Of all the adtech trends people are talking about this year, it’s safe to say that ad fraud is the one everyone wishes would just go away. But there’s no escaping it, ad fraud is a very real problem. From clickbot fraud to malvertising, costs associated with digital advertising fraud were estimated to have reached approximately $81 billion in 2022 and are forecast to reach $100 billion in 2023. Money lost to advertising fraud has now surpassed credit card fraud and research suggests that up to 10.5% of digital marketing activity is fraudulent.
Ad fraud schemes are evolving fast and the term ‘ad fraud’ has become synonymous with a whole range of different methodologies. Methodologies like PPC fraud, malvertising, bot fraud, domain spoofing, and clickbot attacks, all of which we’ll delve into below.
For an industry already wearied by recession and feeling the squeeze of ever-tightening ad budgets, the rise in ad fraud is a legitimate concern. And for ad platforms, fraud prevention and ad fraud protection mechanisms are fast becoming a fundamental imperative, both for ad spend optimization and for preventing reputational damage.
Advertising fraud is any attempt to defraud an advertiser or publisher. Scammers use various methods to generate stolen revenue by tricking ad platforms into paying them. Fraudsters do this by falsely representing online ad impressions, conversions, or clicks. Any activity of this nature is known as invalid traffic.
When we think of advertising fraud, the first thing that typically comes to mind is fraud on the supply side. Bot fraud stealing from publishers. But that’s only half of the picture. The other half, demand-side fraud, involves stealing from advertisers.
Common types of demand-side fraud include PPC fraud (fake clicks and impressions generated by a clickbot or human agent) and attribution fraud (in which the wrong person gets paid for a publisher’s work). Demand-side fraud like PPC fraud and ad attribution fraud damages advertiser-publisher relationships and leads to security violations when fraudsters circumvent user consent to track users.
Several high-profile cases have started to emerge over the past few years. In February 2023, an investigation by fraud prevention and anti-malware platforms DeepSee and Malwarebytes uncovered a new online ad fraud ring. The attack, dubbed “DeepStreamer”, involved illegal movie streaming platforms selling ad inventory through Google Ad Manager.
Malwarebytes Labs reported that these streaming sites generated an estimated 210,550,928 visits in January 2023 and hundreds of millions of bid requests between January and February. By even the most conservative estimates, advertiser spend on the scheme is thought to have reached between $120k-1.2 million in January 2023 alone.
The scam emerged only shortly after reports of another large-scale attack. The Vastflux attack, discovered by researchers at Human Security in early 2023, is one of the biggest ad fraud campaigns ever uncovered. 1700 spoofed apps were found, impacting 120 targeted publishers, and resulting in 12 billion false ad requests daily.
“It’s clear the bad actors were well organized and went to great lengths to avoid detection, making sure the attack would run as long as possible – making as much money as possible”, comments Marion Habiby, data scientist at Human Security.
The rise of programmatic advertising, which automates the media buying process, has both revolutionized and complicated the digital advertising landscape. As well as increasing ad efficiencies and reducing advertising costs, programmatic platforms have also created an environment where clickbot scammers and PPC fraud schemes can thrive. Moving forward, these platforms will need to fortify themselves against bad actors with improved ad fraud protection mechanisms.
Advertising fraud is a serious problem for the digital advertising industry. Not only does it damage the monetary value of a platform’s ad inventory, but it also robs advertisers of their ability to accurately gauge the effectiveness of campaigns.
“Mobile ad fraud devours marketing budgets, contaminates performance data and can turn successful campaigns into losses” comments Andreas Naumann, anti-fraud evangelist for AppsFlyer.
Take ad stacking, for instance, when multiple ads are layered on top of each other in a single ad placement, with only the top ad visible to the user. If a campaign is impacted by ad stacking, the ratio between impressions and clicks is distorted, making it virtually impossible to generate an accurate assessment of that campaign’s performance.
Ad fraud also erodes reputation. If a publisher’s website is compromised by bot fraud or fake ads are injected onto the platform, it can quickly lead to a loss of trust even if the publisher isn’t at fault. Some fraudsters take this one step further still by setting up their own fake ad platforms. Advertisers are reeled-in with cheap ad space, forcing legitimate publishers to follow suit and, in so doing, devaluing the entire market.
“Invalid traffic is a major issue in the ad world,” comments Dhiraj Gupta, co-founder of ad fraud detection company mFilterIt. According to Gupta, invalid traffic is leading to “a dysfunctional interaction system between brands and consumers”.
