Like any sphere in which large sums of money are moved, the world of online advertising is an attractive one to fraudsters. Indeed, the impersonal nature of the transactions, a complex and often-opaque supply chain, and a reliance on easily-fiddled metrics mean that ad fraud is one of the biggest challenges facing advertisers, publishers, and ad-tech enterprises alike today.
One of the most difficult challenges around digital ad fraud is that no one really knows exactly how big a problem it is, with estimates ranging from high…to higher…to stratospheric.
Ignore it at your peril. Or at least the cost of a significant chunk of your advertising budget.
What is ad fraud? In what contexts does it primarily occur? and what is the cost of digital ad fraud to businesses estimated to be? Read on to find out the answers to these questions, and see many more ad fraud statistics.
Table of contents
Key ad fraud statistics
- The total cost of ad fraud is debated: TrafficGuard/Juniper set it at $34 billion, predicting it will increase to $87 billion by 2022; most of this will be lost in the APAC region, with the current $19 billion set to rise to $56 billion
- The WFA predict ad fraud will become the biggest market for organised crime by 2025, worth $50 billion
- On the other hand, White Ops Inc. And the Assocation of National Advertisers state that only $6.5 billion was lost to ad fraud in 2017, down from $7.2 billion in 2016
- 21.3% of iOS app and 26.9% of Android app installs are fraudulent, according to Interceptd
- 28% of web traffic comes from non-human actors, says Adobe (thus setting the overall cost of ad fraud at $66 billion according to one commentator)
- Interceptd stats show that in Q4 2018, device farms accounted for 25% of ad fraud, incent abuse for 20%, bots/emulators for 18%, SDK spoofing for 13%, click spamming for 9%, click injection for 8%, and other sources for 7%;
- MarTech Advisor peg levels for the same quarter at 57% click injection, 24% click spam, 11% SDK spoofing, and 8% fake users/bots; levels vary across the year in both estimations
- TrafficGuard/Juniper stats show that of $25.8 billion lost to the three most-prevalent forms of ad frauds, app install farms/SDK spoofing account for 42%, click injection for 30%, and click spam for 27%
- SDK spoofing can siphon off 80% of ad budgets, warns MarTech advisor’s Michael Paxman
- In 2017, digital advertisers lost $39 million per day say TrafficGuard/Juniper Research; $17 million of this came from APAC advertisers
- TrafficGuard/Juniper estimate that advertisers who run campaigns without protection stand to lose 26% of their investment to fraud
- 80% of display ads are bought programmatically, says eMarketer
- A programmatic ad study from Guardian US found that 72% of video spend was going to unauthorised exchanges and SSPs
- TrafficGuard/Juniper also estimate that an advertisers displaying one million ads over a 24 hour period will pay for over 100,000 ads before detection
- TrafficGuard/Juniper estimate that one in 13 app installs are fraudulent globally
- A study by Forrester found 69% of brands spending $1 million per month reported that at least 20% of their budgets were being lost to digital ad fraud; 70% of these companies reported that they were actually planning to increase their advertising budget.
- A botnet operation called 3eve involved 1.7 million PCs infected by malware, 10,000 fake sites generating 3-12 billion daily bid requests, and 60,000 seller IDs with digital companies; in all, it managed to steal $29 million before being dismantled in November 2018
- In October 2018, Buzzfeed reported that $10 millon had been stolen from Google’s ad network
- $75 million of ad fraud using bundle ID spoofing was found to have been enabled through MegaCast – Chrome Player
- Machine learning could reduce ad fraud levels by $3.5 billion in 2022, rising from $2 billion today, say TrafficGuard/Juniper
- 42% of the world’s top 1,000 websites according to Alexa have signed up to ads.txt
- Fraud attempts are 25% lower for in-app advertising
- 52% of brands are concerned about fraud when using in-app ads, compared to 36% of agencies, report eMarketer
- 57% of brands are concerned about fraud for video ads, compared with 42% of agencies, according to the same source
- A different study reported by eMarketer found that 69% of agency professionals and 53% of brand professionals were concerned about fraud
- In response to the rising cost of ad fraud, in January 2018, Procter & Gamble announced it was planning to save $750 million by cutting its ad budget, and halving the number of agencies (from 2,500 to 1,250); this was to be followed by a further $400 million cut
- In 2017, JPMorgan Chase reducted the number of sites it advertised on from 400,000 to 10,000
High-profile examples of ad fraud
A massive botnet operation called 3ve was dismantled in November 2018. The stats related to this operation will be, quite frankly, frightening to digital advertisers (though it should be noted this is an extreme example, being one of the biggest such operations ever discovered).
