Online Fraud and the Sneaky Places It Hides

In part one of our online advertising fraud series, we learned that advertisers waste over $6 billion a year in fraudulent advertising spend. Fraudulent accounts are abundant, and with good reasons: there are no rules, no consequences, and no regulations for their actions.

67%25 of online bot traffic is from a residential IP address

With 67% of online bot traffic originating from residential IP addresses, it’s more likely than not that you, too, have been affected by advertising fraud. In part two of this series, we’ll take a look at where we find ad fraud, and why each form of fraud is so popular with fraudsters.

Search Ad Fraud or Click Fraud (CPC)

Arguably one of the largest subsets of online advertising fraud is search ad fraud, or click fraud. It takes place when a person or bot mimics a legitimate user, generating a click without having any interest in the result of that click.

Click fraud is usually prevalent in pay per click programs, where advertisers pay for click performance, with the end goal of converting those clicks. When a bot is present, however, the clicks generally don’t convert and add no value to the advertising.

Nevertheless, these bots cost advertisers 20% of their pay per click budget each year.

This type of fraud has become particularly popular because it can infiltrate the smallest of publishers, and the largest of brands. In a recent report by the Association of National Advertisers (ANA), 52% of the traffic from premium publishers, who were previously believed to be unaffected by fraud, was found to be fraudulent. That number is often even higher for smaller publishers.

The use of a third party traffic scoring system helps mitigate the damage caused by click fraud by filtering out the fraudulent clicks. But this issue will remain abundant until all third-party systems can agree on what’s considered a “fraudulent traffic signal” and what’s not.

Impression Ad Fraud (CPM/CPV)

One of the fastest growing segments of fraud is in the display sector. Advertisers pay for these ads by the view, or by the number of impressions left with a viewer. But what if the ad is never actually viewed.

The debate on viewability stems from this issue. Can the user see your ad or video? And if so, how long must they look at it before it’s considered ‘viewed?’ While the Media Rating Council (MRC) has adopted standards for viewability, this simply established guidelines for how the fraudsters can circumvent the system. Some examples include:

How Fraudsters Beat Impression Ad Fraud - Video Fraud, Ad Retargeting, Fake Sites, Paid Impression Fraud, and Hidden Ad Impression

  • Video Fraud. Often stacked, layered, or invisible (e.g. one pixel by one pixel), it’s lucrative, with payouts often upwards of ten-times that of a banner ad.
  • Paid Impression Fraud. Advertisers pay for additional traffic to their website, but get traffic from known bots. These may go undetected without the use of a third-party traffic scoring solution.
  • Ad Retargeting. Bots replicate highly engaged user behaviors, like someone looking for a refrigerator for their home. The ad retargeting company, who’s a bot, picks up on these engaged users, and serves them retargeted refrigerator ads. They make money off the impression, which was never viewed by an actual engaged user.
  • Hidden Ad Impressions. For example, small ads can be hidden within a larger ad. Not only does the larger ad show as a viewable impression, but the smaller ad running inside it will, too.
  • Fake Sites. These sites are built for the sole purpose of serving ads and have no content that a user would actually want to see.

Domain Spoofing

In addition to duplicating the content of your site, fraudsters can also take over your URLs. With a reputable or premium brand, these URLs likely already appear on a whitelist, taking half of the battle out of the fraudsters’ hands.

By simply introducing a line of code, they’re able to make advertisers think their fake websites are worthy, reputable entities. Since premium brands are held in high regard and often appear on whitelists with ease, a larger bid generally comes along with the elite status.

Content Fraud

A website’s content helps a brand form trusting relationships with its customers. For fraudsters, it’s quite the opposite: the content opens an opportunity to capitalize on a brand’s established trust and steal their traffic.

A recent study of content fraud showed at least 1 in 5 sites are affected by site scraping. Fraudsters scrape entire sites in an effort to get advertising on their own site. Since they get paid for the advertising on their site, it benefits them to serve a site that looks legitimate to increase user engagement.

If you suspect your site has been targeted in part or in whole, there are resources available to help you have the infringing content removed (as long as it’s not considered fair use).

Cookie Stuffing or Affiliate Fraud (CPA)

A popular form of fraud with affiliates, this one goes seemingly undetected. With cookie stuffing, a user views a website and receives a third-party cookie — not from the site they viewed, but from an entirely different site. It’s been dubbed affiliate fraud since affiliates are usually paid when their cookie is associated with the user’s purchase.

Example of an affiliate purchase via a search ad

This has been popular with fraudsters simply because it takes time to really detect and capture. Even eBay had to work with the FBI to put two of its top affiliate marketers in prison in 2013. While this is an extreme case (the two earned $28 million and $7 million in commissions in just a few years) it goes to show that even the largest brands need help taking down fraud, even if they already suspect it’s happening.

Conversion or Lead Fraud (CPL)

Until 2010, online form fill-outs were believed to be foolproof and undoubtedly human. But this thought changed when Ben Edelman, a Harvard Business School professor, discovered a new form of fraud that actually resulted in real conversions. Edelman proved that fraudsters had written sophisticated software to not only fill out the forms, but to look like a genuine real customer that would spend money with advertisers. The bot could then perform ad fraud without arousing much suspicion, since sales were being made in the process.

This once robust form of fraud has been minimized substantially with the use of CAPTCHA forms, which thus far, remain difficult for non-humans to complete.

Ad Injections or Adware Fraud

Sometimes ads are injected in places where they shouldn’t be. We saw a bizarre example of this in the spring of 2014, when a Target ad was caught dead in the center of the Walmart website.

Ad injections are advertisements that get inserted into an advertiser’s site without approval from the advertiser. This often happens when a user downloads an app or browser extension that’s bundled with a software that injects unwanted ads into the user experience.

Most advertisers will vehemently disagree with this practice, as it negatively impacts their brand. Would really allow Target, their competitor, to advertise on their site?

Unlike the other forms of fraud, ad injections aren’t limited to just online advertising. AT&T has recently been accused of intercepting Wi-Fi and injecting it with ads, essentially monetizing its Wi-Fi access. This comes on the heels of Google ‘tightening-up’ its Chrome extension policy to be more narrow in how they’re used.

Ad fraud won’t go away so long as people are advertising online and users are looking for information at their fingertips. The best we can do, until there is a cohesive, industry-wide solution, is put solutions in place to help keep the fraudsters at bay.