Winning the race against ad fraud

Businesses must treat ad fraud as another cyber threat, taking a risk management approach to the problem


Ad fraud is big business for criminals – and a growing problem for companies. 

Fraudsters adopt a range of scams (see below) aimed at cheating advertisers of their money, from selling ads on fake websites to concealing the true origins of “clicks”. According to Forbes, the average perpetrator makes anywhere from $5 million to $20 million a year, though it notes that “ad fraud costs are all over the map”. 

The cost isn’t just felt in the ad budget; loss of revenue can occur all along the chain.

“If $100,000 worth of ads is unseen, that could mean an overall loss in revenue of $1 million,” says Dr Roberto Cavazos, executive in residence in the Department of Information Systems and Decision Science at the University of Baltimore. Every dollar lost is potentially a multiple in lost sales, he says. 

“It even affects economic stability.”

If the impact of ad fraud is difficult to estimate, imagine how hard it is to track and stop. According to Cavazos, we’re in a race between the criminals and the companies developing solutions against the threat, with the danger always evolving. Indeed, it’s hard to know which form of ad fraud is most concerning, he says, with the answer depending on an advertiser’s particular activities, among other factors. 

Tina Lakhani, head of ad tech at trade body the Internet Advertising Bureau (IAB) UK, agrees. She says there is a range of technologies available to help monitor and mitigate fraud. The challenge is “evaluating different technologies out there, knowing which ones to work with and where to start”.

The IAB has been creating industry standards for such technologies, along with bodies like the Trustworthy Accountability Group (TAG), helping assure buyers that their security providers have been independently audited.

Cavazos thinks there’s potential to include internet fraud within international agreements in digital security. However, it may be some time before the structure of the online ad industry evolves to be able to mount a stronger defence against the fraudsters, he says. 

To determine the appropriate solution for a particular company, Lakhani encourages marketing and technology leaders to talk to their vendors. “You have to take an informed view, so ask them direct questions about how they protect against specific areas. Collaborate with them to understand how their technologies work, what their methodologies are. They may be able to teach you about fraud tactics you hadn’t even been looking out for.” 

Technological solutions aren’t an option for everyone, Cavazos notes, particularly small to medium-sized businesses or perhaps companies in developing nations. However, Lakhani stresses that many fraud mitigation vendors’ business models are based on a percentage of overall ad spend, rather than a flat fee or the number of frauds they attempt to detect. Still, she acknowledges a degree of frustration from companies who see fraud detection investments as a kind of “tech tax” or “leaky bucket”.

Companies’ efforts to defend against online fraud should be viewed as a form of cybersecurity, Cavazos says. 

“Everyone imagines that’s someone in a hoodie trying to undermine the treasury. But what happens is a company spending a million dollars is [actually] getting $750,000,” while also taking a hit to brand recognition, potential sales and more, Cavazos says. 

Such solutions are important from a reputational perspective, Lakhani says, adding value in areas of concern for advertisers, such as verifying environments and the content ads appear against. 

“These are all important considerations, especially if you’re making a substantial investment in online advertising.”

Here are five key types of ad fraud tactic:

1. Domain spoofing

Estimated by anti-fraud company Anura to potentially cost advertisers $1 million a year, domain spoofing is when companies – and the ad tech or agencies they rely on – believe they are advertising on a legitimate website, when it’s actually fake or linked to a less favourable website. The fraudsters create a plausible URL to attract advertisers who would probably never choose to advertise with them, either because of small or non-target audiences or inappropriate content. At best it drains budget; at worst it aligns your brand with criminality or terrorism.

2. Ad stacking

Particularly common on mobile, ad stacking is a simple but effective way for fraudsters to boost their coffers. The consumer sees a single ad that they may click on. But beneath that ad can be many more; although unseen by the end user, they each trigger a charge. The ads have loaded correctly, and appear to have been clicked, skewing the advertiser’s cost per click or “cost per mille”, the amount the company pays per 1,000 views of the ad. These costs are only justified if a certain number of potential customers go on to buy. But of course, those who have never seen the ad won’t purchase, leaving the companies wondering why so many people are clicking but no-one is buying.

3. Ad click and bot fraud

This doubles down on the sort of fraud seen in domain spoofing, where advertisers mistakenly believe their ads are on a genuine site. By adding click fraud to the mix, scammers can increase their revenues further. Click fraud uses either low-paid humans in a “click farm” or bots to generate huge amounts of clicks on ads, which all use up ad budget that goes to the fraudster.

4. Click injection

More nefarious still, this attack sees cybercriminals put malware on users’ devices via downloads of “junk” apps (an example could be apps created for a single fad, such as face changer apps), which are cheap and easy to create. The malware generates clicks on ads (which could be run on platforms such as Facebook Network, for example), inflating spend and creating revenue for the developers. One company investigated two such junk apps that had generated 3,061 requests for an ad and 169 successful clicks on a mobile while it was in sleep mode for 24 hours.

5. Geo masking

The world wide web is just that – worldwide. But companies might not want to sell to some countries for any number of reasons: shipping costs, for example, or appropriateness of product. Companies only want to pay for high-quality leads in countries they serve, so clicks from those countries usually come at a premium price. Geo masking hides the origin of clicks, making it look like they all come from a premium location, inflating the overall cost of ads without delivering serviceable customers.
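
As an added illustration of the ad stacking tactic described in item 2 (not code from this article or from any vendor it mentions), the sketch below flags billed impressions that were rendered almost entirely underneath another ad in the same page view. The record layout, field names and the 90% coverage threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Impression:
    page_view: str  # one page or app screen load (hypothetical field)
    ad_id: str
    x: int          # rendered box, in pixels
    y: int
    w: int
    h: int
    z: int          # stacking order, higher is on top
    billed: bool

def covered_fraction(lower, upper):
    """Share of lower's area hidden behind upper (0.0 to 1.0)."""
    ox = max(0, min(lower.x + lower.w, upper.x + upper.w) - max(lower.x, upper.x))
    oy = max(0, min(lower.y + lower.h, upper.y + upper.h) - max(lower.y, upper.y))
    area = lower.w * lower.h
    return (ox * oy) / area if area else 1.0

def find_stacked(impressions, threshold=0.9):
    """Return {page_view: [ad_ids billed while hidden under another ad]}."""
    by_view = defaultdict(list)
    for imp in impressions:
        by_view[imp.page_view].append(imp)
    flagged = {}
    for view, imps in by_view.items():
        hidden = [
            low.ad_id for low in imps
            if low.billed and any(
                up.z > low.z and covered_fraction(low, up) >= threshold
                for up in imps if up is not low)
        ]
        if hidden:
            flagged[view] = sorted(hidden)
    return flagged

# Constructed sample: pv-1 is a stack of three, pv-2 is a normal layout,
# pv-3 has a partial overlap that stays below the threshold.
SAMPLE = [
    Impression("pv-1", "ad-top", 0, 0, 300, 250, 5, True),
    Impression("pv-1", "ad-under-1", 0, 0, 300, 250, 4, True),
    Impression("pv-1", "ad-under-2", 0, 0, 300, 250, 3, True),
    Impression("pv-2", "ad-banner", 0, 0, 728, 90, 1, True),
    Impression("pv-2", "ad-side", 800, 0, 300, 250, 1, True),
    Impression("pv-3", "ad-a", 0, 0, 300, 250, 2, True),
    Impression("pv-3", "ad-b", 150, 0, 300, 250, 1, True),
]
```

Comparing the flagged impressions against the invoice shows how much of the billed volume no user could have seen, which is the kind of direct question Lakhani suggests putting to a vendor.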