Analyzing a click
takes 200 milliseconds
Here's how wall.click does it
From the moment the snippet is added to your page until an evidence package is produced for a Google refund — we explain step by step what every wall.click component does, which signals it uses, and which decision it makes when.
<200ms
Decision time
click → score
30+
Signal types
per session
<8KB
Snippet size
async, gzipped
<40ms
Edge latency
via Cloudflare
Step 1 · Setup
Activate protection
in 3 steps
No waiting for developers, no need to memorize AI configuration — wall.click typically goes live in 10 minutes. Every install path delivers the same protection quality; pick your platform, the system handles the rest.
Add the tracking code to your site
You insert an under-8 KB async JavaScript snippet (taken from the panel) into the `<head>` tag. It affects page render time by less than 40 ms on average and is designed not to hurt your Core Web Vitals.
- One-click plugins available for WordPress, Shopify, Cloudflare, Joomla, Drupal and GTM
- Pure JS snippet for everything else — Next.js, React, Vue, Webflow and Wix compatible
- CSP-compatible and automatically captures SPA route changes
Connect your Google Ads account via OAuth
You don't share a password or API key. Through Google's official OAuth flow, we only request read access to campaign data and write access to the IP exclusion list. Budget, targeting and bid strategy are never touched.
- Active in 30 seconds — data starts flowing as soon as the account is approved
- MCC (Manager Account) support — agencies manage all clients from one account
- Access can be revoked from a single panel button; authorization is transparent
Protection rules go live automatically
Within a few hours the system learns your baseline traffic profile; the background rules and thresholds calibrate to your campaign. After that every click is analyzed in real time and any source crossing the risk threshold is written to the Google Ads exclusion list.
- Default rules work with zero configuration; advanced thresholds are optional
- Every decision — including risky sources — has a transparent reason in the panel
- False positives are whitelisted in one click; the model calibrates to your business
Step 2 · Click journey
The 200-ms story
of a single click
From the device of the user clicking your ad to the protection decision — the full timeline.
- T+0ms
Click
The ad is clicked, the user is redirected to your site
Google Ads redirects the user to your ad. wall.click is not yet involved; only the standard Google Ads click ID (gclid) is carried in the URL. No additional latency at this point — performance depends entirely on Google's infrastructure.
- T+10ms
Page opens
The snippet loads asynchronously
While your site page is shown to the user, the wall.click snippet loads async in the background. Thanks to its under-8 KB size and gzip compression, it impacts page render by less than 40 ms; your First Contentful Paint metrics are preserved.
- T+50ms
Signal capture
Device, network and behavioral signals are captured
The snippet captures device fingerprint (screen, GPU, fonts, language, timezone), network info (IP, ASN, ISP, datacenter flag), session context (gclid, campaign, keyword) and early behavioral signals (mouse movement, touch, scroll).
- T+120ms
Edge analysis
Data is sent to the nearest edge node
Captured signals are sent to the nearest edge server in Europe via a Cloudflare Worker or direct API. Encrypted over TLS 1.3, IPs are converted to one-way hashes — personal data never reaches the central server.
- T+180ms
Risk score
A multi-layer engine produces a score 0–100
The AI behavior model, fingerprint matcher, network-reputation database and global threat intelligence run in parallel; their outputs are weighted into a single risk score. The whole process completes in under 200 ms.
- T+200ms
Decision
Action determined: watch, warn, block
Score 0–40, the session flows normally. 40–70, extra verification or hiding can be triggered for forms/payment buttons. 70+ writes the IP to the Google Ads exclusion list; no more ad-budget is spent on that source.
- T+5min
Evidence package
The session becomes provable in your panel
Every triggered signal, session recording, IP detail, campaign context and decision reason lands in the panel. A one-click PDF/CSV package is generated for Google refund applications; your team can watch the session as a video and trust the decision.
Step 3 · Signal architecture
We evaluate
30+ signals per click
Looking at IP alone isn't enough. Behavior, fingerprint, network, threat intel and history — five layers come together.
