As malware and other cyberfraud technologies become more insidious, marketers stand to lose not just money but consumer trust as well. ClickFacts' CEO explains what's hurting the PPC industry and how to fight back.

Imagine every time you launch a browser to conduct a search you receive the following message: "Warning: searching online may result in the loss of personal information and even your identity. Proceed at your own risk."

While this isn't our reality yet, these flags might become commonplace if a growing crowd of sophisticated, unscrupulous fraudsters get their way. 

The future of online commerce continues to get brighter, but is also being threatened. Research firm comScore recently released its ecommerce update for the first 51 days of the 2007 holiday season (November 1 – December 21) and marked a 19 percent increase over 2006 numbers for the same period -- from $22 to $26.29 billion. Clearly, people are flocking to the web to do their business. The online channel's fast growth is a tremendous validation for online advertising, but also an opportunity for fraudsters to exploit audiences built through paid search campaigns -- the primary method by which consumers find what they need online. By 2010 -- just two short years from now -- paid search, or pay-per-click (PPC), will be a $60 billion industry (IAB/PWC 2006). But fraud losses in the same period are predicted to surge to $11.6 billion (Trend Micro). So it should come as no surprise to see click fraud keeping pace by evolving beyond robbing marketing budgets to robbing consumers of their identities as well. 

Click fraud used to be the sole concern of a brand's marketing team. Malicious individuals would click on a brand's ads (or write software to do this for them) to run down competitors' advertising budgets. The issue played out behind the scenes as an ugly byproduct of a nascent online technology, not something that affected the perception of a brand's customers. But in recent months, click fraud has taken an insidious turn, expanding from a marketing issue to one that threatens anyone unlucky enough to click on the wrong search ad or land on a compromised web page. 

Fraudsters now embed malicious programs right into landing pages, banners and PPC ads delivered via blue chip ad networks like Google and Yahoo; they even hijack entire brands through "redirects," which spoof legitimate pages but are full of malicious content. Advertisers victimized by these attacks suffer immediate physical damage to their ad campaigns, loss of customers and a long-term damaged reputation as a result.    

Malware, including spyware, phishing schemes, page redirects, typo-squatting and "brand-jacking" (hijacking a brand's web page -- copyright infringement for profit) has been around almost as long as the web itself. But only recently have virus or "exploit" writers focused on the PPC industry to find new targets. These exploits, obtained cheaply (as low as $30 or $40) from sources such as the notorious Russian Business Network, are placed within legitimate site landing pages (which was documented in the recent Bank of India incident); within paid search ads; as a Trojan that replaces Google's AdSense ads with those from a malicious provider or as a "redirect" -- a fake site that mirrors a legitimate site but is loaded with malicious software. 

After a searcher clicks an infected ad or lands on a compromised landing page, the exploit is launched onto his or her machine. From that point forward, the user's personal information is broadcast across the web. Any advertiser unlucky enough to be the carrier of exploits obviously suffers a huge hit to its reputation, which ultimately affects the bottom line. Here, the problem of click fraud rises from one that previously concerned the brand's marketers to one that now rises to the CEO level. The brand's very business is on the line when it comes to compromising customer trust.

If your brand's PPC campaign is responsible for the theft of customers' personal information or identity, there's nothing any PR department can do to rebuild your reputation afterward. The problem is widespread, too. Consumer Reports' 2007 "State of the Net" report warned that consumers face a one in four chance of becoming a victim of cyberfraud. 

Several high profile examples serve as a warning to advertisers and publishers, including Major League Baseball's MLB.com and hockey's NHL.com, Canada.com's news portal, the business publication the Economist and Lycos' Tripod service. One would think these well-known sites would be better protected, but the exploits are hard to detect. Malware is uploaded as a harmless file with the attack code embedded. None of the sites responsible for carrying the malware had any malicious intent, but they all compromised their visitors' computer security, personal information and identity nonetheless. By then the damage is done: victims don't separate the brand from the experience -- they just lose faith in the brand and go somewhere else.        

So what can brands do about click fraud to keep themselves and their customers safe?

1. A good first step is to start taking some responsibility for campaigns. Too often marketers rely on their agencies to handle the PPC campaign from start to finish, including keeping the brand safe from click fraud. This is lazy and more than potentially harmful to the brand. Although most agencies have their clients' best interests in mind, they're primarily interested in generating traffic. But, the quality of that traffic isn't always top-notch. So instead of waiting until an advertising campaign is over and the budget is spent, be proactive and address invalid (and potentially unsafe) traffic while a campaign is in progress to improve campaign performance. Pay attention to abnormal behavior, including traffic generated from spyware, malware, hit bots and other "black hat" sources. 
2. Having third-party auditing tools at hand to monitor the PPC campaign provides accountability and increases return on ad spend while ensuring the health of the brand's image.
3. Education! Educate yourselves on the latest cyber attacks and issues, and how to thwart them, by reviewing sites like About Click Fraud.

Ad networks share these responsibilities, too. Check that they verify that their publishers are providing real, valuable content to site visitors and not engaging in click fraud for financial gain. By eliminating pornography, violence, racial intolerance, violations of intellectual property and other chaff, ad networks strengthen the trust of their advertisers and the reputation of their network.  

As long as there remains a financial incentive for people to commit fraud, the click fraud problem will not fully disappear; in fact, it's getting worse. But, full disclosure by adverting networks and a measure of due-diligence on the part of advertisers can alleviate angst over how best to protect a brand's identity and its customers online.

Michael Caruso is CEO and co-founder of ClickFacts. Read full bio.