7 common types of ad fraud (and how to prevent them)
Every web publisher has at some point had their payments withheld or account suspended by a monetization partner for invalid traffic and real or suspected ad quality concerns.
Programmatic advertising enables advertisers and publishers of all sizes to participate in an open ecosystem, but the sheer scale of the operation also means that inevitably, bad actors will slip through and try to exploit the system for their own personal gain.
Ad fraud is not a new phenomenon, with the first instances of pay-per-click fraud being noted as early as 2001. However, what has changed is the scale at which ad fraud is perpetrated now, with multi-billion dollar losses projected every year for the ad tech industry.
For publishers, knowing the most common ways ad fraud is committed is crucial for prevention. In this guide, we’ll review how ad fraud affects publishers, explain the most common types of ad fraud tactics, and finally, share steps publishers can take to safeguard themselves.
What is ad fraud?
Ad fraud is the practice of fraudulently representing traffic, clicks, impressions, conversions, or data events with the goal of generating revenue. Ad fraud is a complex phenomenon that affects legitimate publishers and advertisers across multiple mediums and formats, including banner ads, video ads, in-app ads, search marketing, and affiliate marketing.
How ad fraud affects publishers
According to data presented by Statista research, ad fraud is on track to cost the industry $100 billion in losses by 2023, up from $35 billion in 2018 and growing at an exponential rate.
Many people mistakenly believe that ad fraud only affects advertisers. While it is true that in many forms of ad fraud, advertisers are more directly affected by losing their advertising spend, ad fraud has serious repercussions for publishers as well.
First, with many types of ad fraud, the money intended for legitimate publishers ends up in the hands of bad actors who perpetrate the fraud. Due to the heightened industry awareness about ad fraud, publishers can also lose access to the ad networks and exchanges that they work with through no fault of their own. Finally, and perhaps most important of all, ad fraud erodes trust between advertisers and publishers, which is detrimental to the health of the open Web.
Types of ad fraud
Domain spoofing is the practice of disguising a website as another, more valuable website, and then duping advertisers into paying premium prices to secure counterfeit ad inventory. In one prominent example, Financial Times discovered a few years ago that such counterfeit, or “spoofed” FT.com inventory was being sold via multiple premium exchanges. The company also estimated that $1.3 million worth of fake FT ad space was being sold each month.
Domain spoofing doesn’t always rely on impersonating publishers. It can also manifest as bad actors scraping content to set up a fake site that looks and feels “legitimate”, and then trying to generate a profit by buying low-quality traffic and running ads. As Meg Graham from CNBC reported in her investigation, she was able to get approvals to serve advertising from multiple networks after setting up a site and populating it with copyrighted content from CNBC.
Many e-commerce brands and platforms, Amazon and eBay for instance, use affiliate marketing to incentivize third-party content creators to promote their products and services. When a user makes a purchase, a percentage of the sale is paid out in commission to the affiliate who influenced that sale. The attribution for such sales is managed by third-party tracking cookies.
Cookie stuffing is the practice of dropping affiliate tracking cookies unrelated to the website the user is currently visiting, without the users’ knowledge. If the user later visits the e-commerce site and makes a qualifying purchase, the cookie stuffer gets paid the commission from the sale, without actually playing any legitimate role in the purchase process. Cookie stuffing wastes advertiser spend and hurts honest affiliate publishers by stealing credit for leads and sales.
Pixel stuffing is a type of impression fraud designed to exploit advertising campaigns that use the cost-per-mille (CPM) model. It works by creating tiny 1×1 pixel placements and stuffing one or more ads into each placement, where they are invisible to the human eye.
By pixel stuffing, fraudsters can load dozens or more ads onto a single webpage and get credit for serving those impressions. These campaigns don’t really generate any results for advertisers since none of the ads are ever seen by actual users. Pixel stuffing is usually associated with low-quality sites and inventory. However, even high-quality publishers can have their inventory compromised by third parties without being aware of it.
Ad stacking works in a similar fashion to pixel stuffing, except instead of using a 1×1 pixel placement, the ad units are literally stacked on top of each other. This way, a fraudster may stack 5 ads on top of each other and claim credit for all 5 impressions being served, even though the user only gets to view the one ad that is visible on top of the stack.
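A publisher can audit rendered ad slots for both patterns described above. The following is an added example, not code from the original article: the slot geometry is constructed sample data (in a browser it would come from `getBoundingClientRect()` and the computed z-index), and the two thresholds are assumptions.

```javascript
// Added example: audit ad-slot geometry for pixel stuffing and ad stacking.
// Each slot is {id, x, y, width, height, z}. Slots with equal z are not
// compared, which is a simplification of real paint order.
const MIN_SIDE_PX = 2;    // assumed threshold: under 2px per side is invisible
const MAX_COVERED = 0.5;  // assumed threshold: more than 50% hidden is suspect

function overlapArea(a, b) {
  const w = Math.min(a.x + a.width, b.x + b.width) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.height, b.y + b.height) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

function auditSlots(slots) {
  const findings = [];
  for (const slot of slots) {
    if (slot.width < MIN_SIDE_PX || slot.height < MIN_SIDE_PX) {
      findings.push({ id: slot.id, issue: "pixel-stuffing", detail: `${slot.width}x${slot.height}` });
      continue;
    }
    // Largest share of this slot hidden by a single ad slot painted above it
    let covered = 0, by = null;
    for (const other of slots) {
      if (other === slot || other.z <= slot.z) continue;
      const share = overlapArea(slot, other) / (slot.width * slot.height);
      if (share > covered) { covered = share; by = other.id; }
    }
    if (covered > MAX_COVERED) {
      findings.push({ id: slot.id, issue: "ad-stacking", detail: `${Math.round(covered * 100)}% under ${by}` });
    }
  }
  return findings;
}

// Constructed sample page: one normal slot, one 1x1 slot, three stacked slots.
const SAMPLE_SLOTS = [
  { id: "leaderboard", x: 0, y: 0, width: 728, height: 90, z: 1 },
  { id: "hidden-1x1", x: 10, y: 500, width: 1, height: 1, z: 1 },
  { id: "stack-bottom", x: 800, y: 100, width: 300, height: 250, z: 1 },
  { id: "stack-middle", x: 800, y: 100, width: 300, height: 250, z: 2 },
  { id: "stack-top", x: 800, y: 100, width: 300, height: 250, z: 3 },
];
console.log(auditSlots(SAMPLE_SLOTS));
```

Only the top slot of the stack and the leaderboard pass; the other three slots are reported with the reason they would never be seen.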
Ad injection is a form of malvertising where fraudsters use compromised browser extensions, plugins, and other types of malware to either insert ads where they shouldn’t appear or replace the existing ads set up by the publisher with a different set of ads. When those ads are monetized using CPC or CPM models, the bad actors pocket the ad revenue that is generated, even though they don’t own any legitimate inventory.
One of the biggest challenges with ad injection attacks is that the affected organizations may not immediately know that they are being targeted. Many commonly used security tools focus on server-side monitoring, while ad injections work on the client side. By the time publishers notice the attack in their revenue metrics, they’ve already lost some revenue.
It’s no secret that traffic in some countries is more valuable than in other countries and CPMs can vary widely based on the specific traffic geo. Fraudsters can exploit this by hiding where their traffic is coming from and then selling non-valuable traffic to advertisers for premium prices.
Advertisers are directly affected by geo masking because as with many categories of ad fraud, they end up paying for something they perceive to be valuable, but the results don’t follow. Sometimes legitimate publishers also acquire traffic from third parties, and in those scenarios, they are equally susceptible to being sold traffic from low-value geos.
According to the Trustworthy Accountability Group (TAG), bot traffic, also known as invalid traffic, is any traffic that does not meet certain ad serving quality or completeness criteria, or otherwise does not represent legitimate ad traffic that should be included in the measurement. One of the reasons why ad traffic may be deemed invalid is that it is a result of non-human traffic (spiders, bots, etc.), or activity designed to produce fraudulent traffic.
Invalid traffic is broadly classified into two categories. General Invalid Traffic (GIVT) includes search crawlers, traffic from known data centers linked to invalid activity, and irregular patterns such as duplicate clicks. Sophisticated Invalid Traffic (SIVT) is traffic where fraudsters make an extra effort to mask their behavior as legitimate; some examples include incentivized clicks, misleading user interfaces, and fraudulent browser automation.
How to prevent ad fraud
Because ad fraud comes in many forms, there is no single tactic that will be enough to sufficiently protect your inventory. The key to prevention is ensuring you have safety checks in place for early detection of anomalous behavior and proactively working with a trusted ad quality vendor.
- Maintain an ads.txt file: Make sure you have an ads.txt file in place to explicitly declare the ad networks, exchanges, and SSPs who are authorized to re-sell your inventory, in addition to following industry best practices about ads.txt upkeep. Also make sure that your monetization partner is hosting a valid Sellers.json file, which allows advertisers to verify the provenance of the inventory and impressions that they are purchasing.
- Keep an eye out for copyright theft: To ensure that no one is trying to profit using content plagiarized from your site, consider setting up exact match Google alerts or use a service like Copyscape to monitor instances of your content across the web. If someone is violating your copyright, send them a DMCA takedown notice.
- Set up custom alerts: Many types of ad fraud are difficult to detect by observing on-page behavior. In such cases, you’ll want to keep an eye on your traffic and revenue metrics for any sudden fluctuations. Most analytics tools, including Google Analytics, allow admin users to create custom alerts based on metrics like sessions, pageviews, bounce rates, etc.
- Solicit user feedback: Certain types of ad fraud, such as ad injections and forced redirects, may be difficult to detect for site owners, but are easily observable by users. Give your users an easy way to provide feedback about the page experience and ad experience on your site.
- Partner with a trusted vendor: A specialized problem needs a specialized solution. There are a lot of ad tech vendors that integrate on both the buy and sell side of ad tech and help publishers and advertisers monitor traffic quality, ad quality, and combat malware. Find a vendor who can give you the technology and timely advice to stay clear of ad fraud.
- Inspect third-party plugins and scripts: Publishers need to use a variety of third-party CMS plugins, extensions, and scripts to run advertising, analytics, and extend the functionality of their site. Assets provided by developers that you don’t know or trust can be a vector for ad fraud and user data harvesting. Make sure that you inspect the code before using it and verify that it is only doing what it is supposed to.
- Stay informed about ad fraud: Industry groups such as Interactive Advertising Bureau (IAB) and Trustworthy Accountability Group (TAG) do a lot of work on defining standards, stakeholder education, and certifications to help legitimate entities in the publishing ecosystem better protect themselves against ad fraud. Make sure you follow them.
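
For the ads.txt and sellers.json step in the list above, the following added example (not code from the original article) parses an ads.txt file and cross-checks each record against the ad system's sellers.json, pairing DIRECT with seller_type PUBLISHER and RESELLER with INTERMEDIARY and treating any mismatch as something to review. All domains, account IDs and file contents are constructed.

```javascript
// Added example: parse an ads.txt file and cross-check each record against the
// named ad system's sellers.json. All domains and IDs below are constructed.
function parseAdsTxt(text) {
  const records = [], errors = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.split("#")[0].trim();       // drop comments
    if (!line) return;
    if (/^[a-z]+=/i.test(line)) return;          // variables such as contact= or subdomain=
    const [domain, accountId, relationship, certId] = line.split(",").map((f) => f.trim());
    const rel = (relationship || "").toUpperCase();
    if (!domain || !accountId || !["DIRECT", "RESELLER"].includes(rel)) {
      errors.push({ line: i + 1, raw });
      return;
    }
    records.push({ domain: domain.toLowerCase(), accountId, relationship: rel, certId });
  });
  return { records, errors };
}

// sellersByDomain maps an ad system domain to its parsed sellers.json object.
function crossCheck(records, sellersByDomain, publisherDomain) {
  return records.map((rec) => {
    const file = sellersByDomain[rec.domain];
    if (!file) return { ...rec, status: "no sellers.json available" };
    const seller = file.sellers.find((s) => String(s.seller_id) === rec.accountId);
    if (!seller) return { ...rec, status: "seller_id not listed" };
    const type = (seller.seller_type || "").toUpperCase();
    const expected = rec.relationship === "DIRECT" ? "PUBLISHER" : "INTERMEDIARY";
    if (type !== expected && type !== "BOTH") return { ...rec, status: `seller_type ${type} does not fit ${rec.relationship}` };
    if (rec.relationship === "DIRECT" && !seller.is_confidential && seller.domain !== publisherDomain)
      return { ...rec, status: `DIRECT entry points at ${seller.domain}` };
    return { ...rec, status: "ok" };
  });
}

const SAMPLE_ADS_TXT = `# ads.txt for publisher.example (constructed)
contact=adops@publisher.example
adsystem.example, 1001, DIRECT, abc123
adsystem.example, 2002, RESELLER
adsystem.example, 3003, DIRECT
othersystem.example, 77, RESELLER
adsystem.example, 4004, DIRET`;
const SAMPLE_SELLERS = {
  "adsystem.example": { sellers: [
    { seller_id: "1001", seller_type: "PUBLISHER", domain: "publisher.example" },
    { seller_id: "2002", seller_type: "PUBLISHER", domain: "publisher.example" },
  ] },
};
console.log(crossCheck(parseAdsTxt(SAMPLE_ADS_TXT).records, SAMPLE_SELLERS, "publisher.example"));
```

Running a check like this on a schedule surfaces stale or mistyped entries, such as the malformed last line in the sample, before a buyer's validator does.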