According to a 2017 report conducted by Juniper Research, ad fraud is worth around $19 billion a year, or $51 million per day, and this figure is expected to rise and surpass $44 billion by 2022 — a figure north of $100 million per day.
This makes ad fraud the most lucrative form of cybercrime, and because of this, we can only expect threats and methods to continue to accelerate in popularity and sophistication with each passing year[*].
The scope of ad fraud is numbing, and it affects every portion of the web via domain spoofing, fake ads on websites, fake mobile app installs, and more. A study released by AppsFlyer in 2018 found that 11.5% of all marketing-driven installs were fake[*], and in 2015 for every $3 spent in digital advertising, $1 is estimated to have gone to fraudulent enterprises[*].
Ad fraud is a monumental issue facing everyone from the internet giants like Google and Facebook to local businesses attempting to run profitable ad campaigns. There are incentives to reduce fraud and maintain honest markets on all sides, although with many types of fraud, search engines reap short-term profits.
We’re going to cover the definition of ad fraud, who usually commits ad fraud, the major types of ad fraud, and most importantly, what your team can do to reduce your risks.
What Is Ad Fraud?
Ad fraud is any attempt to manipulate or game the digital advertising system for financial reward.
Ad fraud includes everything from hidden ads to what’s known as invalid traffic and includes things like invalid clicks, installation fraud, botnet attacks, etc.
The popular types of ad fraud change in style and sophistication every year. Fraudsters are sort of like a virus — the more you fight them with targeted vaccinations, the more the bad faith players resist and build up defenses.
It’s not only important to understand what types of ad fraud there are, which we will cover momentarily, but also who could be committing them against you.
Who Commits Ad Fraud?
Here are a few common types of ad fraudsters:
Rogue hackers and sophisticated criminal enterprises
Political activists (usually only for larger companies)
Competitors looking to spike costs for their competitors
Like all crime, ad fraud falls into two camps: organized and unorganized.
Unorganized ad fraud is typically negligible and extremely difficult to detect due to the manual and personal nature. Organized ad fraud can be much more damaging but is being pursued by the ad platforms and DSPs you’re working with as well.
The types of fraud and sophistication vary according to the type of person or organization they are. For example, an angry customer may click a few ads knowing they are making you pay for those clicks, but they wouldn’t set up an entire botnet with masked and unique IPs designed to farm clicks.
Who Is Most Susceptible to Ad Fraud?
While ad fraud affects everyone, there are industries where it is more rampant. Industries with extremely competitive search terms and strict geographical boundaries are most at risk. Some of these include:
Law firms (sometimes clicks can be worth up to and over $600!)
Home renovations or interior decorating
Doctors and dentists
Any other professional service with an extremely high customer lifetime value
Companies with outdated and vulnerable websites/security systems
Those click prices sound insane, but it makes sense when you think about it. If a lawyer can make $10,000 off of a client, then even paying for 10 x $600 clicks would still yield $4k in revenue if they land the client. It’s also worth noting that these extraordinarily high click fees aren’t set by Google; they are strictly a function of market competition and supply/demand calculations.
Unsurprisingly, the more you spend on digital ads the more you can be burned by ad fraud. It’s important to keep this in mind as you scale your enterprises to make sure you are getting a reliable ROI from your marketing efforts.
The Major Types of Ad Fraud You Need to Know About
There are many different types of ad fraud, from competitors attempting to waste their competition’s money through click fraud campaigns to incredible botnet farms that can imitate hundreds of thousands of IP addresses.
Here are the basic ad fraud types you should have on your radar:
Click fraud is an umbrella term for any type of fraud that abuses or manipulates clicks to make a profit. Common examples of click fraud include:
A competitor repeatedly clicking on expensive search term ads from their competitors.
Faux websites with bots that click into ads and immediately bounce away from the advertiser’s page, making the publisher money.
Networks of fake websites and “unique” IP addresses that publish and click on your ads and charge you money.
Annoyed employees who click on your ads.
Cookie Stuffing or Affiliate Fraud
Cookie stuffing or affiliate fraud occurs when bad faith players stuff URLs with affiliate strings that mimic conversion events and initiate affiliate kickbacks without actually being legitimate.
When executed correctly, cookie stuffing makes your campaign look like it’s doing fantastically when in reality you are losing money. If you notice extremely high conversion rates but aren’t receiving that feedback from your sales team or sales reports, then you may be a victim of affiliate fraud or cookie stuffing.
Click hijacking occurs when mobile malware is buried inside a user’s phone via legitimate-seeming apps, and this malware co-opts the ad attribution immediately after a legitimate click.
Hidden ads are digital ads that criminals hide with CSS. Then, they set up their ad platform to pay them based on impressions instead of clicks and reap the benefits. If you notice an extraordinarily low click rate to impression count, you may be a victim of hidden ads.
Domain spoofing is when criminals trick legitimate buyers into clicking on an ad that either looks like or is directly ripping off of a legitimate company but instead links them to a low-quality website where it tries to get users to input sensitive information.
There is also a sophisticated form of domain spoofing when users can be redirected to a different URL than the ad provided entirely, but this is only possible with a proxy server or other compromised assets like a user’s computer or publisher website.
