By Burt Helm

Fri Mar 3, 3:59 PM ET

Ever since search ads took flight, advertisers have been in a quandary. How do they determine whether the people clicking on their ads are real customers or fraudsters looking to game the system? Many companies, which pay Google Inc. each time someone clicks on an ad, figured that so long as search ads were generating enough measurable sales, "click fraud" was simply a cost of doing business.

Now advertisers are taking a second look. Why? Because click-fraud artists have figured out how to siphon off ad revenues from the bogus clicks without attracting much attention. What's more, these guys are starting to automate. So while no one knows how much illicit clicking is going on, it's a safe bet that the scourge may well grow exponentially.

Google, Yahoo! Inc, and other search firms say they have a handle on the problem. But although they reimburse clients for some bogus click charges, they won't say exactly how they determine what's fake. That has advertisers increasingly wondering if the industry is sufficiently dedicated to combating click fraud.

Seeing an opening, a range of companies are looking to help advertisers sort out good clicks from bad. One is credit-card fraud-detection specialist Fair Isaac Corp., which is launching a major study of the click-fraud phenomenon. "Losses due to click fraud could equal more than $1 billion (a year)," says Kandathil Jacob, Fair Isaac's product marketing chief. "It's worth our effort to look at it."

The most pernicious fraudsters set up bogus Web sites, contracting with Google, say, to place search ads on them, then artificially drive up the number of clicks. Google pays Web sites a portion of the per-click revenue. When a fraudulent Web site has hundreds of pages with up to three ads on each one, that adds up to mucho dinero -- which comes right out of advertisers' pockets.

Throw in automation, and you begin to see the potential danger to Google's business model. Some scammers using robotized software called "clickbots" employ anonymous "proxy" servers to create the illusion that visitors from all over the world are clicking on ads. Search firms can figure out whether phony visitors are at work by seeing which clicks come from anonymous Internet addresses.

But now the bad guys are using viruses to hijack thousands of PCs and create whole networks of clickbots. That way they make it look as though the traffic is legit. Detecting these crooks isn't so easy. "They're bloodsucking mosquitoes," says Ken Dunham, who works for the Web-security intelligence firm VeriSign iDefense. "You just can't get them all."

Using Crooks' Tools Companies that crack the problem could make a lot of money. Fair Isaac, which analyzes 85% of U.S. credit-card transactions for fraud, is angling to provide similar services to search firms and advertisers. To start with, Fair Isaac is teaming up with respected search consultant Alchemist Media Inc. to pull together advertising-traffic data. With that in hand, Fair Isaac hopes to develop tools to track and foil the crooks.

Others are employing the scamming technology to see how well Google and other search firms track fake clicks. Web consultant Greg Boser is using clickbots to drive traffic to clients' search ads. The idea: jack up the clicks, then compare that number with the sum Google reimburses advertisers for bogus traffic. "No one has any idea how much of this is going on," says Boser. "We're going to see how well (the search engines) protect advertisers."

Google and Yahoo say they're on the case. To stop click fraud, they scour Web traffic for repeated clicks, unusual patterns, and visits from anonymous servers. "Click (fraud) is a serious but manageable challenge," claims John Slade, Yahoo's senior director of product management. The question is whether the search companies can stay far enough ahead of the click scammers to satisfy advertisers.

Copyright © 2006 BusinessWeek