Behavioral signals
A human doesn't consume a page like a bot. Mouse trajectory, scroll pattern, touch pressure, keyboard input and time on page — together these signals are the strongest evidence of intent behind the session.
- Unnatural linearity of mouse motion (Selenium/Puppeteer signature)
- Too-fast or too-slow scrolling — outside the real reading profile
- Clicks triggered without mouse-over (headless browser indicator)
- Time on page — under 1 second usually indicates fake traffic
- Submit attempt without focusing on the form field
Device fingerprint
IP alone is not enough; a user switching to mobile changes IP, a VPN bypasses it in one click. wall.click combines 20+ signals like screen resolution, GPU signature, font set, language and timezone to build a stable identity resistant to incognito and browser resets.
- Canvas and WebGL render signature
- Installed font set and font metrics
- Screen resolution, color depth, color gamut
- Audio context fingerprint
- User-agent client hints (Sec-CH-UA)
- Browser plugin list and language configuration
Network and origin
A click from a country where your ad doesn't show points to a tool that's bypassing your targeting. ASN, ISP, datacenter and hosting provider data cleanly separate real user traffic from server traffic.
- VPN, proxy and mobile residential proxy networks
- Datacenter traffic from AWS, Google Cloud, DigitalOcean, OVH
- ASN-level reputation database for 180+ countries
- Tor exit nodes and known anonymizing services
- Heavy traffic clusters from outside your target geography
Threat intelligence
Fake clicks usually feed on coordinated networks. Beyond your own account data, anonymized global threat data from thousands of wall.click customers is used to catch the same bot-farm IP pools.
- Cross-account threat sharing — an IP flagged for one customer is known to you
- Click farm, incentivized traffic and competitor click classification
- Repeated click pattern (rate-limit) detection
- Known bot-network signatures and botnet C2 IP lists
Context and history
How many ads the same IP has clicked in the last 24 hours, how the same fingerprint roams across campaigns, heavy bursts at midnight — these patterns over time can't be derived from a single click but matter cumulatively.
- Click density of the same fingerprint over the last 24 hours
- Inconsistency between timezone and actual click time
- Identical fingerprint reaching the same campaign from different IPs
- Devices that converted in the past marked as "safe"
Step 4 · Automatic blocking
Blocking
is not a single method
Based on risk profile: Google Ads IP exclusion, CIDR blocks, on-site conditional hiding, and manual rules — four-layer defense.
Google Ads IP exclusion list
IPs over the risk threshold are written directly to the Google Ads IP exclusion list. Applied at account, campaign or ad-group level. To avoid hitting the 500-IP per-account cap, the highest threat profile is prioritized; old, low-risk records auto-rotate.
CIDR block blocking
If a range (e.g. /24 or /16 CIDR) — typically a datacenter or bot farm — represents the threat instead of a single IP, the entire range is blocked as a single record. Shutting down a 256-IP block at once uses the 500-IP cap most efficiently.
On-site conditional hiding
Even before Google Ads exclusion is triggered, when a session is flagged as suspicious, your forms, payment or call buttons can be hidden for that user. The fake click is taken not to a user but to an empty page; conversion fraud is cut at the door.
Manual rule and temporary blocking
Automation is preferred, but sometimes manual intervention is necessary. All IP, ASN and country decisions can be overridden from a single table; timed blocking (24h / 7 days / permanent) gives flexible response to transient threats.
Step 5 · Continuous learning
The system gets
better every day
Auto trigger, calibration, model update and threat-network expansion — a self-improving loop.
1. Data is collected
Every session — both safe ones and risk-flagged ones — is stored in the panel with its triggered signals. False-positive feedback ("this was a real customer") and false-negative feedback ("we paid for this but it was fake") grow the model's training set.
2. Model is updated
Behavior model and fingerprint matcher are retrained at regular intervals. Signatures for new bot tools (Playwright, undetected-chromedriver, etc.) are added; aging signal weights are reduced.
