, processes, and teams work together to manage click fraud for our advertisers, while also sharing what the overall landscape of invalid click detection at Google looks like.

Let’s dive right in with an overview of how it works. At a high level, we have a three stage-system for invalid click detection: (1) our real-time filters, (2) offline analysis, and (3) reactive investigations. The diagram below gives a more detailed explanation of what each does:

As you can see, the invalid clicks detected in the first two stages are the result of proactive work by Google. In stage one, we automatically filter most of these clicks before they even reach your account to protect against malicious activity and optimize your return on investment (ROI). The much smaller amounts of invalid clicks found in stage two are reflected in Click Quality Adjustments listed on your billing summary page. In either case, you don’t need to take any action or write to us to receive this protection. The third stage only includes the relatively rare cases where advertisers are affected by undetected click fraud. In those cases, an advertiser writes to us, we conduct an investigation, and if we find signs of undetected click fraud, we mark those clicks as invalid and give a refund to the advertiser.

So, how many invalid clicks are detected proactively vs. reactively? Here’s the breakdown:

Impact vs. activity
Click fraud is similar to email spam in a lot of ways. The most significant similarity is that the seriousness of the problem is not measured by how much spam is sent, but rather how much gets into a user’s inbox. When looking at click fraud, the most important measure is not the “activity” metric – which measures the volume of invalid clicks that occur overall – but the “impact” metric. The activity metric could go up or down significantly and the impact on advertisers would not change if filters are catching the invalid clicks. So far, we have only publicly shared this activity metric, which we have disclosed as being less than 10% of all clicks, and explain in more detail next. After that explanation, we want to talk about the impact metric for the first time. This measures what percentage of all clicks are clicks reported by advertisers which, after investigation, turn out to be invalid and have not already been caught by Google. Explaining these topics is complicated, but we’re going to give it a try. Here goes.

Activity - invalid clicks fluctuate constantly but average less than 10% of all clicks
Our invalid clicks rate – the activity rate – has remained in the range of less than 10% of all clicks every quarter since we launched AdWords in 2002. At Google’s current revenue rate, every percentage point of invalid clicks we throw out represents over $100 million/year in potential revenue foregone.

Because it is difficult to definitively determine the “intent” of a click in many cases, the number of invalid clicks that we filter also include those filtered for reasons separate from fraudulent intent. Cases of provable click fraud attempts constitute a small minority of the clicks we mark as invalid. There are many greyer cases of possible click fraud attempts (but without clear scientific “proof”), for which we still choose not to charge advertisers. For example, we have an automated rule which filters out the second click of all double clicks as a matter of policy. We mark this kind of activity as invalid simply to optimize advertiser ROI. Those clicks are included in our “activity” metric and are also a good reason we use the term “invalid” clicks instead of fraud.

This combined approach is the essence of click fraud management: the goal is to cast the net of invalid clicks sufficiently wide in order to have a high degree of confidence that actual malicious behavior is effectively filtered out. By proactively filtering clicks worth potentially hundreds of millions of dollars every year, we are able to provide very effective protection against attempted click fraud.

Impact - less than 0.02% of all clicks are reactively detected as invalid
Our Click Quality team investigates every inquiry we receive from advertisers who believe they may have been affected by undetected click fraud. Many of these cases are misunderstandings, but in most cases where malicious activity is found, the clicks have already been filtered out (and not charged for) by our real-time filters. Because of the broad operation of our proactive detection, the relatively rare cases we find of advertisers being affected by undetected click fraud constitute less than 0.02% of all clicks.

Put another way, for every ten thousand clicks on Google AdWords ads, fewer than two are reactively detected cases of possible click fraud. This proportion has stayed within this range every quarter since we launched AdWords, even as the issue of click fraud has received more widespread media attention. In the cases of reactively detected invalid clicks, a refund or credit is provided to the advertiser, and we utilize the discovery as a feedback mechanism to improve our proactive detection systems.

What do these numbers mean for me as an advertiser?
It is important to understand that the network-wide invalid clicks rate is separate from an individual advertiser’s invalid clicks rate. The invalid clicks rate is what we call an open loop number, which means that the more invalid activity we detect, the more protection we provide. A machine attempting a click fraud attack can send any number of clicks, even exceeding the maximum number of clicks that are allowed based on an advertiser's daily budget, but our systems will automatically filter these clicks so that the advertiser is not impacted. For example, an advertiser with a $10 daily budget could be attacked by someone attempting click fraud consisting of $1 million worth of clicks. When our filters protect against that attack, the advertiser’s invalid clicks rate would increase dramatically – meaning we were filtering out a very high proportion of their clicks – and their campaign would be unharmed. Similarly, that attack alone would increase the overall invalid clicks rate on our network, even though it was limited to a single advertiser. In this manner, a large attack focused on just a few advertisers can actually manipulate Google’s overall invalid clicks rate for that day, so this is an externally manipulable number.

Thus, the overall invalid clicks rate, as well as its day-to-day fluctuations, has almost no relation to the invalid clicks rate for an individual advertiser. In order to provide the real data to our advertisers, we launched the invalid clicks report in the AdWords Report Center last year. This feature provides the precise number of clicks we are filtering out on each of an advertiser’s campaigns.

We are disclosing these network-wide figures in order to provide greater transparency to Google advertisers and the marketplace as a whole. These figures illustrate the significant level of proactive protection we provide, and how this has resulted in minimizing the actual impact of click fraud on advertisers. As noted above, these network figures do not have any bearing on what individual advertisers may experience, and you should refer to your invalid clicks report for that data.

Moving forward
Click fraud protection is something we take very seriously, and it requires a great deal of research and development to do effectively. We believe we lead the industry in terms of our level of investment as well as the effectiveness of the protection we provide, but we also look forward to continuing to innovate and invest in this area of our advertising system just as we do in others. It is clearly in the long-term best interests of both Google and the industry as a whole to effectively protect advertisers against click fraud. This is why we are also working with dozens of other companies to establish industry standards for click fraud protection, as one of the founders of the Interactive Advertising Bureau’s Click Measurement Working Group.

Ultimately, the biggest benefit of the pay-per-click advertising model is that advertisers can measure the performance of their campaigns extremely accurately, and thus the most important metric that both our advertisers and Google are focused on is providing the best possible return on investment.