The Scale of Click Fraud
Industry estimates for global ad fraud sit north of $80 billion a year, and click fraud is a fat slice of that. Independent studies routinely find that 14-20% of PPC clicks are invalid. So for every $5 you hand Google, around a dollar is buying clicks that were never going to turn into a customer.
Google's own invalid-traffic system catches some of it and issues credits. Their filter is calibrated conservative on purpose: they would rather let a few bad clicks through than flag a legit user. Real-world result is that a meaningful chunk makes it past their filter and lands on your budget.
How Click Fraud Works
The simplest version is a competitor or their agency clicking your ads to drain your daily budget. Their ad moves up in the auction once yours stops serving. This is common in industries where CPCs run $50-200 (legal, insurance, home services). It is cheap to run and hard to trace.
More organized fraud comes from click farms. Sometimes low-wage labor. More often automated. Some exist to inflate revenue for publishers on the Google Display Network. Others are hired to knock out competitors. The bot variant uses rotating residential proxies that make the clicks look like regular suburban America, which is the whole point.
The newer pattern is worse. The bot does not stop at the click. It lands on your page, fills the form with fake data, and your SDR spends the afternoon trying to reach a person who never existed. Your reported cost per lead looks fine. Your cost per actual customer is three times what you think it is.
Signs Your Campaigns Are Being Targeted
Look for clicks going up while conversions stay flat. Check the search terms report for irrelevant queries triggering your ads. Those are two of the easiest signals to catch without any extra tooling.
Geo anomalies are another one. You are targeting Chicago and Dallas but seeing clicks from a small pool of IPs in countries where you do not sell. Time of day matters too: B2B traffic lives in business hours. Heavy click volume at 3am on a Tuesday is suspicious.
At the lead level watch for clusters: same IP range across multiple submissions, disposable emails, phone area codes that do not line up with the geo, form fills that all complete in the same 1-second window.
Google's Built-in Protections and Their Limits
Google's Invalid Clicks filter runs ML on click patterns, known botnets, datacenter ranges, and the like. When it flags something, you either never get charged or get a retroactive credit.
The gaps are real. It does not catch sophisticated residential-proxy bots. It does not deeply inspect what happens after the click. And the reporting is opaque: you cannot easily see what it flagged, what it missed, or contest anything. Running on Google's defenses alone leaves a meaningful hole.
Building a Defense Layer
The real fix is post-click, at the form. When a paid visitor submits, score the submission. Is the IP from a datacenter or a residential VPN? Is the email disposable? Did they interact with the page or jump to submit? What referrer chain got them here?
Scoring at the form gives you two wins. Flagged leads never reach your SDRs, so the waste stops. And the data feeds back into campaign optimization: you can see which ad groups and keywords are sending fraud and cut them.
Combine lead-level scoring with campaign reporting and you get a real cost per qualified lead for every segment, not the vanity number from the ad platform dashboard.