Every fraud is an intentionally deceptive action carried out for unfair gains. In the ad tech industry, fraudsters deceiving the system to siphon ad dollars from the supply chain is called ad fraud.
For instance, showing ads to bots while the advertisers are thinking that the ads are being seen by real humans is ad fraud. But before getting into the types of ad fraud, as a publisher, you need to understand why it matters to you.
Why Should You Care?
When we observe the situation, it looks like ad fraud has nothing to do with publishers. After all, it is the advertiser who is losing money. But ad fraud is equally problematic for publishers as well.
Revenue Theft: Some ad fraud techniques like ad injection and domain spoofing can steal the revenue that you could generate from the traffic that is, in fact, coming to your site.
Deflation: By creating fake inventory, the fraudsters increase the number of available inventory in the market. As the rule of demand and supply says, the higher the supply, the lower the price. Additionally, the money that the advertisers wasted on the fraudster could have been spent on a real audience on the genuine publishers’ site. This tends to direct them to walled gardens as advertisers can see better ROI.
Blacklisting: If ad networks and demand partners (SSPs/Ad exchanges) see invalid activity (fake impressions or clicks) stemming from your site, though you aren’t involved in any fraudulent activity, your site can be blacklisted. If it is blacklisted, you wouldn’t be able to sell any of your remnant impressions at all.
Now that we have understood that ad fraud is harmful to publishers as well, let us see the types of ad fraud for a deeper understanding.
Types of Ad Fraud
Domain Spoofing happens when fraudsters represent themselves as premium publishers in the ad-buying process. The buyers believe that their ads are being delivered on premium sites, say Nytimes.com, whereas, in reality, the ads are reaching some other unknown site with lots of low-quality (or bot) traffic.
How big is domain spoofing? Financial Times once found that it is losing $1.3 million every month due to spoofed domains. News UK lost $950,000 per month.
An example of domain spoofing is the 404bot that we discussed in one of our weekly roundups. The bot takes the user to a page that impersonates the 404 pages of the publisher’s site. This page shows the 404 error accompanied by ads. In reality, the page does not belong to the publisher at all, but the user’s address bar shows the correct domain because the domain is spoofed at the browser level.
Cookie Stuffing takes place when a fraudulent third party stealthily drops cookies on a user’s browser. The cookies contain false information that the user reached the affiliate advertiser through the fraudster’s affiliate link. So when the user makes a purchase on the advertiser’s site in the future, the fraudster claims the commission for it.
An example of cookie stuffing is the case when eBay was duped with a $35 million fraud.
How to prevent cookie stuffing?
Sometimes fake ad blockers and other browser extensions work as cookie stuffers You have to educate the users about the problem as well. Ask them to remove the extension that isn’t from a trustworthy resource.
But how can you possibly know that the users have illegitimate plugins installed? Get feedback from the users about the ads and user experience randomly — Ask questions like how many ads are they [users] seeing on the page? How can we improve the ad experience? etc. If they report contradictory numbers, you’ll have a hunch to act on.
If you are using WordPress plugins, then do proper research about any plugins that you are planning to install. Malicious WordPress plugins can stuff cookies to your visitors’ browsers. If you are signing up for a new service or a partner, read the terms & conditions, data usage, etc. completely.
As the name suggests, the fraudsters inject ads into the site without the publisher’s knowledge. It is done mostly with the help of malicious adware plug-ins and apps. The injected ads can appear over the website’s existing ads or in places where there are no ads at all. The money for the impressions and clicks of the injected ads goes to the fraudster. Even behemoths like Google and Facebook are fighting with ad injection.
How big is the ad injection problem? Google says that more than 5% of its users are getting ads injected while web browsing.
Here is an example of a YouTube video downloader plug-in that injected ads on Youtube.
Image source: Adweek
How to prevent ad injection?
The preventions of ad injections are also similar to the preventions of cookie stuffing. Make necessary arrangements to deal with malicious ad blockers and use plugins carefully. As said above, you can also conduct small surveys among your users related to the user experience and ads they are seeing on the website to investigate if users are experiencing anything unusual on the site.
If you are aware of any browsers or apps that inject ads from the user’s side then block those clients from accessing your website.
Bots are nothing but computer programs that are scripted to mimic a user. Programs can be scripted to open the browser and visit websites. Since the websites see them as internet users, they are capable of generating page views, ad impressions, and even clicks on the ads. Therefore the fraudsters can create low-quality websites and serve the ads on these websites in front of the bots. Not only this but such bots can also even be targeted to genuine publishers’ websites to temper their reputation.
How big is the bot traffic problem? As we discussed at the beginning of this article, bot traffic is a major reason behind the deflating value of the inventory of genuine publishers. A report by White Ops says that 20% of all the websites on the internet have nothing but bot visitors.
Here is an example of a bot engaging with the ads on the Wall Street Journal.
How to prevent bot traffic?
Bot traffic is easy to spot. Signs like sudden surge in traffic, high bounce rate, very less session duration, etc. show the presence of bot traffic. You can also analyze heatmaps and screen recordings of sessions through tools like Hotjar to look for anomalies.
If you find such unusual traffic on your website. Create an invisible link from your homepage. Human users won’t be able to see it but bots will click on them. You can also block the link with robot.txt. Now, any bot that is reaching the linked page despite the robot.txt file is definitely a malicious bot. Start collecting the logs of all the visits on the page and start blocking the bots.
To block all the IP addresses, log in to the cPanel of your website, you will find the IP blocking tools inside the security-related tab.
Click farms work just like bots but the only difference is that the clicks are made by real humans instead of bots. Since the behavior of bots is easily recognizable, some fraudsters employ real humans to click on ads, download apps, browse websites to increase ad impressions, etc.
Publishers should be aware of click farms because there are many websites out there that offer to send traffic to your website in exchange for money. These websites offer the so-called “Adsense Safe” traffic from click farms so that publishers can make more money. But publishers should keep in mind that they make money only when the advertiser makes money. Such traffic is of no use for the advertiser therefore eventually, you will hurt your revenue in the long run.
How big is the Click Farm problem? Due to the involvement of real human users, it is very difficult to know whether a website visit is made by a genuinely interested user or a click farm user. However, a report by South China Morning Post says, “Up to 90 percent of the views of some of China’s most popular video sites are fake”.
Remember the Silicon Valley episode where lots of people were using Pied Piper from a massive hall full of computers? That was a click farm!
Forced Redirect Ads
A forced redirect occurs when a malicious ad or iframe embed is placed on the web page that the user wishes to access. This malicious ad or iframe then redirects the user to another webpage that contains further malicious code such as malware or spyware. This is commonly used in conjunction with clickjacking to trick users into giving up personal information.
Preventing Ad Frauds
There is no ‘one size fits all’ solution for ad frauds. Different ad frauds use different techniques and therefore they require different solutions. There are various ad fraud detection companies that can help publishers thwarting off the problem. Try to deal with it yourself and talk to your partners. We also have compiled a list of the best ad fraud detection companies so that you don’t have to look further.
Being cautious while working with third parties, keeping an eye on traffic anomalies, and using ads.txt, are some steps that you can take from your side as preventive measures.
The ad fraud problem is quite big. It is estimated that nearly $100 billion will be lost in ad fraud by 2023. No matter whether you are an advertiser or a publisher, you should be proactive when it comes to ad fraud. You need to remain aware that the problem exists, otherwise unawareness can cost you a lot. Have any questions? Let us know in the comments.