From ghost click farms to rogue agentic browsers, click fraud is only getting harder to detect for digital marketers. This type of ad fraud involves intentionally generating fake clicks to drain online advertiser budgets or fraudulently raise revenue. Unfortunately, smarter click fraud creates a vastly more expensive and damaging problem.
Our collaborative report with Juniper Research projects ad fraud will cost $172 billion by 2028, an increase of almost $100 billion over five years. Click fraud drives a significant portion of this scam, which is eight times the size of credit card fraud and rivals drug trafficking in scale. Despite this, it receives far less attention from law enforcement.
The introduction of artificial intelligence (AI) considerably ups the ante. Bad actors can now co-opt technology to better mimic human behavior and siphon off more profits. Marketers have no choice but to fight fire with fire in the new year.
Algorithmic detection methods are the best bet for distinguishing between legitimate and illegitimate users in real time. Only by implementing defensive systems that analyze millions of data points and identify bot network patterns can the sector hope to kill click fraud once and for all in 2026.
5 Ways to Stop Click Fraud in 2026
- Algorithmic Detection: Analyze millions of data points to identify bot network patterns in real time.
- Behavioral Analysis: Monitor micro-behaviors like mouse velocity, scroll patterns and keystroke dynamics.
- Device Tracking: Identify suspicious markers across browser fingerprints and geographic locations.
- Practical Filters: Implement honeypots via hidden form fields and block known fraudulent IP addresses.
- Remarketing Campaigns: Target users who have already visited your site and demonstrated legitimate engagement, you significantly reduce exposure to bot traffic and made-for-advertising (MFA) websites.
The Rise and Rise of Click Fraud
Click fraud operates in the shadows of digital marketing with a scam that’s both lucrative and relatively easy to get away with. Here’s how it works on the publisher side: Fraudsters quickly set up websites, fill them with low-quality content, partner with ad networks and stuff them with pay-per-click (PPC) or hidden ads. Legitimate advertisers unknowingly bid for placements and suddenly find themselves exposed to invalid traffic.
Then comes the flood of fake clicks. Bots, automated scripts or low-paid humans at click farms repeatedly interact with ads, inflating metrics. The result is threefold: Advertisers pay for worthless engagements, fraudsters collect payouts from ad networks and marketing budgets across the board take a hit. In fact, this scam can generate billions of fraudulent requests per day while facing far lighter legal scrutiny than comparable financial crimes. This reality pushes overall ad fraud losses to one in five marketing dollars.
In a nutshell, whether caused by bots, malware, click farms, competitors or fraudulent publishers, the result is businesses paying for ad interactions that have zero chance of converting. And this is a problem that only worsens as technology improves.
An Expansive Attack Vector Just Got Smarter
This year, attacks reached dangerous new heights by hijacking legitimate devices at scale, extending the danger of click fraud beyond just fake websites.
In September, researchers reported a massive click fraud operation involving hundreds of malicious apps that hijacked personal smartphones worldwide. Users downloaded seemingly legitimate apps that secretly launched browsers and navigated to scammer-controlled domains. From there, AI-powered bots that closely mirror human scrolling and browsing behavior simulated authentic ad engagement, turning user devices into “ghost” click farms.
Add this to another high-profile case in June that commandeered 10 million devices across 200 countries into a botnet. The malware targeted Android-based devices, including cheap phones, tablets, TV boxes, aftermarket car infotainment systems and portable projectors. Once compromised, these devices executed click and ad fraud and served as part of a global residential proxy network, masking traffic as legitimate user activity.
Understanding who’s looking at what is key to combating click fraud, but another advancement could further complicate detection. OpenAI recently launched its agentic browser, Atlas, and commentators were quick to point out that prompt injection could hijack these agents for malicious marketing activities such as automating form spam, posting fake reviews or repeatedly clicking ads without the user’s knowledge. Atlas runs on Google Chrome with identical user and session data, so this threat could make it difficult to distinguish agentic bots from human browsers.
Fighting Back to Kill Click Fraud This Year
Our sector needs to stamp this scam out for good. After all, in addition to wasted spending, distorted marketing data sullies decision-making. The good news is that marketers aren’t alone in this fight.
Much like their offensive counterparts, marketing defenders can leverage prevention software and AI-powered detection platforms to better identify click fraud. Micro-behaviors like mouse velocity, scroll patterns and keystroke dynamics are elements that sophisticated bots still struggle to perfectly replicate. Here, AI-trained models can recognize unusual behavior and identify inauthentic engagement.
It’s also helpful to monitor devices over time, tracking patterns like click frequency, browser fingerprints, and geographic location. Smart systems map relationships between IP addresses and user agents to flag anything with suspicious markers, like detecting hundreds of clicks from the same address within minutes or multiple users sharing identical device characteristics. This way, we can expose coordinated bot networks even when individual requests appear legitimate on their own.
Other practical tips include blocking known fraudulent IPs, implementing honeypots like hidden form fields that trap bots and running remarketing campaigns to target past visitors and reduce exposure to fake traffic. By focusing ad spend on users who have already visited your website — and demonstrated legitimacy through initial engagement — marketers can minimize fraud exposure. Likewise, avoid made-for-advertising (MFA) websites because they’re often only built to host ads with minimal content. As a result, they’re prime targets for fake clicks because fraudsters usually control both the site and the bot traffic.
In concert, these efforts can slow the bleeding, as fraud mitigation platforms that more closely monitor every click and analyze traffic patterns could recover $23B annually, according to the report with Juniper Research.
Digital marketing is squarely in the crosshairs of click fraud. It’s up to businesses, platforms, and technology providers to take the target from their backs by closing ranks and strengthening defenses. The tools exist and the stakes are clear: We must stop treating click fraud as inevitable and start treating it as solvable. Only by cutting off avenues for this scam and removing the profit motive can we get rid of it for good.
