What is Digital Ad Fraud in online advertising and how to identify it

What is Digital Ad Fraud in online advertising and how to identify it?

"Ad Fraud", is an advertising scam. It is an ad impression that, by design, does not bring any added value to the advertiser and has one main goal – to defraud the advertising budget.

Frauds have been present in digital advertising since the 1990s and have become more and more advanced with the development of technology. They can be made both manually and automatically. Scam automation involves the use of bots, or technology programmed to perform a specific action. E.g. "search for a 300×250 element and make a click" or "fill out an online form with a specific string".

In 2014, Mercedes fell victim to a scam in which as much as 57% of one campaign was broadcast to bots. In 2016, White Ops, a company dedicated to protecting the digital advertising space, uncovered scams using "MethBot". They were bots imitating user behavior – they watched and even clicked on advertising videos. It is estimated that the "MethBot" was earning between $3 million and $5 million per day. In 2017, AdForm detected a similar phishing scam based on "domain spoofing" called "HyphBot". In 2018, Google and White Ops, in cooperation with the FBI, unmasked the biggest ad fraud in history to date. A system of related entities "3ve" defrauded advertisers of more than $29 million. Bot fraud can be detected by paying attention to anomalies in the form of unnaturally high ratios or repeated patterns. For example, bots will perform a click at one specific point in the ad format (e.g. upper right corner), while users will perform clicks randomly.

The most common and spectacular types of advertising fraud:

1. Domain spoofing

"Domain Spoofing" scams are quite advanced and also difficult to detect. "Spoofing" in direct translation means stretching or impersonation. It involves impersonating fictitious sites with the domains of premium publishers.

The first type of "Domain Spoofing" involves accidentally installing malware on users' computers. The software applies ads to websites that the user is browsing at the time. The scammer offers on the bidding advertising space of a site that looks like a premium site by substituting in the bid request the declared address of the site. The prices offered on ad exchanges (Ad Exchange) are competitive and look like a super deal. Ultimately, however, the budgets go to the scammers, bypassing the real publisher.

The second variation of "Domain Spoofing" involves modifying codes in tags that identify the domain viewed by the user. Scammers remove the tag code and replace it with their own code, which allows impersonation of any premium site of choice.

IAB fighting this practice has introduced standards – "Ads txt" and Ads.cert (with RTB protocol 3.0), which is designed to limit such scams. There are still ad exchanges (Ad Exchange) in the programmatic market that allow publishers, which do not implement the standard "Ads txt" and Ads.cert.

2. Ad injection

Perpetrators of such scams offer users an "extra plugin". Usually a browser toolbar or browser extension. However, there is software in the toolbar or in the extension that uploads its own ads to unsuspecting sites. Ads do not bring revenue to the site itself, but to the software developer. Such a practice causes pages to load much slower, and the ads can potentially damage both the advertiser's and publisher's reputation.

"Malware" works in a similar way to bots, only that in this case the malware opens a „pop-under” window, visible to the user as long as the user does not close it. Of course, the malware runs in the background, without the user's knowledge. For the most part, the ads are well hidden and the volume of the video sound is automatically turned down to zero. To avoid arousing suspicion, the rest of the computer sounds for other programs remain the same. Even after users restart their computers, the adware can automatically play ads, even if the user has not reopened the site or application.

In this case, fraudsters hack into the content management system of a particular publisher (CMS e.g. WordPress, Joomla etc.) and create their own sites based on them. They then place these sites on ad exchanges (Ad Exchange) with a code that defines the premium publisher. Advertiser buying such space pays scammers instead of the publisher of his choice.

4. External traffic

Sometimes publishers dishonestly generate more traffic to their sites. Most often, this happens in order to achieve a certain number of ad impressions or to increase the site's reach. To complete the order, publishers buy traffic from sites they think are similar to theirs. The risk is that third-party sites may have a high fraud rate – usually generated through bots or broadcast advertising to a completely different target audience than assumed.