It consisted of three operations, says the WFA: hijacked IP addresses, counterfeit sites, and inventory and data centre traffic. 1.7 million PCs were infected by malware, 10,000 fake sites were generating 3-12 billion daily bid requests (impersonating legitimate publishers), and over 60,000 seller IDs with digital companies to enable fraudsters to receive ad placements and be paid accordingly.
Google reported in a whitepaper that the network had been hard to detect, as it deployed tactics such as counter ad fraud manipulation and evasion, and the ability to change its codebase after spikes in usage. It is thought that 3ve cost businesses a whopping $29 million in ad spend. Along with Methbot (ran by the same fraudsters), the Russian defendants were accused of defrauding businesses out of $36 million in all. None of the ads involved in this fraud ring were ever viewed by a human being.
Google’s creation of a whitepaper reveals that the biggest names are by no means invulnerable from online ad fraud. Indeed, in October 2018, Buzzfeed News also revealed the existence of a massive ad fraud scheme which managed to steal nearly $10 million from Google’s ad networks. This operation used more than 125 Android apps and websites, which tracked and mimicked human behaviour in order to evade detection.
Massive amounts of digital ad fraud can be carried out through a single conduit. For example, Pixelate reported in June 2018 that an app named MegaCast – Chrome Player served as a front for an operation through which as much as $75 million worth of ad fraud was enabled. This utilised an increasingly-prevalent form of mobile ad fraud: app laundering which relies heavily on bundle ID spoofing. Pixelate found that if a device was on for 24 hours it would ‘serve’ 1,400 impressions, a 6:4 mixture of display to video.
Potential cost of ad fraud carried out through Megacast – Chrome Player
Notably, in the aforementioned report from Buzzfeed, it was noted that after fraudulent schemes came to light it was very hard for journalists to get hold of specific numbers from actors along the supply chain. This meant it was very difficult to investigate the movement of money. Why this secrecy? Such companies presumably operate in fear of being found negligent, or in extreme cases, complicit. Some sources believe the actual amount stolen in above mentioned may well be as high as hundreds of millions of dollars in reality.
Only a tiny proportion of companies contacted by Buzzfeed stated any intention to return money. This issue, experts say, is endemic, with something of a tacit acceptance that a certain amount of money will be lost to fraud.
US Senator Mark Warner (vice chair of the US Senate Intelligence Committee) sent a letter to the Federal Trade Commission in October 2018, raising his concerns over high levels of digital ad fraud, in the wake of Buzzfeed’s exposé. In this letter he accused Google and other major platforms of inaction and even wilful blindness to the scale of ad fraud, while continuing to happily pocket the revenue.
Google removed 30 apps from the Play Store in the wake of Buzzfeed’s article.
Anti-fraud consultant and research Dr Augustine Fou posits in an interview with Forbes that it would not be in the interests of ad agencies for ad fraud to be resolved. Cutting out the problem would have the effect of vastly reducing the amount of available inventory.
It would also be difficult for marketers who have been working under the impression that there is a good deal more impressions out there for the taking than is actually the case. It would take a wholescale rethink, in which our understanding of what constitutes as good numbers would have to recalibrated. This might make for painful reading for marketers, given click-though rates in reality would be somewhere in the realm of 0.1%. KPIs the world over would have to be roundly revised downwards.
Top Ad Fraud Prevention Tools
- ADEX - Ad Fraud Detection Tools, Ad Servers, Mobile Ad Network, Mobile DSP, Social Ads, SSP
- AppsFlyer - Mobile marketing attribution and analytics
- Performcb - #1 Performance Marketing Network Worldwide
Cost of ad fraud
Estimates of the total scale and cost of ad fraud vary hugely, due to the complexity of ascertaining the volume of invalid traffic/downloads. eMarketer reports that current estimates of the total cost vary from $6.5 billion to as high as $19 billion. It could well be worse; even the highest end of this scale seems to be on the conservative side by some measures.
