COVER STORY PODCAST
Martin Fleischmann put his faith in online advertising. He used it to build his Atlanta company, MostChoice.com, which offers consumers rate quotes and other information on insurance and mortgages. Last year he paid Yahoo! Inc. (YHOO)and Google Inc. (GOOG) a total of $2 million in advertising fees. The 40-year-old entrepreneur believed the celebrated promise of Internet marketing: You pay only when prospective customers click on your ads.
Now, Fleischmann's faith has been shaken. Over the past three years, he has noticed a growing number of puzzling clicks coming from such places as Botswana, Mongolia, and Syria. This seemed strange, since MostChoice steers customers to insurance and mortgage brokers only in the U.S. Fleischmann, who has an economics degree from Yale University and an MBA from Wharton, has used specially designed software to discover that the MostChoice ads being clicked from distant shores had appeared not on pages of Google or Yahoo but on curious Web sites with names like insurance1472.com and insurance060.com. He smelled a swindle, and he calculates it has cost his business more than $100,000 since 2003.
Slide Show >>
Fleischmann is a victim of click fraud: a dizzying collection of scams and deceptions that inflate advertising bills for thousands of companies of all sizes. The spreading scourge poses the single biggest threat to the Internet's advertising gold mine and is the most nettlesome question facing Google and Yahoo, whose digital empires depend on all that gold.
The growing ranks of businesspeople worried about click fraud typically have no complaint about versions of their ads that appear on actual Google or Yahoo Web pages, often next to search results. The trouble arises when the Internet giants boost their profits by recycling ads to millions of other sites, ranging from the familiar, such as cnn.com, to dummy Web addresses like insurance1472.com, which display lists of ads and little if anything else. When somebody clicks on these recycled ads, marketers such as MostChoice get billed, sometimes even if the clicks appear to come from Mongolia. Google or Yahoo then share the revenue with a daisy chain of Web site hosts and operators. A penny or so even trickles down to the lowly clickers. That means Google and Yahoo at times passively profit from click fraud and, in theory, have an incentive to tolerate it. So do smaller search engines and marketing networks that similarly recycle ads.
Google and Yahoo say they filter out most questionable clicks and either don't charge for them or reimburse advertisers that have been wrongly billed. Determined to prevent a backlash, the Internet ad titans say the extent of click chicanery has been exaggerated, and they stress that they combat the problem vigorously. "We think click fraud is a serious but manageable issue," says John Slade, Yahoo's senior director for global product management. "Google strives to detect every invalid click that passes through its system," says Shuman Ghosemajumder, the search engine's manager for trust and safety. "It's absolutely in our best interest for advertisers to have confidence in this industry."
Slide Show >>
That confidence may be slipping. A BusinessWeek investigation has revealed a thriving click-fraud underground populated by swarms of small-time players, making detection difficult. "Paid to read" rings with hundreds or thousands of members each, all of them pressing PC mice over and over in living rooms and dens around the world. In some cases, "clickbot" software generates page hits automatically and anonymously. Participants from Kentucky to China speak of making from $25 to several thousand dollars a month apiece, cash they wouldn't receive if Google and Yahoo were as successful at blocking fraud as they claim.
"It's not that much different from someone coming up and taking money out of your wallet," says David Struck. He and his wife, Renee, both 35, say they dabbled in click fraud last year, making more than $5,000 in four months. Employing a common scheme, the McGregor (Minn.) couple set up dummy Web sites filled with nothing but recycled Google and Yahoo advertisements. Then they paid others small amounts to visit the sites, where it was understood they would click away on the ads, says David Struck. It was "way too easy," he adds. Gradually, he says, he and his wife began to realize they were cheating unwitting advertisers, so they stopped. "Whatever Google and Yahoo are doing [to stop fraud], it's not having much of an effect," he says.
