Ad Fraud Prevention: How Ad Tech Safeguards Your Advertising Budget
Digital marketing has been around since the 1990s and has only grown in popularity over the years. With $567.5 billion spent in 2022, it has become one of the most successful and widespread mediums in the world, and it is hard to find an advertiser that doesn’t utilize online marketing in its campaigns.
Unsurprisingly, as digital marketing has become more prevalent, it has been accompanied by online advertising fraud. This activity relies on security holes, inattentive marketers, and social engineering to either gain an edge over competitors or just create fraudulent revenue. As old as the industry itself, ad fraud is one of the top concerns for any marketer — and for a good reason, too. According to MarTech, online fraud led to over $35 billion in losses in 2020 and is projected to grow even bigger in 2024.
However, the situation is not completely hopeless. The struggle between marketers and perpetrators is a constant arms race; for every emerging type of ad fraud, there appears to be a way to counteract it. In this post, we want to go over the most notorious fraud schemes and methods to keep your ad budget as safe as possible.
But to do that, let’s first discuss what exactly ad fraud is and how it generally works.
Learning Your Enemy: What Is Ad Fraud?
At its most basic level, ad fraud is a combination of ways to deceive advertising platforms and make fake activity look real. Since advertisements rely on data events like impressions, clicks, or conversions, any way to generate either of those without real user input can be considered ad fraud. This is undertaken mainly through bots and other automated means that generate invalid traffic en masse to profit off the maximum amount of ads and networks at once.
If the attacked advertising platform does not react in time, their ads will simply not reach the intended audience, and the owner of the bot network will gain profit from every successful fake input, making this niche very lucrative for tech-savvy fraudsters.
There are two types of invalid traffic, and it is important to distinguish them:
– GIVT, or General Invalid Traffic. It is usually non-malicious and is created by entities like search engine spiders indexing the network or antivirus crawlers on customers’ devices. They can still accidentally trigger ads not protected by standard checklists, but they are usually universally accepted since their main task is not to defraud platforms.
– SIVT, or Sophisticated Invalid Traffic. Created with defrauding activities in mind, these bots and media operators try to bypass security measures and imitate human behavior to make advertisers pay rewards for never-real traffic.
With that in mind, let’s go over the most popular ad fraud types and ways to counteract them.
Studying Your Enemy: Types Of Ad Fraud
Fraud schemes can generally be sorted into two categories: bot-driven and human-driven.
The first type relies on automating fraudulent processes and is usually easier for advertisers to notice and neutralize. The second type includes more sophisticated and intricate approaches to manipulating advertising platforms on a higher level; examples may include man-in-the-middle attacks or geo-spoofing.
Click Fraud
What it is: This is considered the most widespread digital ad fraud on the Internet, with over 36% of display ad clicks invalid in 2021. Click fraud utilizes bots to generate clicks on your ads, and if your ad pays per click, it can quickly become a fund sinkhole. The most notorious giveaway of this tactic is an immense boost in CTR without any improvement in conversions whatsoever.
While it is mainly bot-operated, fraudsters can also employ click farms that consist of a team of human operators that perform these clicks manually, making it harder for anti-fraud software to notice.
Ways to prevent: Since this method works on a very basic level, any decent click fraud prevention software will suffice, with the biggest ad tech platforms having their own safeguards as well. However, if you wish to protect yourself even more, you can manually analyze your ad statistics and campaign activities to determine where fraudulent clicks might come from. Then, set up either IP exclusions or targeting adjustments; the latter is especially useful against click farms, usually located in specific countries.
Finally, remarketing campaigns are also a good idea, since these ads will only show to people who are interested in your products.
Click Injections
What it is: Click injections can be called the next step in the evolution of click fraud. These are done exclusively through Android devices, so the scheme does not affect advertisers not utilizing apps with this ad format.
