Ad Fraud and Viewability in Digital Advertising
The growth of digital advertising has created significant revenue opportunities for publishers and advertisers alike — but it has also given rise to costly, sophisticated fraud. This guide covers how ad fraud works, what it costs, where it shows up across channels, and how the industry defends against it. It also explains ad viewability: why it matters, how it's measured, and why it remains stubbornly difficult to track accurately.
Ad Fraud
Ad fraud in digital advertising is a multi-billion dollar problem. There are many types, but they all work by misrepresenting advertising metrics — impressions, clicks, and conversions — for monetary gain.
The Cost of Ad Fraud
Numerous studies show that ad fraud costs the digital advertising industry between US $26 billion and US $42 billion a year. To put that in perspective, global digital ad spend in 2019 was estimated at US $333.25 billion.
Here are some figures from recent studies:
$26 billion: CHEQ, an ad fraud solution, estimated that ad fraud could cost the online advertising industry US $26 billion in 2020.
$42 billion to $100 billion: Juniper Research estimates ad fraud cost advertisers US $42 billion in 2019, with that figure projected to reach US $100 billion by 2023.
10% to 30%: The World Federation of Advertisers estimates that 10% to 30% of advertising is not seen by consumers because of ad fraud and problems with ad viewability.
Determining the true scale of ad fraud is difficult for several reasons:
- Fraudulent activity is often very hard to detect due to the sophistication of the techniques involved.
- The technology built to protect advertisers is constantly engaged in a cat-and-mouse competition with fraudsters.
- Most ad fraud goes undetected, and many companies choose not to publicly disclose that they've been affected by it.
All of these factors mean the actual impact of ad fraud is likely higher than reported figures suggest.
There are a number of structural reasons why the problem is so large:
Fraudsters follow the money. Ad fraud moves from one lucrative area to another as ad spend grows. Emerging channels like mobile in-app and OTT/CTV (covered below) tend to attract heightened fraudulent activity.
Digital advertising is less regulated than financial industries, making it easier for fraudsters to operate without facing serious consequences.
The digital advertising ecosystem is fragmented and complex, which makes it easier to conceal fraudulent activity across the supply chain.
The Main Types of Ad Fraud
What makes online ad fraud so challenging is that there are multiple ways to steal money from advertisers and publishers, with new methods being developed continually.
The most common techniques include the following.
Invisible and Hidden Ads
With this technique, ads are invisible or hidden on websites, but an impression is still recorded.
There are several ways this can be executed:
- Displaying an ad in a 1×1 pixel iframe.
- Displaying ads outside the viewport area.
- Displaying multiple re-sized ads.
- Loading several ads into a single ad slot via an iframe, so that only one is actually visible to the user. This is commonly known as ad stacking.
This is distinct from non-viewable impressions (discussed below), where ads are legitimately displayed on a page but simply never seen because users don't scroll far enough to reach them.
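The hidden-ad patterns listed above can be checked from the geometry of the rendered ad frames. The following is an added example, not code from the original guide: the slot records, their field names and the 50% cut-offs are constructed assumptions standing in for what a verification script would report.

```javascript
// Constructed data: full scrollable page and rendered ad frames (px).
const PAGE = { x: 0, y: 0, w: 1280, h: 4000 };
const SLOTS = [
  { id: 'top-banner', sold: [728, 90], rect: { x: 276, y: 10, w: 728, h: 90 }, z: 1 },
  { id: 'footer-mpu', sold: [300, 250], rect: { x: 40, y: 3600, w: 300, h: 250 }, z: 1 },
  { id: 'pixel', sold: [300, 250], rect: { x: 5, y: 5, w: 1, h: 1 }, z: 1 },
  { id: 'offpage', sold: [300, 250], rect: { x: -5000, y: 0, w: 300, h: 250 }, z: 1 },
  { id: 'shrunk', sold: [300, 250], rect: { x: 900, y: 500, w: 30, h: 25 }, z: 1 },
  { id: 'stack-a', sold: [300, 250], rect: { x: 900, y: 900, w: 300, h: 250 }, z: 1 },
  { id: 'stack-b', sold: [300, 250], rect: { x: 900, y: 900, w: 300, h: 250 }, z: 2 },
];

// Overlapping area of two rectangles, in square pixels.
function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Return { slotId: [issues] } for slots that cannot be seen as sold.
// A slot that is merely below the fold (footer-mpu) is not flagged:
// it is inside the page and a user can scroll to it.
function auditAdSlots(slots, page) {
  const report = {};
  const flag = (id, issue) => (report[id] = report[id] || []).push(issue);
  for (const s of slots) {
    const area = s.rect.w * s.rect.h;
    const soldArea = s.sold[0] * s.sold[1];
    // 1x1 iframe, or a creative rendered far smaller than the size sold.
    if (s.rect.w <= 1 || s.rect.h <= 1) flag(s.id, 'tiny-frame');
    else if (area < 0.5 * soldArea) flag(s.id, 'resized');
    // Positioned where no amount of scrolling can reach it.
    if (overlapArea(s.rect, page) === 0) flag(s.id, 'outside-page');
    // Ad stacking: another slot with a higher z-order covers most of this one.
    const cover = slots.find(
      (o) => o !== s && o.z > s.z && area > 0 &&
        overlapArea(s.rect, o.rect) >= 0.5 * area
    );
    if (cover) flag(s.id, `stacked-under:${cover.id}`);
  }
  return report;
}

console.log(auditAdSlots(SLOTS, PAGE));
```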
Domain Spoofing
Domain spoofing involves a fraudulent website disguising itself as a legitimate — often premium — website. Some fraudulent AdTech platforms can also carry out domain spoofing.
Brands pay high CPMs to reach audiences on premium sites, so by impersonating one of those sites, fraudsters divert ad revenue that should have gone to genuine publishers.
Ad Injection
Also known as hijacked ads, this type of fraud injects ads into unsuspecting websites, typically via malicious browser plugins or mobile apps.
Ad injection can be carried out in several ways:
- Compromising the user's computer to change the DNS resolver — for example, resolving the ad.doubleclick.com domain to an IP address controlled by the attacker, thereby serving different ads.
- Compromising the publisher's website or the user's computer to modify HTML content on the fly — for example, replacing ad tags placed by the publisher with tags controlled by the attacker.
- Compromising the user's proxy server or router (or the ISP's router) to spoof the DNS server or alter HTML content in transit.
Click Injection
Click injection, also known as hijacked clicks, is similar to ad injection but targets clicks rather than ad placements. Fraudsters make money by collecting revenue for both the click and the resulting conversion.
Instead of a commission going to a legitimate publisher or mobile app, it goes to the fraudster — because their fake click is recorded as the last-touch attribution point before the conversion.
Cookie Stuffing
Cookie stuffing is used to steal money from CPA or affiliate marketing campaigns. Because cookies are commonly used to attribute conversions, fraudsters stuff a user's browser with cookies they've either created themselves or stolen from legitimate publishers. This allows them to receive affiliate commissions when a user completes a conversion — such as purchasing a product — on a publisher's site.
How Ad Fraud Is Carried Out
The techniques described above can be executed through several means:
Bot traffic: Non-human traffic generated by botnets consisting of compromised computers, cloud servers, and proxy servers. This is commonly referred to as sophisticated invalid traffic (SIVT).
Click farms and device farms: Collections of devices — laptops and mobile phones — used to generate fraudulent impressions, clicks, and conversions (such as app installs). These operations are sometimes run by humans and sometimes by software installed on the devices.
Methbot and 3ve
Among the many botnets and types of malware that have operated in the ad fraud space, Methbot and 3ve stand out as the most costly ever discovered. These were elaborate, sophisticated operations that stole an estimated US $36 million from advertisers between 2014 and 2018.
Ad fraud is rarely investigated by law enforcement, but in November 2018 the US Department of Justice issued a release announcing indictments of eight individuals in connection with the Methbot and 3ve schemes.
The investigation was the largest criminal proceeding related to ad fraud ever undertaken, and involved the FBI, the US Department of Homeland Security, and private companies including Google and White Ops.
Ad Fraud in Emerging Areas of Digital Advertising
Although ad fraud originated in the display advertising world, it has migrated into emerging channels such as mobile in-app and OTT/CTV.
Mobile In-App Ad Fraud
Many of the techniques used in web browsers carry over into mobile in-app environments. Several, however, are specific to mobile:
App or SDK spoofing: Similar to domain spoofing, this technique tricks advertisers into believing their ad will appear in a premium app when it will actually appear in a fraudulent one.
Ad stacking: Ads are layered on top of one another so the app generates more ad revenue, but only one ad is ever displayed to the user.
Click injection: Just as in web environments, fraudsters collect ad revenue and affiliate commissions for clicks they did not legitimately generate.
Hidden ads: Fraudsters run ads in the background of apps, creating the impression they are being displayed to users when they are not.
Malware: Malicious apps that carry out one or more of the above techniques to generate fraudulent ad revenue.
OTT and CTV
The over-the-top (OTT) and connected TV (CTV) industries are particularly susceptible to ad fraud. They are fast-growing channels with higher CPMs than many other formats, there is no direct connection between buyers and sellers, transparency is limited, and brands are allocating increasing budgets to them.
Pixalate, an ad fraud intelligence and marketing compliance company, uncovered two ad fraud schemes operating in the OTT/CTV environment, naming them DiCaprio and Monarch.
The DiCaprio scheme used techniques similar to those found in web browsers and mobile apps to fool advertisers into believing they were bidding on Roku device inventory. Fraudsters appear to have compromised the popular social networking app Grindr to send out ad requests via a script — which contained the name "DiCaprio" — that made the requests appear to originate from Roku apps on Roku devices. Advertisers bid on those requests believing their ads would reach Roku users, when in reality the ads ran in the background inside the Grindr app.
The Monarch scheme used a spoofing technique to make it appear that ads would be displayed on premium Roku apps, when they actually ended up on non-premium apps like screensavers. Unlike DiCaprio, which involved mobile devices, Monarch was contained to Roku apps and devices.
A third scheme, known as Icebucket and detected by bot-mitigation company White Ops, saw fraudsters impersonate more than 2 million people and generate 1.9 billion ad requests across OTT/CTV and mobile devices. The scheme used a botnet to produce artificial viewing activity on edge devices — primarily mobile and CTV.
How Advertisers and Publishers Can Defend Against Ad Fraud
Combating ad fraud is an ongoing process, but publishers, brands, agencies, and AdTech companies have practical tools available to reduce exposure.
1. Use Ad Fraud Detection Software
A number of cybersecurity and ad fraud detection companies provide tools that identify and block many of the techniques described above across different advertising channels. Many AdTech platforms also include ad fraud detection as a built-in feature.
Some of the main vendors in this space are shown below.

2. Adopt IAB Standards
Over recent years, the IAB has produced several standards designed to reduce ad fraud in web browsers and mobile apps. These include ads.txt, app-ads.txt, ads.cert, and sellers.json.
Authorized Digital Sellers (ads.txt)
Ads.txt targets domain spoofing and inventory arbitrage — the practice of buying impressions and reselling them at a markup through a third party. It addresses these issues by indicating who the authorized sellers and resellers of a publisher's inventory are.
To implement the standard, a publisher creates an ads.txt file listing all their programmatic partners (supply-side platforms, ad exchanges, ad networks, and so on), hosts it on their web server, and makes it accessible under their root domain.

Advertisers or AdTech companies can then use a crawler to collect ads.txt files across publishers.

Those files can then be cross-referenced against IDs in OpenRTB bid requests. A match gives buyers reasonable assurance they are purchasing inventory from a genuine publisher.
To check whether a publisher has an ads.txt file, simply append /ads.txt to their root domain — for example, businessinsider.com/ads.txt or cnn.com/ads.txt.

Here is what each field in an ads.txt entry represents:
AdTech partner — The AdTech platform, typically an SSP or ad exchange, that the publisher uses to sell inventory. Examples include google.com, appnexus.com, rubiconproject.com, and pubmatic.com.
Seller Account ID — The publisher's account ID with the respective AdTech vendor, used to verify the authenticity of inventory during RTB auctions.
Direct or Reseller — "Direct" means the publisher works directly with the AdTech vendor to sell its inventory. "Reseller" means the publisher has authorized another company to sell on its behalf — for example, SSP2 (reseller) selling through SSP1 (direct).
Certification Authority ID — An optional field that identifies the advertising system within a certification authority, such as the Trustworthy Accountability Group (TAG).
Inventory type — Some publishers include this optional field so they can track which type of inventory a given AdTech vendor sells (see cnn.com/ads.txt for examples). Because this field is preceded by a hash character (comment notation), it won't be captured by standard crawling scripts unless specifically configured to do so — and since it's primarily for the publisher's own reference, buyers generally don't need this information.
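The cross-referencing step described above, as an added example that is not part of the original guide: a parser for ads.txt records and a lookup of the seller named in a bid request. The file contents, domains and IDs are constructed; reading the account ID from `site.publisher.id` and passing the exchange's domain in separately are assumptions of this example.

```javascript
// Constructed ads.txt body for a hypothetical publisher.
const SAMPLE_ADS_TXT = `
# ads.txt for publisher.example (constructed sample)
contact=adops@publisher.example
ssp-one.example, 1001, DIRECT, abc123tagid # display
ssp-two.example, pub-77, RESELLER
SSP-Three.example , 555 , direct
broken line without enough fields
`;

// Parse ads.txt text into seller records. Text after '#' is a comment;
// variable lines (contact=, subdomain=) and malformed lines are skipped.
function parseAdsTxt(text) {
  const records = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.split('#')[0].trim();
    if (!line) continue;
    const fields = line.split(',').map((f) => f.trim());
    if (fields.length < 3) continue;
    const [domain, sellerId, relationship, certAuthorityId] = fields;
    const rel = relationship.toUpperCase();
    if (!domain || !sellerId) continue;
    if (rel !== 'DIRECT' && rel !== 'RESELLER') continue;
    records.push({
      domain: domain.toLowerCase(), // domains compare case-insensitively
      sellerId,                     // account IDs are compared exactly here
      relationship: rel,
      certAuthorityId: certAuthorityId || null,
    });
  }
  return records;
}

// Is the seller in this bid request listed by the publisher?
// exchangeDomain: the AdTech partner the request arrived from.
function checkBidRequest(records, exchangeDomain, bidRequest) {
  const sellerId = String(bidRequest.site.publisher.id);
  const match = records.find(
    (r) => r.domain === exchangeDomain.toLowerCase() && r.sellerId === sellerId
  );
  return match
    ? { authorized: true, relationship: match.relationship }
    : { authorized: false, relationship: null };
}

// Constructed bid request fragment claiming to sell publisher.example.
console.log(checkBidRequest(parseAdsTxt(SAMPLE_ADS_TXT), 'ssp-one.example',
  { site: { domain: 'publisher.example', publisher: { id: '1001' } } }));
```

An unlisted ID on a listed exchange is the domain-spoofing signal: the request names the publisher's domain, but the account selling it is not one the publisher authorized.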
Authorized Digital Sellers for Apps (app-ads.txt)
App-ads.txt is the mobile app equivalent of ads.txt, with some differences in implementation.
App developers need to provide a developer website URL in their app store listings and publish an app-ads.txt file on that site. App stores are also encouraged to include three HTML <meta> tags on each app's store listing page to allow advertisers and AdTech companies to match the bundle_id and/or store_id appearing in bid requests.
Here is the IAB's example of those three HTML meta tags:
<meta name="appstore:developer_url" content="https://www.path.to/page" />
<meta name="appstore:bundle_id" content="com.example.myapp" />
<meta name="appstore:store_id" content="SKU12345" />
Advertisers and AdTech companies then need to crawl app listing pages to retrieve these tags, translate the developer URL to an app-ads.txt path, and crawl for and interpret the resulting app-ads.txt files.
Ads.cert
Ads.cert is considered a more secure complement to ads.txt. It increases transparency in programmatic ad buying by providing cryptographically signed bid requests, allowing media buyers to verify that the information in a bid request — the publisher's URL, the user's location, IP address, and device — has not been tampered with.

Here is how the process works, step by step:
- OpenSSL generates a pair of ECDSA keys based on the bid request on behalf of the publisher:
  - Public key — Secured but accessible, used by systems that validate bid requests against signatures. The public key file must be served via HTTP and/or HTTPS from the publisher's website under the relative path /ads.cert. The resource does not necessarily need to come from a file system.
  - Private key — Secret and inaccessible to outside systems, but accessible to the systems (e.g., an SSP) that generate and sign bid requests. Private keys follow a standard format recognized by compatible security packages.
- An encrypted signature based on the bid request is generated with the private key, attached to the bid request, and sent out on the publisher's behalf by the SSP — along with details about the available impression, the publisher's website or app, industry, language, and so on.
- The recipient of the bid request uses the public key to generate a second signature for the same bid request.
- The two signatures are compared. If they match — meaning both were generated from the same bid request using a matching key pair — the bid request is considered legitimate. Any alteration to the signed elements can be detected by the recipient or by other servers in the chain.
The main limitation of ads.cert is that it requires OpenRTB 3.0, which is not currently supported by the majority of AdTech platforms.
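The signing and checking steps can be reproduced with Node's built-in crypto module. This is an added example, not code from the original guide or from the ads.cert specification: the signed field list, the canonical string, the P-256 curve and the PEM encoding of the published key are assumptions. With ECDSA the recipient runs a verify operation over the same fields using the public key and the attached signature.

```javascript
const crypto = require('node:crypto');

// Publisher side: key pair created once. The private key stays with the
// signing system; the public key is what /ads.cert would serve.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
  namedCurve: 'prime256v1', // assumption: P-256
});
const PUBLISHED_PEM = publicKey.export({ type: 'spki', format: 'pem' });

// Hypothetical canonical form: the signed fields in a fixed order.
// Fields outside this list are not protected by the signature.
const SIGNED_FIELDS = ['domain', 'ip', 'ua', 'country'];
function canonicalize(req) {
  return SIGNED_FIELDS.map((k) => `${k}=${req[k] ?? ''}`).join('\n');
}

// Signing system (e.g. the SSP): attach a base64 ECDSA signature.
function signBidRequest(req, key) {
  const sig = crypto.sign('sha256', Buffer.from(canonicalize(req)), key);
  return { ...req, sig: sig.toString('base64') };
}

// Buyer side: rebuild the canonical string from the received request and
// verify the attached signature with the publisher's public key.
function verifyBidRequest(signedReq, pubKey) {
  if (typeof signedReq.sig !== 'string') return false;
  try {
    return crypto.verify(
      'sha256',
      Buffer.from(canonicalize(signedReq)),
      pubKey,
      Buffer.from(signedReq.sig, 'base64')
    );
  } catch {
    return false; // malformed signature or key
  }
}

// Constructed request; the buyer loads the key as fetched from /ads.cert.
const exampleRequest = signBidRequest(
  { domain: 'publisher.example', ip: '203.0.113.7', ua: 'ExampleBrowser/1.0', country: 'DE' },
  privateKey
);
const buyerKey = crypto.createPublicKey(PUBLISHED_PEM);
console.log('untouched:', verifyBidRequest(exampleRequest, buyerKey));
console.log('domain rewritten:',
  verifyBidRequest({ ...exampleRequest, domain: 'premium.example' }, buyerKey));
```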
Sellers.json and the OpenRTB Supply Chain Object
Sellers.json allows media buyers to see all the sellers and resellers involved in a given bid request. In many ways, it is an extension of ads.txt: rather than simply listing authorized sellers and resellers, sellers.json identifies the final seller of a bid request.
The OpenRTB Supply Chain Object is part of sellers.json and provides a record of all direct sellers and resellers that have been involved in a bid request. By viewing all the entities — referred to as nodes — involved in bid requests, media buyers gain greater supply chain transparency, can assess whether those entities are partners they want to work with, and can see how many hands a bid passed through before reaching the publisher.
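A buyer-side audit of a supply chain against the sellers.json files of the systems it names, as an added example that is not part of the original guide. The sellers.json documents and chains are constructed, the node fields `asi` (ad system domain) and `sid` (seller ID in that system) follow the IAB SupplyChain object, and the seller-type expectations per position are a policy assumed for this example.

```javascript
// Constructed sellers.json documents, keyed by the ad system that serves them.
const SELLERS_JSON = {
  'ssp-one.example': { version: '1.0', sellers: [
    { seller_id: '1001', seller_type: 'PUBLISHER', domain: 'publisher.example' },
  ] },
  'exchange-two.example': { version: '1.0', sellers: [
    { seller_id: 'ssp1-acct', seller_type: 'INTERMEDIARY', domain: 'ssp-one.example' },
    { seller_id: 'hidden-9', seller_type: 'INTERMEDIARY', is_confidential: 1 },
  ] },
};

// Walk every node of the chain and report what cannot be confirmed.
function auditSupplyChain(schain, sellersByDomain, siteDomain) {
  if (!schain || !Array.isArray(schain.nodes) || schain.nodes.length === 0) {
    return { hops: 0, findings: ['missing schain'] };
  }
  const findings = [];
  if (schain.complete !== 1) findings.push('chain not declared complete');
  schain.nodes.forEach((node, i) => {
    const doc = sellersByDomain[String(node.asi).toLowerCase()];
    if (!doc) {
      findings.push(`node ${i}: no sellers.json for ${node.asi}`);
      return;
    }
    const seller = doc.sellers.find((s) => s.seller_id === String(node.sid));
    if (!seller) {
      findings.push(`node ${i}: sid ${node.sid} not listed by ${node.asi}`);
      return;
    }
    if (seller.is_confidential === 1) {
      findings.push(`node ${i}: seller identity is confidential`);
    }
    // Assumed policy: the first node is the inventory owner, later nodes resell.
    const expected = i === 0 ? ['PUBLISHER', 'BOTH'] : ['INTERMEDIARY', 'BOTH'];
    if (!expected.includes(seller.seller_type)) {
      findings.push(`node ${i}: unexpected seller_type ${seller.seller_type}`);
    }
    if (i === 0 && seller.domain && seller.domain !== siteDomain) {
      findings.push(`node 0: seller domain ${seller.domain} is not ${siteDomain}`);
    }
  });
  return { hops: schain.nodes.length, findings };
}

// Constructed two-hop chain: publisher -> ssp-one -> exchange-two.
console.log(auditSupplyChain(
  { ver: '1.0', complete: 1, nodes: [
    { asi: 'ssp-one.example', sid: '1001', hp: 1 },
    { asi: 'exchange-two.example', sid: 'ssp1-acct', hp: 1 },
  ] },
  SELLERS_JSON, 'publisher.example'));
```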
Ad Viewability
Ad viewability refers to whether an ad was actually seen by a human.
Non-viewable ads can result from fraud — for instance, a publisher using bots to generate impressions — but in most cases the cause is not malicious. An ad may simply be located at the bottom of a page that a user never scrolls to.
Ad viewability is one of the most persistent issues in online advertising. Some sources estimate that over half of all ads served are never actually viewed by a real user.
Most AdTech platforms are reasonably effective at determining whether an ad has been served and whether it has been clicked on, but measuring whether an ad was genuinely seen by a user is considerably harder.
The current industry standard from the IAB and the Media Rating Council (MRC) defines a viewable impression as follows:

Source: MRC Viewable Ad Impression Measurement Guidelines, Version 1.0 (Final) – June 30, 2014
For display ads: 50% of the ad's pixels must be within the web browser's viewport for a minimum of 1 second.
For video ads: 50% of the ad's pixels must be within the web browser's viewport for a minimum of 2 seconds.
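The two thresholds applied to a stream of position samples, as an added example that is not part of the original guide or of any vendor's measurement code. The sample format is hypothetical and the session is constructed; requiring the time to be continuous and the tab to be in focus are assumptions of this example.

```javascript
// Thresholds quoted above: share of pixels in the viewport and minimum time.
const THRESHOLDS = {
  display: { fraction: 0.5, ms: 1000 },
  video: { fraction: 0.5, ms: 2000 },
};

// Fraction (0..1) of the ad's area inside the viewport; page coordinates.
function visibleFraction(ad, viewport) {
  const w = Math.min(ad.x + ad.w, viewport.x + viewport.w) - Math.max(ad.x, viewport.x);
  const h = Math.min(ad.y + ad.h, viewport.y + viewport.h) - Math.max(ad.y, viewport.y);
  const area = ad.w * ad.h;
  return area > 0 && w > 0 && h > 0 ? (w * h) / area : 0;
}

// samples: [{ t, ad, viewport, focused }] sorted by t (milliseconds).
// True once the pixel requirement has held for one unbroken run of the
// required length; any sample that fails it restarts the clock.
function isViewableImpression(samples, format) {
  const { fraction, ms } = THRESHOLDS[format];
  let runStart = null;
  for (const s of samples) {
    const inView = s.focused && visibleFraction(s.ad, s.viewport) >= fraction;
    if (!inView) {
      runStart = null;
      continue;
    }
    if (runStart === null) runStart = s.t;
    if (s.t - runStart >= ms) return true;
  }
  return false;
}

// Constructed session: 300x250 ad at page y=900, 1280x800 viewport that
// scrolls down at t=500 and loses focus at t=1800.
function sampleSession() {
  const ad = { x: 100, y: 900, w: 300, h: 250 };
  const vp = (y) => ({ x: 0, y, w: 1280, h: 800 });
  return [
    { t: 0, ad, viewport: vp(0), focused: true },       // below the fold
    { t: 500, ad, viewport: vp(300), focused: true },   // 80% in view
    { t: 1200, ad, viewport: vp(300), focused: true },
    { t: 1600, ad, viewport: vp(300), focused: true },  // 1100 ms in view
    { t: 1800, ad, viewport: vp(300), focused: false }, // tab switched
    { t: 4000, ad, viewport: vp(300), focused: true },
  ];
}

console.log('display:', isViewableImpression(sampleSession(), 'display'));
console.log('video:', isViewableImpression(sampleSession(), 'video'));
```

A 1×1 frame inside the viewport has a visible fraction of 1.0, so the pixel-share rule alone does not expose it; the rendered size has to be checked separately.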
Viewable Impressions
Impression trackers are used by both advertisers and publishers to count the number of impressions an ad receives. However, this only captures served impressions — it does not confirm that a real user actually saw the ad. Accurately measuring viewability therefore requires a separate layer of measurement on top of standard impression tracking.
Ads may be served but not viewed for a number of reasons:
- The ad took too long to load, leaving a blank space where it should have appeared.
- The user scrolled past, switched tabs, or changed windows before the ad could render.
- The user was running an ad-blocking plugin such as AdBlockPlus, uBlock, or Ghostery.
- Technical issues with the webpage or browser prevented the ad from displaying.
There are also numerous fraudulent long-tail sites that employ various tricks to register an ad impression even when the ad could never have been visible on the page.
What is a long-tail website? A long-tail website is a small publisher or individual blogger. These sites typically monetize through Google AdSense, and the inventory they offer is referred to as long-tail inventory.
The concept of the viewable impression is the industry's primary response to this challenge. The principle is straightforward:
An advertiser pays only for ad impressions that were actually seen by a user.
In practice, measurement is more complex than the definition suggests. Companies such as Google, DoubleVerify, IAS, and Moat provide ad viewability measurement software to help advertisers determine how many of their ads were genuinely viewed.
Summary
- Ad fraud costs the digital advertising industry between US $26 billion and US $42 billion annually, with projections reaching US $100 billion by 2023.
- The most common types of ad fraud in web browsers are: invisible and hidden ads, domain spoofing, ad injection, click injection, and cookie stuffing.
- Ad fraud is a significant problem in mobile in-app advertising and is increasingly prevalent in fast-growing channels like OTT/CTV.
- Practical defences include ad fraud detection software and adoption of IAB standards: ads.txt, app-ads.txt, ads.cert, and sellers.json.
- Ad viewability refers to whether an ad was actually seen by a human user. Some estimates suggest more than half of all served ads are never viewed.
- The IAB and MRC define a viewable impression as: 50% of a display ad's pixels in the viewport for at least 1 second; 50% of a video ad's pixels in the viewport for at least 2 seconds.
- Viewable impressions track ad impressions that meet those criteria and are confirmed to have been seen by a real user.