DataDome

Ad Fraud: What it is, How it Works, & 13 Common Types

What is ad fraud?

Ad fraud involves falsifying the number of times an online advertisement is clicked on or displayed. As clicks increase, the advertiser’s revenue increases and the publisher is rewarded with an advertising fee. This type of fraud can be perpetrated by competitors or fraudulent publishers using automated bot traffic to click on ads.

Digital marketers use online advertising to get their customers’ attention. Forecasters expect that advertisers will spend over half a trillion dollars on digital ads in 2022. With this much money at stake, it’s not surprising that fraudsters want to get in on the action.

Between fake clicks and a lack of transparency over digital advertising networks, scammers spoof high-value websites and use bots to mimic visitor clicks, siphoning money from ad budgets.

To prevent ad fraud, companies need to make sure that they have a baseline of “normal” user behavior so that they can identify anything abnormal that indicates that the clicks are from malicious bots. Since malicious actors target web and mobile ads, monitoring for bot traffic is a way that advertisers, marketers, and publishers can prevent fake clicks that cost them money.

About Ad Fraud

Scammers trick advertising platforms with fraudulent traffic, clicks, impressions, conversions, and other data events, preventing websites from delivering content to real users. The fraudsters reap financial gain because the advertisers pay even though the ads never reach the intended audience. Further, it can negatively impact brand reputation.

Since ad fraud generates activity that doesn’t come from a real user, it’s also called invalid traffic (IVT). Two types of IVT exist:

  • General invalid traffic (GIVT): identifiable through regular filtration activities, like lists or other standard checks.
  • Sophisticated invalid traffic (SIVT): only identifiable using advanced analytics, multi-point collaboration, and/or human intervention.

Ad fraud tactics include:

  1. Domain Spoofing
  2. Click Fraud
  3. Cookie Stuffing
  4. Click Injection
  5. Pixel Stuffing
  6. Ad Stacking
  7. Ad Injection
  8. Geo Masking
  9. Bots/Nonhuman Traffic

Ad fraud is hard to detect because it may not have an immediate, obvious financial impact. You might just think that your ad campaign is successful, continuing to spend more money on it. In reality, you’re getting fake leads and not reaching potential customers.

Meanwhile, the criminals continue to reap the benefits. According to one report that analyzed global data events between July 1 and December 31, 2021, fraud levels increased by 1.4% for display and 1.3% for video ads. As digital advertising spend continues to increase, ad fraud will likely continue to rise as well.

Who is at risk of ad fraud?

While online advertising fraud can impact any business using digital ads as part of their marketing program, fraudsters typically target the following industries:

  • Financial Services
  • Legal
  • Retail/E-Commerce

However, scammers can use any expensive or competitive keyword as part of their campaigns.

Common Types of Ad Fraud

You use online advertising campaigns to reach your ideal customer, but online advertising fraud undermines these goals. Understanding common fraudulent activity helps you mitigate reputational and financial risks.

  1. Cookie Stuffing
    Cookies are small bits of code that track user behavior, providing insight into your ad campaigns’ success. They can tell you whether the effort led to a conversion where someone made a purchase or give you feedback about users’ interests.
    Fraudsters can use cookie stuffing in two different ways:

    • Inserting a cookie from a different website than the one the user originally visited to change the attribution and payment model
    • Placing cookies on a bot so that it looks like the keyword is getting more impressions, ultimately costing more and making the scammers more money
  2. Click Fraud/Bot Fraud
    Usually executed by bots, click fraud targets pay-per-click (PPC) ads, tricking the ad platform into believing that human users are interacting with the content and making a post or website look more popular. Companies then spend more money to place ads on the website, but they’re really paying the fraudsters.
    For publishers who make money from ads, this might not appear to matter since they’re getting paid anyway. However, if advertisers find out, they may decide to pull their ads.
  3. Click Spamming/Click Flooding
    This variant specifically targets mobile apps and websites. While the website or app works normally for the user, it executes clicks in the background. Users never even know that they’ve interacted with in-app ads because they never saw them.
  4. Click Injection
    Click injections are a more sophisticated type of click spamming. These target Android apps, enabling scammers to detect when a user downloads apps to earn credit for the installs. While the app installs are real, the fake ad engagement means that advertisers will continue to spend money on the fraudulent advertising partner.
  5. Domain Spoofing
    With domain spoofing, fraudsters impersonate a high-value domain so that their inventory appears to be worth more money. While the impressions and users are real, the low-quality website isn’t worth the money spent. Some types of domain spoofing include:

    • Cross-Domain Embedding
    • Custom Browsers
    • Human Browsers
  6. Pixel Stuffing
    When scammers use pixel stuffing, they serve multiple ads in a single pixel frame, making the advertisements invisible to users. Even if the ads are delivered, the users don’t actually see them, so the advertiser gets no value from them.
  7. Ad Injection
    This type of online ad impression fraud inserts new ads or replaces current ones while someone is on the internet. Sometimes one ad is inserted on top of existing ones. Sometimes the injected ads replace them entirely or show up on pages that weren’t supposed to have ads. Often, the process includes delivering malware to the user when they install a browser, extension, or app.
  8. Ad Stacking
    With this mobile ad fraud variant, scammers “hide” advertisements. Multiple ads are layered on top of each other with only one visible to users. This is another case where the impressions may be real for all ads in the stack, but users won’t see the content, meaning the advertiser doesn’t get value.
  9. Geo Masking/Location Fraud
    Part of using ad networks is getting the right content to the right people. For many marketers, this means hitting a target geographic location. With geo masking, fraudsters send false location data so that the ad serves outside the targeted demographic.
  10. User Agent Spoofing
    Scammers manipulate the header that is in the web page request to obfuscate information about the user’s browser. Many times, fraudsters use this tactic to hide bots.
  11. SDK Spoofing
    Connected to network interception attacks, SDK spoofing happens when a fraudster breaks the SSL encryption to learn what URL calls represent in-app action so that they can generate fake installs.
  12. Install Farms
    Using either bots or emulator programs, scammers use real devices that click on advertisements or install applications. This makes it look like real users are installing the software when in reality no one is seeing the advertisements.
  13. Forced Redirect Ads
    Beyond stealing revenue, malicious actors can use online ad fraud to deliver malware by embedding a malicious ad or iframe on a webpage. This redirects users to another site that contains malware or spyware, attempting to steal personally identifiable information.

How can you prevent advertising fraud?

Preventing ad fraud enables publishers to continue generating revenue while ensuring that they protect their reputations. Digital ad fraud steals revenue by reducing the value of ads and can lead to ad networks or demand partners blocking your website. Publishers need to have robust ad fraud detection and marketing fraud prevention to protect their revenue, reputations, and business models.

Research Ad Networks

The first step to mitigating ad fraud risk is to know your business partners. You should look for an ad network that has a transparent and strict platform, including fraud detection and prevention capabilities.

Monitor Traffic

You should have a baseline for what “normal” traffic looks like. By monitoring traffic, you can identify abnormal activity like:

  • Sudden traffic spikes.
  • Higher than industry standard click-through rates (CTR).
  • Outlier geographic regions.

Check Conversion Rates

Monitoring conversion rates can help you detect digital ad fraud. Low conversion during peak traffic may indicate a problem. If you’re working with a mobile app, a low average click-to-install time (CTIT) could be a sign of install hijacking. On the other end of the spectrum, a very high CTIT might indicate click spam.
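The CTIT check described above, as an added example that is not DataDome's code: it labels each attributed install by its click-to-install time and summarizes the labels per traffic source. The thresholds, field layout, and source names are assumptions, and the records are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Assumed thresholds, not taken from the article: tune them to your own baseline.
MIN_CTIT_SECONDS = 10           # shorter than a real store download usually takes
MAX_CTIT_SECONDS = 24 * 3600    # click recorded more than a day before the install

# Constructed sample records: (install_id, source, click_time, install_time)
SAMPLE_INSTALLS = [
    ("i1", "network-a", "2022-03-01T10:00:00", "2022-03-01T10:01:30"),
    ("i2", "network-a", "2022-03-01T11:00:00", "2022-03-01T11:04:10"),
    ("i3", "network-b", "2022-03-01T12:00:00", "2022-03-01T12:00:03"),
    ("i4", "network-b", "2022-03-01T12:30:00", "2022-03-01T12:30:02"),
    ("i5", "network-b", "2022-03-01T13:00:00", "2022-03-01T13:02:00"),
    ("i6", "network-c", "2022-02-20T09:00:00", "2022-03-01T14:00:00"),
    ("i7", "network-c", "2022-03-01T15:00:05", "2022-03-01T15:00:00"),
]

def ctit_seconds(click_time, install_time):
    """Click-to-install time in seconds (negative if the install precedes the click)."""
    delta = datetime.fromisoformat(install_time) - datetime.fromisoformat(click_time)
    return delta.total_seconds()

def classify_ctit(seconds):
    """Map a CTIT value to the signal the article associates with it."""
    if seconds < 0:
        return "invalid_order"               # timestamps contradict each other
    if seconds < MIN_CTIT_SECONDS:
        return "possible_install_hijacking"  # very low CTIT
    if seconds > MAX_CTIT_SECONDS:
        return "possible_click_spam"         # very high CTIT
    return "normal"

def summarize_by_source(installs):
    """Return {source: Counter(label -> count)} so outlier partners stand out."""
    summary = defaultdict(Counter)
    for _install_id, source, click_time, install_time in installs:
        label = classify_ctit(ctit_seconds(click_time, install_time))
        summary[source][label] += 1
    return dict(summary)

def suspicious_share(counts):
    """Fraction of a source's installs that were not labelled normal."""
    total = sum(counts.values())
    return (total - counts["normal"]) / total if total else 0.0

if __name__ == "__main__":
    for source, counts in sorted(summarize_by_source(SAMPLE_INSTALLS).items()):
        print(source, dict(counts), f"{suspicious_share(counts):.0%} suspicious")
```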

Target Audience Precisely

The more precisely you target your audience, the faster you can detect abnormal activity. For example, if you know that you only want customers in Germany, you can more easily identify ad fraudsters trying to use a different geographic location.

Use ads.txt Files

The ads.txt file outlines the ad networks, exchanges, and sell-side platforms (SSPs) that can re-sell inventory. Your partners should also have valid sellers.json files that verify where inventory came from and the impressions they purchase.
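An added example (not from the original article) of checking a seller against an ads.txt file: it parses the comma-separated records, sets aside malformed lines, and tests whether an ad system domain and account ID pair is listed. The sample file content, domains, and account IDs are constructed placeholders, and exact-match comparison of account IDs is an assumption.

```python
# Constructed sample ads.txt content (domains and account IDs are placeholders).
SAMPLE_ADS_TXT = """\
# ads.txt for publisher.example
exchange-one.example, pub-1234, DIRECT, abc123
exchange-two.example, 98765, reseller  # inline comment
contact=adops@publisher.example
broken line without enough fields
exchange-three.example, 555, PARTNER
"""

VALID_RELATIONSHIPS = {"DIRECT", "RESELLER"}

def parse_ads_txt(text):
    """Return (records, rejected): parsed seller tuples and (line number, text) rejects."""
    records, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        if "=" in line and "," not in line:       # variable line such as contact=
            continue
        fields = [field.strip() for field in line.split(",")]
        if len(fields) < 3 or not all(fields[:3]):
            rejected.append((lineno, raw.strip()))
            continue
        domain, account_id = fields[0].lower(), fields[1]
        relationship = fields[2].upper()          # DIRECT/RESELLER is case-insensitive
        if relationship not in VALID_RELATIONSHIPS:
            rejected.append((lineno, raw.strip()))
            continue
        cert_id = fields[3] if len(fields) > 3 and fields[3] else None
        records.append((domain, account_id, relationship, cert_id))
    return records, rejected

def is_authorized(records, seller_domain, account_id, relationship=None):
    """True if the (ad system domain, account ID) pair is listed in ads.txt."""
    for domain, listed_id, listed_rel, _cert_id in records:
        if domain == seller_domain.lower() and listed_id == account_id:
            if relationship is None or listed_rel == relationship.upper():
                return True
    return False

if __name__ == "__main__":
    parsed, bad = parse_ads_txt(SAMPLE_ADS_TXT)
    print(parsed, bad)
    print(is_authorized(parsed, "exchange-one.example", "pub-9999"))
```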

Monitor Competitors

To make sure that plagiarized content isn’t being used as part of digital ad fraud, you can set up alerts for exact matches. Sometimes, affiliates will compete on the same keywords, engaging in click fraud to drive business. In other cases, scraper bots will steal content so that the fraudsters can republish it on other sites.

Review Infrastructure Costs and Performance

When fraudsters use bots, they can slow down your website. This means you end up purchasing more bandwidth so you can maintain the speed needed to rank for SEO. Monitoring your infrastructure costs and website performance can help you detect bot traffic because it can lead to unpredictable peaks and service interruptions.

Monitor for Spoofed Domains

To protect against fraudsters trying to make a fake version of your site, you can do searches that add or delete characters from your URL. For example, instead of ThisIsMySite you could search for Th1sIsMySite.
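One way to turn that search into a check over domains you have already observed, for example in referrer logs or search results (an added example, not part of the original article). It flags names that match your own after look-alike characters are folded together, or that differ by one added or deleted character; the confusable map is a small assumed subset and the domain list is constructed.

```python
# Assumed confusable-character map: a small illustrative subset, not exhaustive.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "3": "e", "5": "s", "4": "a"})

# Constructed sample of observed domains.
OBSERVED = [
    "thisismysite.example",
    "th1sismysite.example",
    "thisismysitee.example",
    "thisismsite.example",
    "unrelated.example",
]

def skeleton(label):
    """Lower-case a domain label and fold look-alike characters together."""
    return label.lower().translate(CONFUSABLES)

def one_char_added_or_deleted(a, b):
    """True if b can be produced from a by adding or deleting exactly one character."""
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def lookalike_reason(candidate, brand):
    """Return why candidate resembles brand, or None if it does not or is the brand."""
    cand, own = candidate.lower(), brand.lower()
    if cand == own:
        return None
    if skeleton(cand) == skeleton(own):
        return "character substitution"
    if one_char_added_or_deleted(skeleton(cand), skeleton(own)):
        return "added or deleted character"
    return None

def first_label(domain):
    """First dot-separated label; the sample data has no subdomains."""
    return domain.lower().rstrip(".").split(".")[0]

def find_lookalikes(observed, brand_domain):
    """Return {observed domain: reason} for names that resemble brand_domain."""
    brand = first_label(brand_domain)
    hits = {}
    for domain in observed:
        reason = lookalike_reason(first_label(domain), brand)
        if reason:
            hits[domain] = reason
    return hits

if __name__ == "__main__":
    print(find_lookalikes(OBSERVED, "ThisIsMySite.example"))
```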

Collect Data From End-User Devices

Mobile ad fraud detection and prevention is different from desktop. To protect against things like SDK spoofing, you should be looking for client-side signals like events linked to:

  • Touch Events
  • Typing Speed
  • Sensor Signals

Review Signature Signals

You can collect this information for yourself and your users. By monitoring this data, you can gain visibility into whether interactions are consistent with human behavior. Some signatures to review include:

  • HTTP fingerprints: HTTP headers.
  • TLS fingerprints: Metadata extracted during the TLS handshake.
  • Browser fingerprints: Data about browser, device, and operating systems.
  • Mobile fingerprints: Device and operating system information.

Have People Test Your Site

You may not always be able to detect things like ad injections and forced redirects. If you have someone use your website, you can get feedback about their ad experience to see if they have any problems.

Research the State of Ad Fraud

Fraudsters change their methods, especially when they’re using technology like bots. Following industry organizations gives you the most up-to-date research so you can protect yourself.

Block Risky IP Addresses

If you detect a risky IP address from your reports, you should block it from accessing your website in the future.

Use a Bot Management System

No matter how hard you work, malicious bots will always outpace manual management processes. With a bot management system, you can use artificial intelligence (AI) and machine learning (ML) to differentiate bots from human activity on your site.

Use Anti-Malvertising Software

Anti-malvertising software and plugins can detect digital signatures associated with malicious code. This can give you real-time protection against malware like the kind used in forced redirects.

How does DataDome detect and prevent digital ad fraud?

With DataDome’s smart bot blocking solution, you can monitor 100% of your bot traffic in real-time. We analyze all requests to your website and can detect in less than 2 milliseconds whether a visitor is a human or a bot. By default, we block bad bots, but you can also fine-tune the response with your own custom rules. You can deploy our bot protection software in minutes on any web infrastructure to use our server-side modules and client-side SDKs, giving you a way to protect Android and iOS apps.

Our new solution, Ad Protect, focuses specifically on all forms of ad fraud, identifying fraudulent clicks so you can protect your ad campaigns and improve ROI. Ad Protect provides detailed, unbiased reports of campaign traffic, classifying illegitimate automated traffic so you can make better decisions about your ad spend.

Ad Fraud FAQs

What is meant by advertising fraud?

Advertising fraud, also called ad fraud, occurs when fraudsters attempt to trick advertising platforms with invalid traffic (IVT), clicks, impressions, conversions, and other data events. This prevents real users from interacting with the content. Instead of reaching their intended audience, the advertisers pay the fraudsters for this fake traffic.

How does ad fraud occur?

Ad fraud uses invalid traffic (IVT), meaning activity that doesn’t come from a real user. Two types of IVT exist:

  • General invalid traffic (GIVT): identifiable through regular filtration activities, like lists or other standard checks
  • Sophisticated invalid traffic (SIVT): only identifiable using advanced analytics, multi-point collaboration, and/or human intervention

Ad fraudsters often use bots to engage in types of ad fraud like:

  • Click spamming
  • Geo masking
  • Install farming
  • SDK spoofing

Is ad fraud a problem?

Ad fraud is a problem for the advertising industry and legitimate publishers because it decreases inventory, reduces revenue, and negatively impacts brand reputation.