Ad fraud isn’t a singular thing. It encompasses many different activities and techniques. The Interactive Advertising Bureau categorizes these schemes into three distinct groups: schemes based on fake traffic, fake supply, and fake data.
Schemes based on fake traffic typically use a variation of bot fraud. These schemes involve falsely inflating the number of website visits and engagements to increase the total number of impressions registered. This is a type of PPC fraud and includes methods such as:
Bot fraud: programs that trick publishers into thinking that users are engaging with ads by generating false clicks, page loads, and plays via a clickbot.
Click fraud: groups of real people paid to engage with ads across platforms, on mass. Both bot fraud and click-based PPC fraud are types of ‘human traffic impersonation’.
Ad hijacking: modifying a device to perform desired actions (such as clicking on a link or creating an ad request) without the device user’s consent.
Ad stacking: layering multiple ads on top of each other in a single placement. Users unknowingly view multiple ads and advertisers pay for the impressions.
Pixel stuffing: reducing ads in size so that they aren’t visible to the human eye. Ads are technically ‘viewed’, and advertisers still have to pay for each impression. Both ad stacking and pixel stuffing are types of ‘invalid human activity’.
Schemes based on fake supply involve tricking advertisers into bidding on illegitimate placements and include methods such as:
Ad injection: hacking web pages and inserting ads without the publisher’s consent. Ads may be visible or hidden behind other pieces of content.
Cross-domain embedding: connecting two websites via an iFrame (an HTML element that places a second webpage within a parent page) to trick advertisers into bidding on ads served on unsafe or low-quality websites.
Domain spoofing: there are various types of domain spoofing. A common spoofing method is URL substitution (changing URLs at the time of bidding so that ads are served on a different website than was originally bid on).
Schemes based on fake data involve hacking performance metrics to show buyers inflated impression, viewability, and website visit metrics, giving a false impression of performance.
Ad fraud isn’t going to disappear overnight, meaning ad fraud prevention is set to become a mainstay of every adtech platform and marketing room very soon. Thanks to emerging ad fraud prevention technologies, there are actionable ways to start combatting fraud head on.
Publishers often become unintentional hosts for fraud. Publishers can help to prevent this from happening by rigorously monitoring their inventory for signs of fraudulent activity. And this doesn’t have to be a labor-intensive process. Tools like DoubleVerify and Integral Ad Science are specifically designed to detect fraud and deliver verified inventory to advertisers.
Getting independent verification from third-party fraud-detection platforms helps SSPs and DSPs block questionable traffic before it becomes a real problem. Platforms like Human Security offer DSP, SSP, and Media Owner protection that ensures their inventory is free from bots. In turn, this increases platform legitimacy.
Some in the adtech industry are turning to blockchain as an ally against ad fraud. Ad fraud prevention platform, Adwatch, for example, leverages blockchain for advertisers, publishers, and ad networks, to certify programmatic campaigns. By encrypting campaign metrics in the blockchain, Adwatch creates an immutable ledger where all data can be tracked and accounted for.
“The Adwatch vision is to secure the entire programmatic advertising supply chain with a unified set of data that’s been verified, that’s secured by blockchain, and that’s free of discrepancies” reports Adwatch.
Setting clear viewability standards for ads ensures that they are served in legitimate and viewable formats. Setting strict standards for the size, placement, and maximum loading times for ads prevents them from being served in fraudulent ways - like pixel stuffing, ad injection, or ad stacking.
Keep a blacklist of any known, fraudulent domains. Blocking these domains from receiving ad impressions, prevents ads from being served on fake websites set up to generate fraudulent clicks and impressions.
The growth of ad fraud is in many ways a story of success. The proliferation of clickbot fraud, malvertising, and various other forms of advertising fraud is the unfortunate side effect of a thriving digital advertising industry. Carried by the digital ad boom, fraudsters stumbled upon an easy and profitable enterprise.
Preventing ad fraud will be no easy task. Like a virus, ad fraud is constantly mutating and one scheme can have dozens of variants. And that means ad fraud protection measures must act equally fast. Whether or not advertising fraud will ever be eradicated is questionable. What is certain is that to protect budgets and limit reputational damage, ad platforms now have only one option.
Last Updated: 11 October 2023
In an industry defined by constant innovation, Adtech specialist Bradley helps customers realise their strategies with reliable, scalable infrastructure.
He’s a Reading FC and F1 fan, and father of two.