Like any sphere of the economy in which large sums of money are moved, the world of online advertising is an attractive one to fraudsters. Indeed, the impersonal nature of the transactions, a complex and often-opaque supply chain, and a reliance on easily-fiddled metrics mean that ad fraud is one of the biggest challenges facing advertisers, publishers, and ad-tech enterprises alike today. To make things even worse, mobile ad fraud brings a new level of sophistication on the fraudsters’ side to avoid countermeasures and continue to drain advertisers’ budgets with fraudulent mobile traffic.
One of the most difficult challenges around mobile ad fraud is that no one really knows exactly how big the problem is, with estimates ranging from high…to higher… to stratospheric to…nuts.
Ignore it at your peril. Or at least the cost of a significant chunk of your advertising budget.
What is ad fraud, and what is mobile ad fraud, the latest permutation of the problem? In what contexts does it primarily occur? What is the cost of digital ad fraud to businesses estimated to be? Read on to find out the answers to these questions, and learn many more ad fraud statistics.
Key ad fraud statistics
- The total cost of ad fraud in 2022 – $81 billion, predicted to increase to $100 billion by 2023
- The hardest-hit region is APAC – $75 billion in 2022
- According to Interceptd, 31% of iOS app and 25% of Android app installs are fraudulent
- According to Adobe, in 2018 fraudulent web traffic was 28% of the total, or $66 billion of total ad spend
- Fraud attempts are 25% lower for in-app advertising than on the web
- In 2018 App Install Farms contributed 42% of total ad fraud, Click Spam & Ad Stacking – 27% and Click Injection – 30%.
- TrafficGuard/Juniper estimate that one in 13 app installs is fraudulent globally
These are just the most important data points that describe the current state of digital ad fraud, both on the web and mobile. Further on we’ll be presenting memorable examples of ad fraud, estimates for ad fraud cost, impact by region, app category and mobile OS, ad fraud detection, countermeasures and more.
High-profile examples of ad fraud
A massive botnet operation called 3ve was dismantled in November 2018. The stats that reveal the details of this operation are, quite frankly, frightening to digital advertisers (though it should be noted this is an extreme example, being one of the biggest such operations ever discovered).
It consisted of three operations, says the WFA: hijacked IP addresses, counterfeit sites, and inventory and data centre traffic. 1.7 million PCs were infected by malware, 10,000 fake sites were generating 3-12 billion daily bid requests (impersonating legitimate publishers), and there were over 60,000 seller IDs with digital companies, enabling fraudsters to receive ad placements and be paid accordingly.
Google reported in a whitepaper that the network had been hard to detect, as it deployed tactics such as counter ad fraud manipulation and evasion, and the ability to change its codebase after spikes in usage. It is thought that 3ve cost businesses a whopping $29 million in ad spend. Along with Methbot (run by the same fraudsters), the Russian defendants were accused of defrauding businesses out of $36 million in all. None of the ads involved in this fraud ring were ever viewed by a human being.
A whitepaper published by Google reveals that the biggest names are by no means invulnerable to online ad fraud. Indeed, in October 2018, Buzzfeed News also revealed the existence of a massive ad fraud scheme which managed to steal nearly $10 million from Google’s ad networks. This operation used more than 125 Android apps and websites, which tracked and mimicked human behaviour in order to evade detection.
Massive amounts of digital ad fraud can be carried out through a single conduit. For example, Pixalate reported in June 2018 that an app named MegaCast – Chrome Player served as a front for an operation through which as much as $75 million worth of ad fraud was enabled. This utilized an increasingly-prevalent form of mobile ad fraud: app laundering, which relies heavily on bundle ID spoofing. Pixalate found that if a device was on for 24 hours it would ‘serve’ 1,400 impressions, a 6:4 mixture of display to video.
Potential cost of ad fraud carried out through MegaCast – Chrome Player per device ($)
Notably, in the aforementioned report from Buzzfeed, it was noted that after fraudulent schemes came to light it was very hard for journalists to get hold of specific numbers from actors along the supply chain. This meant it was very difficult to investigate the movement of money. Why this secrecy? Such companies presumably operate in fear of being found negligent, or in extreme cases, complicit. Some sources believe the actual amount stolen in the above-mentioned scheme may well be as high as hundreds of millions of dollars in reality.
Only a tiny proportion of companies contacted by Buzzfeed stated any intention to return money. This issue, experts say, is endemic, with something of a tacit acceptance that a certain amount of money will be lost to fraud.
US Senator Mark Warner (vice chair of the US Senate Intelligence Committee) sent a letter to the Federal Trade Commission in October 2018, raising his concerns over high levels of digital ad fraud, in the wake of Buzzfeed’s exposé. In this letter he accused Google and other major platforms of inaction and even wilful blindness to the scale of ad fraud, while continuing to happily pocket the revenue.
Google removed 30 apps from the Play Store in the wake of Buzzfeed’s article.
Anti-fraud consultant and researcher Dr Augustine Fou posits in an interview with Forbes that it would not be in the interests of ad agencies for ad fraud to be resolved. Cutting out the problem would have the effect of vastly reducing the amount of “available” inventory.
It would also be difficult for marketers who have been working under the impression that there are a good deal more impressions out there for the taking than is actually the case. It would take a wholesale rethink, in which our understanding of what constitutes good numbers would have to be recalibrated. This might make for painful reading for marketers, given click-through rates in reality would be somewhere in the realm of 0.1%. KPIs the world over would have to be roundly revised downwards.
Or, we might simply measure different results, though Fou warns that bots can also fake conversions…
A more recent example of online ad fraud is the 2021 case of LeoTerra – a server-side ad insertion fraud scheme. In a nutshell, the scheme spoofed, at its peak, 20+ million connected TVs per day to deceive advertisers into believing they were being provided with CTV ad inventory on a massive scale. To put it in perspective, in 2020 the same scheme was generating 20x less volume of spoofed CTVs, which is to say this kind of ad fraud scheme has been growing rapidly.
Cost of ad fraud
Estimates of the total scale and cost of ad fraud vary hugely, due to the complexity of ascertaining the volume of invalid traffic/downloads.
Back in 2016, the World Federation of Advertisers predicted that, within a decade, ad fraud and other fake internet traffic schemes would become the second-biggest market for organized crime after the drugs trade. By extrapolating the level of growth at the time of the study, a conservative estimate would have the level standing at $50 billion by 2025: equal to 10% of the total predicted value of the digital ad market.
In 2018, Adobe found that potentially 28% of web traffic came from bots or other non-human actors in an investigation of thousands of client websites. Based on this finding, one commentator estimated that the total cost of ad fraud might be as high as $66 billion.
The scale of this increase can be attributed to the fact that digital ad fraud is relatively easy to perpetrate and delivers high returns, in combination with the relatively weak position which law enforcement agencies currently occupy when it comes to policing the internet.
According to stats from Juniper Research, produced for a whitepaper published by ad fraud detection company TrafficGuard, it is estimated that, globally, one in 13 app installs in 2018 was not from genuine users (7.7%).
The same source estimates that advertisers which display a million ads over a 24-hour period are likely to pay for more than 100,000 fraudulent ads before any issue is detected.
According to a TrafficGuard whitepaper, fraudulent activity cost digital advertisers $39 million per day over the course of 2017.
Calling on stats from Juniper Research, which break down the cost of ad fraud utilizing common tactics, App Install Farms/SDK Spoofing are responsible for the greatest share, at 42%. This is followed by Click Spam & Ad Stacking fraud (27.3%) and Click Injection (30.33%).
The total cost of these ad fraud tactics comes to $25.8 billion according to this analysis.
Proportional wasted ad spend owing to common fraud tactics in 2018 (%)
These three common online ad fraud tactics are on the rise, reaching this year $20 billion for App Install Farms / SDK Spoofing, $35 billion for Click Spam & Ad Stacking and a stunning $65 billion for Click Injection.
Projected increase in cost from common ad fraud tactics ($billion)
In 2019, eMarketer reported its estimates of the total cost varied from $6.5 billion to as high as $19 billion. It could well be worse; even the highest end of this scale seems to be on the conservative side by some measures.
According to eMarketer, in 2022 programmatic display advertising, a whopping $15 billion business, covers 90% of all digital ads. This, of course, makes the threat of digital ad fraud ever more pressing – with complex and opaque supply chains between buyer and seller.
Finally, putting together the estimates for digital ad fraud for the last several years and one year into the future, we see that up until 2021 there was, roughly speaking, a $10 billion increase year-over-year and then it begins to double, adding about $20 billion this year, and the estimate for 2023 is projected to be on the same track, reaching the $100 billion mark.
Estimated cost of digital ad fraud worldwide from 2018 to 2023 ($billion)
Ad fraud context
Ad fraud by region
The problem of digital ad fraud is particularly pronounced in the APAC region, in which the cost is estimated to be $17 million per day. Rapidly increasing penetration means that the question of mobile ad fraud is a particularly pertinent one in the region.
The cost of ad fraud is predicted to increase in all regions over the next few years, with APAC continuing to be the hardest hit, with losses more than doubling from $33 billion to $75 billion.
Estimated cost of ad fraud by region ($billion)
In 2019 TrafficGuard, a digital ad verification and fraud prevention platform, joined forces with Juniper Research again to build a comprehensive picture of digital ad fraud as a percentage of total ad spend in different regions. The following graph demonstrates how much money was spent per digital user annually and how much of that figure was lost to ad fraud. And again – China, the biggest part of the APAC region, was leading the pack with $11 million of losses due to digital fraud for every $63 million spent on digital advertising per user per year, which was a whopping 17%.
In the United States $62 million out of $407 million advertising spend per user was wasted due to digital ad fraud, which represented 15% of the total spend.
Average ad spend versus fraud, by region ($million)
Source: TrafficGuard & Juniper Research
On the opposite end of the spectrum were Africa and the Middle East, where annual digital ad fraud per user was “only” $1 million out of $19 million spent on digital advertising, a mere 5%.
Ad fraud by app category and mobile OS
Mobile Ad Fraud Detection and Prevention company Interceptd find in their 2019 Mobile Ad Fraud Report that Android suffers from a slightly higher level of digital ad fraud than iOS, with 31% of app traffic fraudulent, compared to 25%.
Android ad fraud
The same report also finds that some app categories are more vulnerable to fraud than others. On Android, finance tops the list, with over a third of installs fraudulent, followed by shopping, gaming, and social media.
Ad fraud by app category: Android (%)
Mobile ad fraud related to Android finance apps is dominated by bots/emulators, which are responsible for over a third of ad fraud in this category, and click injection, which accounts for a further quarter. SDK spoofing remains fairly low.
Android finance app ad fraud types (%)
SDK spoofing seems to be absent from the shopping category. Here, click spamming (22%) and device farms (21%) are the biggest problems. Interestingly – and worryingly for those looking to tackle the full gamut of problems – undefined ‘other’ forms are also responsible for 22% of ad fraud on Android shopping apps.
Android shopping app ad fraud types (%)
Gaming is the first category in which we see the hot button issue of SDK spoofing claim responsibility for the greatest share of ad fraud, at 24%. Device farming and incent abuse also register highly, at 19% apiece.
Android gaming app ad fraud types (%)
Social apps are, however, the most blighted by SDK spoofing, with a whopping 38% of ad fraud coming from this source. Click injection, at 21%, also registers highly.
Android social app ad fraud types (%)
iOS ad fraud
On iOS, finance comes in third, with shopping the unfortunate leader, with online ad fraud accounting for a third of installs, followed by gaming. Travel completes the top four.
Ad fraud by app category: iOS (%)
Device farming is the most common type of mobile ad fraud in the shopping category, responsible for 37% of digital ad fraud. Bots/emulators lay claim to nearly a quarter, while SDK spoofing comes up to 18%.
iOS shopping app ad fraud types (%)
Those looking to address ad fraud for iOS gaming apps would do well to be alive to bots/emulators (26%), SDK spoofing (24%), and device farms (22%).
iOS gaming app ad fraud types (%)
Device farms (31%) and SDK spoofing (19%) are also a big issue for iOS finance apps. Click spamming, at 21%, completes the big three in this category.
iOS finance app ad fraud types (%)
Once again, device farming (26%) and SDK spoofing present a challenge in the travel category, albeit with the latter this time presenting the greatest challenge.
iOS travel app ad fraud types (%)
Ad fraud detection companies and other countermeasures
Ad fraud creates a number of risks for advertising companies. Some of these risks can be somewhat mitigated by reporting and single-level blocking, say TrafficGuard. Things like short-term wasted media spend and poor investments can be tackled to an extent through reporting, while single-level blocking can partially reduce the impact of the threat of litigation or diminishing campaign optimization.
As we might expect, multi-level blocking is the only way to fully mitigate the full suite of risks associated with ad fraud, serving to block invalid traffic as it is detected.
Much hope was placed in the industry-led Ads.txt – a system which allows publishers to list the companies authorised to sell their adverts in a simple text file. Buyers are then able to check the list to see if the company from whom they are buying is legit.
Ad fraud is, however, an ongoing game of cat and mouse between fraudsters and advertisers/ad fraud detection companies. And soon enough, schemes circumventing Ads.txt came to light, involving copied websites, botnets generating fake page views, and approved resellers. This scheme could have cost advertisers between $70-80 million had it continued to go undetected, reports the Wall Street Journal.
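The buyer-side lookup that Ads.txt makes possible can be sketched as follows. This is an added example, not code from the article or from the IAB: the publisher, exchange domains and account IDs are constructed, and the function names are hypothetical. The record layout (ad system domain, seller account ID, DIRECT or RESELLER, optional certification authority ID) follows the published ads.txt format.

```python
"""Added example: buyer-side ads.txt check. All data below is constructed."""
from dataclasses import dataclass

# Constructed ads.txt body for a hypothetical publisher, example-news.test.
# Record layout:
#   <ad system domain>, <seller account id>, <DIRECT|RESELLER>[, <cert authority id>]
SAMPLE_ADS_TXT = """\
# ads.txt for example-news.test (constructed sample)
contact=adops@example-news.test
exchange-a.test, pub-1001, DIRECT, abc123   # publisher's own seat
Exchange-B.test , 77421 , reseller
exchange-c.test, 5550
not a record at all
"""


@dataclass(frozen=True)
class Seller:
    ad_system: str     # exchange / SSP domain, lower-cased
    account_id: str    # seller account ID, compared exactly as written
    relationship: str  # "DIRECT" or "RESELLER"


def parse_ads_txt(text):
    """Return (set of authorised Seller records, list of malformed lines)."""
    sellers, malformed = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if "=" in line and "," not in line:   # variable line such as contact=
            continue
        fields = [f.strip() for f in line.split(",")]
        valid = (
            len(fields) >= 3
            and fields[0]
            and fields[1]
            and fields[2].upper() in ("DIRECT", "RESELLER")
        )
        if not valid:
            malformed.append(raw)             # never treat a bad line as a grant
            continue
        sellers.add(Seller(fields[0].lower(), fields[1], fields[2].upper()))
    return sellers, malformed


def check_offer(sellers, ad_system, account_id, claimed_direct=False):
    """Classify an offer of the publisher's inventory against its ads.txt.

    claimed_direct is a hypothetical flag for "the seller says it owns
    this inventory"; a RESELLER-only listing contradicts that claim.
    """
    ad_system = ad_system.strip().lower()
    account_id = account_id.strip()
    relationships = {
        s.relationship
        for s in sellers
        if s.ad_system == ad_system and s.account_id == account_id
    }
    if not relationships:
        return "UNAUTHORIZED"
    if claimed_direct and "DIRECT" not in relationships:
        return "RELATIONSHIP_MISMATCH"
    if "DIRECT" in relationships:
        return "AUTHORIZED_DIRECT"
    return "AUTHORIZED_RESELLER"


if __name__ == "__main__":
    listed, bad_lines = parse_ads_txt(SAMPLE_ADS_TXT)
    for offer in [("exchange-a.test", "pub-1001"), ("exchange-a.test", "pub-9999")]:
        print(offer, check_offer(listed, *offer))
    print("malformed lines:", bad_lines)
```

A match only shows that the seller account is listed by the publisher. It says nothing about whether the traffic behind the impression is human, which is why the circumvention schemes described above, run through copied websites, botnets and approved resellers, could still get through.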
Ads.txt had been adopted by 1.9 million websites by Q3, 2019, 48% up from the same quarter in the preceding year.
Ads.txt adoption on the web (million websites)
On the mobile side, looking at the Pixalate data from March to September 2019, we see a dramatic jump in the number of mobile apps that implemented the mobile equivalent of ads.txt in August of that year – from 23,000 to 68,000 within a month.
Ads.txt adoption on mobile (thousand apps)
The next step in the race? An upgraded version of Ads.txt called Ads.cert, which will attempt to resolve the issues of Ads.txt by using cryptographically-stamped digital signatures to validate the source of impressions. As of this writing in May 2022, IAB Tech Lab has been working on Ads.cert 2.0 to further increase the level of authenticity in online advertising. Ads.cert is the umbrella for several protocols that are meant to counteract rising levels of fraud in digital advertising.
Ad fraud advice
Of course, there is a whole industry of ad fraud detection companies, who can offer various services to help reduce the scourge of digital ad fraud. In a nutshell, the advice splits between technical solutions and better business practices which imply improved communication between advertisers and publishers.
As well as working with ad fraud detection companies, there is a range of measures that can be taken by businesses. A compilation of such potential solutions proposed by agency experts to mitigate the high cost of ad fraud was published by Forbes.
Working with DSPs who offer guarantees of fraud-free service can also be a good way to make sure that the cost of fraud that is detected is not incurred by clients, for example. Trying to minimize the number of companies worked with can help reduce risk also, particularly given the complexity of the supply chain and prevalence of programmatic ad fraud. On which note, companies are also advised to choose a programmatic tech stack which incorporates fraud solutions such as prebid filtering for IVT.
Companies are advised to implement internal policies and processes in order to help cut the cost of fraud, as well as closely monitoring results and looking for obvious anomalies. Steps should be taken to increase transparency and data sharing in what can be a rather opaque field.
In the face of what unfortunately looks to be an inescapable challenge for the ad industry, one other solution would be to change the pertinent metric, looking at performance rather than clicks.
When it comes to SDK spoofing, Michael Paxman of MarTech Advisor warns that there is no such thing as a spoof-proof SDK. There are ways, however, in which one can lower the risk posed by this particular form of ad fraud: cryptographic SDK signatures. These can make the process of spoofing difficult and costly enough to hopefully disincentivize it.
Entrepreneur.com also advises building language into insertion orders requiring that publishers identify all third-party sources of traffic. It also advises testing traffic sources, citing a programmatic ad fraud test run by Guardian US in 2018. This test revealed that 72% of video spend was going to unauthorised exchanges and SSPs. In this case, use of ads.txt proved effective – with all ads.txt buying revenue going to Guardian US.
Direct communication between publisher and advertiser, preferably between real, identifiable people, can also help to reduce risk – echoing the sentiment above about reducing the number of actors involved in any given transaction.
In-app advertising and ad fraud rates
Scott Silverman, the former vice president and general manager of Marketplace at InMobi, currently Global Revenue at Vungle, advises that in-app advertising is safer in terms of mobile ad fraud than running web advertisements.
Reportedly, in-app advertising experienced 25% fewer fraud attempts than mobile web advertising over the second half of 2018. Online ad fraud involving bots and viruses designed to simulate human users occurred 74% less often in the same period.
In-app advertising is by no means fraud proof, however. A report in Buzzfeed revealed that, after complaints that a popular app (unnamed to allow a source to speak anonymously) was draining users’ batteries and using high amounts of data, it transpired that fraudsters were running video ads behind legitimate banner ads. These ads were not visible, but registered as being served and viewed.
Several apps, including many using Twitter’s MoPub platform, were affected by this scheme. An Israeli company with offices in New York called Aviview was implicated but denied any involvement, claiming a third party exploited banner ads and codes created by one of its subsidiaries.
This phenomenon has been reported in the past. One high-profile example reported in March 2018 used McDonald’s ads as a cover up for a scheme, whereby fraudsters bought banner space posing as an agency, which was then resold as (much more expensive) video ads. The false McDonald’s ads made it look like only banners were being served, while the covered-up videos playing in the background were being registered as served.
Singapore and Bangalore-based Streamlyn were accused of being the fraudsters behind the scheme by a source speaking to Video Ad News. Several other companies were identified as being part of the chain that allowed the ads to be served in huge volumes (five million times in properties belonging to the source) – though simply being involved at some stage is no indication of guilt.
AI and blockchain ad fraud protection
While improving tech may increase the different ways in which digital ad fraud can be carried out, it also offers increasingly-advanced solutions to those aiming to prevent ad fraud. Machine learning could be key in ad fraud detection, says ad fraud detection and protection company TrafficGuard, calling upon data from Juniper Research.
This finds that, in all, machine learning will reduce the impact of ad fraud by about $10 billion by this year, increasing from $2 billion in 2018. In APAC, this will stand at $3.5 billion – up from $0.6 billion in 2018.
Ad fraud money saved through machine learning solutions ($billions)
Big names like Facebook and Google are already calling on neural networks and machine learning to help in ad fraud detection and prevention. For companies which can’t fall back on their own proprietary AI research, third-party AI solutions are provided by various ad fraud detection companies. By the end of 2022, global advertising spending enabled and powered by the use of machine learning will reach $370 billion and by 2032 this figure will reach $1.3 trillion.
AI can detect suspicious behavior, filter IP addresses, and generally monitor traffic. Its increasing prevalence in combating ad fraud will come in tandem with general wider use in advertising – to target specific markets for example.
Blockchain has also been suggested as a potential solution to ad fraud, affording the complete transparency which has been so deeply compromised by programmatic ad fraud.
Various blockchain solutions to online ad fraud are proposed: One is to give users tokens when they opt-in to view ads on a platform which blocks third-party and programmatic ads. These can then be awarded to websites and publishers by users. Several prestigious media groups have expressed interest in this platform.
Other services simply offer transparent, validated data to allow marketers to accurately measure value delivered – predicated on the requirement to establish and enforce rigorous standards across the board. Another approach is the use of public key cryptography to confirm the identities of publishers and advertisers.
Brands and ad fraud: fears and responses
Research from eMarketer shows that brands are more wary of online ad fraud, when it comes to in-app advertising at least. 52% of brands said that fear of fraud was a concern, making it their leading worry. Agencies as a whole are significantly more sanguine, with 36% reporting this as a concern, putting it joint-last.
The case remains the same when it comes to video advertising, with 57% of brands registering it as a challenge. On video, it seems agencies are in closer alignment with brands, with 42% reporting that fear of fraud was a challenge. This takes it to number two in the list of concerns.
Challenges related to in-app advertising: brands vs. agencies (%)
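| Challenge | In-app: brands | In-app: agencies | Video: brands | Video: agencies |
|---|---|---|---|---|
| Fear of fraud | 52 | 36 | 57 | 42 |
| Viewability measurement challenges | 42 | 28 | 44 | 44 |
| Brand safety concerns | 38 | 46 | 37 | 36 |
| Concerns about effective targeting | 25 | 38 | 32 | 38 |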
A study conducted by Integral Ad Science and referenced by eMarketer asked agencies and brand professionals what they considered to be strong threats to digital ad budgets in 2019. In this instance, agency professionals seemed to be more concerned about the impact of fraudulent impressions, with 69% reporting it as a concern, versus 53% of brand professionals (which we should note is still more than half).
Agency professionals collectively did not feel anything threatened ad budgets to the same extent; seemingly in-house marketers are more worried by other threats. The survey results were published in late January 2019.
eMarketer believe that brands will become more alive to the threat posed by fraud.
Threats to digital ad budgets, brands vs. agencies (%)
Brands’ reactions to the increasing threat of fraud vary. A study by Forrester found 69% of brands spending $1 million per month reported that at least 20% of their budgets were being lost to digital ad fraud. In the face of this, however, 70% of these companies reported that they were actually planning to increase their advertising budget.
This is not universally the case by any means, however. In January 2018, Procter & Gamble announced it was planning to save $750 million by cutting its ad budget, and reducing the number of agencies with which it worked by 50% (from 2,500 to 1,250). This was to be followed by a further $400 million cut in the next phase.
A year previously, P&G chief marketing officer Marc Pritchard had warned the media buying and selling industry that it needed to clean up its act, demanding a “transparent, clean and productive media supply chain”. In 2017, JPMorgan Chase cut the number of sites on which it advertised from 400,000 to 5,000 (though this doubled to 10,000 by the end of the year). According to The New York Times, JPMorgan Chase claimed that the cull had no immediate effect on results.
Ad fraud expert Dr Augustine Fou advises other companies to consider following in the footsteps of P&G, cutting their budgets (albeit more gradually) and seeing what the real effect on the bottom line is.
As of 2021, according to the leading mobile app analytics company AppsFlyer, app install fraud rates in leading verticals are the following: Food & Drink – 43%, Finance – 38%, Shopping – 17%, Entertainment – 15% and Gaming – 2%.
In 2019 Uber stopped running app install ad campaigns that cost the company $120 million, and saw no significant difference in the rate of generation of new app installs.
It’s clear that the scale of digital ad fraud is far larger than many in the advertising world would or should ever be comfortable with.
Will the problem continue to get worse or will we see, as some have speculated (and we all hope), an improvement?
Dr Augustine Fou, quoted above, believes that the only way that the issue of ad fraud will be resolved will be for the whole industry to collapse and begin again. This outcome is not only likely, he argues, but desirable – resulting in a new, more effective, less profligate approach to digital marketing.
This is naturally on the more dramatic side of things; those who remember the bursting of the dot com bubble, or even the financial crash of 2008, however, will presumably know better than to rule it out.
Certainly, a large-scale loss of trust in the industry seems eminently plausible. We haven’t yet seen a mass following of the example set by Procter & Gamble or JPMorgan Chase, but as buyers become savvier to the dangers of ad fraud, we could well see a tightening of focus, with advertisers and publishers alike seeking to foster more personal relationships. Perhaps this would ostensibly reduce the size of the market – but if large swathes of the available market consist of invalid traffic, then it is artificially bloated anyway.
This of course would have a fascinating effect – with actors from all points in the supply chain potentially affected. Those in the middle in particular look set to suffer if this became the case; this could have a potentially devastating effect on the ad-tech industry as a whole. While there’s not yet evidence that this is the case, those occupying this space would do well to prepare. Looking at ways to address fraud, and to refocus efforts to achieve conversions over views would be apt preparation for a best-case outcome; having a pretty substantial Plan B would be apt preparation for the worst.
Notwithstanding any large-scale or wholescale changes in the way business is conducted, we might also look with some optimism to the future. Awareness has risen, which is the first step in addressing digital ad fraud. We are seeing improvements in artificial intelligence and the prospect of blockchain promises nothing short of a revolution in transparency.
While it may be an ongoing arms race, ad fraud detection companies are making a concerted effort to stay ahead. Whether they will be able to in perpetuity remains to be seen. Some are sceptical. But faced with the level of challenge with which we are, we must put our lot and our faith in these organisations to make an impact. Particularly with the global increase in mobile penetration, most concentrated in the Asia Pacific region.
The future, then, is uncertain – bar two things. One, the persistence of criminal elements attempting to abuse a system that is seemingly easily abused, to the tune of billions of dollars. Two, our collective need to address and tackle this ongoing issue.