Yes, but those aren’t spoofed identities, they’re actual humans intentionally clicking the link. This is harder for the defender to defend against, but it’s also vastly harder for the attacker to scale. Defenses against this sort of “organic” traffic do exist, because this is something that people committing ad fraud attempt to do using compromised browsers of real people.

Edit: I mostly want to stress that there’s a huge body of (largely proprietary) work on this topic. Thousands of skilled people have been full-time employed for decades thinking about exclusively this topic, on both the offensive and defensive side, in a continuously escalating arms race. Anyone just getting started on this topic has a couple of decades of literature review to catch up on before they should imagine that their proposals are novel. I don’t mean to discourage you if it’s a topic you find interesting, but you should bear in mind that the answer to “But has anyone thought of XYZ?” is “Yes” for basically all values of XYZ. There’s a lot of money at stake if the answer is no.