Spending on Internet ads is growing faster than any other sector of the advertising industry and is expected to surge from $12.5 billion last year to $29 billion in 2010 in the U.S. alone, according to researcher eMarketer Inc. About half of these dollars are going into deals requiring advertisers to pay by the click. Most other Internet ads are priced according to "impressions," or how many people view them. Yahoo executives warned on Sept. 19 that weak ad spending by auto and financial-services companies would hurt its third-quarter revenue. Share prices of Yahoo and Google tumbled on the news.
Google and Yahoo are grabbing billions of dollars once collected by traditional print and broadcast outlets, based partly on the assumption that clicks are a reliable, quantifiable measure of consumer interest that the older media simply can't match. But the huge influx of cash for online ads has attracted armies of con artists whose activities are eroding that crucial assumption and could eat into the optimistic expectations for online advertising. (Advertisers generally don't grumble about fraudulent clicks coming from the Web sites of traditional media outlets. But there are growing concerns about these media sites exaggerating how many visitors they have -- the online version of inflating circulation.)
Most academics and consultants who study online advertising estimate that 10% to 15% of ad clicks are fake, representing roughly $1 billion in annual billings. Usually the search engines divide these proceeds with several players: First, there are intermediaries known as "domain parking" companies, to which the search engines redistribute their ads. Domain parkers host "parked" Web sites, many of which are those dummy sites containing only ads. Cheats who own parked sites obtain search-engine ads from the domain parkers and arrange for the ads to be clicked on, triggering bills to advertisers. In all, $300 million to $500 million a year could be flowing to the click-fraud industry.
Law enforcement has only lately started focusing on the threat. A cybercrime unit led by the FBI and U.S. Postal Inspection Service just last month assigned two analysts to examine whether federal laws are being violated. The FBI acted after noticing suspected cybercriminals discussing click fraud in chat rooms. The staff of the Senate Judiciary Committee has launched its own informal probe.
Many advertisers, meanwhile, are starting to get antsy. Google and Yahoo have each settled a class action filed by marketers. In late September a coalition of such major brands as Expedia Inc.'s Expedia.com travel site and mortgage broker LendingTree is planning to go public with its mounting unease over click fraud, BusinessWeek has learned. The companies intend to form a group to share information and pressure Google and Yahoo to be more forthcoming. "You can't blame the advertisers for being suspicious," says Robert Pettee, search marketing manager for LendingTree, based in Charlotte, N.C. "If it's your money that's going out the door, you need to be asking questions." He says that up to 15% of the clicks on his company's ads are bogus.
In June, researcher Outsell Inc. released a blind survey of 407 advertisers, 37% of which said they had reduced or were planning to reduce their pay-per-click budgets because of fraud concerns. "The click fraud and bad sites are driving people away," says Fleischmann. He's trimming his online ad budget by 15% this year.
Google and Yahoo insist there's no reason to fret. They say they use sophisticated algorithms and intelligence from advertisers to identify the vast majority of fake clicks. But the big search engines won't disclose the specifics of their methods, saying illicit clickers would exploit the information.
Some people who have worked in the industry say that as long as Google and Yahoo distribute ads to nearly anyone with a rudimentary Web site, fraud will continue. "Advertisers should be concerned," says a former Yahoo manager who requested anonymity. "A well-executed click-fraud attack is nearly impossible, if not impossible, to detect."
ALTHOUGH 5 FEET 6 AND 135 POUNDS, Marty Fleischmann is no one to push around. He barked orders at much bigger oarsmen while serving as coxswain on the varsity crew team at Yale in the mid-1980s. His shyness deficit surfaced again when he later played the role of Jerry Seinfeld in the student follies at Wharton. Married and the father of three children, he tends to pepper his conversation with jargon about incentives and efficiencies.
Before he and partner Michael Levy co-founded their financial-information company in 1999, Fleischmann worked in Atlanta at the management consulting firm A.T. Kearney Inc., advising major corporations in the shipping and pharmaceutical industries. One lesson he says he learned is that big companies are loath to cut off any steady source of revenue. Google and Yahoo are no different, he argues.
