Is Click Fraud Illegal? The Legal Reality for Google Ads Advertisers in 2026

If a competitor has been clicking your Google Ads to burn through your budget, or you have spotted a bot pattern in your traffic that nobody at Google seems interested in fixing, you have probably typed some version of “is click fraud illegal?” into a search bar. It is one of the most common questions home services contractors and small business owners ask once they realise what is happening to their ad spend. And it is one of the most frustrating to answer, because the honest reply is: yes, it almost certainly is illegal where you live, but that does not mean anyone is going to be prosecuted for it.

This guide breaks down what the law actually says about click fraud in the UK and the US, why criminal prosecutions are rare, the civil cases that have made it to court, and what Google Ads advertisers can realistically do when they know they are being targeted.

The Quick Answer

Click fraud is illegal in the UK, the US, the EU and most other developed jurisdictions, but it is prosecuted almost exclusively in large, organised cases involving botnets, click farms, or affiliate networks defrauding advertisers at scale. For individual Google Ads advertisers — the plumber whose competitor is clicking ten times a day, or the HVAC firm being hit by a small bot — the legal system is effectively unavailable. Civil action exists in theory but is rarely cost-effective. The practical answer to “is click fraud illegal?” is yes in principle, no in enforcement, and that gap is exactly why dedicated click fraud protection software exists.

Why People Ask Whether Click Fraud Is Illegal

Most advertisers who end up searching this question have already crossed a few thresholds. They have noticed their Google Ads budget running out far earlier in the day than it used to. They have started seeing odd patterns in their click data — repeat IPs, weird devices, geographies that make no commercial sense. And they have done the maths on how much that suspect traffic is costing them per month.

By the time the legality question comes up, the advertiser is usually looking for one of three things: their money back, a way to make the person stop, or both. Understanding what the law actually says shapes which of those outcomes is realistic and which is fantasy. For background on how common deliberate competitor clicking actually is in local services, the ClickGuardian guide on competitors clicking your Google Ads walks through the patterns most contractors see in their own data.

Is Click Fraud Illegal in the UK?

Click fraud is illegal in the United Kingdom under at least two separate statutes. The most directly relevant is the Fraud Act 2006, which criminalises fraud by false representation. Deliberately clicking a competitor’s ad in order to deplete their advertising budget, with the intention of gaining a commercial advantage by removing them from the auction, fits the elements of false representation by conduct. The click communicates to Google that the visitor is genuinely interested in the advertised service when, in fact, the visitor has no such interest and is acting only to cause financial harm to the advertiser. That is dishonest representation made for personal gain. Under the Fraud Act 2006, the maximum penalty is ten years’ imprisonment.

The Computer Misuse Act 1990 adds a second route. Where click fraud involves automated tools, bots, scripts, or any unauthorised access to computer systems — and most large-scale click fraud does — the conduct can be charged as unauthorised access or unauthorised modification under sections 1 and 3 of the Act. Section 1 offences carry up to two years’ imprisonment, and section 3 offences carry up to ten years.

Civil law sits alongside the criminal statutes. A UK business that can prove a competitor deliberately clicked its ads to cause harm has potential claims in tortious interference with business. In practice, civil claims of this kind almost never reach court. The disclosure required to identify the person responsible for the clicks is expensive, the damages are usually modest, and most claimants conclude that the legal costs will exceed any realistic recovery. The Crown Prosecution Service rarely brings click fraud cases against individual offenders for the same evidential reasons — a competitor clicking your ads from a phone, a laptop and a tablet leaves a trail that is technically traceable but realistically beyond what a local police force will investigate for a few hundred pounds of fraudulent ad spend per month.

Is Click Fraud Illegal in the US?

Click fraud is illegal in the United States under federal law, several state laws, and a handful of civil doctrines. The federal statute most often cited is the Computer Fraud and Abuse Act, codified at 18 U.S.C. § 1030. The CFAA criminalises accessing a protected computer without authorisation, or exceeding authorised access, with intent to defraud. When click fraud involves bots, automated scripts, or networks of compromised devices that interact with Google’s servers in ways that violate Google’s terms of service, the conduct can fall within the CFAA’s scope. Penalties range from misdemeanour-level fines to multi-year prison sentences for organised schemes that cause significant financial loss.

The Lanham Act adds a civil dimension. Section 43(a) creates a federal cause of action for false advertising and unfair competition, and some plaintiffs have argued that deliberate click fraud against a competitor amounts to an unfair business practice within its reach. State laws vary, but most US states have computer crime statutes that mirror parts of the CFAA, plus separate consumer protection laws and tortious interference doctrines that can support a civil claim.

