A Beginner’s Guide to Advertising Fraud.

Imagine that you are a business that has just set aside millions of dollars for a digital advertising campaign. You love the ideas presented by the creative agency, the media plan is set and good to go and funds have been released. Now the campaign is running and you are starting to get hits and likes. You are starting to record impressions and you are elated. Suddenly you realise, quite a large percentage of those impressions are not real. They are bots. This is referred to as AdFraud.

AdFraud can be described as any activity that deliberately prevents the delivery of advertising assets to the intended audience at the right place usually with the aim of generating illicit revenue. Ad fraud occurs between 0.4% — 11% depending on the level of campaign optimization and its damage is predicted to be worth $26 billion in 2020 and over $30 billion by 2022, says a 2019 report by Cheq, a cybersecurity firm.

Advertisers spend so many hours developing media plans in the hope of buying genuine impressions only to realise their campaigns are racking up impressions which are being served to bots and not the intended human audience. Yes, it’s a waste of time and financial resources — sadly this can affect the quality of future plans made by oblivious advertisers.

According to a survey by IAS, 42.8% of all respondents agreed that ad fraud will continue to be the main priority. Advertising fraud (Ad fraud) has been a pain in the back for the advertising community over the years.

It, however, doesn’t look like it’s going to end soon especially because the perpetrators devise new means to trick the system every day and partly because there isn’t any significant legal consequence for the hackers in so many countries in the world relative to other cybercrimes. This makes this a lucrative criminal activity with low risk!

As digital ad technology presents marketers with numerous opportunities, the industry becomes very susceptible to fraudulent activities especially as brands and marketers begin to spend a larger chunk of their marketing budget on digital channels. E-marketer predicted that the digital ad spend will hit more than half a trillion dollars by 2023.

Ad fraud, which started with simple fake impressions, has proliferated through sophisticated technology and sometimes strategic partnership to include fake clicks, video views, conversions and even app download.

There are different categories of ad fraud mostly depending on the mechanism employed to manipulate campaign delivery and performance. To follow an approach by Xingquan Zhu and Co in their book, Fraud Prevention in Online Digital Advertising, one can categorize ad fraud based on the intent i.e whether fraud is used to target Ad placements, Ad traffic, or Ad user actions.

Ad Placement Fraud.

This is commonly found in mobile apps. The main objective of this type of fraud is to place advertisers ads on websites or mobile devices where they aren’t meant to appear in order to increase the number of clicks or impressions served. This is done by directly manipulating the content on such publishers’ platforms. Some of the methods used to implement this type of fraud include;

Stacking / Stuffing: Stuffing is used to describe the delivery of contents that are not visible to the human eyes but are however recorded by an ad server either by setting the visibility of the content to none of by showing the banner in a single 1*1 pixel frame. This can include keywords or pixel stuffing. Stacking on the other hand places ad banners on top of each other in single ad placement, meaning only the topmost content is visible — Advertisers thus pay for ads that are not visible on the website.

Fake Website/ Spoofing: Fraudsters sometimes create fake websites with irrelevant or stolen content to serve as an advertising hub. They realise revenue by being part of ad networks or exchanges that serve ads on such websites. They sometimes create websites that impersonate a reputable domain and serve low-quality impressions to deceive traffic as premium — This is known as website spoofing.

Location spoofing and app-name spoofing are other common forms of mobile fraud.

Another method used here is Ad injections which directly manipulate web browsers to replace the ad on the webpage or introduce an ad where none existed. This is usually aided by malicious apps or plugins that users might have unknowingly downloaded.

Traffic Fraud

This is the most common type of ad fraud because advertisers spend a lot on brand campaigns which reward publishers based on the number of views on their advertising banner. Traffic fraud can either be an Impression Fraud that directs fake traffics to a web page or Click Fraud which generates fake or irrelevant clicks on your marketing campaigns. This type of fraud can be implemented using two approaches;

Bots- This is the first thing that comes to mind in advertising fraud parlance. Automated computer programmes known as ro’bot’ are used to carry out different types of ad fraud from impression fraud, to click, to video views and conversion fraud. Even when not all bots are undesirable such as search engine bots that index content for search engines, bots have been used in unethical ways to carry out malicious activities.

Attacks by bots can be orchestrated by a single bot or a more sophisticated league of bots distributed as bot-nets. Unsuspecting users who have installed software from unverified sources or have opened malicious links are the major carriers of bots (being part of bot-nets) that receive commands from a central server. The bots, therefore, access websites that buy traffic in the background without the user's knowledge. Some common botnets according to IAS include Poweliks, Proxy8 and Avireen.

Click Farm — Contrary to bot activities that are initiated by computer programmes, click farm, on the other hand, are actions initiated by human beings with fraudulent intent. In this case, the fraudsters hire people to visit a particular website to increase the number of impressions the ads receive or in other cases click an ad repeatedly to increase the number of clicks coming from the website and subsequently increase their revenue. This is particularly common in regions where labour is cheap.

Action Fraud

While some campaigns are mainly for creating brand awareness and reward publishers on CPM terms, there are other campaigns whose main goal is to drive conversion for a business. A conversion is said to occur when a user takes a specific action on a website — usually, a purchase for a retail website, simple activities such as app install, newsletter subscription, form completion, file download can also count as a conversion. In this type of ad, advertisers often pay and publishers get rewarded only when a conversion happens. Fraudsters thus attempt to falsify conversion, fake attribution or make false claims to conversions in order to generate revenue.

Conversion fraud can be carried out by Lead bots designed to take a specific action on a website such as clicking a link to download a pdf file or by human labourers hired to complete a more complicated conversion action; Lead Farm.

Device Farm is a common type of ad fraud popularly associated with mobile app install, this technique involves the use of multiple mobile devices to install apps from the app store. The phone ID is then reset to enable them to repeat the cycle limited time — this is particularly bad as it gives a false cue about a bad product to the designer.

Cookies stuffing is also another common method of implementing ad fraud for CPA based campaigns. Cookies are generally lines of cooking attached to a web browser once you visit a website, they are often used for tracking and attribution purposes. Fraudsters can, however, stuff the user browser with cookies that disrupt the attribution system and allow them to inappropriately claim the reward for an organic or paid conversion from an infected browser.

While this article is primarily aimed at giving a basic understanding of advertising fraud to the reader, it is imperative to address the ways advertisers can prevent a bunch of their budget going to fraudsters. In order to prevent/detect ad fraud, advertisers are generally advised to:

1. Engage 3rd party verification such ad MOAT, IAS and DoubleVerify
2. Blacklist identified fraudulent website — An investigation through your reporting dashboard should reveal this
3. Whitelist websites where you want your ads to appear
4. Embrace Private Marketplace
5. Use only trusted DSP — You can establish this by asking pertinent questions such as If they have Pre-bid options and post-bid reporting if they can use only the Ads.txt file

Have you experienced adfraud first-hand? share your experience in the comment section.

Please give this article a clap if you enjoyed reading it so it can be beneficial to more people like you.

References

IAS (the drum ad fraud whitepaper)

Fraud Prevention in Online Digital Advertising — Springer International Pub

Fraud Prevention in Online Digital Advertising — Xingquan Zhu and Co