That cynicism several years ago contributed to MostChoice's assigning an in-house programmer to design a system for analyzing every click on a company ad: the Web page where the ad appeared, the clicker's country, the length of the clicker's visit to MostChoice's site, and whether the visitor became a customer. Few companies go to such lengths, let alone companies with only 30 employees and revenue last year of just $6.4 million.
To Fleischmann, the validity of his clicks, for which he pays up to $8 apiece, has become an obsession. Every day he pores over fresh spreadsheets of click analysis. "I told Yahoo years ago," he says, "'If this was costing you money instead of making you money, you would have stopped this."'
Google, he says, does a better job than Yahoo of screening for fraud. But neither adequately protects marketers, he argues. Until March, 2005, Google, based in Mountain View, Calif., charged advertisers twice for "double clicks," meaning those occasions when a user unnecessarily clicks twice in quick succession on an ad. Confirming this, Google's Ghosemajumder says that before the company made the change, it felt it had to focus "on issues of malicious behavior," though now it identifies double clicks and bills for only one.
Fleischmann's daily immersion in click statistics fuels his indignation. How, he wants to know, did he receive traffic this summer from PCs in South Korea which are clicking on insurance1472.com and insurance060.com? The only content on these identical sites -- and five other clones with similar names -- are lists of Yahoo ads, which occasionally have included MostChoice promotions. Fleischmann's spreadsheets revealed, not surprisingly, that all of the suspected Korean clickers left his site in a matter of seconds, and none became customers. The two individuals registered as owning the mysterious insurance sites are based in South Korea. They didn't respond to requests for comment, and most of the sites disappeared in late summer, after MostChoice challenged Yahoo about them.
Fleischmann, like most other advertisers, has agreed to let Google and Yahoo recycle his ads on affiliated sites. The search engines describe these affiliates in glowing terms. A Google "help" page entitled "Where will my ads appear?" mentions such brand names as AOL.com (TWX) and the Web site of The New York Times. Left unmentioned are the parked Web sites filled exclusively with ads and sometimes associated with click-fraud rings.
Google and Yahoo defend their practice of recycling advertising to domain-parking firms and then on to parked sites, saying that the lists of ads on the sites help point Internet surfers toward relevant information. Google notes that it allows advertisers to identify sites on which they don't want their ads to run.
But this Google feature doesn't apply to many parked sites, and Yahoo doesn't offer the option at all. In any event, excluding individual sites is difficult for marketers that don't do the sort of time-consuming research MostChoice does. Whether they know it or not, many other companies are afflicted in similar ways. At BusinessWeek's request, Click Forensics Inc., an online auditing firm in San Antonio, analyzed the records of its 170 financial-services clients and found that from March through July of this year, 13 companies had received clicks from Web sites identified as dubious by MostChoice.
Yahoo declined to comment on insurance1472, -060, and other suspect sites in its ad network. The Sunnyvale (Calif.) search giant stressed that in many cases it doesn't deal directly with parked sites; instead, it distributes its ads by means of domain-parking firms.
BusinessWeek's independent analysis of the MostChoice records turned up additional indications of click fraud. Over the past six months, the company received 139 visitors through an advertisement on the parked site healthinsurancebids.com, which offers only ads supplied by Yahoo. Most of these visitors were located in Bulgaria, the Czech Republic, Egypt, and Ukraine. Their average stay on MostChoice.com was only six seconds, and none of them became a customer.
Healthinsurancebids.com offers a revealing entry point into the click-fraud realm. It is one of several parked sites registered to Roland Kiss of Budapest. Kiss also owns BestPTRsite.com. "PTR" refers to "paid to read." In theory, paid-to-read sites recruit members who agree to read marketing e-mails and Web sites tailored to their interests. PTR site operators pay members for each e-mail and Web site they read, usually a penny or less.
In reality, many PTR sites are click-fraud rings, some with hundreds or thousands of participants paid to click on ads. BestPTRsite says it has 977 members. On Aug. 23 its administrator sent an e-mail to members containing a list of parked sites filled with ads. One of these sites, mortgagebg.com, which is also registered to Kiss, has been a source of apparently bogus clicks on MostChoice. The e-mail instructed members to click on different links every day, a common means to avoid detection. Members were also told to cut and paste text from the Web pages they click as proof of their activity. "If you send us back always the same link you will get banned and not paid! So take care and visit everyday a new link," the e-mail said.
