How to survive online

Fraud, bots and the plan to fight back

Jared Lindzon April 25, 2016

Every time Veronica Holmes launches an online marketing campaign, she has to remain vigilant, regularly scanning reports for any patterns that seem out of the ordinary or too good to be true.

Feature art by Juan Carlos Salon

“We are always monitoring the location of the users that are seeing the ads and clicking on them. We’re looking for patterns that seem unusual. Also, many advertisers track what happens after the clicks, so we immediately investigate where behaviour is not suggestive of an engaged user,” says Holmes, the general manager of Juice Mobile Canada. She’s describing the hunt for the little monsters made of code that lurk online, hiding among human web surfers, simulating ad interactions and leeching money out of advertisers without generating any potential for a sale. Hunting them down is a team effort. It takes individuals working within campaigns and analysts taking the broader view over massive amounts of data. “I think you need to be able to see both the trees and the forest in this case so you can pick out trends.”

This level of vigilance, explains Holmes, is nothing out of the ordinary. Fraud has become such a regular part of doing business in the online ad industry that marketers who have not yet spotted it are simply not looking hard enough.

“I don’t think you’re going to find someone in the ad business in Canada who hasn’t experienced fraud,” she says. “What would be terrible is if they haven’t done anything about it.”

While wasted ad dollars were considered a cost of doing business long before the internet age (when less-measured media dominated and advertisers spent blindly against big ratings), online advertising has proven a riskier medium. Online advertisers lose billions of dollars to intentional, malicious and fraudulent activity.

According to an annual study developed by White Ops in partnership with the Association of National Advertisers (ANA), global losses resulting from fraud are poised to jump from $6.3 billion in 2015 to an estimated $7.2 billion in 2016, an increase of approximately 15%. At the same time, however, digital ad spending is also poised to grow 17.2%, to nearly $160 billion, according to the Interpublic Group’s Magna Global.

“Fraud is especially high in programmatic buying,” says Bill Duggan, the group vice-president of the ANA. “Programmatic display ads had 14% more bots than the study average. Programmatic video ads had 73% more bots.”

In spite of the increase in bot traffic, there is reason to believe that advertisers are gaining ground on fraudsters in the online advertising arms race. For one thing, advancements in technology have allowed marketers to be more precise in their ad buys, and ultimately better at ensuring that their advertisements don’t land on the wrong websites, which was a prominent issue as little as three years ago.

“The advances in this business are like light speed,” says Kim Riedell, the senior vice-president of product and marketing for Digilant, a programmatic media-buying platform. “There is stuff we couldn’t do a year ago that we can do now, and there’ll be stuff in another week or two weeks that we couldn’t do a month ago.”

In the first half of 2013, Integral Ad Science found that 22% of bid requests were made on sites exhibiting suspicious activity. In its final quarterly report of 2015, however, instances of ad fraud had dropped to 10.5% in the U.S.

“It’s a big problem when you think that 10.5% of the digital media budgets for marketers worldwide represents billions of dollars,” says Ian Wallin, vice-president of sales for Integral Ad Science. “But it’s getting better, not because fraudsters aren’t trying to game the system, but there are now solutions in place, and there’s much more visibility to the end marketers than there was three years ago.”


Towards a More Transparent Future

As long as there has been an online ad market, there has been fraud. As ad dollars began moving from traditional to digital platforms in staggering quantities, it became an ever-more-alluring target for the little monsters.

“Double-digit growth for an industry will hide a lot of the blemishes,” says Mike Zaneis, the CEO of the IAB’s Trustworthy Accountability Group (TAG). The group came together in 2015 to create a self-regulated, cross-industry verification program. Though still in its infancy, it hopes to increase transparency in the advertising industry through a registration and authentication program for trusted partners. The ultimate goal, says Zaneis, is to create a new global standard across the entire supply chain.

Zaneis says the advertising industry could and should learn from the financial industry, which was a common target for fraudsters before its implementation of high-tech digital security systems. “The financial services sector made a massive investment, billions of dollars, in data security. The criminals got tired of being thwarted and looked around for the next easy mark,” he says. “Unfortunately, the digital ad industry was a very easy target. We need to be a less willing victim.

“Almost 50 companies have gone through our registration process, implementing payment IDs across the marketplace,” he says, adding that partners include a number of Fortune 500 companies. “We are fundamentally changing the industry in a number of ways. It’s exciting. It doesn’t happen very often, but it’s exciting when it does.”

Is it Time to Start Tracking Different Metrics?

One of the key reasons ad fraud persists in the digital space is that ad spending is based on non-human interactions. While impressions and clicks often result from human web browsing, they ultimately depend on machine-to-machine interactions, and thus open the door to sophisticated bots and fraudulent activity.

“I do not understand why anyone in their right mind would do a CPM campaign in 2016. It’s ludicrous,” says Samuel Scott, the director of marketing and communications for, a log management platform. “You’re almost literally flushing your money down the toilet. Instead, I would focus my budget on [cost-per-click], but even CPC campaigns have significant issues with click fraud and other types, but it’s a little bit safer.”

Scott, who regularly delivers presentations on the topic of digital ad fraud against the digital marketing industry, believes that instead of paying a fraction of a penny for an easily counterfeited digital interaction, marketers should instead tie their ad spends directly to resulting sales.

Sonia Carreno, president of IAB Canada, agrees, adding that more human-based metrics make it more difficult for fraudsters to game the system.

“As we move into cost-per-acquisition and cost-per-lead models—those more integrated KPIs that are more robust and meaningful—you get into less pressure on the clicks,” she says. “It becomes less attractive to get into the game of fraud.”

The Cost of Fraud Prevention

Even with the successful implementation of TAG and other fraud prevention tactics, Zaneis and others accept that there will always be some level of fraud in the digital marketing space. As it continues to bleed billions from the marketing industry, some have begun to question which stakeholder should be responsible for preventing and ultimately paying for losses.

“It used to be the onus of stopping fraud was on the buy-side, and now you’re starting to see that push more towards the sell-side,” says Riedell, citing the mobile programmatic online advertising platform AppNexus’ decision to cleanse its network of fraudulent users as an example. “That’s a good thing for the industry, because it becomes very expensive for the buy-side to have to pay for fraud tools and all that when the expectation is that we shouldn’t be.”

Quality control, however, is not without its price. The resulting fraud-free market will likely have less ad real estate to go around, be more tightly controlled and, ultimately, be more expensive to work in.

“The market is starting to correct itself in that way. You can’t expect to have 100% viewable traffic, 100% validity, be 100% in-target, apply all these layers of assurances without expecting to pay a higher CPM, because it’s a matter of scarcity,” says Carreno. “It’s really important for us as an industry to communicate that there is a cost correction that is happening in the marketplace as a result of this cleanup job that we’re all doing together.”


The ways in which marketers are being defrauded are constantly evolving. While the industry has gotten better at identifying and preventing fraudulent activity in recent years, a number of threats still persist.

Bot Traffic
One of the most common types of digital advertising fraud is perpetrated through automated traffic that attempts to appear human. These automated “bots” are responsible for countless fake impressions that marketers end up paying for.

While the industry has gotten better at identifying non-human web traffic, bots are becoming more sophisticated. They can now spoof cookies and other user ID information in order to appear like human traffic, adding more impressions without human eyeballs.

Publisher Fraud
Though consolidation has weeded out less-reputable players, some publishers still try to exploit marketers. “Some publishers might shrink down ad units to a one-by-one pixel size and place hundreds on a single page, so every time that page is requested, hundreds of impressions are generated, even though nobody will see those ads,” said Scott. “Another type is stacking ad units on top of each other, so whenever a bot or a human goes to a webpage, they will only see the ad on the very top, but all the ad units beneath them are still loading.”
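
As an added example (not from the article or from anyone quoted in it), the check below flags the two publisher tricks Scott describes, tiny ad units and ad units stacked beneath another, from the on-page geometry of each ad slot. The slot records, the `MIN_SIDE_PX` and `COVER_THRESHOLD` values and the function names are assumptions made for illustration.

```javascript
// Added example: audit ad-slot geometry for pixel stuffing and ad stacking.
// Slot records are constructed; in a browser they would come from
// getBoundingClientRect() plus the computed z-index of each ad container.
const MIN_SIDE_PX = 10;       // assumption: a smaller unit cannot display an ad
const COVER_THRESHOLD = 0.9;  // assumption: >= 90% covered counts as hidden

// Area in square pixels shared by two axis-aligned rectangles.
function overlapArea(a, b) {
  const w = Math.min(a.x + a.width, b.x + b.width) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.height, b.y + b.height) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Returns one finding per suspicious slot. Only cover by a single higher
// slot is detected; several slots jointly hiding one are not handled here.
function auditSlots(slots) {
  const findings = [];
  for (const slot of slots) {
    if (slot.width < MIN_SIDE_PX || slot.height < MIN_SIDE_PX) {
      findings.push({ id: slot.id, issue: "pixel-stuffed" });
      continue;
    }
    const area = slot.width * slot.height;
    const cover = slots.find(o => o !== slot && o.z > slot.z &&
      o.width >= MIN_SIDE_PX && o.height >= MIN_SIDE_PX &&
      overlapArea(slot, o) / area >= COVER_THRESHOLD);
    if (cover) findings.push({ id: slot.id, issue: "stacked-under", by: cover.id });
  }
  return findings;
}

// Constructed sample page: one visible banner with two units stacked
// beneath it, a 1x1 unit far down the page, and a normal sidebar unit.
const samplePage = [
  { id: "top-banner", x: 0, y: 0, width: 728, height: 90, z: 3 },
  { id: "hidden-1", x: 0, y: 0, width: 728, height: 90, z: 2 },
  { id: "hidden-2", x: 0, y: 0, width: 728, height: 90, z: 1 },
  { id: "px-1", x: 5, y: 900, width: 1, height: 1, z: 0 },
  { id: "sidebar", x: 800, y: 100, width: 300, height: 250, z: 0 },
];
console.log(auditSlots(samplePage));
```

Only the top banner and the sidebar come back clean; every other slot would generate an impression nobody could see.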

Click Fraud Malware
There have been a number of viruses that turn unsuspecting internet users into accomplices of click-fraud. One of the more recent examples of this type of malware is a virus called MIUREF, “a piece of malware that affected laptops and desktops with the sole intention of being a fake web user, finding high-value ads and being able to click on those,” said Mark Nunnikhoven, the vice-president of cloud research for Trend Micro, a software security provider. “Clicking on URLs or interacting with pages is becoming a generic functionality [of malware programs].” These viruses operate behind the scenes, defrauding advertisers without the users’ knowledge.

URL Spoofing
URL spoofing or masking occurs when a marketer purchases premium digital real estate only to have their ads placed elsewhere. As a result, advertisers end up paying higher fees for lower quality real estate. “You think you’re buying, let’s say,, a high quality news site. But when you actually bid for that in a programmatic way, a fraudster can bait-and-switch you over to a less desirable site,” said Wallin, of Integral Ad Science.


Fraudsters are getting more sophisticated, but so too is the marketing industry, which now provides a number of solutions to prevent digital ad fraud.

Ask the Right Questions
Marketers can protect themselves from becoming victims of fraud by asking potential partners the right questions before launching a campaign. According to the ANA’s Duggan, these include:

• What policies do you have in place to combat fraud?

• Do you buy any sourced traffic from other sites?

• If so, from whom?

Duggan also recommends being wary of ad buys that include audience extensions. “Audience extension means a publisher puts its content on another publisher’s web site. And, like sourced traffic, that can result in higher rates of fraud.”

Work Together
The greatest threat to online marketing fraudsters is transparency across the industry. The TAG program, for example, is built on the premise that having a single, top-down approach to identifying and combatting ad fraud globally is the best defence for all stakeholders.

“It needs to be a global solution, because fraudsters are working like chameleons, changing from country to country to maintain their operations,” said Carreno. “From an IAB Canada and IAB global perspective, the big takeaway is that we need to tackle it globally.”

Use Third-Party Monitoring
“Monitor all traffic with a consistent tool,” advises Duggan. “We recommend relentless monitoring to get the best value out of your ad investment. Use monitoring and bot detection to reveal the bots in retargeting campaigns, weed bots out of audience metrics, and protect higher-value inventory that may have increased fraud exposure.”

Read the Fine Print
Before signing on the dotted line, marketers should ensure that the contract’s terms and conditions include language on non-human traffic. That language should clearly state that the marketer will only pay for human impressions.

Understand the Supply Chain
Before engaging in an online ad campaign, it is important to understand the risks, especially in the programmatic supply chain. “Advertisers should ask about the role of each player in the process, know the partners of their partners, and then ask for inventory transparency to know where their programmatic advertising is running,” says Duggan. “You wouldn’t blindly run your advertising in offline media, such as television or print, without knowing the specific networks or publications that carry your advertising. Why accept anything less in programmatic buying?”

Illustrations by Juan Carlos Salon