A field guide to the four ways a competitor can deliberately damage your paid advertising: draining your budget, poisoning your optimization signal, weaponizing the platform's own enforcement against you, and attacking your reputation. For each, we separate how it works on Meta from how it works on Google, what symptoms reveal it, how to diagnose it, and how to defend — built so a non-specialist can act, and honest about what's proven versus what's just plausible.
Competitor sabotage is real and legally actionable — a jury verdict against one saboteur was affirmed at $189.7M in 20254 — but the four attack vectors are not equally proven, and they hit Meta and Google differently. Budget-draining click fraud is well documented and is mostly a Google auction problem (Google literally names "manual clicks meant to increase someone's advertising costs" as invalid traffic1). Signal poisoning — feeding fake conversions so the algorithm chases junk — is mechanically real on Meta especially, but almost every documented case is self-inflicted (duplicate events, counting spam), not a competitor attack. Weaponizing platform enforcement — getting a rival's ads or Shopping feed banned — is the vector behind MUD's cordyceps story, and it's the least proven: the enforcement discretion clearly exists, but "a competitor reported us" remains a plausible hypothesis we could not verify. For MUD: our likeliest exposure is signal/delivery noise on Meta, not a targeted budget-drain — but this guide includes the exact tests to rule a rival in or out, and corrects the cordyceps story with what Google's policy actually says.
"Sabotage" isn't one thing. There are four distinct attacks, and conflating them leads to defending against the wrong one. Here's the honest map — including how strong the evidence is and which platform carries the bigger risk.
| Vector | What the attacker does | Evidence | Bigger risk on |
|---|---|---|---|
| 1 · Budget / click drain | Floods your ads with fake clicks to exhaust your daily budget so your ads vanish and they win the auction. | Strong | |
| 2 · Signal poisoning | Generates fake conversions (orders, leads) so the algorithm "learns" to chase junk and degrades for weeks. | Real, mostly self-inflicted | Meta |
| 3 · Weaponizing enforcement | Mass-reports / false-flags your ads, Page, account, or product feed to trigger automated bans & disapprovals. | Weakest — plausible, unconfirmed | Meta Google |
| 4 · Reputation / review attack | Coordinated fake 1-star reviews that drop your star rating below display thresholds and hurt CVR. | Thin |
The classic attack. A rival (or a service they hire) repeatedly clicks your ads with no intent to buy, draining your daily budget. Once the budget is spent, your ads stop showing and the attacker wins the now-cheaper auction. Google explicitly recognizes this — its invalid-traffic policy names "manual clicks meant to increase someone's advertising costs" as a category it filters.1
Google Search runs a daily-budget auction, which is exactly what makes budget exhaustion work. Attackers hit your most expensive keywords and your branded terms early in the day; once the cap is spent, you disappear.
Signals: expensive/branded keywords getting clicks but no qualified leads; budget exhausting earlier than usual; repeat clicks from one city, network, or device profile; spend in geos with no sales history; high mobile traffic with very short sessions.8 Diagnose: pull a click report by IP/region/hour and look for concentration that doesn't match your buyer rhythm. Defend: exclude bad geos, block repeat IPs (and whole ASNs/networks, which is far more durable than single IPs), use dayparting, set conservative budgets, and file Google invalid-click refund requests with evidence.
The quieter, costlier attack — and the one most relevant to a Meta-heavy advertiser like MUD. Modern platforms optimize toward your conversion signal. If that signal is corrupted with fake "successes," the algorithm faithfully learns to find more junk, and performance degrades for weeks after the noise stops. Crucially, the research found this is overwhelmingly self-inflicted (duplicate events, counting spam) rather than a confirmed competitor weapon — but a real attack version is documented.
Counting every form-fill or bot submission as a conversion "teaches Google to find more spam." Because spam conversions are cheaper, Smart Bidding — which optimizes for the cheapest conversions — actively seeks more low-quality traffic, creating a self-reinforcing decay loop.10,11
More of a lead-gen problem than an e-commerce one, but the principle holds anywhere you feed the algorithm a "conversion" it can fake.
This is the vector behind MUD's cordyceps Google Shopping ban — and the one we have to be most intellectually honest about. The theory: a competitor mass-reports your ads, Page, ad account, or product feed (or files false counterfeit/IP/policy complaints) to trip the platform's automated enforcement, getting you suspended without ever touching your budget. The enforcement surfaces that could be exploited clearly exist. What the research could not confirm is that competitors reliably trigger bans this way — and the single most alarming mechanism got refuted.
What actually banned MUD over cordyceps: Google's Merchant Center supplement policy does not list cordyceps, mushrooms, or "functional mushroom" anywhere.2 The banned list names things like kratom, ephedra, and "herbal Viagra." So a cordyceps ban is discretionary — an algorithm, a third-party scanner (e.g. LegitScript), or a human reviewer's judgment call — not a rule.3 That's exactly why competitors using cordyceps weren't touched: uneven enforcement, not policy.