Reached by telephone, Kiss says that his registration name is false and declines to reveal the real one. He says he's the 23-year-old son of computer technicians and has studied finance. He owns about 20 paid-to-read sites, he says, as well as 200 parked sites stuffed with Google and Yahoo advertisements. But he says he will take down healthinsurancebids.com to avoid discovery. He claims to take in $70,000 in ad revenue a month, but says that only 10% of that comes from PTRs. The rest, he says, reflects legitimate clicks by real Web surfers. He refrains from more PTR activity, he claims, because "it's no good for advertisers, no good for Google, no good for Yahoo." It's not unusual for people who are involved in PTR activity to profess that they restrict their behavior in some way for the good of advertisers and the big search engines.
After joining several PTR groups, BusinessWeek reporters received a torrent of e-mail showcasing hundreds of parked sites filled with Google and Yahoo ads. The groups urged participants to click aggressively on ads. "People don't click because they're interested in the subject," says Pam Parrish, a medical editor in Indianapolis who has participated in PTR sites. "They're clicking on ads to get paid."
Parrish, 52, says that when she started three years ago, PTR sites drew clickers like herself: potential customers looking to pick up a few spare dollars. At one point, she says she belonged to as many as 50 such sites but earned only about $200 all told. More recently, she says, most PTR sites have dropped the pretense of caring whether members are interested in the sites they visit. Parrish and others active on PTR sites say click fraud became more blatant as Google and Yahoo made their ads more widely available to parked sites.
Google and Yahoo say they filter out most PTR activity. "We manage that very well," says Google's Ghosemajumder. "It hasn't been an issue across our network, but it's something we take very seriously." Yahoo adds that PTR sites carrying its ads are in "very serious violation" of its standard distribution agreement. Yahoo says it scans its network for PTR activity, but declines to describe its methods.
PTR impresarios often don't fit the profile of an illicit kingpin. Michele Ballard runs a 2,200-member network called the-Owl-Post.com from her home in the small town of Hartford, Ky. On disability since a 1996 car accident, Ballard, 36, lives with her ailing mother and her cat, Sassy. She says she works day and night running Owl-Post, a five-year-old group named after the postal system in the Harry Potter novels. Sometimes, Ballard says she takes a break at lunchtime to tend her vegetable garden or help her elderly neighbors with theirs.
She sends her members a daily e-mail containing links to parked Web pages, many of them filled with Google ads. Her e-mails, decorated with smiley faces, suggest to members: "If you could just give a click on something on each page." She owns some of the parked pages, so she gets a share of the revenue when ads on them are clicked. She claims her take amounts to only about $60 a month, noting that if she made more than $85, the government would reduce her $601 monthly disability check.
In August, Google cut off a domain parking firm that hosted some of Ballard's sites. Showing her resilience, she moved the sites to other domain parkers, although none of those currently distributes Google ads. "Google would prefer you not to send out ads on paid e-mails, because they get too much crappy traffic," she says in a phone interview. She realizes that advertisers would get angry "if they knew we were just sitting here, clicking and not interested" in their wares. But, she adds, "They haven't figured that out yet."
Despite these views, Ballard says she doesn't think she's doing anything improper, let alone illegal. While investigations of some Internet criminals have revealed evidence of click fraud, the activity itself hasn't been the subject of prosecution. Ballard says Owl-Post is "like a huge family" whose members sometimes help out colleagues in financial distress. She says the network includes people who have low incomes and are desperate to earn cash to pay their bills. "A lot of people would be hurt if [the PTR business] crashed," she says.
Google's Ghosemajumder says any operation inviting people to click on ads is encouraging fraud, but he expresses skepticism about the overall scale of PTR activity: "People have a great tendency to exaggerate when they say they can attack Google's service."