The largest and most cited US click fraud case remains a 2006 settlement in which Google paid $90 million to settle a class action brought by advertisers who claimed they had been charged for fraudulent clicks. That case did not establish criminal liability for any individual click fraud operator; it was a civil dispute about Google’s contractual obligations to advertisers. Since then there have been periodic federal prosecutions of large click farm operations and botnet operators, but the pattern is the same: enforcement focuses on organised, scaled fraud rather than the small-scale competitor clicking that drains most small business budgets.

Famous Click Fraud Cases and What They Actually Tell Us

The cases that have actually been litigated are useful less for the legal precedent they set and more for what they reveal about the practical threshold for enforcement.

The Google class action settlement of 2006 was driven by the sheer scale of the fraud and Google’s own admissions about the limitations of its filtering at the time. It was not a victory for any individual advertiser; it was a contractual settlement that capped Google’s exposure to ongoing claims.

In 2017, the US Department of Justice indicted operators of the Methbot and 3ve botnets, which had defrauded advertisers of an estimated $36 million by simulating fake video ad impressions. The case resulted in convictions, including a prison sentence for the lead defendant. It is one of the clearest examples of federal prosecutors pursuing ad fraud where the scale and sophistication made the case worth investigating.

What these cases have in common is scale. Federal prosecutors are not going to investigate the locksmith down the road clicking on your ad because there is no operational case to build. The threshold for criminal enforcement of click fraud in practice sits in the millions of dollars, and even at that level prosecutions remain unusual.

Why Prosecution Is So Rare

The gap between what the law says about click fraud and what actually happens in court has four practical causes, and understanding them helps explain why prevention is almost always a better use of an advertiser’s time than litigation.

The first is attribution. Proving that a specific person made a specific click requires evidence that links an IP address, a device and a real human identity together with enough certainty to satisfy a court. That chain is technically possible but expensive to assemble — civil disclosure orders, ISP records and device forensics are all part of the toolkit, and none of them is cheap.

The second is intent. Click fraud only becomes criminal when the clicker acted dishonestly or with intent to defraud. A competitor who accidentally clicks your ad is not a criminal, and neither is one who clicks once out of curiosity about your pricing. Prosecution has to show that the clicker acted knowingly and dishonestly, with the specific intention of causing financial harm. That is a high evidential bar.

The third is damages. Most small-scale click fraud causes a few hundred pounds or dollars of loss per month per victim. Even compounded over a year, the total damages from any individual offender are typically not large enough to justify legal costs that would routinely exceed £10,000 or $15,000 before a case ever reaches court.

The fourth is jurisdiction. A great deal of click fraud now originates outside the country where the affected advertiser operates, and the cooperation required to investigate cross-border cyber-enabled fraud is reserved for major investigations. For more on how click farms and AI-driven bots have changed the detection calculus in 2026, see the ClickGuardian guide on click farms and Google Ads and the analysis of AI bots draining ad budgets.

What You Can Actually Do When You Suspect Click Fraud

The practical answer to “I think someone is committing click fraud against me, what now?” comes down to four steps.

Document the pattern. Keep a clear record of the suspicious activity — IP addresses, timestamps, click frequencies, device data and any context that supports your interpretation. Google Ads exposes some of this through its built-in reporting; click fraud protection tools expose much more. Without documentation, you have nothing to escalate.

Report to Google. Use the Google Ads Invalid Click Contact Form to submit suspected invalid clicks for investigation. Google’s response will not be dramatic — credits, if any, are issued retrospectively and tend to be conservative — but escalating through Google’s official channel is a prerequisite to any subsequent action. The ClickGuardian guide to why Google’s invalid click protection is not enough explains what Google’s process actually catches and where it falls short.

Send a cease and desist if you have reasonable evidence pointing to a specific competitor. A formal legal letter from a solicitor or attorney is sometimes enough on its own to stop the behaviour, because the competitor may not realise how easy the activity is to detect. This is the option that has the highest practical success rate for individual cases of competitor clicking.

Implement prevention. The only durable answer is to remove the financial incentive. If the click costs the attacker nothing and costs you £15 in wasted spend, the attack continues. Block the click before it reaches your site and the economics of the attack collapse. Prevention scales and does not depend on identifying or pursuing the offender.