Back in 2016, the World Federation of Advertisers predicted that, within a decade, ad fraud and other fake internet traffic schemes would become the second-biggest market for organised crime after the drugs trade. By extrapolating the level of growth at the time of the study, a conservative estimate would have the level standing at $50 billion by 2025: equal to 10% of the total predicted value of the digital ad market.
This scale of this increase comes from the fact that digital ad fraud is relatively easy to perpetrate and delivers high returns, in combination with the relatively weak position which law enforcement agencies currently occupy when it comes to policing the internet.
Adobe found that potentially 28% of web traffic came from bots or other non-human actors in an investigation of thousands of client websites. Based on this finding, one commentator estimated that the total cost of ad fraud might be as high as $66 billion.
According to stats from Juniper Research, produced for a whitepaper published by ad fraud detection company TrafficGuard , it is estimated that, globally, one in 13 app installs in 2018 was not from genuine users (7.7%).
The same source estimates that advertisers which display a million ads over a 24 hour-period will are likely to pay for more than 100,000 fraudulent ads before any issue is detected.
According to a TrafficGuard whitepaper, fraudulent activity cost digital advertisers $39 million per day over the course of 2017.
Calling on stats from Juniper Research, which break down the cost of ad fraud utilising common tactics, app install farms/SDK spoofing are responsible for the greatest share, at 42%. This is followed by click injection fraud (30.3%) and click injection (27.3%).
The total cost of these ad fraud tactics comes to $25.8 billion according to this analysis.
These three common online ad fraud tactics are set to increase in coming years, with the total cost of ad fraud anticipated to reach $65 billion
The landscape is predicted change somewhat, with click injection fraud becoming the costliest among this malicious trio.
Projected increase in cost from common ad fraud tactics
SDK spoofing can siphon off up to 80% of ad budgets, warns MarTech Advisor’s Michael Paxman.
eMarketer predict that 80% of display ads will bought programmatically over the course of 2019. This, of course, makes the threat of digital ad fraud ever more pressing – with complex and opaque supply chains between buyer and seller. It is estimated that programmatic ad fraud levels stand at 17% in the US.
Ad fraud context
Ad fraud by region
This problem of digital ad fraud is particularly pronounced in the APAC region, in which the cost is estimated to be $17 million per day. Rapidly increasing penetration means that the question of mobile ad fraud is a particularly pertinent one in the region.
The cost of ad fraud is predicted to increase in all regions over the next few years, with the global figure rising to $87 billion from $34 billion. It seems that APAC will continue to be the hardest hit, with losses nearly tripling from $19 billion to $56 billion.
Estimated cost of ad fraud by region
China is by far the most affected country; evidence suggests that this will remain the case. Juniper Research predict that the cost of online ad fraud in China alone will amount to some $19 billion in 2022.
In the US, the picture may be a little better. White Ops Inc. And the Association of National Advertisers found that $6.5 billion was wasted on ads served to fraudulent traffic in 2017, compared to $7.2 billion in 2016.
eMarketer predicted that £1.3 billion ($1.7 billion) of campaign spend would be lost to ad fraud in the UK. This would come to around 10% of a total UK ad spend of £13.2 billion ($17 billion).
Ad fraud by app category and device
Interceptd find in their 2018 Mobile Ad Fraud Report that Android suffers from a slightly higher level of digital ad fraud than iOS, with 26.9% of app traffic fraudulent, compared to 21.3%.
Android ad fraud
The same report also finds that some app categories are more vulnerable to fraud than other. On Android, finance tops the list, with over a third of installs fraudulent, followed by shopping, gaming, and social media.
Ad fraud by app category: Android
Mobile ad fraud related to Android finance apps is dominated by bots/emulators, which are responsible for over a third of ad fraud in this category, and click injection, which accounts for a further quarter. SDK spoofing remains fairly low.
Android finance app ad fraud types
SDK spoofing seems to be absent from the shopping category. Here, click spamming (22%) and device farms (21%) are the biggest problems. Interestingly – and worryingly for those looking to tackle the full gamut of problems – undefined ‘other’ forms are also responsible for 22% of ad fraud on Android shopping apps.