Networks of human clickers aren't the only source of fake Web traffic. Scores of automated clicking programs, known as clickbots, are available to be downloaded from the Internet and claim to provide protection against detection. "The primary use is to cheat advertising companies," says Anatoly Smelkov, creator of Clicking Agent, a clickbot he says he has sold to some 5,000 customers worldwide.
The brazen 32-year-old Russian software developer lives in the city of Novosibirsk in western Siberia and says he received a physics degree from the state university there. A fan of the British physicist and author Stephen W. Hawking, Smelkov says Clicking Agent is a sideline that generates about $10,000 a year for him; he also writes software for video sharing and other purposes.
Clickbots are popular among online cheats because they disguise a PC's unique numerical identification, or IP address, and can space clicks minutes apart to make them less conspicuous. Smelkov shrugs off his role in facilitating deception. He points out that the first four letters of the name of his company, LoteSoft Co., stand for "living on the edge." Teasing, he asks: "You aren't going to send the FBI to me, are you?"
Google and Yahoo say they can identify automated click fraud and discount advertisers' bills accordingly. Jianhui Shi, a Smelkov customer who goes by the name Johnny, says that for this very reason he steers away from Google and Yahoo ads. An unemployed resident of the booming southern Chinese city of Shenzhen, Jianhui says he has used Clicking Agent to click all sorts of ads on sites he controls, making about $20,000 a year from this activity. While he doesn't click on Google and Yahoo ads, he says that more skilled Chinese programmers modify Clicking Agent to outwit the American search engines. "Many in China use this tool to make money," he wrote in an e-mail to BusinessWeek.
Back at the bare-bones MostChoice offices in north Atlanta, Marty Fleischmann continues to demand recompense. He says he has received refunds from Google and Yahoo totaling only about $35,000 out of the $100,000 he feels he is owed. In one exchange, MostChoice e-mailed Google to point out 316 clicks it received in June from ZapMeta.com, a little-known search site. MostChoice paid an average of $4.56 a click, or roughly $1,500 for the batch. Only one converted into a customer. Google initially responded that "after a thorough manual review" some bad clicks were filtered out before MostChoice was charged. Refund request: denied.
But as clicks from ZapMeta kept arriving, Fleischmann demanded in an Aug. 7 e-mail to Google: "You should be trusting us and doing something about [ZapMeta] as a partner, instead of finding more ways to refute our data or requests." (BusinessWeek's e-mail to ZapMeta's site and its registered owner, Kevin H. Nguyen, elicited no response.)
Finally, on Aug. 8, Google admitted that clicks from ZapMeta "seem to be coming through sophisticated means." A Google employee who identified himself only as "Jason" added in an e-mail: "We are working with our engineers to prevent these clicks from continuing." MostChoice received a $2,527.93 refund that included reimbursement for suspect clicks from an additional site as well.
Google says it has refunded MostChoice for all invalid clicks and won't charge for any additional ZapMeta clicks until the situation is resolved. But Google also says it doesn't believe ZapMeta has done anything improper. As of late September, ZapMeta continued to carry ads that had been recycled from Google, although not MostChoice ads.
Randall S. Hansen, a professor of marketing at Stetson University in Deland, Fla., sees a larger lesson in tales of this sort. "We are just beginning to see more and more mainstream advertisers make the Internet a bigger part of their ad budget, and move dollars from print and TV," says Hansen, who has held marketing jobs at The New Yorker and People magazines. "But if we can't fix this click-fraud problem, then it is going to scare away the further development of the Internet as an advertising medium. If there is an undercurrent of fraud, then why should a large advertiser be losing $1 million, or maybe not know how much it is losing?"
Corrections and Clarifications
"Click fraud" (Cover Story, Oct. 2) incorrectly reported that Expedia.com is owned by IAC/InterActiveCorp. In fact, it is owned by Expedia Inc. (EXPE), which was spun off from IAC/InterActiveCorp (IACI) in 2005.
By Brian Grow and Ben Elgin, with Moira Herbst