5 Common Types of Ad Fraud

by Matt Gillis, on May 26, 2020 10:45:00 AM

Ad fraud is a growing problem, with some estimates showing it could cost advertisers as much as $100 billion by 2023.1


However, ad fraud isn’t just one thing: it comprises a wide variety of activities that are perpetrated by bad actors to steal revenues from legitimate businesses. And these activities are constantly evolving and growing more sophisticated in an attempt to circumvent detection.

The impact of ad fraud isn’t limited to diverting revenue from legitimate businesses, however. Ad fraud can interrupt the user experience, leading to lost opportunities to communicate with customers. Customers with a bad user experience may either choose not to reengage with your brand or spread the word (often via social media) that your site is unsafe – leading to an erosion of brand reputation that can be difficult to recover from.

Gaining a better understanding of the types of ad fraud, and the ways that digital advertising can be exploited for profit can help a company to create a strategy and find the correct tools to detect and prevent it.

Learn more about what is malvertising and how to protect your business.

Common Types of Ad Fraud

1. Bots

A bot is a segment of computer code that performs an automatic action on a website, mimicking human behavior. Bots include click bots, which are programmed to generate revenue by clicking on ads or links on a website. Businesses are charged for each click that is generated, without knowing that the clicks were from bots rather than potential customers. Advertising spend is wasted, and data analytics are skewed.

When bots are distributed across a number of devices that have been compromised with bots and related malware, it is called a botnet. According to recent estimates2, over 75% of ad fraud comes from botnets, using residential IP addresses, and imitating user behaviors. The advantage of botnets is twofold. Accessing residential IP addresses masks the fact that traffic is non-human, making them difficult to detect and track.

The impact of bots can be enormous: for example, a single botnet attack by a group known as 3ve3 infected 1.7 million computers, counterfeited over 10,000 websites, and generated billions of fake ad sales requests per day.

2. Ad Stacking

Ad stacking is an ad fraud technique where ads are layered on top of one another. Only the top ad is visible – but if a user clicks on the top ad, the click is registered for all the ads in the stack. This is similar to click bots, in that businesses are fraudulently charged for an ad click. But in this case, the clicks are generated by an actual person – just not a person that has viewed the ad in question.

Approximately 27% of wasted ad spend is the result of click spam and ad stacking: totaling approximately $7 billion per year, according to some estimates.4 Like bots and botnets, ad stacking diverts ad revenues and skews data, which can lead to poor decision-making and even more wasted resources.

3. Domain Spoofing

With domain spoofing ad fraud, bad actors create a low-quality version of a high-quality website. On the surface, the site appears to be a reputable website; but in reality, ads are being displayed on a substandard site; diverting ad revenue from the actual site as well as delivering malware to users.

In 2016, the Methbot domain spoofing attack generated more than $30 million for fraudsters who were imitating premium websites.5 According to the Federal Trade Commission, 94% of companies currently in operation are victims of domain spoofing in one form or another.

Related Article: Decoding the malicious behavior of bad actors in malvertising

4. Click Farms

A click farm is a form of ad fraud where a large number of people are paid to click on ads, interact with a website, even sign up for newsletters before moving on to the next site. Click farms are used to manipulate algorithms, promote products, and divert ad revenues.

Fraudulent clicks can be used to manipulate website clicks, inflating the value of ad space on the site; or they can be used to drain a competitor’s ad budget with useless PPC activity. Because click farm fraud is actually completed by humans, it can be more difficult to detect than a bot or malware.

5. Ad Injection

Ad injection involves inserting ads to a publisher’s web page without permission. These ads either divert authentic ad traffic and revenues or install malware on the user’s device. Research from Google6 found that 75% of Chrome extensions were injecting ads and malware and that multiple browsers (Chrome, Firefox, Safari, Internet Explorer) were all unknowingly facilitating ad injection.

Moreover, Google found that ad injectors negatively impact users: their experience on the website, their privacy, and the security of their data. Not only does ad injection attempt to redirect users to a different website, but it can also be used to monitor a user’s browser activities and report those activities for targeted advertising and segmentation.

Protecting Businesses Against Ad Fraud

Ad fraud is big business, generating millions of dollars for bad actors in the advertising ecosystem. Many companies attempt to detect and prevent fraud with home-grown, manual solutions: but these are neither effective nor scalable. As ad fraud grows more prevalent and more sophisticated, companies must look to effective, adaptive, scalable detection and prevention solutions.

Get the eBook: Choosing A Future-Proofed Anti-Malvertising Solution

Ad Fraud Prevention with Behavioral Analysis

Rather than taking a reactive approach to ad fraud prevention, anti-malvertising solutions that analyze the behavior of the ads can determine if they exhibit characteristics of malicious ads.

clean.io is an anti-malvertising solution that analyzes JavaScript on web pages in real-time, looking for specific behaviors that are deemed nefarious to stop bad actors from executing, while allowing each auction to complete and each ad to render correctly.

In doing so, bad actors end up paying for ads that gain no engagement because the malicious JavaScript does not execute. This makes malvertising unprofitable for the bad actor, discouraging them from targeting your business.

Whether your site or app is actively being attacked by ad fraud or you want to have a solution in place for preventative measures, clean.io’s exceptionally easy-to-implement anti-malvertising platform is available to protect digital advertising revenue and visitor user experiences.

Try clean.io free for 14-days to see why major publishers trust our platform as the simplest, smartest, and most effective anti-malvertising solution available.

New call-to-action


Topics:Ad Fraud 101

Our blog

Where businesses come to learn more about protecting the points of digital engagement with their customers, audiences and users.

Subscribe to Updates