Industry estimates put click fraud at 14–22% of all paid traffic on Google Ads and Meta. For a $50K/month spend that is $7,000–$11,000 going to bots, competitors and click farms every month. Here is how to find it, document it for refunds, and shut it off at the source.
Most advertisers don't notice click fraud because the symptoms look like ordinary underperformance. CTR is fine, but conversions are oddly low. Bounce rate creeps up. CPL drifts even though bidding hasn't changed. The dashboards still look "green-ish" so nobody escalates. Meanwhile a small slice of every campaign is bleeding straight into automated traffic.
Google and Meta both run their own invalid-traffic filters. They are real, they catch a lot, and they are not enough. Both systems are tuned to err on the side of charging the advertiser when the verdict is ambiguous, because every click filtered out is platform revenue forfeited. The gap between what they filter and what is actually fraud is your problem to detect.
What "click fraud" actually means in 2026
The phrase covers four very different attackers, and the detection approach for each is different.
1. Competitor click attacks
The oldest variant. A competitor (or a contractor they hired) repeatedly clicks your ads to drain budget and push you off the auction. Modern attackers do this from residential proxy pools so the IPs look like real visitors, and they rotate user-agents to avoid trivial fingerprint matching. Volume is usually low (50–500 clicks/day) but targeted at your most expensive keywords. Cost: catastrophic if you bid on a $40 CPC term and the budget caps out by 11am.
2. Click farms
Real humans on real phones, paid $0.001 per click, usually based in Bangladesh, Vietnam, Indonesia, or the Philippines. They click your ad, sometimes scroll the landing page for a few seconds, then leave. Volume can be very high. The traffic is technically "human" so traditional bot detection misses it, but the behaviour signature is unmistakable once you look for it: identical session length, identical scroll depth, no mouse-move between click and exit, and an outsized share from VPN or residential-proxy IPs in specific ASNs.
3. Bots and ad scrapers
Headless Chrome, Puppeteer, and Playwright scripts. Sometimes auditors crawling search results to track competitor positioning. Sometimes affiliate publishers padding their click counts. Sometimes outright fraud rings monetising malware-installed ad-clicking software on consumer devices. We covered the detection stack for these in our Puppeteer & Playwright guide.
4. Affiliate and arbitrage abuse
An attacker buys cheap traffic from a low-quality network, points it at your ads through a redirect, and earns the affiliate commission when a tiny fraction converts. Or runs a Google Ads account that bids on your brand keyword and routes the click through their referral link. Detection requires correlating ad referrer with subsequent landing-page behaviour and known affiliate IDs.
The signals that catch click fraud
You don't need to invent these — they're well-known. The hard part is running them in real time on every paid click without slowing the page.
VPN, residential-proxy, and datacenter IP flags
The single highest-yield signal. No legitimate consumer is searching Google from a Hetzner IP. No real iPhone user clicks an ad from an OVH datacenter ASN. A flagged IP doesn't prove fraud on its own, but combined with any other signal it is decisive. Around 60% of click-farm and bot ad clicks come through one of these three IP categories.
Headless and antidetect-browser detection
A real visitor uses a real Chrome, Safari or Firefox build. A fraud farm uses Puppeteer with stealth plugins, or one of the antidetect browsers (Multilogin, GoLogin, Kameleo, Dolphin{anty}). Detecting browser tampering at the moment of the click — before the conversion event fires — lets you tag the session as fraud and exclude it from optimisation.
Behavioural signals on the landing page
Real users scroll, move the mouse, sometimes click around. Click farms exhibit telltale patterns: identical viewport-pixel coordinates of the entry click, exit within a tight time window (typically 6–14 seconds, just long enough to satisfy a "spent time on page" requirement), and zero mouse movement variance across hundreds of sessions. Once you know what the pattern looks like in your own analytics, the click farms are very obvious.
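The click-farm signature above can be checked directly against exported session data. This is an added example, not Sentinel's code: the session field names and both thresholds are assumptions, and the sample sessions are constructed.

```javascript
// Added example, not Sentinel's code. Session field names (dwellSeconds,
// mouseMoves, clickX, clickY) and both thresholds are assumptions.
const DWELL_MIN_S = 6, DWELL_MAX_S = 14; // exit window quoted in the text

function clickFarmScore(sessions) {
  // Per-session signature: exit inside the window with no mouse movement.
  const matching = sessions.filter(s =>
    s.dwellSeconds >= DWELL_MIN_S && s.dwellSeconds <= DWELL_MAX_S &&
    s.mouseMoves === 0);
  // Among those, count sessions sharing the exact same entry-click pixel.
  const byCoord = new Map();
  for (const s of matching) {
    const key = `${s.clickX},${s.clickY}`;
    byCoord.set(key, (byCoord.get(key) || 0) + 1);
  }
  const largestCluster = Math.max(0, ...byCoord.values());
  return {
    total: sessions.length,
    matching: matching.length,
    largestCluster,
    share: sessions.length ? largestCluster / sessions.length : 0,
  };
}

// A campaign is flagged when one identical-click cluster makes up a large
// share of a reasonably sized sample (assumed defaults: 20 sessions, 30%).
function isClickFarmPattern(sessions, minSessions = 20, minShare = 0.3) {
  const r = clickFarmScore(sessions);
  return r.total >= minSessions && r.share >= minShare;
}

// Constructed sample: 30 varied organic sessions plus 20 farm-like ones.
const sampleSessions = [];
for (let i = 0; i < 30; i++) {
  sampleSessions.push({ dwellSeconds: 5 + i * 7, mouseMoves: 10 + i,
                        clickX: 100 + i * 13, clickY: 200 + i * 5 });
}
for (let i = 0; i < 20; i++) {
  sampleSessions.push({ dwellSeconds: 6 + (i % 9), mouseMoves: 0,
                        clickX: 412, clickY: 388 });
}
console.log(clickFarmScore(sampleSessions));
```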
Cross-session linking via persistent visitor ID
The same physical device clicking your ad 20 times across 20 different IPs in 6 hours is invisible to IP-based filtering, but trivial once you have a stable browser-side visitor ID that survives incognito and IP rotation. This is the signal that catches sophisticated competitor attacks routed through residential proxy pools.
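A sliding-window pass over the click log shows how the visitor ID exposes IP rotation that per-IP filtering cannot see. This is an added example, not Sentinel's code: the click fields, the five-IP threshold and the sample log are assumptions constructed for illustration.

```javascript
// Added example, not Sentinel's code. Click fields (visitorId, ip, ts) and
// the minDistinctIps threshold are assumptions.
const WINDOW_MS = 6 * 60 * 60 * 1000; // 6 hours, as in the scenario above

function findRotatingVisitors(clicks, minDistinctIps = 5, windowMs = WINDOW_MS) {
  const byVisitor = new Map(); // visitorId -> [{ t, ip }]
  for (const c of clicks) {
    if (!byVisitor.has(c.visitorId)) byVisitor.set(c.visitorId, []);
    byVisitor.get(c.visitorId).push({ t: Date.parse(c.ts), ip: c.ip });
  }
  const flagged = [];
  for (const [visitorId, list] of byVisitor) {
    list.sort((a, b) => a.t - b.t);
    const ipCounts = new Map(); // ip -> clicks currently inside the window
    let start = 0, distinctIps = 0, clicksInWindow = 0;
    for (let end = 0; end < list.length; end++) {
      ipCounts.set(list[end].ip, (ipCounts.get(list[end].ip) || 0) + 1);
      // Slide the left edge until the window spans at most windowMs.
      while (list[end].t - list[start].t > windowMs) {
        const ip = list[start++].ip;
        const n = ipCounts.get(ip) - 1;
        if (n === 0) ipCounts.delete(ip); else ipCounts.set(ip, n);
      }
      if (ipCounts.size > distinctIps) {
        distinctIps = ipCounts.size;
        clicksInWindow = end - start + 1;
      }
    }
    if (distinctIps >= minDistinctIps) {
      flagged.push({ visitorId, distinctIps, clicks: clicksInWindow });
    }
  }
  return flagged;
}

// Constructed sample (documentation IP ranges, made-up visitor IDs).
const hours = [0, 1, 2, 3, 4, 5];
const sampleClicks = [
  // Same device, six IPs in five hours: the rotation pattern.
  ...hours.map(h => ({ visitorId: 'v-aaa', ip: `203.0.113.${10 + h}`, ts: `2026-01-10T0${h}:00:00Z` })),
  // Same device, six IPs, but one click per day: never 5 IPs in one window.
  ...hours.map(d => ({ visitorId: 'v-bbb', ip: `198.51.100.${20 + d}`, ts: `2026-01-1${d}T12:00:00Z` })),
  // Ordinary visitor switching between home and mobile networks.
  { visitorId: 'v-ccc', ip: '192.0.2.7', ts: '2026-01-10T09:00:00Z' },
  { visitorId: 'v-ccc', ip: '192.0.2.8', ts: '2026-01-10T13:00:00Z' },
];
console.log(findRotatingVisitors(sampleClicks));
```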
Conversion lag mismatch
Genuine visitors who click an ad have a conversion lag distribution — it might be minutes, hours, or days, but it is not perfectly bimodal. Click-fraud traffic typically converts at zero (the most common case) or instantly via a scripted micro-conversion to make the campaign look healthy. The shape of the lag distribution alone will surface entire campaigns that are mostly fraudulent.
How to integrate detection into a paid-ads stack
The point of detection is to act on it. Two integrations get you most of the value:
1. Block the conversion event for fraud sessions
Most ad optimisation algorithms learn from your conversion signal. If you fire conversions for fraudulent visits, you are training Google's bidding to find more fraudulent visits. Stop firing the conversion event when Sentinel flags the session as bot/proxy/tampered:
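// On your landing page, before firing the conversion pixel.
// Note: anything embedded in page JavaScript is readable by every visitor.
// If this key is a secret, make the call from your own backend instead.
(async () => {
  const verdict = await fetch('https://sntlhq.com/v1/evaluate', {
    method: 'POST',
    headers: {
      'Authorization': 'Bearer sk_live_YOUR_KEY',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({ token: window.__sentinelToken })
  }).then(r => r.json());

  // Fire conversions only for sessions not flagged as suspicious or bot.
  // Optional chaining guards against a response without a details object.
  if (!verdict.isSuspicious && !verdict.details?.isBot) {
    gtag('event', 'conversion', { send_to: 'AW-XXX/YYY' });
    fbq('track', 'Lead');
  }
})();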
2. Document refund-eligible clicks
Both Google Ads and Meta accept invalid-traffic refund requests if you provide structured evidence. The minimum is: timestamp, IP, user-agent, landing-page URL, GCLID/FBCLID, and the specific signal(s) that flagged the click. Sentinel writes this to your dashboard automatically — you can export it as CSV and attach it to the refund request. Recovery rates we have seen: 18–34% of documented invalid clicks accepted for refund within 90 days.
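If you assemble the evidence file from your own logs, remember that the user-agent and URL columns hold text chosen by the clicker, so formula-shaped values need neutralising before anyone opens the file in a spreadsheet. This is an added example, not Sentinel's exporter: the record shape, column names and signal labels are assumptions, and the sample records are constructed.

```javascript
// Added example, not Sentinel's export. The record shape and column names
// are assumptions; the fields are the minimum set listed above.
const COLUMNS = ['timestamp', 'ip', 'userAgent', 'landingUrl', 'clickId', 'signals'];

function csvCell(value) {
  let s = String(value ?? '');
  // User-agent and URL are supplied by the clicker. Prefix anything a
  // spreadsheet would evaluate as a formula so it is read as plain text.
  if (/^[=+\-@\t\r]/.test(s)) s = "'" + s;
  // RFC 4180 quoting: quote cells with commas, quotes or line breaks.
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

function toEvidenceCsv(flaggedClicks) {
  const rows = [COLUMNS.join(',')];
  const incomplete = []; // records missing a minimum field, kept out of the export
  for (const c of flaggedClicks) {
    const rec = { ...c, signals: (c.signals || []).join('; ') };
    if (COLUMNS.some(k => !rec[k])) { incomplete.push(c); continue; }
    rows.push(COLUMNS.map(k => csvCell(rec[k])).join(','));
  }
  return { csv: rows.join('\r\n') + '\r\n', incomplete };
}

// Constructed sample records (documentation IPs, placeholder click IDs).
const sampleFlagged = [
  { timestamp: '2026-01-10T09:14:03Z', ip: '203.0.113.10',
    userAgent: 'Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0',
    landingUrl: 'https://shop.example/landing?gclid=GCLID-PLACEHOLDER-1',
    clickId: 'GCLID-PLACEHOLDER-1', signals: ['datacenter_ip', 'headless_browser'] },
  { timestamp: '2026-01-10T09:15:40Z', ip: '198.51.100.22',
    userAgent: '=1+1, "spoofed"', // formula-shaped user-agent
    landingUrl: 'https://shop.example/landing?fbclid=FBCLID-PLACEHOLDER-2',
    clickId: 'FBCLID-PLACEHOLDER-2', signals: ['proxy_ip'] },
  { timestamp: '2026-01-10T09:16:12Z', ip: '192.0.2.7',
    userAgent: 'Mozilla/5.0', landingUrl: 'https://shop.example/landing',
    clickId: '', signals: ['proxy_ip'] }, // no GCLID/FBCLID captured
];
console.log(toEvidenceCsv(sampleFlagged).csv);
```

Records returned in `incomplete` lack one of the minimum fields and should be reviewed rather than submitted.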
3. Add proxies and antidetect browsers to negative-audience lists
Both ad platforms support custom audiences. You can build a "known fraud" audience from Sentinel-flagged sessions and exclude it from your campaigns. This stops the same device from costing you money on the next click — the reduction in wasted spend usually exceeds the API cost by 30–50×.
What about the platform's own filters?
Google Ads invalid-click filtering and Meta's invalid-traffic system are real and useful. They block the most obvious bot traffic before billing. But:
- They run with delays — sometimes hours or days — so the fraudulent session has already polluted your conversion training data before the filter triggers.
- They are tuned conservatively. Borderline traffic gets billed.
- They have no visibility into what happens on your landing page after the click. The richest fraud signals (behaviour, persistent ID, on-page tampering) are invisible to them.
- They are the same company collecting the ad spend. There is a structural conflict of interest.
You don't replace Google's filters. You stack on top of them. The marginal fraud they miss is exactly the fraud worth catching — it's the sophisticated traffic that costs you the most per click.
How much will this save you?
Order-of-magnitude estimate based on accounts we've seen:
- $10K/month spend: $1,200–$2,000/month wasted on fraud, of which $500–$900 is recoverable through detection + refund flow.
- $50K/month spend: $7,000–$11,000/month wasted, $3,500–$6,500 recoverable.
- $250K/month spend: $35,000–$55,000/month wasted, $20,000–$35,000 recoverable.
The bigger driver is usually the second-order effect: stopping fraud sessions from polluting your conversion data lets the platform optimisation actually find real customers. The ROAS improvement on the legitimate spend that remains is typically larger than the direct refund savings.
Try it on a single campaign first
Don't wire it into every campaign at once. Pick the most expensive keyword in your account, the one with the highest CPC and the worst-performing conversion rate. Add the Sentinel SDK to that landing page, run for two weeks, and look at:
- What % of clicks were flagged as bot, proxy, or tampered.
- The conversion rate on flagged vs unflagged clicks.
- The cost of flagged-click refund requests (most ad platforms have a 60-day window).
If the flagged clicks convert at 1/5th the rate of unflagged ones — which is the typical pattern — the case for rolling out across the account makes itself.
Free API key at sntlhq.com/signup. 1,000 requests/hour, no credit card. Node SDK on npm, REST API docs if you're integrating from Python, PHP, Go or Ruby.