Ad fraud is a type of crime in which thieves use computer technology to steal money from businesses. The businesses think they are buying advertising, but they are actually buying nothing.
Ad fraud is found mainly in online advertising (display ads and online video ads) but in recent years has become a growing problem in web-delivered TV (also known as Connected TV or CTV) advertising. A study by DoubleVerify reported that in 2021, fraud schemes in CTV surged by 70%.
The reason ad fraud has become pervasive is twofold. First, to a large degree advertisers no longer buy advertising directly from the people who run the advertising. And second, the system by which they buy advertising is largely incomprehensible.
One of the key attributes of online advertising that makes it uniquely susceptible to fraud is, in the words of the CEO of the Association of National Advertisers, its “mind-numbing complexity.” In fact, it is so complex it is indecipherable to almost everyone who participates in the system.
When we are talking about ad fraud we are not generally talking about fraud that is perpetrated on the public. We are talking about fraud that is going on within the advertising industry. In other words, an advertiser—let’s say Coca-Cola—is paying $100 to buy advertising but is only getting $50 worth of advertising because $50 is being scraped by middlemen, fraudsters, and others as the ad moves through many hands on its way from Coke to a website. As we will see, it is likely that most programmatic advertisers get far less than 50¢ in value from $1 spent.
I am not going to attempt to explain all the different types of fraud that exist because you have to be a computer scientist or software engineer to understand the terminology and activities that sit under the hood of online advertising to understand how some fraud types work. Let's just acknowledge that there are dozens of types of fraud. Here are brief descriptions of a few of them:
Domain Spoofing: Fraudsters attract ad dollars by creating websites that look identical to high-quality websites.
Cookie Stuffing: No, it’s not the white cream in an Oreo. Crooks drop cookies all over the place. When someone who’s had a cookie dropped on them goes to an affiliate website, the cookie dropper gets paid, for nothing.
Click Injection: Fraudsters trick you into installing malware on your computer. The malware goes all over the web clicking on things. Every time it clicks somewhere, someone gets paid.
Pixel Stuffing: It’s not a tiny Thanksgiving side dish. A crook builds invisible one pixel “ads”, spreads hundreds of them (or more) on a web page, the advertiser pays for all of them. Ad Stacking: Just like pixel stuffing, except the fraudster stacks ads one
on top of another. They can’t be seen, but the advertiser still pays.
Ad Injection: A fraudster substitutes his own ad for your ad but you
pay anyway.
Click Farms: Criminals program hundreds or thousands of computers
to do nothing but click on ads 24 hours a day for unscrupulous web “publishers.” Sometimes click farms use real people to sit and click all day, every day.
Click Hijacking: Fraudsters use malware to redirect clicks in an endless loop.
The way fraudsters take advantage of the vulnerability of the system is primarily by creating fake websites, fake audiences, and fake clicks. Criminals use software strings, called bots, to produce fake audiences, fake websites and fake clicks. In a report from web security company Barracuda Networks early in the 2020's there was more traffic on the web from malignant bots than there was from human beings.
One important fact to understand is that bots can be created out of thin air. This means that fake audiences, and fake clicks can be created out of nothing by someone sitting at a keyboard.
Exploiting the programmatic advertising system is remarkably simple. You can become a successful ad fraudster with almost no technical know-how. And if you have technical know-how, the sky’s the limit. According to Hewlett Packard Enterprises, ad fraud has both the highest potential for profitability and the lowest barrier to entry. This is a very bad combination.
In May of 2020 a reporter for CNBC set out to see how easy it is to become a card-carrying ad fraudster and attract paid advertising to a fully plagiarized website. With no particular tech skills she was able to scrape content from websites, plug the plagiarized content into an off-the-shelf website she found, get approved by ad networks, and attract legitimate advertisers like Kohl’s, Wayfair, and Overstock. If someone with no technical training can become a functioning fraudster in a couple of days, imagine what the sophisticated tech monsters are doing.
Of course there are companies that sell “security” against ad fraud by claiming to be able to identify fraudulent activity. The problem is, these protections are marginally useful. The bad guys always seem to be three steps ahead of the good guys. One researcher who wanted to test the efficacy of fraud detection software directed 100% fake traffic that he had created to a website he also created. Then he hired one of the leading fraud detection companies to give him a report on his traffic. They reported that 83% of the traffic was legitimate.
Later on you will read how billions of ad bids went to the wrong places without fraud detection companies noticing a thing.