Ad Fraud

Article Contents

    Digital ad fraud (advertising fraud) is the falsification of the number of times a digital advertisement is clicked on or displayed, which impacts online advertising campaigns – as they aim to display details of a product only to the person who is most likely to want it. In return, the advertiser’s revenue increases and the publisher is rewarded with an advertising fee.

    This is a particularly vital topic for marketers to understand. Fraudulent advertising can make a significant dent in marketing budgets and skew performance results to the detriment of future strategies.

    Digital (online) ad fraud is typically carried out by competitors or fraudulent publishers who utilise automated bot traffic to repeatedly click on ads. In this instance, money is paid by the advertiser to the publisher and the advertising platform, with the potential to defraud a business of huge sums of money.

    How ad fraud works

    The way ad fraud works is simple. Many websites are funded by the sale of advertising and many other companies invest large amounts of money in advertising campaigns hoping to increase revenue in response. The system relies significantly on automated exchanges that will match adverts with potential customers. Digital ad fraud takes advantage of these automated processes to masquerade as real users and take income for displaying adverts to non-existent users. The fraudulent activity affects both advertisers and publishers.

    Advertisers are left paying for adverts that are displayed to non-existent users and publishers suffer increased chargebacks, as advertisers start to identify the number of adverts they suspect have been displayed to invalid traffic (known as IVT). Ad exchanges will detect levels of IVT and when they are too high, can block sites from accessing the exchange.

    How to detect ad fraud

    At Netacea, we work with publishing sites to identify IVT and give site owners a choice regarding how they handle the fraudulent advertising traffic. This could be by blocking a user from accessing the site, or by returning content but not adding ads to the page. Either way, the result is a drop in IVT.

    If you suspect digital ad fraud is being carried out on, there are several identifying factors to be aware of:

    • Repeated visits from the same user agent and spikes in traffic
    • Unusually low conversion rates during traffic spikes
    • Abnormal peaks in the number of clicks or impressions
    • A lack of conversions vs. other platforms

    To reliably identify IVT, we analyse the source and reputation of the origin of all traffic to spot bad actors.

    Preventing ad fraud

    You can aim to prevent ad fraud by working with a technology provider that can accurately detect automated bot traffic and identify fraudulent advertising behaviour, defining actions to be taken in the event of a fraud attack.

    However, working with a vendor that gives you an accurate view of all traffic to your web-facing infrastructure will give you a comprehensive understanding of what ordinary vs. anomalous traffic behaviour looks like, enabling the effective and efficient blocking of malicious activity present in online ad fraud.

    Frequently asked questions about ad fraud

    What is online ad fraud?

    It’s a type of cybercrime that involves the use of bots to generate fake clicks on ads.

    How does advertising fraud work?

    These clicks are used to steal money from advertisers by inflating ad impressions, click-through rates, and other metrics.

    Who uses digital ad fraud and why?

    The perpetrators can be individuals or organized groups who have different motivations for committing this crime, such as making more money off their own ad campaigns or getting revenge on an advertiser they believe has wronged them in some way.

    How to detect and prevent advertising fraud?

    The best way to avoid ad fraud is to carefully review the bidding and targeting features of your advertising platforms. You should also seek advice from cybersecurity professionals who can pinpoint when fake traffic is used.

    How do ad fraudsters make money?

    Ad fraud is usually a money-making scheme. Criminals make money by charging advertisers every time the bots click on their ads.

    It’s up to each publisher, service, and even industry to set its own standards for what constitutes fraudulent behavior in online advertising. Often the regulators don’t care about ad fraud; they instead focus on other aspects of more traditional cybercrime like botnets used in distributed denial-of-service (DDoS) attacks, credit card theft or malware distribution. With these being such large issues the topic of ad fraud will probably never be discussed widely by government officials but it should still be monitored closely.

    Who are ad fraudsters? Have they organised crime gangs?

    The perpetrators are a mix of organized crime gangs and individuals. Some of these groups have attempted to blackmail companies that rely on online advertising, threatening to harm the reputation of those firms unless they pay a ransom.

    Is advertising fraud illegal?

    The use of bots to generate fake clicks on ads is illegal in many countries. Many countries do not have laws that specifically outlaw ad fraud, but the perpetrator of such crime can still be charged with other violations, such as wire fraud or forgery.

    How much money is being made by ad fraudsters?

    Estimates suggest that bot networks are only a small portion of online ad traffic (typically 0.5-3%), and even this segment is highly variable depending on the industry and sector. Nevertheless, we can assume that where ad fraud exists there’s money involved. It’s hard to estimate how much because there aren’t any precise data but it’s reasonable to assume millions per year in revenue at least from botnet operators alone.

    Why does ad fraud continue to trouble the digital industry?

    Although ad-tech companies have been fighting against ad fraud for years, making significant progress in improving programmatic media buying, detecting and blocking malware and fraudulent traffic is still far from easy.