They work by having users install an innocent-looking app, which then waits for other apps to be installed on their devices. When users open their new app for the first time, a broadcast is sent to the attribution provider. That very broadcast is modified by a malicious application to make it look like the genuine app has been installed through a click on a specific ad. The click, of course, never happened in reality, but the fraudster will get credit for the installation nonetheless.
Ways to prevent: Apart from anti-fraud tools specialized in preventing click injections, marketers can also analyze their data to detect this type of fraud. The most important data point here is CTIT or click-to-install time; if it is very low, this could indicate click-injection fraud. Still, sophisticated scam apps can circumvent even this by changing data patterns.
The most foolproof way is to choose your marketing partners wisely. For example, a large number of app installs for a low price is a very bright red flag. Thoroughly review marketing companies before entrusting them with your funds.
Domain Spoofing
What it is: Usually preferred by malicious publishers, this fraud relies on advertisers’ lack of attention to detail. Here, fraudsters’ main task is to create a legitimate-looking copy of a popular domain and sell advertising space there to unknowing marketers. For this trick, scammers try to copy highly sought-after websites to sell traffic as expensively as possible.
Basic approaches revolve around adding an extra letter to a famous domain or replacing a letter with a similar Unicode character. More advanced techniques may include cross-domain embedding, which is harder to notice.
Ways to prevent: Being attentive is your best bet when it comes to domain spoofing. Carefully check the legitimacy of each and every domain you are trying to advertise on to avoid being tricked. Experienced marketers also make use of ads.txt, a publicly accessible record of authorized digital sellers. While not fully impenetrable, it can greatly assist you in tackling ad fraud.
Ad Injection
What it is: A fraud that is performed on the client’s side, ad injection seeks to either replace the existing ads on your website with fraudsters’ own or display competitor ads alongside original ones.
Unlike most other techniques, this one is harder to track and prevent since everything is happening on the client side. Ad injection is usually the result of either untrustworthy browser plug-ins, malware, or, in rare cases, exploiting a website’s vulnerability.
Ways to prevent: In this case, knowing is already half the battle. This programmatic ad fraud heavily relies on bypassing server-side security tools and the inability of advertisers to track it down. Anomalies in revenue metrics may be a good sign of ad injection.
Fortunately, there is no need to wait for this attack to occur; your website can implement allowlists that will display content only from authorized networks. This way, even if your customers’ browsers are infiltrated by some sort of malware, your platform will not suffer from it.
Ad Stacking and Pixel Stuffing
What it is: While technically different, both ad frauds rely on generating unfair revenue through cost-per-mille while not actually showing the ads to customers. They are similar in both nature and ways to counteract them.
Ad stacking works by placing several different ads in the same space on a page. By doing this, fraudsters only show one ad to the customer while gaining CPM for every ad placed on the page.
Pixel stuffing takes advantage of the size of an ad. It stuffs advertisers’ ads into 1×1 pixels; while ads are technically shown on a page, customers will never notice them, let alone click them. As with ad stacking, malicious actors will still gain CPM revenue.
Ways to prevent: Anti-fraud software is your best bet here since both of these tactics are easily discovered programmatically.
If you prefer manual alternatives, you can actively monitor your campaign statistics; for example, simultaneous clicks on several ads from the same device are a good marker for ad stacking.
Of course, verifying marketing partners and ad servers is also the most surefire way to avoid this type of fraud from the very start. A proper ad server should have anti-fraud systems that prevent such basic, underhanded schemes.
Geo Masking
What it is: In the age of programmatic advertising, marketers utilize geo-targeted campaigns to ensure that their ads will be shown to the audience with the most potential. Advertisers are willing to pay extra for their product to be shown to people in certain countries, and fraudsters take advantage of it.
By spoofing the IP addresses of their website users, malevolent actors make low-quality traffic look like premium traffic, charging advertisers accordingly. Campaigns will show valuable traffic coming in, but conversions will collapse.
Ways to prevent: Advertisers can only rely on anti-fraud solutions and IP verification in cases like this. Apart from suspiciously low conversion metrics, this type of fraud is very hard to notice manually, and affected marketers should invest in software that prevents this from happening.