This is when fraudsters build bots that can fill out forms or other typical conversion events and inflate your conversion stats — affecting any of your existing Cost per Conversion campaigns.
Digital Ad Fraud or Impression Fraud
This is when advertisers pay for specific impressions on chosen sites but fraudsters use iframes to redirect those ads to low-quality sites instead, blurring your results and preventing your dollars from being spent legitimately.
Mobile Ad Fraud
Mobile ad fraud is another broad term that covers any ad fraud that occurs on a mobile device. This includes false impressions, click fraud, click injections, or bot installs.
For example, illegitimate publishers who want to attract more false impressions may stuff a bunch of ads into a single pixel or build an advertisement location outside of a typical mobile view to inflate their numbers[*].
Another example of mobile fraud is click injections. Click injections occur when fraudsters piggyback off of organic users’ Android metadata to trigger a click immediately after an app install, resulting in a real user but a false attribution, which triggers an app install ad payout if set up correctly.
App Installation Fraud
App installation fraud is very popular these days, and click farms sometimes pay people low wages to download an app, do some basic interactions, and then uninstall the app.
Fake installs are also common, which is when fraudsters use emulation software to create a series of fake devices with fake users. These fake users use a script to engage with an ad and download an app, which triggers an ad attribution event.
User Falsification Fraud
Video ad fraud occurs when someone is either profiteering from falsifying impressions or user legitimacy.
For example, one type occurs via geography misrepresentation — where fraudsters seeking higher costs per impressions falsely claim their traffic is coming from U.S.[*].
In other words, fraudsters disguise their IPs as being higher quality users but actually only display ads to low quality or irrelevant users. E.g. if you were a local tire shop in Indianapolis but had ads actually showing to people who lived in Lithuania.
Botnet Ad Fraud
Botnet fraud is arguably the most sophisticated type of fraud. Hackers use networks of ISPs and computers to send fake clicks and impressions to ads. They usually make money by clicking their own ads to get money from the DSP (Demand-Side Platform – e.g. Google Ads).
One of the most prolific botnet schemes was known as Methbot, which when discovered had an infrastructure consisting of 571,904 dedicated IPs, 6,000 domains, and 250,267 distinct URLs, and all of those could house a video ad and used variants of famous publisher names to fool users[*].
As you can tell, there are a bunch of ways to commit ad fraud, so what can businesses do to ensure the safety of their advertising efforts?
The Smartest Ways to Reduce Ad Fraud in Your Business
While DSPs like Google Ads and Facebook are investing enormous resources into combating ad fraud and their detection grows in sophistication each year, there are still a variety of strategies you can implement to protect yourself from ad fraud.
1. Try Baiting the Bots
If you’re seeing super high conversion rates on a form but aren’t seeing many legitimate users, you can try to add a hidden form field to trick bots. Because actual humans won’t look inside the code, they won’t fill out that form question — only bots will.
2. Block IP Addresses
Export your server logs and search for repeat IPs in mass. If a particular IP address occurs thousands of times without meaningful interaction, go ahead and block that address.
3. Use Anti-Fraud Software
There are many software companies that have built applications that test and monitor your ads to reduce and point out potential instances of ad fraud. You can view a list of those here.
4. Refer to ROAS Instead of “Vanity” Metrics
Just because you may be a victim of ad fraud doesn’t mean you can’t make a profit with ads. Instead of measuring everything against impressions and clicks, always refer to your Return on Ad Spend and have proper tracking up. In other words, if you know you spent $5,000 on ads and got back $15,000, that’s all you really need to know.
5. Consider Implementing Ads.txt
Ads.txt is an IAB-pioneered industry solution designed to restrict inventory between publishers and distributors to only approved vendors. This eliminates faux publishers scamming people with click fraud.
Ads.txt works by creating a public record of authorized digital sellers for publisher inventory that programmatic buyers can index and reference if they want to purchase inventory from authorized sellers[*].
It works like this:
Publishers post their list of authorized sellers to their domain.
Programmatic buyers crawl the web for those fields and create a list of authorized sellers for each of those publishers.
Programmatic buyers filter and match those ads.txt available ads against the data provided in an ad bid request.
While ads.txt is promising, it’s only as good as its adoption, as discussed by David Smith:
I think it is the right thing to do because we want to know whether we should be buying from the people that we are buying from,” said David Smith, CEO, and founder of Mediasmith. “But the key will be the IAB getting publishers to sign on…
The most effective solution is a combination of all of these efforts — you just need to balance the effort it takes to be proactive against the damages ad fraud has on your marketing!
A World Beyond Ad Fraud
The best alternative and solution to fighting ad fraud and delivering improved ROI is to create an ad ecosystem where clicks are provably real human beings who have an interest in what they click on.
This means we must fundamentally reimagine the way our current digital system works. By using an immutable blockchain ledger and permission-based platform, we can ensure only real people interact with ads and that ads are only served to legitimate users who wish to view them.
When you compare that to the myriad of virus-infected PCs connecting to faux web pages and massive botnet operations, it’s clear what the next step we need to take is.
See how Permission.io is fundamentally restructuring how we think and interact with digital ads.