3. Thresholds calibrate
Risk thresholds calibrate automatically to your industry, average CPC and campaign structure. A 70 block threshold for e-commerce can be 60 for a B2B lead-gen campaign; this industry profile is learned automatically.
4. Threat network expands
A new bot network flagged for one wall.click customer is added anonymously to every other customer's threat database. Even if your account has never been attacked, others' experience protects you.
Step 6 · Infrastructure & compliance
Solid infrastructure,
transparent compliance
EU-located servers, GDPR/KVKK compliance, 99.9% uptime SLA — both performance and assurance.
EU-located infrastructure
All servers are in Frankfurt (in the EU). Data is never transferred to third-party ad networks; retention is configured between 30–90 days depending on your plan and auto-deleted afterwards.
Encryption and access
Data traffic is end-to-end TLS 1.3-encrypted; the database uses AES-256 at-rest encryption. Admin-panel access is zero-trust, re-verified per session; optional 2FA and Google Workspace SSO are supported.
GDPR and KVKK compliant
IPs are stored as one-way hashes; personal data in session recordings is automatically masked. The data minimization principle applies — only signals required for detection are kept, and right-to-be-forgotten is guaranteed on request.
Uptime and performance SLA
API endpoints run with a 99.9% uptime guarantee; average response time stays under 50 ms. Snippet delivery happens over a global CDN at the nearest edge node. System status is live on our status page.
Step 7 · Frequently asked questions
Still have questions?
The 8 most common questions from our customers, with clear answers.
What if the system blocks a real customer by mistake?
False positives are inevitable but rare. Every blocked source is listed in the panel with its reason; you can whitelist with one click. This manual intervention accelerates the model's calibration to your business. Also, defaults are conservative — sessions that look suspicious but aren't 100% certain are flagged, not blocked.
Does it touch my Google Ads campaign budget or bids?
No. wall.click only takes read access (reports, campaign structure) and write access to the IP exclusion list. Budget, targeting, bid strategy and keyword lists are never touched. OAuth permissions are clearly listed in the panel; you can revoke any time.
If it decides in 200 ms, hasn't the user already seen the page?
Yes, the first click always passes through — that's unavoidable. But the goal isn't to stop "that one click," it's to automatically block subsequent clicks from the same source. Bot farms and competitors don't make one click; they make tens or hundreds from the same IP. wall.click prevents budget burn from the second click onward.
Isn't the 500-IP exclusion cap per account too low?
Alone, yes. That's why two strategies run in parallel: (1) the highest-threat IPs are prioritized and old, low-risk records auto-rotate; (2) /24 and /16 CIDR blocks are written as a single record, so 500 lines can cover hundreds of thousands of IPs. On top of that, on-site blocking is a defense layer outside the cap.
Can I get a refund from Google for fake clicks?
Yes — the Google Ads Invalid Click Refund program supports this. wall.click produces PDF and CSV reports in Google's required format: date, IP, campaign, reason, session-replay link. These evidence packages significantly increase your approval rate. Typical customers reclaim 5–15% of monthly ad budget as refunds.
Does the snippet slow my page down?
Practically no. The snippet is under 8 KB, loads asynchronously, and is not render-blocking. Average First Contentful Paint impact is below 40 ms. It doesn't affect your Core Web Vitals (LCP, INP, CLS); you won't see a difference in your measurement reports.
Are my data shared with Google, Meta or anyone else?
No. Your data is yours alone. It's stored on our Frankfurt servers and never transferred to third-party ad networks or analytics services. Anonymous aggregate statistics (e.g. "this IP range is dangerous") are used for threat intelligence, but that sharing contains no data identifying you.
Can I manage multiple sites or multiple Google Ads accounts?
Yes. Unlimited sites can be connected on Pro and Agency plans; each site runs independently with its own snippet and rules. The Agency plan additionally provides workspace separation — each client's data is kept in an isolated area with role-based access.