Egregious "Healthcare and medicines" flags can suspend the entire account, killing both Shopping ads and free listings at once.3 Separately, false counterfeit-goods complaints (claiming you mimic a brand) are a known account-suspension trigger.17
Signals of a possible flag attack (vs. ordinary enforcement): a sudden disapproval/suspension with no recent change on your side; the same item that ran fine for months; near-identical competitors untouched; a cluster of reports/negative activity right before. Diagnose: pull the actual suspension notice and policy citation — for the cordyceps ban, the appeal correspondence would tell you whether it was algorithmic/LegitScript or report-driven (we never confirmed which). Defend: keep ingredient/claims documentation and COAs ready for fast appeals; verify your Business Manager and reduce account interlinking; avoid claim language that hands a reviewer (or a reporting rival) an easy target; maintain a backup ad account / Merchant Center as a continuity hedge.
A coordinated flood of fake negative reviews — from bot accounts or hired reviewers, posted in a compressed window — to damage your brand and, indirectly, your ad performance.16 This was the thinnest-evidenced vector in the research; treat the ad-performance link as plausible mechanism, not proven cause.
The concrete mechanism: Google only displays Seller Rating stars on your ads if your composite is ≥3.5 stars. A review-bombing campaign that drags you below 3.5 makes the stars disappear from your ads entirely15 — a measurable CTR/CVR hit, not just a vanity metric.
Defend: report coordinated fake reviews to the platform with evidence (timing clusters, no-purchase reviewers), keep a steady flow of genuine reviews so a burst can't dominate, and watch whether your Seller Rating stars ever drop off your Google ads.
The asymmetry is the whole point: attacks are cheap to commission, damage is expensive to absorb.
There's no statute literally named "click fraud," but competitor sabotage is actionable — and recent precedent is favorable to victims. The key is picking the right theory.
| Case / law | What it establishes · status |
|---|---|
| CPI v. Vivint (4th Cir., affirmed Jul 22 2025) | The headline precedent: a jury found systematic unfair competition and awarded $189.7M ($49.7M compensatory + $140M punitive), affirmed on appeal. Compensatory split across four theories — Lanham Act $5.4M, common-law unfair competition $13.5M, tortious interference $1.5M, NC deceptive-practices $29.3M.4 Caveat: the conduct was deceptive door-to-door sales, not ad-platform sabotage — it's precedent on the legal theories, not a direct ad case. |
| Tortious interference | The most durable theory for ad sabotage. In Motogolf v. Top Shelf, the CFAA claim was dismissed but the tortious-interference claim survived.5 |
| Lanham Act / unfair competition | Deceptive commercial conduct that harms a competitor — a core CPI v. Vivint theory.4 |
| Computer Fraud & Abuse Act (CFAA) | Available in theory — Juju v. Native Media held click fraud can violate the CFAA13 — but it repeatedly fails where your ads/site are publicly accessible (no "unauthorized access"), as in Motogolf.5 |
| Lane's Gifts v. Google (2006) | Landmark click-fraud class action; Google settled for $90M (~$30M fees + ~$60M ad credits), admitting no liability.13 |
Reality check: proving who did it is hard (IP rotation, proxies). Litigation is a last resort after you've gathered hard evidence; the first lines are technical defense and platform refund/appeal claims.
A consolidated watchlist. None of these alone proves sabotage; clustering across several is the tell.
Work from cheapest test to most expensive. The goal is to rule a competitor in or out before you spend money or legal effort.
The cordyceps ban, honestly: our instinct was "a competitor got our Shopping feed banned." The research points somewhere more mundane and more useful — Google's supplement policy doesn't list cordyceps anywhere, so the ban was a discretionary call by an algorithm, a third-party scanner, or a reviewer. That fully explains why same-ingredient competitors stayed live: uneven enforcement, not a rule, and not necessarily anyone reporting us. A competitor flagging us is possible but we have no evidence for it — and the scariest version of that mechanism (one flag nuking all linked accounts) was refuted. If we want to actually know, the suspension notice and appeal thread would tell us.
Our current Meta bot/zero-duration traffic: still reads as delivery/affiliate fraud or signal noise, not targeted sabotage — it's broad, it scales with our own Reels/Advantage+ expansion, and it's not the concentrated, branded-term, budget-exhaustion pattern a rival would use.
What to actually do: (1) Treat signal hygiene on Meta as the priority — validated CAPI, dedup, weekly conversion-to-revenue reconciliation. (2) Keep supplement/claims documentation ready so any future Merchant Center or Meta flag is a 48-hour appeal, not a multi-week outage. (3) Run the §9 diagnosis once on our worst campaign to formally rule a competitor in or out. (4) Only buy a click-fraud tool if that diagnosis shows concentrated, targeted clicks — otherwise it's solving our smallest problem.
Defensive research for MUD\WTR growth, v2 (Meta-focused rebuild). Findings were fact-checked with adversarial verification; claims that failed verification are flagged in-line and excluded. Source quality is mixed: platform policy definitions and court records are primary/high-confidence; click-fraud and agency blogs are corroborated across vendors but have commercial incentive to dramatize. Vectors 3 (enforcement weaponization) and 4 (review attacks) are the least-evidenced — treat as plausible mechanisms, not established fact. Statistics vary by methodology — directionally reliable, not exact.