Stung By Click Fraud Allegations, Facebook Reveals How It's Fighting Back

by Robert Hof @forbes

It’s a question that has haunted online advertisers since soon after Google perfected pay-per-click search ads a decade ago: Are those clicks from real potential customers, or are they from scammers draining my ad budget?

Now the issue of “click fraud” has hit Facebook full-force. On July 30, Limited Run, which provides software to enable bands and music labels to sell physical products like records, said it was closing its Facebook account after finding that some 80% of the clicks it got during a recent ad campaign on Facebook were likely generated not by real people but by bots. Those are coordinated groups of computers hijacked by scammers or spammers, so any clicks they generate cost advertisers money for no benefit. (In a separate issue, in fact the main reason Limited Run said it’s leaving Facebook, the company also said Facebook asked it to spend $2,000 on ads in order to change its Facebook page name, something Facebook has said is not its policy.)

Limited Run said it came to the conclusion that the clicks were fraudulent after running its own analysis. It determined that most of the clicks for which Facebook was charging it came from computers that weren’t loading Javascript, a programming language that allows Web pages to be interactive. Almost all Web browsers load Javascript by default, so the assumption is that if a click comes from one that isn’t, it’s probably not a real person but a bot.
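The kind of check described above, as an added example (not Limited Run's or Facebook's code): it joins ad-click landing requests with a beacon that the landing page's script fires, and reports the share of clicks whose client never ran Javascript. The two-field log format, the `click_id` parameter and the `/landing` and `/beacon` paths are assumptions, and the sample lines are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines: "<ip> <path-with-query>".
# Assumption: each ad click lands on /landing?click_id=...; the page's script
# then requests /beacon?click_id=... only if the client executes Javascript.
SAMPLE_LOG = """\
203.0.113.10 /landing?click_id=c1
203.0.113.10 /beacon?click_id=c1
198.51.100.7 /landing?click_id=c2
198.51.100.7 /landing?click_id=c3
198.51.100.8 /landing?click_id=c4
192.0.2.55 /landing?click_id=c5
192.0.2.55 /beacon?click_id=c5
198.51.100.7 /landing?click_id=c2
"""

def parse(log_text):
    """Yield (ip, path, click_id) for lines carrying a click_id parameter."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than guessing
        ip, target = parts
        url = urlparse(target)
        ids = parse_qs(url.query).get("click_id")
        if ids:
            yield ip, url.path, ids[0]

def js_report(log_text):
    """Summarise which landed clicks were followed by a Javascript beacon."""
    landed, beaconed, repeats = {}, set(), 0
    for ip, path, click_id in parse(log_text):
        if path == "/landing":
            if click_id in landed:
                repeats += 1  # same click id seen again (reload or replay)
            landed.setdefault(click_id, ip)
        elif path == "/beacon":
            beaconed.add(click_id)
    no_js = sorted(c for c in landed if c not in beaconed)
    return {
        "clicks": len(landed),
        "no_js": no_js,
        "no_js_share": len(no_js) / len(landed) if landed else 0.0,
        "repeat_landings": repeats,
        "no_js_ips": sorted({landed[c] for c in no_js}),
    }

if __name__ == "__main__":
    print(js_report(SAMPLE_LOG))
```

A missing beacon also occurs when a real visitor leaves before the script runs or blocks scripts, so the no-Javascript share is an upper bound on suspect clicks rather than a bot count.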

To be clear, Limited Run isn’t charging that Facebook itself is responsible for those apparently fraudulent clicks. Often the culprits in click fraud are small-time ad networks and other outfits that pay people to click on Google and other ads they run on their sites, though that’s unlikely to be an issue for Facebook, which does not yet run its ads outside its own site as Google and others do. Perhaps, Limited Run has suggested, rivals could be using the bots to cost the company money by forcing it to pay for useless clicks.

The click fraud issue has at times loomed large for Google and other companies because of the potential impact on advertiser trust, and Google continues to fight click fraud–as does Facebook. Indeed, the issue isn’t new for Facebook either, with complaints, including lawsuits, bubbling up since at least 2009.

But while click fraud doesn’t seem to have driven away a large number of Google advertisers, whether because the company has minimized it or because advertisers simply factor it in as a cost of doing business online, the issue is a particular concern for Facebook now. It’s trying to prove to skeptical advertisers and investors that its ads work, and claims that there’s rampant click fraud don’t help. At the same time, Facebook has said recently that some 1.5% of its nearly 1 billion accounts are “undesirable,” meaning “user profiles that we determine are intended to be used for purposes that violate our terms of service, such as spamming.”

Facebook has declined to say much about the Limited Run situation, though the company says it believes it catches and filters out the vast majority of “invalid clicks” before they’re even charged to advertisers. Its own page on “click and impression quality” doesn’t reveal much detail about how it deals with click fraud, however, so I asked the company for more insight on what it’s doing about the problem.

Mark Rabkin, an engineering director on Facebook’s ads team, responded to questions by email. While at times he’s repeating what Facebook has said before, he also reveals that the company has a growing staff of 300 people working on security and safety and explains in more detail the various ways the company tries to catch bad clicks. Here are his answers:

Q: To establish what we’re talking about, what is the nature of “click fraud”–people setting up bots to click, or accounts that manually manipulate clicks?

A: Our goal always is to deliver valuable ads to our users and for our advertisers.

We have multiple systems in place to help optimize ads and detect invalid clicks. As is common throughout the industry, we filter out different types of clicks that we believe do not represent a real person intentionally clicking on an ad. We also filter out some other clicks that we determine may have low value to an advertiser based on a variety of factors. For example, we filter out double-clicks and overly repetitive clicks even if they came from real people.

Q: What is the process by which Facebook tries to prevent or ameliorate click fraud? Are there certain qualities of accounts or click activity that are red flags? And once found, what does Facebook do to investigate and then correct as necessary?

A: Facebook has a few unique properties: you have to have an account to use the service which means you have to be logged in to see or click on an ad. We use historical information and statistical models to identify which accounts may not represent real people and to evaluate click quality.

We also monitor user click activity over various intervals of time and we use this information and several other signals to inform what clicks we do or do not charge for. For example, a user who repeatedly clicks on ads is not likely providing real value, so we don’t charge for those clicks. When our systems detect click activity that we think is invalid, we mark it as such and do not charge for those clicks.

We can’t say much more as the effectiveness of our systems ultimately depends on keeping certain details confidential.

Q: Limited Run singled out Javascript being disabled as a key indicator of bot activity. Is that a good indicator? If so, is that used as a signal to filter out clicks from that source?

A: We have systems in place that filter out clicks coming from browsers with Javascript disabled. We believe that these systems can identify click activity from bots that do not use Javascript. We were surprised to learn of Limited Run’s experience because it’s not consistent with ours. We have asked Limited Run for their data and analysis so we can investigate their claim, but they have not yet provided it.

Q: What is the process by which Facebook refunds businesses whose advertising budgets are the victim of click fraud?

A: We believe the vast majority of invalid click activity is filtered by our automated systems, does not appear in our reports, and is not billed to the advertiser. On the rare occasion that we learn of potentially invalid click activity that was billed to an advertiser, we will work with them to investigate the issue and, if necessary, issue credits or refunds.

Q: Google has said the rate of click fraud after it filters out most of the invalid clicks first is .02%. What is the rate of click fraud on Facebook?

A: We believe we filter out the vast majority of invalid click activity through our automated systems. We don’t give out specific numbers, but we believe the rate of invalid click activity on Facebook is comparable to other companies in the space.

Q: Facebook said in 2009 that click fraud was under control. Has the problem gotten worse or better or remained steady since then?

A: We are continuously improving our detection systems as well as our sophistication in detecting bots and compromised user accounts. In addition, we also have a specially trained engineering incident response team that is on call at all times and reacts to spikes in activity by possible bots or malware. Finally, we have an independent company periodically review samples of our click data. [Facebook declined to identify the firm.]

Q: A key challenge seems to be the creation of fake accounts to engage in this activity. How does Facebook prevent this or stop it if it slips through?

A: We classify all account registrations and activities on the site in real time and take actions on accounts that we believe are false or suspicious. We identify anomalies in the activities coming from a particular user or group of users and take action on the users involved. Some of the actions may include suspending the account, blocking activities from a specific IP address range, limiting the interactions an account can have with others, or forcing the user through a “checkpoint” where they must pass a test such as a CAPTCHA, phone verification, identify photos of their friends, or provide a copy of their government-issued ID to prove that they are the person they claim to be.

Q: What can advertisers do themselves to identify or prevent click fraud?

A: We are committed to partnering with our advertisers to continually optimize their return on investment from the ads they run with us. We encourage advertisers to measure and track both their campaign performance and the traffic resulting from their campaigns, and to contact us with any questions.

Q: A recurring theme in story and blog comments is that Facebook is slow to respond to queries on apparent fraudulent clicks. Does Facebook feel it has the problem under control, or does it need to apply more staff or other resources to further reduce the problem?

A: We believe our systems perform well in identifying invalid click activity, and we remove such clicks from our reports before an advertiser ever sees them. As our usage grows, we continue to invest more and more engineering resources to combat all types of invalid click activity, spam, and malware on Facebook and across our platform. We employ over 300 full-time staff focused on security and safety.

We are reviewing our help center and other educational materials around our click systems and policies to see if there are areas where we can provide additional information for our advertisers.