Cookie Stuffing
What it is: Targeted exclusively at affiliate marketers and ad formats, cookie stuffing attributes lead to fraudsters who did not actually help generate them.
On a simple level, this technique works in the following ways:
- A customer visits a website that drops a third-party cookie into their browser.
- This customer makes a purchase on a website targeted by that cookie.
- The merchant checks for affiliate links to see if the customer came from one of their affiliates.
- The stuffed cookie bypasses this check, and its attributes lead to the fraudster.
- The merchant pays the fraudster for a non-existent lead.
This fraud not only provides unfair revenue to the fraudster but also affects genuine affiliates by taking money away from them, making this scheme doubly dangerous for marketers.
Ways to prevent: Fortunately, Google will end the era of third-party cookies at the end of 2024, making this fraud way harder to accomplish. Still, it is a long way off, and marketers should make use of ad fraud detection tools until then.
For smaller campaigns and businesses, a manual approach is possible as well. Monitoring abnormalities in conversion rates and personally vetoing your affiliates is a step in the right direction.
Defeating Your Enemy: General Security Measures
With so many malicious tactics, digital marketers have to constantly be on the lookout. Sure, countermeasures exist against each and every type of ad fraud, but it will quickly become near to impossible to perform dozens of checks regularly to keep your funds safe.
Fortunately, there are universal security measures that each advertiser should use before proceeding with their ad campaign.
Let’s go over the most effective methods to mitigate losses from fraud in advertising.
Ad Fraud Protection Software
The convenience and functionality of protection software can not be stressed enough. If marketers run more than one small-scale ad campaign, they should think about investing in ad fraud prevention solutions as soon as possible.
To begin with, it wipes out the most basic ad fraud schemes like pixel stuffing, ad stacking, and click spamming. All of these can be monitored and disposed of manually, but that quickly takes a toll on the valuable time of advertisers and stops them from focusing on other important things. With programmatic fraud detection, they can make sure that their campaigns are protected from the most annoying and cheap attacks.
Secondly, at the very least, protection software mitigates damage from the more sophisticated frauds; if it can’t deal with fraudsters automatically, the software will swiftly notify the advertiser about anomalies in CTR, conversions, and other statistics. This eliminates the need to monitor every minuscule change in data and lessens the burden on the marketer.
In the modern digital marketing world, ad fraud protection software is an indispensable asset that will undoubtedly pay off in the future.
Domain whitelisting
The most notorious perpetrators of ad fraud are low-quality websites that want to get as many ads on their pages as possible. To avoid having your ads affected by ad fraud, it is best to create a list of trusted domains where your ads will be safe and sound.
It protects your funds and ensures the safety of your brand’s reputation. If your ads are regularly displayed on untrustworthy websites, customers are less likely to put their trust in your company and product. By whitelisting domains, you are killing two birds with one stone.
Check Your Partners And Suppliers
Your security is only as strong as its weakest link. Even if you employ ad fraud prevention software, keep an eye out for emerging frauds, and perform exhaustive security checks, your partners’ measures may lack the same approach.
Choose your suppliers wisely, and when you do, question them regularly about their means of protection against malvertising, bots, and invalid traffic. If their platform gets infiltrated by malicious actors, your brand and funds will also be at risk; better safe than sorry.
Staying Alert Is Winning The Battle
As long as digital marketing expands, new types of ad fraud will certainly emerge. The best move here is to stay proactive; most underhanded tactics are easily overwhelmed just by the marketer being aware of their metrics and campaigns at all times.
Fortunately, there are countless tools to make that happen, from built-in firewalls and canaries to protection software and movements by media giants like Google. To come out on top with your funds secured, make use of everything the advertising world has come up with. Performing manual checks is good, but automating them is better. And if it is already done, it is time to think on a macro level and evaluate your partnerships.
As long as marketers keep constantly improving their security, fraudsters will have a hard time bypassing the ever-growing fences.
