How to detect click fraud with 7 signals
Bot traffic and fake clicks have become more sophisticated. Here are 7 technical signals that separate real users from fake sessions — with a practical detection approach for each.
You would like to believe every click on your Google Ads campaigns comes from a real prospect. Reality: industry averages put 14% to 35% of PPC traffic in the invalid click category. Google catches part of that with its filters; the rest is billed to you — straight out of your budget.
A single signal is never enough to separate fake from real. Modern botnets move from datacenter to residential IPs, mimic mouse movement and even solve CAPTCHAs. But none of them perfectly impersonates every signal at the same time. A rule engine that evaluates the seven signals below together can decide correctly more than 95% of the time.
1. IP repetition and frequency
Multiple clicks on the same ad from the same IP within 24 hours is the oldest and still one of the strongest signals. On its own it is not damning — a corporate office may share a NAT IP across hundreds of users — but it raises an alarm once a single IP exceeds five times the campaign's per-IP average.
You cannot see this signal directly in GA4 because Google masks the IP from end users. You need a server-side tracker (a snippet or server-side GTM) writing into your own logs. wall.click does exactly that and automatically pushes abnormal /24 subnets into the Google Ads IP exclusion list.
2. Datacenter ASNs
A real user does not click ads from an AWS, Google Cloud, DigitalOcean, OVH or Hetzner IP block. Those IPs belong to datacenter ASNs (Autonomous System Numbers) and are almost always a bot signal.
Quick check
You can look up the ASN of an IP via whois.arin.net or ipinfo.io. If the ASN description includes keywords like 'Hosting', 'Datacenter' or 'Cloud', it is almost certainly bot traffic.
3. Headless browser and automation markers
Tools like Puppeteer, Playwright and Selenium drive the browser programmatically. They leave signatures: navigator.webdriver returns true, window.chrome is missing, some plugin enumerations return empty, the permissions API behaves inconsistently.
Modern bots try to hide those markers (packages like puppeteer-stealth exist for that), but perfectly faking every marker at once is still hard. If a session shows three or more automation markers, score it as high risk.
4. Absence of mouse and scroll behavior
A real human clicks the ad, scrolls a bit, waits at least a second, generates some mouse movement. A bot usually clicks and bounces — total session 0-2 seconds, no scroll, zero mousemove events.
Using this signal alone is risky; some real users do click an ad and bounce because they realize it is the wrong page. But the absence of mouse activity becomes decisive when combined with a datacenter IP or a headless signature.
5. Geographic inconsistency
If your campaign targets Istanbul only but clicks land from Pakistan, Vietnam or Brazil, you are looking at either a VPN-routed bot or click farm traffic. Google's language and location targeting is not perfect — always audit the 'User Location' dimension in your reports.
A subtler version: mismatch between browser language and geo location. A device located in Turkey arriving with a vi-VN language setting is most likely a bot running on an emulator or proxy.
6. Device fingerprint repetition
Modern fingerprint libraries (such as FingerprintJS) compute a single hash from canvas, audio context, font list, screen resolution and WebGL renderer. Under ideal conditions this hash is unique per device.
When botnets clone the same virtual machine image and run it a thousand times, every replica produces the same fingerprint hash. Lots of clicks from the same hash in a short window means you are watching one botnet hitting you from different IPs.
7. The click-to-conversion gap
Last but most revealing: if clicks from a particular channel, keyword or hour show near-zero conversion, that traffic is either very low quality or fake. Campaigns that spike between 03:00-05:00 and never convert are a textbook bot attack signature.
How do you monitor all seven yourself?
Setting each one up manually takes weeks. wall.click captures these signals from the moment the snippet is installed, computes a risk score and pushes risky IPs straight into the Google Ads IP exclusion list. You also see exactly which signal triggered every block — no black box.
Practical advice: where to start
If your only infrastructure today is GA4 and Google Ads, two things you can do this week: (1) keep your 'Excluded IP addresses' list current — add suspicious /24 blocks; (2) pause campaigns that spike during the night with no conversion.
These manual fixes catch 20-30% of the problem. For the rest, you need a rule engine that watches all seven signals at once. wall.click reveals your real fraud rate during a 14-day free trial — no credit card required.
Want to put this into practice?
Try wall.click on your own site, free for 7 days
No credit card required. You'll see the real fraud rate on your site within the first week.
Start now
