Click Fraud

IP blocking vs. person-based detection

IP-based blocklists were built for a world where fraudsters reused a small pool of addresses. In 2026, residential proxies and click farms make IP blocking trivial to bypass. Here’s why person-based detection is the modern standard.

The AdProtektor Team · 9 min read

For years, “click-fraud protection” meant one thing: detect a bad IP address, add it to a blocklist, repeat. That model worked when fraudsters reused a small, stable pool of addresses. In 2026 it’s broken — residential-proxy networks and click farms have made IP rotation trivial and cheap, so a blocklist is bypassed the moment the next click arrives from a fresh address. This article explains why IP blocking fails against modern fraud, and what replaced it: person-based detection that identifies the actor behind the click rather than the network they happen to be on.

How IP blocking works

IP-based protection is conceptually simple. When a click looks suspicious — too many clicks, no conversion, a known bad range — the tool records the visitor’s IP address and adds it to an exclusion list. Future clicks from that exact address are blocked or excluded from your ads. Google Ads has this built in (up to 500 IP exclusions per campaign), and first-generation fraud tools automated it at larger scale.

The assumption underneath is that an IP address identifies the fraudster. Block the address, block the fraudster. For a long time, that was roughly true.

Why IP blocking no longer stops fraud

Three things broke the assumption:

  1. Residential proxies commoditized IP rotation. For a few dollars, anyone can route traffic through millions of real consumer IP addresses and rotate them on every request. A blocklist can only stop an address it has already seen — so against a rotating attacker, it’s permanently one step behind.
  2. Click farms use real devices on real networks. Banks of real phones on mobile carriers produce clicks from constantly changing carrier-grade NAT addresses that are indistinguishable from those of your real mobile customers.
  3. Mobile fraud changes IPs naturally. A phone moving between Wi-Fi and cellular, or roaming across cell towers, changes IP repeatedly during a single session — no proxy required.

Ask any fraud tool one question: “What happens when the same fraudster comes back on a fresh residential IP?” If the answer is “new IP, new evaluation,” you have a one-click bypass.

The hidden cost: blocking real customers

IP blocking doesn’t just fail to catch fraud — it actively risks blocking real customers. IP addresses are not permanent identities:

  • ISPs reassign residential IPs regularly, so an address you blocked last week as a fraudster may belong to a genuine prospective customer today.
  • Entire offices, buildings, schools, and mobile carriers share a single public IP via NAT — block it, and you block everyone behind it.
  • Blocking broad IP ranges to keep up with rotation multiplies this collateral damage.

Every blocked visitor is a customer you chose not to serve

Blunt IP-range blocking is one of the most common ways fraud tools quietly suppress real traffic. The more aggressively a tool blocks IPs to compensate for rotation, the more real customers it catches in the net.

What person-based detection is

Person-based (behavioral) detection flips the model. Instead of asking “is this IP bad?”, it asks “who is the actor behind this click, and have we seen them before?” It builds a behavioral and device fingerprint from many independent signals, including:

  • Behavioral signals — mouse-movement patterns, click timing and cadence, scroll behavior, interaction rhythm.
  • Device & environment entropy — viewport and screen characteristics, device and browser attributes, rendering quirks.
  • Automation tells — headless-browser markers, the navigator.webdriver flag, impossible timing, missing human-input signatures.
  • Navigation context — referrer and landing patterns, session structure, repeat-visit history.

Because these signals describe the person, not the network, the same fraudster is recognized after they switch IP address, device, or browser. The fingerprint travels with the actor. That’s the entire point: a residential-proxy rotation changes the IP but not the behavior.
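
The difference between the two models, as an added example that is not AdProtektor's code: the same threshold rule is run over a constructed click log twice, once keyed on the IP address and once keyed on a simplified fingerprint. The field names, the four-signal fingerprint and the threshold of 3 are assumptions made for illustration.

```python
import hashlib
from collections import Counter

# Constructed sample clicks, not real traffic. IPs are documentation ranges;
# "who" is a ground-truth label used only to score the two models.
def click(who, ip, viewport, ua, webdriver, gap_ms):
    return {"who": who, "ip": ip, "viewport": viewport, "ua": ua,
            "webdriver": webdriver, "gap_ms": gap_ms}

CLICKS = [
    # One actor rotating through residential proxies: new IP on every click.
    click("rotator", "198.51.100.11", "1366x768", "Chrome/124 Windows", True, 502),
    click("rotator", "198.51.100.87", "1366x768", "Chrome/124 Windows", True, 498),
    click("rotator", "198.51.100.143", "1366x768", "Chrome/124 Windows", True, 510),
    click("rotator", "198.51.100.209", "1366x768", "Chrome/124 Windows", True, 495),
    # Three real customers behind one office NAT address.
    click("customer_a", "203.0.113.7", "1920x1080", "Firefox/126 Linux", False, 4200),
    click("customer_b", "203.0.113.7", "390x844", "Safari/17 iOS", False, 9100),
    click("customer_c", "203.0.113.7", "1440x900", "Chrome/124 macOS", False, 2700),
]

def ip_key(c):
    return c["ip"]

def actor_key(c):
    # Simplified fingerprint (assumption): device attributes, the automation
    # flag and a coarse click-cadence bucket. The IP is deliberately not an input.
    parts = (c["viewport"], c["ua"], str(c["webdriver"]), str(round(c["gap_ms"] / 100)))
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]

def blocked_actors(clicks, key_fn, threshold=3):
    """Flag every key seen at least `threshold` times; return who gets blocked."""
    counts = Counter(key_fn(c) for c in clicks)
    flagged = {k for k, n in counts.items() if n >= threshold}
    return {c["who"] for c in clicks if key_fn(c) in flagged}

if __name__ == "__main__":
    print("IP-keyed blocks:   ", sorted(blocked_actors(CLICKS, ip_key)))
    print("actor-keyed blocks:", sorted(blocked_actors(CLICKS, actor_key)))
```

On this sample the IP-keyed rule blocks the three customers behind the shared address and misses the rotating actor; the actor-keyed rule does the opposite.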

IP blocking vs. person-based detection, side by side

| Dimension | IP blocking | Person-based detection |
|---|---|---|
| Identifies | A network address | The actor behind the click |
| Survives IP rotation | No | Yes |
| Survives device / browser change | No | Yes |
| Risk of blocking real customers | High (shared / reassigned IPs) | Low (multi-signal, with whitelisting) |
| Catches click farms on real devices | No | Yes |
| Best used as | One enforcement action | The primary detection layer |

IP exclusion still has a role

None of this means IP exclusion is useless. It’s still a valid enforcement action — once you’ve identified a fraudster by behavior, pushing their current IP to your Google Ads exclusion list is a reasonable way to act on the verdict. The shift is about sequence and primacy: identify the person first, then use IP exclusion (and Custom Audience exclusion, and tracking-template diversion) as one of several ways to enforce. IP exclusion as the detection mechanism is what’s obsolete; IP exclusion as one enforcement primitive among several is still useful.
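
One way to treat IP exclusion as an enforcement step that follows a behavioural verdict (an added example, not AdProtektor's code and not a Google Ads API client): a local exclusion list bounded by the 500-entry campaign limit mentioned earlier, whose entries expire because addresses get reassigned. The 7-day TTL, the class and its method names are assumptions.

```python
from collections import OrderedDict

MAX_EXCLUSIONS = 500         # per-campaign limit cited in the article
TTL_SECONDS = 7 * 24 * 3600  # assumed expiry; residential IPs get reassigned

class ExclusionList:
    """IP exclusions recorded only for actors already flagged by behaviour."""

    def __init__(self, cap=MAX_EXCLUSIONS, ttl=TTL_SECONDS):
        self.cap, self.ttl = cap, ttl
        self.entries = OrderedDict()  # ip -> (actor_id, expires_at), oldest first

    def _expire(self, now):
        for ip in [ip for ip, (_, exp) in self.entries.items() if exp <= now]:
            del self.entries[ip]

    def enforce(self, actor_id, ip, now):
        """Exclude the flagged actor's current IP, evicting the oldest at the cap."""
        self._expire(now)
        self.entries.pop(ip, None)            # re-listing refreshes the expiry
        while len(self.entries) >= self.cap:
            self.entries.popitem(last=False)  # drop the oldest exclusion
        self.entries[ip] = (actor_id, now + self.ttl)

    def is_excluded(self, ip, now):
        self._expire(now)
        return ip in self.entries

    def reverse(self, actor_id):
        """Undo a verdict: lift every exclusion recorded for that actor."""
        lifted = [ip for ip, (a, _) in self.entries.items() if a == actor_id]
        for ip in lifted:
            del self.entries[ip]
        return lifted

if __name__ == "__main__":
    xl = ExclusionList(cap=2, ttl=100)  # tiny cap and TTL to show the behaviour
    xl.enforce("actor-1", "198.51.100.11", now=0)     # constructed sample values
    xl.enforce("actor-2", "198.51.100.87", now=10)
    xl.enforce("actor-1", "198.51.100.143", now=20)   # cap reached, oldest evicted
    print(xl.is_excluded("198.51.100.11", now=20))    # evicted entry
    print(xl.is_excluded("198.51.100.87", now=110))   # expired entry
    print(xl.reverse("actor-1"))
```

Because every entry carries the actor it was recorded for, reversing one verdict lifts all of that actor's exclusions, and an address that has aged out stops blocking whoever holds it next.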

How AdProtektor does it

AdProtektor builds person-based profiles from 100+ signals, so the same fraudster is caught on a fresh IP, a new device, or a different browser. It then enforces across Google Ads (IP exclusion + tracking-template diversion) and Meta (Custom Audience exclusion) — and keeps a session recording of every flagged visit so you can verify and reverse any decision in one click. Start a free trial to see it on your traffic, or read our complete guide to click fraud for the bigger picture.

The bottom line

IP blocking was the right tool for a world where fraudsters reused addresses. That world is gone. If your protection evaluates each click as a fresh event keyed on its IP address, modern fraud bypasses it with a single proxy rotation — and your real customers get caught in the over-blocking that follows. Person-based detection identifies the actor, not the address, and that’s the line that separates protection that works in 2026 from protection that looked good in 2018.

FAQ

Frequently asked questions

Why doesn’t IP blocking stop click fraud anymore?

Because fraudsters no longer reuse IP addresses. Residential-proxy services route traffic through millions of real consumer IPs and rotate them constantly, so each fraudulent click can arrive from a different, never-before-seen address. A blocklist can only stop an IP it has already seen and recorded, which means it is always one step behind. Worse, blocking residential IP ranges risks blocking real customers who later get assigned the same address by their ISP.

What is person-based (behavioral) detection?

Person-based detection identifies the human or bot behind a click using a behavioral and device fingerprint — a combination of signals such as mouse-movement patterns, click timing, scroll cadence, viewport and device entropy, navigation paths, and automation tells. Because these signals describe the actor rather than the network, the same fraudster is recognized even after switching IP address, device, or browser. IP exclusion then becomes one of several enforcement actions, applied after the person is identified.

Does person-based detection block real customers by mistake?

A well-built system minimizes false positives by whitelisting legitimate crawlers (Googlebot, Bingbot, ad-verification bots) and by requiring multiple corroborating signals before blocking. Good tools also keep session recordings and per-decision evidence so you can review and reverse any block in one click. The risk to watch for is the opposite approach — blunt IP-range blocking — which is far more likely to catch real customers sharing a residential or corporate IP.

The AdProtektor Team

Ad-fraud researchers & engineers

AdProtektor builds person-based AI click-fraud protection for Google Ads and Meta. This article is written by the same team that ships the detection engine — engineers and analysts who look at invalid-traffic patterns across millions of ad clicks every week.