Android shopping app ad fraud types
Gaming is the first category in which we see the hot button issue of SDK spoofing claim responsibility for the greatest share of ad fraud, at 24%. Device farming and incent abuse also register highly, at 19% apiece.
Android gaming app ad fraud types
Social apps are, however, the most blighted by SDK spoofing, with a whopping 38% of ad fraud coming from this source. Click injection, at 21%, also registers highly.
Android social app ad fraud types
iOS ad fraud
On iOS, finance comes in third, with shopping the unfortunate leader, with online ad fraud accounting for a third of installs, followed by gaming. Travel completes the top-four.
Ad fraud by app category: iOS
Device farming is the most common type of mobile ad fraud in the shopping category, responsible for 37% of digital ad fraud. Bots/emulators lay claim to nearly a quarter, while SDK spoofing comes up to 18%.
iOS shopping app ad fraud types
Those looking to address ad fraud for iOS gaming apps would do well to be alive to bots/emulators (26%), SDK spoofing (24%), and device farms (22%).
iOS gaming app ad fraud types
Device farms (31%) and SDK spoofing (19%) are also a big issue for iOS finance apps. Click spamming, at 21% makes up the big three in this category.
iOS finance app ad fraud types
Once again, device farming (26%) and SDK spoofing present a challenge in the travel category, albeit with the latter this time presenting the greatest challenge.
iOS travel app ad fraud types
Ad fraud detection companies and other countermeasures
Ad fraud creates a number of risks for advertising companies. Some of these risks can be somewhat mitigated by reporting and single-level blocking, say TrafficGuard. Things like short-term wasted media spend and poor investments can be tackled to an extent through reporting, while single-level blocking can partially reduce the impact of the threat of litigation or diminishing campaign optimisation.
As we might expect, multi-level blocking is the only way to fully mitigate the full suite of risks associated with ad fraud, serving to block invalid traffic as it is detected.
Levels of ad fraud prevention vs. risks
Much hope was placed in industry-led Ads.txt – a system which allows publishers to list companies authorised to sell their adverts via a simple txt files. Buyers are then able to check the list to see if the company from whom they are buying is legit.
Ad fraud is, however, an ongoing game of cat and mouse between fraudsters and advertisers/ad fraud detection companies. And soon enough, schemes circumventing Ads.txt came to light, involving copied websites, botnets generating fake page views, and approved resellers. This scheme could have cost advertisers between $70-80 million had it continued to go undetected, reports the Wall Street Journal.
Ads.txt had been adopted by 41% of Alexa’s top-1,000 websites as of January 2019, up from 34% the preceding year. The next step in the race? An upgraded version of Ads.txt called Ads.cert, which will attempt to resolve the issues of Ads.txt by using cryptographically-stamped digital signatures to validate the source of impressions. The WSJ reports that this is in beta testing (February 2019).
Ad fraud advice
Of course, there is whole industry of ad fraud detection companies, who can offer various services to help reduce the scourge of digital ad fraud.
As well as working with ad fraud detection companies, there are a range of measures that can be taken by businesses. A compilation of such potential solutions proposed by agency experts to mitigate the high cost of ad fraud was published by Forbes.
Working with DSPs who offer guarantees of fraud-free service can also be a good way to make sure that the cost of fraud that is detected is not incurred by clients, for example. Trying to minimise the number of companies worked with can help reduce risk also, particularly given the complexity of the supply chain and prevalence of programmatic ad fraud. On which note, companies are also advised to choose a programmatic tech stack which incorporates fraud solutions such as prebid filtering for IVT.
Companies are advised to implement internal policies and processes in order to help cut the cost of fraud, as well as closely monitoring results and looking for obvious anomalies. Moves should be made to increase transparency and data sharing in what can be a rather opaque field.
In the face of what unfortunately looks to be an inescapable challenge for the ad industry, one other solution would be to change the pertinent metric, looking at performance rather than clicks.
When it comes to SDK spoofing, Michael Paxman of MarTech Advisor warns that there is no such thing as a spoof-proof SDK. There are ways, however, in which one can lower the risk posed by this particular form of ad fraud: cryptographic SDK signatures. These can make the process of spoofing difficult and costly enough to hopefully disincentivise it.
