u/2ndFloorYoutuber

Lately I’ve been noticing a pattern across multiple campaigns where:

• CTRs look stable or even improved
• CPC behavior hasn’t changed drastically
• But downstream engagement feels weaker than usual

In some cases, session behavior doesn’t match what I’d normally expect from similar historical traffic (short engagement cycles, inconsistent page interaction patterns).

I’m trying to understand whether this is:

• a broader shift in traffic mix across placements
• changes in optimization algorithms (PMax / Smart bidding effects)
• or just improved detection lag between Ads + analytics platforms

Has anyone else been digging into traffic quality beyond standard Ads metrics recently? If so, what signals are you relying on now to validate intent?

I have a country block rule set up in Cloudflare to restrict traffic from a specific region, and it shows as active in the firewall rules.

However, I’m still seeing requests from that country appearing in the logs.

Has anyone experienced this before? Could this be due to proxy/VPN traffic or something bypassing geo-based filtering in certain cases?

Has anyone else noticed Google Ads traffic looking “normal” in clicks but not translating into real engagement lately?

I’ve been reviewing a few accounts and seeing situations where CTR and sessions look fine, but user behavior doesn’t match typical intent patterns.

Curious if this is more of a tracking issue, traffic quality shift, or something else others are also experiencing?

Lately I’ve been seeing more cases where Google Ads campaigns show decent click volume, but conversions don’t line up at all.

After checking traffic logs on a few sites, a surprising amount of traffic turned out to be automated or suspicious bot activity hitting landing pages repeatedly.

What made it harder to spot:

• CTR looked normal
• Bounce rates were inconsistent
• Sessions appeared “real” in analytics
• Ad spend kept climbing without matching revenue

In some cases, filtering and challenging suspicious traffic at the edge significantly cleaned up campaign data.

Curious if others here have noticed an increase in low-quality or bot-like traffic recently, especially on Meta + Google campaigns?

quick observation that's been bugging me for a few months. i think a lot of us look at google's invalid traffic adjustments and assume the bot problem is handled. it isn't.

invalid traffic adjustment shows what google auto-refunded for clicks they identified as fake. most accounts i look at show 2-5% invalid traffic. seems fine. but when i started cross-referencing google ads click logs with network-level data on the same domains, the real bot traffic was often 4-6x higher than what google was catching.

google's auto-detection is decent at catching:

• known bot signatures and headless browsers
• repeat clicks from the same fingerprint
• traffic that immediately bounces from the landing page

what it misses:

• distributed click attacks across residential IP networks (real consumer ISPs)
• click farms with actual humans clicking for pennies
• bots that mimic real browsing for 10-15 seconds before exiting
• coordinated attacks from rotating IP pools

i had one ecom account spending $40k/month on google ads where the reported invalid traffic was 4%. when i pulled their server logs and analyzed the actual clicks landing on the site, around 22% had bot fingerprints. google was catching less than a fifth of it.

how to spot it yourself

couple things to check on accounts you manage:

google analytics — filter "new users from paid" with bounce rate above 90% AND session duration under 5 seconds. if that segment is over 15-20% of paid traffic, your real bot rate is way higher than google reports.

geographic clicks — pull the country report. clicks from countries outside your target geography are almost all bots, but google's auto-filter often counts them as valid because they technically clicked the ad.

device + browser combinations — bots love unusual combos. if your "windows + chrome 89" segment converts at 0.1% while everything else is at 2%, that's a tell. legit users update their browsers, bots don't.

day-parting anomalies — invalid traffic spikes between 2-5am EST regardless of campaign settings. if you see traffic spikes during those hours that have zero conversions, that's bot activity.

what helps

at the platform level: tighten geo targeting (exclude entirely, don't just bid-adjust down to zero), enable all built-in bot exclusions in campaign settings, add IP exclusion lists for repeat offender ranges.

at the network level: if your client has access to a web application firewall or CDN with bot detection (cloudflare, akamai, fastly), getting that configured properly cuts the bots before they ever click your ads. ad networks see fewer suspicious patterns because the bots can't even reach the site to "click" effectively.

third party click fraud tools (clickcease, ppc protect, etc) work in the middle — they detect and exclude bot IPs at the google ads account level. helpful but they're reactive. the bots have to click first before they get added to the exclusion list.

one thing i've noticed across ecom accounts specifically

when click fraud spikes on ads, the merchant's store usually starts seeing fraud orders or card testing attempts around the same dates. same operators monetizing multiple channels. so if you manage ads for an ecom store and you see weird invalid traffic patterns, worth asking the client if they've noticed unusual order patterns in shopify/woo. might be the same attack from a different angle.

anyway, curious what others here see in their accounts. is your google ads invalid traffic number matching what you'd expect, or do you think it's understated too?

okay so this has been on my mind for a few weeks. been working with a bunch of woo stores and card testing attacks have picked up noticeably since around march. wanted to share what's going on because most store owners don't even know they're being hit until their payment processor pauses them or chargebacks start rolling in.

quick context for anyone who hasn't dealt with it. card testing is when attackers get stolen card numbers in bulk and they need to figure out which ones still work. so they use your woocommerce checkout as a free validation tool. they hammer your checkout endpoint with small $1-5 orders, see which ones go through, then take the working cards and use them for big purchases elsewhere. you're basically being used as a card validator, and the chargebacks land on you weeks later.

the worst part isn't even the chargebacks. it's when your payment gateway sees the pattern and either holds your funds or shuts you down entirely. had a store owner reach out last month whose stripe got paused for 90 days because of this. they had no idea it was happening until the email came in.

what it looks like in your dashboard:

bursts of small orders, usually $1 to $10. often at weird hours like 2-5am your time. slight variations on the same name and email (john1@, john2@, like that). a bunch of declined transactions in a row followed by a few successful ones. spike in failed payments in your woo logs. sometimes the orders all come from similar IPs, sometimes rotating proxies.

if any of that sounds familiar, you've been tested.

here's what most stores get wrong. they rely on woocommerce's built in fraud checks and maybe an anti-fraud plugin. those are order-level filters. they catch the order after it's been submitted, after the card has already been validated for the attacker. by then the damage is done.

what actually works is blocking the bots before they even hit your checkout. that's the layer most stores skip. couple things that help at the infrastructure level:

a web application firewall in front of your store with bot detection turned on, plus a rate limit rule on your checkout and cart endpoints. something like 5 requests per minute per IP is usually safe (doesn't affect real shoppers, kills automated testers). this single change cuts most card testing dead. most stores already have access to this through their CDN or hosting provider, they just never configured it.

inside woocommerce, look at anti-spam plugins that add honeypot fields to checkout. attackers' bots fill them in, real customers don't see them.

require AVS and CVV matching in your payment gateway settings. lots of stolen cards don't have matching billing addresses, so this knocks out a chunk.

if you're on stripe or a similar processor, turn on their built-in fraud rules and set custom blocks for things like "block if shipping country differs from billing country" or "block if more than 2 orders from same email in 24 hours."

one thing nobody talks about. card testing often happens alongside click fraud on your facebook or google ads. same operators run both. if you've noticed weird ad spend with no conversions in the last month AND fraud orders, it's almost always connected. worth checking your ads manager for unusual click patterns around the same dates the fraud orders started.

quick check you can do today. open your woo orders list, filter by failed payments in the last 30 days. if you see clusters of small failed amounts at unusual hours from similar email patterns, you're being tested. time to add the network layer before your processor flags you.

anyway, hope this saves someone a payment gateway ban. happy to answer questions if anyone's seeing weird patterns in their store.

Is Anyone available to help me with my cold email setup?