Ad Fraud: What it is, the Different Types & How to Prevent it
In 2016, from every $3 spent on digital ads, ad fraud took $1, which led to an estimated loss of $7.2 billion globally.
Reports from eMarketer show ad spend loss to ad fraud worldwide rose from $35 billion in 2018 to $42 billion in 2019—with an estimated projection of $100 billion loss in 2023.
The ad fraud space is now an ever-evolving organized cybercrime industry causing publishers and advertisers to lose their funds.
How do you think ad fraud is affecting advertisers?
A research firm, Advertiser Perception, ran a poll of 317 US marketers to confirm this theory—and 37% of respondents said ad fraud was their worst issue in programmatic ad buying.
With stats like this, you see that ad fraud is a big issue in programmatic advertising. So today, we’ll share all you need to know about ad fraud, starting with the definition.
What is Ad Fraud?
Ad fraud, also known as IVT (invalid traffic), is the practice of fraudulently misrepresenting online ad impressions, clicks, traffic, conversions, or data to generate revenue.
Ad fraud encompasses advertisers and publishers using different techniques in attacking video ads, banner ads, mobile ads, affiliate marketing, search engine ads, etc.
Contrary to most assumptions of ad fraud being bot-induced—bots are only one of 10 techniques—most are human-controlled. However, there are 2 characteristics you should keep in mind in every ad-fraud occurrence.
Characteristics of Ad Fraud
There are 2 characteristics of Ad Fraud, namely:
- Human Traffic
- Bot Traffic
Human traffic is the most common characteristic of ad fraud and the most difficult to prevent and track. While the traffic is from humans, which in most cases means click farms, the impressions generated are fake.
An investigation by Veritasium into fake human traffic with Facebook ads as a study shows a large percentage of Facebook’s advertising model is based on ad fraud. For example, in the investigation, a Facebook ad generated 80,000 new followers for the Veritasium page but had 1% engagement.
These numbers drove down the engagement, reach, and overall impressions of the page.
The same goes for the investigation done by Rory Cellan-Jones, Technology Correspondent at BBC News, on “fake human traffic” done by humans. He discovered even though he was getting a massive amount of likes, the engagement was slim. Upon filtering his ads, he found that he had fewer likes but a better engagement. In his words:
“Then I sat down to analyze the results, with the aid of Facebook's adverts manager page. I'm a newcomer to the arcane world of online advertising metrics, but one thing leaped out. When my advert was broadly targeted, the click-through rate - the number of clicks on the advert divided by the number of times it was shown—was 0.55%. That had generated nearly 3,000 "likes" over four days. But when I restricted the advert to UK users, the click-through rate fell to 0.059%—about a 10th as many. And in the one day that advert ran, I achieved just 17 "likes" for my $10.”
All of these confirm most advertisers' and publishers’ fears about the risks associated with running ads likely to be unprofitable.
Bot traffic, sometimes called non-human traffic, is fake impressions on ads by bots. In most occurrences, bot traffic is easier to detect and prevent.
Using bot traffic in ad fraud takes the approach of automating impressions on ads. This type of fraud is common on PPC (pay-per-click) campaigns.
An example is when you run an ad on Google for generating leads. If a bot comes across this ad, the program on which it runs will click on the ad and immediately bounce back to the SERPs (Search Engine Ranking Pages). When this happens, there’s a 100% bounce rate on that page and zero leads for the company running the ad—which means no gain on running the ad.
Let’s discuss the types of techniques used in ad fraud.
Types of Ad Fraud Techniques
There are several ad fraud techniques; more are discovered every day. For this blog post, we’ll cover 10 common ad-fraud techniques.
Domain spoofing is a type of ad fraud that impersonates a publisher’s domain and dupes advertisers to place their ads on them while paying premium prices.
Publishers reserve spaces on their website for advertisers. The price varies depending on where the advertisers want the publishers to place their ads and the duration of the ad.
Fraudsters use this opportunity to create a fake domain with the publisher’s address and pass this off to advertisers as the “real” publisher’s websites.
Once advertisers fall for this, they get good impressions, traffic, and clicks just like the actual website, but they are all fake and have no engagements.
Publishers and advertisers both lose money to domain spoofing. A major case involved the Financial Times (FT).
In 2017, the Financial Times uncovered major ad fraud targeted at its website through domain spoofing. This cost FT $1.3 million in revenue.
Anthony Hitchings, Financial Times Digital Advertising Operations Director, said:
“The scale of the fraud we found is jaw-dropping. The industry continues to waste marketing budgets on what is essentially organized crime.”
The concept of domain spoofing goes deep into selling fake ad posts to advertisers and collecting valuable personal information from individuals.
Pixel stuffing is an ad fraud technique fraudster publishers use to place an entire ad into a 1x1 pixel area.
A 1x1 pixel area is invisible or less visible to the naked eye but still counts as a viewed impression. It won’t generate tangible results, but counts as an impression.
This type of ad fraud is common on CPI (cost-per-impressions) ads.
Publishers found doing this are mostly banned or blacklisted—and in some cases, third-party cyberattacks on the publisher’s website can cause this.
Ad stacking is a technique similar to pixel stuffing. In this case, the fraudster publisher stacks ads on top of each other.
With these ads stacked, users viewing the ads can’t see ads beneath, just the one on top. The advertiser on the other end will be paying for these impressions even though the user never sees them.
Ad injection is the fraudulent injection or replacing of an already existing ad with a new one without the publisher’s permission.
By replacing the ads, the fraudsters earn on the impressions these ads get, ripping off the publisher.
An example of ad injection: Apple found an H&R Block ad that appeared on its website without its permission.
Another example is the Verizon ad injection on the Sears website.
The main problem with ad injection: It’s not immediately detected unless you’re on the lookout.
Commonly, these ads infiltrate the publisher’s website through cookies and installed extensions.
Cookie stuffing is the practice of stuffing browsers of unsuspecting users with affiliate cookies of unrelated websites. If the user later visits the website and purchases, a certain percentage is paid as commission to the affiliate.
Affiliate websites, especially ones from e-commerce brands, run a significant risk of cookie stuffing from fraudsters. In this case, fraudsters will analyze your traffic and user behavior based on buying pattern and frequency then drop fake affiliate cookies into users’ browsers.
These fake cookies will replace your cookie and once the user makes a purchase, they get paid your supposed commission.
Here’s a visual example of how cookie stuffing works from Instapage.
Cookie stuffing is no small crime for e-commerce brands. For example, see eBay and Shawn Hogan. eBay worked with the FBI to uncover the massive cookie stuffing ad fraud done by Shawn Hogan costing eBay over $28 million paid in affiliate commissions.
These are just a few of several other cases of cookie stuffing.
What comes next is worse—geomasking.
Geomasking in ad fraud occurs when fraudsters hide or spoof their real location to appear to advertisers as a genuine traffic source. In running ad campaigns, certain regions have more ad spending and higher conversions compared to the others.
An example is the U.S. and most of Europe for most ad campaigns due to their higher conversions. Fraudsters in this case geomask their real identity with a VPN or RDP to appear as real traffic to advertisers.
Let’s say you run an ad targeting dentists in the U.K. Geomasked traffic from the Philippines identifying as someone in the U.K. can skew your data and give you impressions. In this case, you’re not reaching your target—all while losing money due to poor traffic sources.
Click spamming, also known as click flooding, is an ad-fraud technique that sends a large number of low-quality clicks to an attribution or MMP tool and waits for users to install an app.
Once the user installs the app, the fraudster receives the commission meant for the advertisers.
Other ways fraudsters benefit from click spamming include:
- Injecting clicks into the apps to generate commissions off impression clicks
- Running invisible ads in the background while the app is running
- Stealing private information from user devices
Compared to other ad fraud techniques, click spamming is the least threatening since it depends on users installing the affected apps. Also, with frequent updates, these “click floods” can easily be detected and removed.
Side note: MMP stands for Mobile Measurement Partner. It’s a platform that collects app data from user interaction and analyzes the performance and engagement metrics.
Click injection is a common technique mostly found on Android mobile devices. It occurs by simply being the “last click” that led to an app install.
Fraudsters infiltrate mobile devices by spamming links into the attribution tool and letting them only take effect upon app installation. The attribution tool reads this as a real user download and rewards the fraudster based on commission.
Click farms consist of a large group of low-paid workers hired to specifically target paid ads in the effort to “fake” the increase in impressions, clicks, and overall engagement of ads.
The concept of click farms is simple—click ads and drain the advertiser's budget.
From HBO’s “Silicon Valley” Series
As discussed earlier, this type of ad fraud falls under the human traffic characteristics of ad fraud, and they’re the most difficult to curb and prevent. This is due to the location where most of these frauds occur—China, India, the Philippines, Egypt, and countries with little to no regulations against ad fraud.
A botnet, short for “robot network,” consists of a network of largely malware-infected devices carrying out forms of ad fraud on unsuspecting users’ devices.
With these networks, fraudsters can control users’ web browsers and redirect traffic to different online ads.
Some of the popular botnets discovered include:
- GameOver Zeus
These are the 10 types of ad fraud techniques you’ll likely come across. Others include:
- MSISDN Injection
- iFrame Traffic
- Datacenter Traffic
These all contribute to the massive chain of different ad fraud techniques.
While most cases of ad fraud are not your fault as an advertiser or publisher, preventing it is possible.
5 Ways to Prevent Ad Fraud
The fundamentals of ad fraud are based on maliciously attempting to benefit off publishers and advertisers. Setting up security parameters on both ends is the key to preventing further ad fraud. Five ways to do that:
1. Use an ads.txt file
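An ads.txt (Authorized Digital Sellers) file is a public text file, hosted on the publisher’s own domain, that lists the ad systems and seller accounts authorized to sell that publisher’s ad inventory.
In the process of buying ads, an ads.txt file lets advertisers confirm that the seller offering the inventory is approved by the publisher, and, because the file is served from the publisher’s domain, it also confirms who owns that domain.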
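The check a buyer runs against ads.txt, as an added example (not code from this article or any vendor): it parses a constructed ads.txt and screens constructed offers that claim to sell the publisher's inventory. The domains, account IDs and function names are assumptions made for illustration.

```python
from typing import NamedTuple

class Seller(NamedTuple):
    ad_system: str     # domain of the ad system (exchange/SSP)
    account_id: str    # publisher's account ID inside that system
    relationship: str  # DIRECT or RESELLER

# Constructed sample of what publisher.example might serve at /ads.txt.
SAMPLE_ADS_TXT = """\
# ads.txt for publisher.example (constructed)
contact=adops@publisher.example
exchange-a.example, pub-1001, DIRECT, abc123  # trailing comment
Exchange-B.example , 77812 , reseller
broken line without enough fields
exchange-c.example, 555, PARTNER
"""

# Constructed offers, each claiming to sell publisher.example inventory.
SAMPLE_OFFERS = [
    {"ad_system": "exchange-a.example", "seller_id": "pub-1001"},
    {"ad_system": "EXCHANGE-B.example", "seller_id": "77812"},
    {"ad_system": "exchange-a.example", "seller_id": "pub-9999"},  # unknown account
    {"ad_system": "exchange-z.example", "seller_id": "pub-1001"},  # unlisted system
]

def parse_ads_txt(text):
    """Return (set of authorized Seller records, list of malformed lines)."""
    sellers, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 1 and "=" in line:
            continue  # variable record such as contact= or subdomain=
        if len(fields) < 3 or fields[2].upper() not in ("DIRECT", "RESELLER"):
            rejected.append(raw)  # never treat a malformed line as authorization
            continue
        # Domains compare case-insensitively; account IDs must match exactly.
        sellers.add(Seller(fields[0].lower(), fields[1], fields[2].upper()))
    return sellers, rejected

def screen_offers(ads_txt, offers):
    """Split offers into (authorized, unauthorized) against the publisher's ads.txt."""
    sellers, _ = parse_ads_txt(ads_txt)
    listed = {(s.ad_system, s.account_id) for s in sellers}
    ok, bad = [], []
    for offer in offers:
        key = (offer["ad_system"].lower(), offer["seller_id"])
        (ok if key in listed else bad).append(offer)
    return ok, bad

if __name__ == "__main__":
    print(screen_offers(SAMPLE_ADS_TXT, SAMPLE_OFFERS))
```

An offer passes only when both the ad system and the seller account appear together on one line, so a seller using a listed exchange with an unlisted account is still rejected.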
2. Partner With Verified Vendors
Measuring traffic quality and overall ad metrics is a task that should be done only by professional anti-ad-fraud experts. Their goal is to identify invalid traffic and malicious attempts at skewing your ad data. These vendors measure your traffic sources, user engagement, performance, and every interaction on your website—and perhaps your affiliates.
3. Opt for Bot Management Systems
An influx of programmed bot traffic on your website is a bad signal to your ads—and if not prevented, can cause a loss of funds. Opting for a bot management system solves this by filtering out bot traffic and behaviors. Again, content delivery networks are a solution for this.
For example, Cloudflare’s Bot Management feature applies behavioral analysis, machine learning, and fingerprinting to differentiate bots from real humans.
4. Monitor Third-Party Scripts
The effectiveness of ads is dependent on their “reach.” Therefore, publishers and advertisers use third-party scripts like plugins and extensions to their advantage in capturing a larger audience.
This is good for both parties, but the risk outweighs the benefits—especially from these unverified third-party scripts. Therefore, we recommend you monitor all third-party scripts you install on your website or allow access to your sensitive information.
5. Investigate User Interaction
For some kinds of ad fraud, like click spamming and click injections, the publisher and advertisers might have a hard time finding the attack source.
Investigating user interaction at every point up to app installation is a good way to detect and prevent further occurrences. A good way to do this is: Have users reach out to you and report their experience installing and using the app.
Other tips to help prevent ad fraud:
- Use industry-standard preventions such as ads.txt, sellers.json, app-ads.txt, and SCO (Supply Chain Object)
- Have no more than 2 intermediaries between you and the publisher or vice versa
- Vet your publishers and advertisers—and inquire about their ad prevention methods
- Use MRC-accredited ad fraud solutions.
3 Ways to Detect Ad Fraud
Finding invalid clicks and traffic is easy if you’re working with an ad-detection and prevention partner. But what about if you’re solely managing your ads and not sure if you’re a victim? Here are ways to detect ad fraud on your website:
Depending on your industry, click-through rates can be pretty high—but would most likely not be above industry standard. On the other hand, if you notice you’re having absurdly high CTRs with high bounce rates and little to no engagement, then check that out.
Check your traffic sources and the average time-on-page session of most clicks. Then, compare all your findings with the ad's performance—you’ll get your answer.
Suspicious IP Addresses
As discussed, not all ads have the same CPC. In addition, the cost-per-click is relatively high for ads with traffic sources from regions such as America, France, Germany, and Australia. Therefore, advertisers and publishers targeting these areas have certain expectations regarding conversion.
There's a problem in situations where an ad is targeted to traffic from Germany and France, but somehow, the traffic is coming from India or China. So if you find IP addresses from these regions outside your proposed target, the best solution is to ban their IPs from accessing your website.
It’s worth knowing that some fraudsters have advanced software that allows them to geomask their real location. In this case, finding an expert ad-fraud detection partner is the best choice.
Try our latest ad fraud prevention feature, and never worry about draining your ad budget on invalid clicks.
Low Overall Performance
A low or lack of significant performance from some or all of your ad channels is a sign of ad fraud. For example, say you’re running an ad campaign with the same landing page on LinkedIn and Facebook.
Let’s say both channels deliver 10,000 views and 3,000 clicks each in 7 days. Your Facebook ad resulted in 300 qualified leads—while LinkedIn had 0 clicks. It’s unlikely you’d have that many views on both channels and have no clicks—if you find something like this, investigate the sources of your ad traffic.
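The three detection signals above combined into one per-source report, as an added example (not code from this article): it aggregates constructed click records and flags sources with a high CTR plus high bounce rate, very short visits, traffic outside the targeted countries, or clicks that never become leads. The record layout, source names and thresholds are assumptions.

```python
from collections import defaultdict

TARGET_COUNTRIES = {"DE", "FR"}  # assumed campaign targeting
IMPRESSIONS = {"network-a": 10000, "network-b": 10000, "network-c": 2000}  # constructed

def sample_clicks():
    """Constructed click records: (source, country, secs_on_page, bounced, lead)."""
    clicks = [("network-a", "DE", 45, False, i % 10 == 0) for i in range(200)]
    # network-b: a flood of one-second visits, mostly from outside the target.
    clicks += [("network-b", "DE" if i % 4 == 0 else "XX", 1, True, False)
               for i in range(3000)]
    clicks += [("network-c", "FR", 30, i % 3 == 0, i % 20 == 0) for i in range(40)]
    return clicks

def summarize(clicks, impressions):
    """Aggregate per-source CTR, bounce rate, time on page, geo mix, lead rate."""
    agg = defaultdict(lambda: defaultdict(int))
    for source, country, secs, bounced, lead in clicks:
        a = agg[source]
        a["clicks"] += 1
        a["bounces"] += bounced
        a["secs"] += secs
        a["off_geo"] += country not in TARGET_COUNTRIES
        a["leads"] += lead
    report = {}
    for source, a in agg.items():
        n = a["clicks"]
        report[source] = {
            "ctr": n / impressions[source],
            "bounce_rate": a["bounces"] / n,
            "avg_secs": a["secs"] / n,
            "off_geo_share": a["off_geo"] / n,
            "lead_rate": a["leads"] / n,
        }
    return report

def flag_sources(report, ctr_max=0.05, bounce_max=0.9, min_secs=3, off_geo_max=0.2):
    """Return {source: [reasons]}; thresholds are illustrative assumptions."""
    flagged = {}
    for source, m in report.items():
        reasons = []
        if m["ctr"] > ctr_max and m["bounce_rate"] > bounce_max:
            reasons.append("high CTR with high bounce rate")
        if m["avg_secs"] < min_secs:
            reasons.append("very short time on page")
        if m["off_geo_share"] > off_geo_max:
            reasons.append("traffic outside target countries")
        if m["lead_rate"] == 0:
            reasons.append("clicks but no leads")
        if reasons:
            flagged[source] = reasons
    return flagged

if __name__ == "__main__":
    print(flag_sources(summarize(sample_clicks(), IMPRESSIONS)))
```

The country field here comes from IP geolocation, so geomasked traffic will pass the geography check; the bounce, time-on-page and lead-rate signals still apply to it.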
How to Pick The Right Ad Fraud Detection Vendor
There are different levels of ad fraud detection vendors. While most can handle basic on-screen bot intrusion and other ad fraud techniques, only a few can help you prevent it by setting up a rigid system.
Depending on your ad spend and traffic sources, your goal is to find an ad-fraud detection vendor that suits your website and can carefully and efficiently monitor your ads.
Your proposed ad-fraud vendor should have a double-layered approach to ad fraud.
- Immediate ad-fraud detection uses machine learning to understand patterns and fix them.
- In-built shield for all ads to prevent all types of attacks by combining behavioral patterns of traffic sources and recognition of bot activity.
The idea behind this is to protect both advertisers and publishers from the ever-evolving ad-fraud world.
What Happens Next?
The last decade’s advances in technology brought many opportunities to businesses, one being programmatic advertising. Unfortunately, although this is a good thing, it’s also opened doors to malicious attempts by fraudsters trying to make gains.
Ad fraud is a constant. So trying to stop it is only a wish at this point. Protecting yourself and your business is a priority. We advise you to set up preventive measures like using ads.txt, traffic source tracking, sellers.json, etc. Monitoring all of these can be time-consuming, which is why we advise working with an ad-detection vendor like Edgemesh.
If you enjoyed this article, check out our blog for more articles on improving your website for better conversions and traffic.