Entrepreneur.com also advises building language insertion orders, as these require that publishers identify all third-party sources of traffic. It also advises testing traffic sources, citing a programmatic ad fraud-test run by Guardian US in 2018. This test revealed that 72% of video spend was going to unauthorised exchanges and SSPs. In this case, use of ads.txt proved effective – with all ads.txt buying revenue going to Guardian US.
Direct communication between publisher and advertiser, preferably between real, identifiable people, can also help to reduce risk – echoing the sentiment above about reducing the number of actors involved in any given transaction.
In-app advertising and ad fraud rates
Scott Silverman, the vice president and general manager of Marketplace at InMobi, advises that in-app advertising is safer in terms of mobile ad fraud than running web advertisements.
Reportedly, in-app advertising experienced 25% fewer fraud attempts than mobile web advertising over the second half of 2018. Online ad fraud involving bots and viruses designed to simulate human users occurred 74% less often in the same period.
In-app advertising is by no means fraud proof, however. A report in Buzzfeed revealed that, after complaints that a popular app (unnamed to allow a source to speak anonymously) was draining users’ batteries and using high amounts of data, it transpired that fraudsters were running video ads behind legitimate banner ads. These ads were not visible, but registered as being served and viewed.
Several apps, including many using Twitter’s MoPub platform, were affected by this scheme. An Israeli company with offices in New York called Aviview was implicated but denied any involvement claiming a third party exploited banner ads and codes created by one of its subsidiaries. An internal review had been commenced at the time of the article.
This phenomenon has been reported in the past. One high-profile example reported in March 2018 used McDonald’s ads as a cover up for a scheme, whereby fraudsters bought banner space posing as an agency, which was then resold as (much more expensive) video ads. The false McDonald’s ads made it look like only banners were being served, while the covered-up videos playing in the background were being registered as served.
Singapore and Bangalore-based Streamlyn were accused of being the fraudsters behind the scheme by a source speaking to Video Ad News. Several other companies were identified as being part of the chain that allowed the ads to be served in huge volumes (five million times in properties belonging to the source) – though simply being involved at some stage is no indication of guilt.
AI and blockchain ad fraud protection
While improving tech may increase the different ways in which digital ad fraud can be carried out, it also offers increasingly-advanced solutions to those aiming to prevent ad fraud. Machine learning could be key in ad fraud detection, says TrafficGuard, calling upon data from Juniper Research.
This finds that, in all, machine learning will reduce the impact of ad fraud by over $10 billion by 2022, increasing from $2 billion in 2018. In APAC, this will stand at $3.5 billion – up from $0.6 billion in 2018.
Ad fraud money saved through machine learning solutions
Big names like Facebook and Google are already calling on neural networks and machine learning to help in ad fraud detection and prevention. For companies which can’t fall back on their own proprietary AI research, third-party AI solutions are provided by various ad fraud detection companies.
AI can detect suspicious behaviour, filter IP addresses, and generally monitor traffic. Its increasing prevalence in combating ad fraud will come in tandem with general wider use in advertising – to target specific markets for example. Juniper Research predict that platforms using AI to segment markets will account for 74% of total advertising expenditure by 2022.
Blockchain has also been suggested as a potential solution to ad fraud, affording the complete transparency which has been so deeply compromised by programmatic ad fraud.
Various blockchain solutions to online ad fraud are proposed: One is to give users tokens when they opt-in to view ads on a platform which blocks third-party and programmatic ads. These can then be awarded to websites and publishers by users. Several prestigious media groups have expressed interest in this platform.
Other services simply offer transparent, validated data to allow marketers to accurately measure value delivered – predicated on the requirement to establish and enforce rigorous standards across the board. Or the use of public key cryptology to confirm identities of publishers, advertisers, and advertisers.
Brands and ad fraud: fears and responses
Research from eMarketer shows that brands are more wary of online ad fraud, when it comes to in-app advertising at least. 52% of brands said that fear of fraud was a concern, making it their leading worry. Agencies as a whole are significantly more sanguine, with 36% reporting this as a concern, putting it joint-last.