Why Prevention Beats Litigation Every Time

The reason serious click fraud protection software exists is that the legal system was never designed to handle thousands of micro-scale fraud cases worth a few hundred pounds each. The cost of the legal route is fixed and high. The cost of each individual fraudulent click is variable and low. Until that asymmetry changes, the only practical strategy for individual advertisers is to make the fraud impossible at the point of attack rather than punish it afterwards.

ClickGuardian protects Google Ads accounts by monitoring every click for fraud signals in real time and automatically excluding offending IPs, devices and behavioural signatures from your campaigns. The blocked clicks stop appearing in your campaign at all, which means you stop paying for them. The cost of running it for a year is typically less than the fraudulent spend it prevents in a single month for a competitive home services campaign.

For UK and US contractors who want to see what their fraud exposure looks like in monetary terms, the ClickGuardian ROI calculator takes a few inputs from your Google Ads account and produces a realistic estimate of what you are currently losing. Industry-specific data for plumbers, HVAC firms, roofers and other trades sits behind the headline figures, and the click fraud statistics page keeps the underlying numbers up to date.

The legal route exists. It is just not the route most Google Ads advertisers should be planning around in 2026.

Frequently Asked Questions

Is click fraud illegal?

Yes, click fraud is illegal in the United Kingdom, the United States and most other developed jurisdictions. In the UK it can be prosecuted under the Fraud Act 2006 and the Computer Misuse Act 1990. In the US it can be prosecuted under the Computer Fraud and Abuse Act and various state computer crime statutes. However, criminal prosecutions for click fraud are rare in practice, and almost always involve large-scale organised fraud rather than individual competitor clicking. Civil action is also available in theory but is rarely cost-effective for the sums involved.

Can I sue someone for click fraud?

You can sue someone for click fraud in both the UK and the US if you have evidence linking specific clicks to a specific person and can prove financial damages. The practical obstacles are significant. Identifying the offender often requires civil disclosure orders against internet service providers, which are expensive to obtain. The damages from typical small-scale click fraud rarely justify legal costs that routinely run into tens of thousands of pounds or dollars. Most advertisers who have considered suing eventually conclude that prevention through dedicated click fraud protection is a more efficient use of the money.

Is it illegal to click on a competitor’s Google Ads in the UK?

Deliberately clicking on a competitor’s Google Ads in the UK with the intention of depleting their advertising budget can amount to fraud by false representation under the Fraud Act 2006, and to a breach of Google’s terms of service. The clicker is making a false implicit representation that they are a genuinely interested visitor, when in fact they intend only to cause financial harm to the advertiser. The maximum penalty under the Fraud Act is ten years’ imprisonment, although prosecutions of individual offenders for small-scale click fraud are extremely rare. The clicker also exposes themselves to a potential civil claim for tortious interference with business.

Has anyone ever been convicted of click fraud?

Yes, there have been criminal convictions for click fraud and ad fraud, but they have almost all involved large-scale organised schemes. The most prominent US case involved the operators of the Methbot and 3ve botnets, who were indicted by the Department of Justice in 2017 for defrauding advertisers of an estimated $36 million through simulated video ad impressions. The lead defendant received a prison sentence. Smaller cases against individual offenders are unusual because the financial threshold for criminal investigation effectively rules out the everyday competitor clicking that affects most small business advertisers.

What should I do if I think a competitor is clicking my Google Ads?

The first step is to document the suspicious activity using Google Ads reports and, ideally, a dedicated click fraud protection tool that captures IP addresses, device fingerprints and behavioural patterns. The second step is to report the suspected invalid clicks to Google through the Invalid Click Contact Form, which is the only route to a refund of Google Ads spend. The third step, if the evidence points clearly to a specific competitor, is to consider a formal cease and desist letter from a solicitor. The fourth and most practical step is to implement click fraud protection software that blocks the offender from clicking your ads at all, which removes the financial incentive for the attack regardless of whether the offender is ever identified.

How much does click fraud cost the average small business?

Estimates vary by industry and geography, but independent research consistently shows that 10 to 15 per cent of Google Ads clicks across all advertisers are invalid even after Google’s own filtering. In high-risk sectors like home services, legal and dental, the figure can exceed 25 to 30 per cent. For a contractor spending £3,000 a month on Google Ads, that translates to between £300 and £900 of wasted monthly spend before any prevention is in place. The ClickGuardian click fraud statistics page keeps the underlying numbers up to date.

---

Last updated: May 2026. For more on the operational side of click fraud protection, see the ClickGuardian guide to stopping click fraud on Google Ads, the comparison guide to choosing a protection product, and the glossary of click fraud terms. To estimate what click fraud is currently costing your business, use the ClickGuardian ROI calculator.