    There are many reasons for this.  In many cases, the real business model behind the bots is hidden, making it difficult to anticipate their next move.  The methods used by botnets to control advertising traffic may change rapidly. For example, a simple click on an ad may mean different things today than it did just three months ago.   The use of digital advertising fraud as a weapon has changed (for example cyber-attacks with DDoS). Another challenge is that although ad-tech companies can block traffic from known sources of malicious traffic, it’s hard to predict what new sources might emerge.

    What does the future hold for the fight against advertising fraud?

    The complexity and extent of the problem mean it will be very difficult to completely eradicate ad fraud, but there are a number of things that can be done.

    How can publishers combat ad fraud?

    Publishers can take a number of steps to combat ad fraud. First, they should use tools that can detect suspicious behavior from bots. Second, publishers should be ready to respond quickly if they think their ads are being displayed on bad sites where ad fraud is occurring.

    How can advertisers combat ad fraud?

    Advertisers can take a number of steps to combat ad fraud. First, they should be cautious about what sites their ads are being displayed on. Advertisers should also keep an eye out for suspicious behavior from the publisher and demand evidence that proves the site’s validity, such as reports from independent third parties or certificates attesting to the site’s compliance with recognized standards in digital advertising.   Finally, advertisers need to use tools that can help them track how often users click on their ads and browse around their websites in order to make informed decisions about where to spend their money on digital advertising in the future.

    How can ad tech companies combat ad fraud?

    The methods used to combat online advertising fraud are constantly evolving, but the job is made easier because of a range of tools and techniques that can be applied to block known sources of malicious traffic. The digital advertising industry as a whole has grown much more sophisticated over recent years, but the process remains a cat-and-mouse game: it’s highly likely that new types of bots will emerge in future.

    What you can do about mobile advertising fraud?

    If you’re faced with mobile advertising fraud – there are a few options.  First, check your agreement with the ad network – it might have special terms for its mobile traffic and be able to ban specific countries even at the request of the publisher.  Secondly, if this doesn’t work – don’t wait until the next billing cycle and look into other networks that can get more clicks from your country. If this is not an option either, you can always block all traffic coming from specific countries or just limit it by geo-targeting (this will also help lower your CPL).

    At what ad spend level does it make sense to pay attention to ad fraud?

    It really depends on the ad network. As soon as you start seeing your impressions dropping – it’s a clear sign that something’s wrong. There are certain thresholds when an advertiser should pay attention to fraud. If, for example, it is 10-20% of your total traffic, then this is a clear warning signal and you need to further investigate what might be going on. But if it’s less than 5% – I would not worry about it too much because there are always additional factors that influence CPMs such as seasonality or ad unit type (e.g. video ads will cost more during Christmas holidays).

    What metrics do you recommend to measure ad fraud?

    There are two main metrics that will help you detect suspicious activity. First, the click-through rate (CTR) – the average CTR is 2-5% on most ad networks. Second, look at your traffic sources and make sure that they reflect well on what you do as a publisher.

    What are the most blatant ways ad fraud has been conducted in the past, present, and future?

    Extremely blatant ways of generating fake traffic are banner- and pop-under-injection. Recently, there has been a rise in the use of bots from countries with developing economies, whose users rely on mobile internet. There are several reasons why someone would use fraud, f.ex. to make money (you get paid for ads that you didn’t actually serve) or to boost their own ratings (which can be used as part of a business model).

    Why is blockchain believed to solve the problem of advertising fraud?

    Because it is a transparent, shared ledger between multiple parties in order to track transactions. It’s also a suitable technology for digital ad markets because it provides an efficient way of getting rid of the so-called “middleman”, i.e. the trusted party whose role was to validate and authenticate all transactions.

    Block Bots Effortlessly with Netacea

    Book a demo and see how Netacea autonomously prevents sophisticated automated attacks.
    Book

    Related

    Blog
    Netacea
    |
    29/04/24

    Web Scraping

    Web scraping (or web harvesting or screen scraping) is the process of automatically extracting data from an online service website.
    Blog
    Netacea
    |
    29/04/24

    Two-Factor Authentication

    Two-factor authentication (2FA) is an extra layer of security to help protect your accounts from hackers and cybercriminals.
    Blog
    Netacea
    |
    29/04/24

    Non-Human Traffic

    Non-human traffic is the generation of online page views and clicks by automated bots, rather than human activity.

    Block Bots Effortlessly with Netacea

    Demo Netacea and see how our bot protection software autonomously prevents the most sophisticated and dynamic automated attacks across websites, apps and APIs.
    • Agentless, self managing spots up to 33x more threats
    • Automated, trusted defensive AI. Real-time detection and response
    • Invisible to attackers. Operates at the edge, deters persistent threats
    Book a Demo

    Address(Required)