The case remains the same when it comes to video advertising, with 57% of brands registering it as a challenge. On video, it seems agencies are in closer alignment with brands, with 42% reporting that fear of fraud was a challenge. This takes it to number two in the list of concerns.
Challenges related to in-app advertising: brands vs. agenciesSource: eMarketer
A study conducted by Integral Ad Science and referenced by eMarketer asked agencies and brand professionals what they considered to be strong threats to digital ad budgets in 2019. In this instance, agency professionals seemed to be more concerned about the impact of fraudulent impressions, with 69% reporting it as a concern, versus 53% of brand professionals (which we should note is still more than half).
Agency professionals collectively did not feel anything threatened ad budgets to the same extent; seemingly in-house marketers are more worried by other threats. The survey results were published in late January 2019.
eMarketer believe that brands will become more alive to the threat posed by fraud.
Brands’ reactions to the increasing threat of fraud varies. A study by Forrester found 69% of brands spending $1 million per month reported that at least 20% of their budgets were being lost to digital ad fraud. In the face of this, however, 70% of these companies reported that they were actually planning to increase their advertising budget.
This is not universally the case by any means, however. In January 2018, Procter & Gamble announced it was planning to save $750 million by cutting its ad budget, and reducing the number of agencies with which it worked by 50% (from 2,500 to 1,250). This was to be followed by a further $400 million cut in the next phase.
A year previously, P&G chief marketing officer Marc Pritchard had warned the media buying and selling industry that it needed to clean up its act, demanding a “transparent, clean and productive media supply chain”. In 2017, JPMorgan Chase cut the number of sites on which it advertised from 400,000 to 5,000 (though this doubled to 10,000 by the end of the year). According to The New York Times, JPMorgan Chase claimed that the cull had no immediate effect on results.
Ad fraud expert Dr Augustine Fou advises other companies to consider following in the footsteps of P&G, cutting their budgets (albeit more gradually) and seeing what the real effect on the bottom line is.
It’s clear that the scale of digital ad fraud is far larger than many in the advertising world would or should ever be comfortable with.
Will the problem continue to get worse or will see, as some have speculated (and we all hope), an improvement?
Dr Augustine Fou, quoted above, believes that the only way that the issue of ad fraud will be resolved will be for the whole industry to collapse and begin again. This outcome is not only likely, he argues, but desirable – resulting in a new, more effective, less profligate approach to digital marketing.
This is naturally on the more dramatic side of things; those who remember the bursting of the dot com bubble, or even the financial crash of 2008, however, will presumably better know better than to rule it out.
Certainly, a largescale loss of trust in the industry seems eminently plausible. We haven’t yet seen a mass following of the example set by Procter & Gamble or JPMorgan Chase, but as buyers become savvier to the dangers of ad fraud, we could well see a tightening of focus, with advertisers and publishers alike seeking to foster more personal relationships. Perhaps this would ostensibly reduce the size of the market – but if large swathes of the available market consists of invalid traffic, then it is artificially bloated anyway.
This of course would have a fascinating effect – with actors from all points in the supply chain potentially affected. Those in the middle in particular look set to suffer if this became the case; this could have a potentially devastating effect on the ad-tech industry as a whole. While there’s not yet evidence that this is the case, those occupying this space would well to prepare. Looking at ways to address fraud, and to refocus efforts to achieve conversions over views would be apt preparation for a best-case outcome; having a pretty substantial Plan B would be apt preparation for the worst.
Notwithstanding any large-scale or wholescale changes in the way business is conducted, we might also look with some optimism to the future. Awareness has risen, which is the first step in addressing digital ad fraud. We are seeing improvements in artificial intelligence and the prospect of blockchain promises nothing short of a revolution in transparency.
While it may be an ongoing arms race, ad fraud detection companies are making a concerted effort to stay ahead. Whether it will be able to in perpetuity remains to be seen. Some are sceptical. But faced with the level of challenge with which we are, we must put our lot and our faith in these organisations to make an impact. Particularly with the global increase in mobile penetration, most concentrated in the Asia Pacific region.
The future, then, is uncertain – bar two things. One, the persistence of criminal elements attempting to abuse a system that is seemingly easily abused, to the tune of billions of dollars. Two, our collective need to address and tackle this ongoing issue.