Getting Ad Clicks from Strange Domains? Here's How to Stop Them

Spotting when something is wrong with your ads may be difficult due to the omnipresent nature of bots. Whether you are the victim of clever social engineering attacks or one of the vectors of script kiddies, the bot problem remains quite widespread.

With Google display ads in particular, this often shows up as clicks from strange top-level domains (TLDs). The TLD is the last part of a website's address, such as .com.

For ad campaigns with massive budgets, you could end up reaching up to hundreds of thousands of such top-level domains. Though it is now easier to distinguish, and block, malicious traffic streams thanks to the ever-evolving ad fraud detection and prevention technology, knowing why you're getting ad clicks from strange TLDs like .xyz could help put into perspective how real-time ad fraud affects your bottom line.

In this article, we will give an overview of why you might be getting traffic and ad clicks from strange domains, examples of the most prevalent shady top-level domains, and some best practices to help stop them from getting ahold of your ads.

Why You Are Getting Ad Clicks from Domains Like .xyz

TLDs like .xyz are popular with attackers because they are cheap, usually under a dollar, and allow one to register numerous domains at once. If is taken, they could opt for or facebook.gdn or, etc. Fraudsters have little to lose if the domain is associated with little or no traffic, as they can always make another, until they find one that works.

In most cases, unlike the Facebook example we gave, the domain name doesn't even try to mirror a legitimate business. So why would Google Ads allocate traffic to these fake sites even though no one seems to ever visit them? Well, because fraudsters do everything they can to have their bots trick Google's automated bid algorithm — from spending a significant amount of time on the landing page, filling out forms where applicable, to generally mimicking the behavior of a hot lead. This makes the algorithm push even more traffic to such sites.

Examples of Shady Top-level Domains

Shady websites can take many forms. They can be a multitude of unrelated words that resemble each other sensibly, like or Some of them may also resemble prominent businesses or eCommerce sites, like wix.com or, but with tiny changes seemingly blending into the web address — or

It is common for businesses to buy domain names related to their brand to prevent scammers from using the brand name to exploit others. In any case, here are a few popular TLDs to be aware of:

Shady Top-Level Domains
.xyz .win
.trade .bid
.date .wang
.ga .stream
.country .download
.review .loan

How to Deal with Ad Clicks from Strange Domains

Exclude the affecting domains

Google Ads allows you to exclude placements that either don't fit your brand, or sites on which your ads are showing but not performing well. This could work for a few spammy ad clicks. But for large volumes of them, you might have to employ and train dedicated staff to scan your web traffic and make judgment calls in blocking any suspicious-looking TLDs.

On Content, under the page menu of your Google Ads manager, navigate to Exclusions, then to Placements, and then continue to exclude the affected placements on your ads: by domain, subdomain, path name, or individual pages.

Even then, human error is a concern. To be fair, it is very easy to gloss over legit lookalikes when sometimes the only difference is an "a" for an "e." This makes this method ineffective; not to mention Google Ads doesn't allow for the exclusion of multi-level domains like
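The manual review described above can be partly scripted. The following is an added example, not code from the original article or from any vendor: it triages an exported placement report against the TLD list in this article and flags one-character lookalikes of your own brand domains. The report layout, the brand and allow-list names, and every sample domain are constructed assumptions.

```python
import csv
import io

# TLDs the article lists as frequently abused.
SHADY_TLDS = {"xyz", "win", "trade", "bid", "date", "wang", "ga",
              "stream", "country", "download", "review", "loan"}

# Constructed sample report; every domain below is made up for illustration.
SAMPLE_REPORT = """placement,clicks
news.example.org,12
cheap-deals.xyz,340
exemple-shop.com,57
example-shop.gdn,8
partner-site.xyz,21
www.example-shop.com,5
"""

def edit_distance(a, b):
    """Levenshtein distance computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(report_csv, brands, allow=frozenset()):
    """Return (domain, clicks, reason) for placements to review, busiest first."""
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        labels = row["placement"].strip().lower().rstrip(".").split(".")
        if len(labels) < 2:
            continue
        # Assumption: registrable domain = last two labels (no public-suffix list).
        name, tld = labels[-2], labels[-1]
        domain = f"{name}.{tld}"
        if domain in allow or domain in brands:
            continue  # vetted sites and our own domains are never flagged
        reason = None
        for b_name in (b.rsplit(".", 1)[0] for b in brands):
            if name == b_name:
                reason = "brand name on another TLD"
            elif edit_distance(name, b_name) == 1:
                reason = "one-character lookalike of brand"
        if reason is None and tld in SHADY_TLDS:
            reason = "TLD on watch list"
        if reason:
            flagged.append((domain, int(row["clicks"]), reason))
    return sorted(flagged, key=lambda r: -r[1])
```

The allow-list is what keeps a legitimate site on an unusual TLD from being excluded by the TLD rule alone; the output is a review queue, not an automatic block list.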

Avoid automatic placements

Enabling automatic ad placement when setting up your display ad campaigns would mean allowing Google to select the webpages and apps on the Display Network where your ads show automatically based on the targeting you've selected. This is helpful unless you receive a lot of ad clicks from the shady TLDs we outlined.

A solution would be to disable automatic ad placement, manually choosing only a few dozen sites you are confident are legitimate. But depending on the keywords you're targeting, researching the appropriate websites could take a lot of time and resources. Additionally, you'd be missing out on clicks from decent sites you'd have no idea existed.

Integrate ad fraud prevention tools into your ad operations

These tools use machine learning models to clean up your ad campaigns in general and ad placements in particular. They'll free you of the restrictions and inefficacies associated with manual placements and the painful inspections of hundreds or thousands of sites.

Ad fraud prevention tools do more than just accurately identify fake clicks from spammy websites; they'll also maximize your ROAS, protect your brand reputation, streamline your marketing operations, and much more.

Related article: 6 Benefits of Deploying an Ad Fraud Prevention Tool


Not all .xyz or other unusual TLDs are necessarily fraudulent. Alphabet, the parent company of Google and YouTube, has as its domain. Gordon Hempton, the CEO of Spot, wrote a detailed article recounting his weird experience when their company was registered on the .xyz TLD. Due to their unusual domain name, Spot gets treated as if they aren't a legitimate business, with many providers silently blocking links consisting of their domain name.

Nonetheless, there are simply so many of them, with millions of fake sites being created every month, that it'd be impossible to keep up. The safe bet for your business is to take preventive measures to reduce the exposure to any phishing attempts or scams on your ads.

Start your fraud-free journey with Spider AF's 14-day free trial today (with no CC required)!
