Ad Fraud: What You Need To Know

There’s fraud for everything these days, digital advertisements included. Though ad fraud has technically been around since the existence of online advertising, momentum is picking up with the introduction of real-time bidding. 

Real-time bidding (RTB), which several website publishers choose to facilitate through an automated ad exchange or supply-side platform, refers to the sale of advertisements via a real-time auction. These auctions happen as quickly as a web page loads. Because RTB has so many components and a few holes here and there, it’s easy to sneak in and take advantage of the process. 

Ad exchanges ideally have plenty of security to prevent malicious attacks during the process, but sometimes it just doesn’t matter. A fraudster is going to find their way in. What better way than to create a fake ID? More than a fake ID—a fake audience, traffic, clicks, you name it. These scammers are good—but not so good that you can’t catch them and avoid them. 

Who Is Susceptible to Ad Fraud?

Publishers and advertisers alike are susceptible to ad fraud. While some ad fraud will target publisher web pages and ad units, others will heavily focus on messing with advertising coding and budgeting. But, no matter who the target of ad fraud is, both publishers and advertisers pay the price. 

If you have ad fraud in the form of malware or adware on your website, yeah, that’s going to mess up your webpage. In addition, it can tarnish your relationship with advertising agencies. As a web publisher, you need to take proper security measures for your site’s health and the privacy and safety of your visitors.

The Legal Status of Ad Fraud

Anything that is a malicious attack or involves stealing money should be illegal, shouldn’t it? Well, yes, but when it comes to ad fraud, the jury is half awake. Most countries don’t have laws making click fraud, which we’ll discuss later, and ad fraud illegal. The laws in place don’t address these frauds directly but rather cover informational technology or cybersecurity. This causes a lot of loopholes.

Still, if you live in the US and are at the end of a malicious attack, you could successfully engage in a legal battle against the scammer, hacker, fraudster—whatever you’d like to call them.The United States has the most successful record of settled click fraud lawsuits across the globe under the Computer Fraud and Abuse Act. Introduced in 1986, the act was the first federal action against computer hacking (which coincides with the technological advances of the stock market).

Most Common Forms of Ad Fraud

Sadly, one type of ad fraud just isn’t enough. The versatility of ad fraud is part of the reason why it happens so often. Despite the method, remember this: fraudsters are stealing your money. All fraud is bad fraud. That’s why they call it fraud. The forms we’ll cover are the most encountered forms of ad fraud you’ll find out there.

Bot Traffic

Unless you’ve been living under a digital rock, you’re probably aware of bot traffic. It’s an overarching term for any non-human traffic a website receives. It’s important to note here, despite the negative connotation, not all bots are bad. Some have pretty essential tasks, like GoogleBots. 

But for the sake of our topic, we’ll keep this to bad bots only. Specifically, the unauthorized web crawlers that makeup bot traffic. They can disrupt site analytics, view and click on ads, watch videos, and siphon money from advertising transactions. So, all that money you thought you had coming in is gone as agencies realize it was only bot traffic. Not to mention, you risk lessening the credibility of your site in the eyes of advertisers. Recent reports indicate that bot traffic makes up nearly a quarter of overall web traffic. This means you have some serious monitoring to do! 

Click Fraud

Let’s continue with another all too common type–click fraud. Click fraud is fraud committed using a bot or a click bot. Click bots do one thing (two technically): pretend to be a person and click on certain links—a lot. 

The biggest perpetrator of this form of ad fraud is web publishers themselves. Bet you didn’t see that one coming! Unfortunately, many try to scam the networks they work with for higher yield. But just because publishers try it doesn’t mean it’s successful. The reality is, you can’t beat the technology. Agencies and ad managers are aware these sorts of things happen and prepare to the fullest. Attempting to fool an ad company will only result in being removed from a network, losing ad monetization as a revenue stream, and possibly legal trouble. Be smarter than that–because they’re certainly smarter than your attempts. 