5. Hidden page views

This method of performing "fraud" involves placing many small ad slots, usually 1×1 px in size, on a single web page and displaying ads in spaces that are not visible to the user. Another option is to stack multiple layers of ads (one on top of the other), of which only one ad is visible. Others are hidden from user attention.

6. Fake sites

Fraudsters create sites with only advertising slots. Such sites do not contain any content, so they are not intentionally visited by users. The page views of such sites, and thus the ads that appear on them, are generated by bots or artificially or accidentally redirected users. One page view will equal dozens of views of different creatives, often from the same advertiser. Such single sites, usually do not generate a lot of traffic (to avoid arousing suspicion), but the scam involves the creation of a network of many fake sites sold at the same time on various advertising exchanges (Ad Exchange), which can already generate considerable amounts of money.

7. Keywords

Targeting online ads can use keywords. Scammers choose the most expensive and popular keywords. They then create their own websites and populate them with content taking into account these keywords, the so-called "new cookies". "keyword stuffing". The whole process is automated, so that pages are generated at a very fast pace. Marketers choose specific keywords to buy ad space on fake sites, and scammers' bots additionally click on ads in an effort to avoid arousing suspicion.

8. Data for remarketing

Bots can be programmed to mimic different types of users (e.g. users working in a particular industry or actively searching for a particular product). The bot visits relevant websites and behaves as the user would. Spends time on articles, clicks on links, returns to specific pages, but does not make an action e.g. purchase. Such actions create potentially very valuable cookies. When a remarketing campaign is launched on such "users," the marketer hopes to close the sale, which doesn't happen, however, because on the other side are bots. Nevertheless, the company selling data in the form of fake "cookies" realizes profits.


In addition to scams in which forms are filled out manually with random data or people filling out the form are incentivized with a "reward" for filling it out, scammers are increasingly using bots. Forms can be filled on a massive scale with a specific string of characters. Bots can also perform more advanced actions – e.g. install and open the application.

10. Cookie Stuffing (or otherwise Cookie Dropping)

Affiliate networks recruit publishers who will bring about the desired action through users of their sites. This could be the already mentioned filling out an application download form or making a sale. The cookie stuffing procedure involves artificially stuffing cookies into users' browsers. The new files replace all other cookies in the browser of a given computer, and if a given user makes a purchase, the scammer comes forward to claim the commission they have not earned. The last such case on the Polish market was detected in October 2018.

The examples of Internet fraud described above touch on only a portion of today's most popular ways for "fraudsters" to fraudulently generate profits.

What can be done to guard against problems?

First of all, you should focus on data analysis and campaign performance monitoring. Vigilance should be aroused if anomalies appear in the reports, media ratios are "too" optimistic or certain patterns are noticed (e.g. relating to depth of visit or bounce rate). It is then worth checking where the suspicious traffic comes from, how it is distributed over time, which formats are the most "clickable" and what happens to the redirected traffic on websites.

It is very important to work with trusted partners who make sure to use proven Ad Exchange and buy selected advertising space when running advertising campaigns. Careful checking of the purchased space, and shortening the chain of suppliers of advertising space, should be the basis of the work of good Trading Desks.

Standards introduced by IAB (ads.txt, ads.cert) should be strictly adhered to. It is also worth noting whether the entities with which we cooperate have signed the Code of Good Practices for Programmatic Advertising.

It is also a good practice for Trading Desks to create and complete "black lists" on an ongoing basis and to work closely with Traders, Analysts or Traffic. It is also important to pay attention to the coding of the web pages and creation sets you have, which will allow you to properly infer and detect potential anomalies. It is also good practice to use available technology that uses a set of algorithms to detect potential frauds. We can use the technology embedded in DSP systems or use the solutions of the so called "DSP". 3rd party providers (e.g. MOAT, IAS, Comscore, Meetrics or DoubleVerify).

Krzysztof Dumbal, Programmatic & Digital Investment Director, Havas Media Group

About This Site

This may be a good place to introduce yourself and your site or include some credits.

Find Us

123 Main Street
New York, NY 10001

Monday–Friday: 9:00AM–5:00PM
Saturday & Sunday: 11:00AM–3:00PM