Ad Hijacking

Ad hijacking is similar to clickjacking in that a scammer takes control of the server and alters code in their favor. In this case, the scammer will access the advertisement’s code and replace it with the code for their advertisement. Although this occurs on the network side of things, you’re affected as the middleman displaying these ads. Replaced ads can have harmful or offensive content that drives away traffic. For this reason, it’s essential to work with quality ad networks and exchanges.

Domain Spoofing

Okay, this one is a bit complicated. Generally speaking, impression laundering, also known as Domain Spoofing, is when someone makes an impression—something you see on a website—seem like it appears on a site different from the one it’s actually appearing on. An advertiser will buy ads from a publisher, several of which receive hosting from a fraudulent or illicit website (ones that are difficult to monetize, despite high traffic rates). But instead of the advertiser seeing this, they only see legitimate websites. In short, the ad gets placed on the illicit website, and publishers miss out. 

Additionally, this type ropes website owners in because scammers mimic the URLs of premium publishers to trick advertisers. As a result, domain spoofing undermines the trustworthiness and reputation of publishers and devalues quality inventory.

Basic Preventative Measures

Ad fraud isn’t going anywhere, and web publishers are going to have to learn to live with it. The bots are getting smarter, so are the people behind them, and vulnerabilities in code naturally exist where hackers go searching for it. But you have options to fight back against it.

  • Don’t Purchase Traffic: Buying traffic can easily lead to an increase in bot traffic, and it’s also deceiving to networks. They will discover a scam, and you will lose any real effort you put in.
  • Signature-Based Prevention: Using a set of patterns, the signature-based measure monitors activity and determines whether or not it is suspicious. If it is suspicious, it will shut off the activity before it gets out of control.
  • Credential-Based Prevention: The credential-based method analyzes the content’s reverse crawling, tagging, and content. If something is off between the site’s requirements for impressions, it’ll consider it fraudulent activity.
  • Honeypot-Based Prevention: As mentioned in the Click Fraud section, inserting a honeypot field in the HTML can lure scammers and ultimately blow their cover.
  • Anomaly-Based Prevention: Effective for clickbots and click farm attacks, this method looks at the historical data and points out any anomalies. These anomalies, or differences, are then seen as suspicious activity.

The first two methods, signature and credential, are forms of authentications. Authentications, like captchas, require that a person or thing prove its identity—like asking it for its ID card. The difference between these and a prevention method like looking for anomalies is that the signature-based method uses a preprogrammed list of compromise indicators (IOCs). This list includes known malicious IP addresses. Anomalies look at behavior and require that you establish a baseline of what is “normal” web operation. The honeypot method covers any vulnerabilities in code and is a bit more aggressive.

By using all of these methods, you place a security guard at every door, so to speak. The more you can protect yourself with different measures, the better off you’ll be at preventing an attack on your web page and bids.

Uh Oh, I Have Ad Fraud!

If you discover ad fraud on your website, block the fraudulent IP address and make sure your security and firewall are up-to-date. Depending on the type of ad fraud you’re experiencing, you may need to find professional help to clear out any malware or adware installed on your computer.

The Bottom Line

Ad fraud can really disrupt the success of your web page. Outside of the four basic ways you can prevent it, keep in mind that you should only use trusted, high-quality ad networks and sources. Add filters to your HTML to fill in any holes. Consider using ad fraud detection software. Keep an eye out for changes in data, campaign numbers, and visitors’ IP addresses.

And finally, above all, you should be looking to your ad platform or provider. If they work with out-of-date servers and subpar tech, you’re likely to become an ad fraud statistic. At Newor Media, we have a solid frontline of security companies and tech to prevent ad fraud. We only work with premium networks that can meet such a standard, meaning no malvertising or redirects on your end. When a suspicion or problem does arise, our account reps work to resolve any issues quickly.

Mimi Leonard

Senior Account Manager, Publisher Development: Newor Media

Mimi is a data, SaaS and digital media expert with over 15 years of experience in Ad Tech. She works with our Publishers to grow revenue using data insights to optimize revenue.