Click fraud rises should be a concern for the advertising industry
Click fraud rises should be a concern for anyone involved in digital marketing, with Juniper Research predicting nearly $1b will be lost to ad fraud by the end of 2024.
This loss of around $85b is estimated to be 22% of all ad spend and Juniper Research is predicting it will continue to rise, reaching around $170b by 2028.
With advertising spend reaching a record high of $225 billion in the US during 2023, according to the latest figures released by the Interactive Advertising Bureau (IAB) in partnership with PwC and e&m, cyber-security and ad fraud mitigation must be a priority for all business owners.
This does not just concern the US either. The latest Advertising Association/WARC Expenditure Report shows that the UK’s ad market recorded a 6.1% increase in investment to a total of £36.6bn during the same period, and criminals are also targeting closer to home.
Why is ad fraud such a concern?
With the growing digitisation of processes, including those in advertising, comes a growing risk of fraud.
Today, when more and more ads are traded programmatically, fraud detection processes are not yet fully developed, and so the bulk of advertising ends up being served to bots instead of potential customers.
Figures released by Statista in 2019, from a study evaluating the state of ad fraud worldwide, found that invalid traffic accounted on average for 10.8% of total global digital ad traffic that year.
More than 30% of ad traffic in China was invalid, while the second largest region based on bot traffic share was North America, at 3.3%.
$16.59 billion is forecast to be wasted on Google Ads in 2024 because of invalid traffic, and another $54.78 billion is set to be lost on non-Google channels such as Meta, LinkedIn, TikTok, and X (formerly Twitter).
Ad fraud, and click fraud rises in particular, impacts all businesses that use digital advertising because it diminishes the Return on Ad Spend (ROAS) when ads are either spoofed by fraudsters or interacted with by non-human bots.
This has a knock-on effect of making advertising and marketing campaigns less effective, muddies any data analytics being gathered and adds to the workload of marketing managers and digital advertising execs who can’t be sure their campaigns are being seen by genuine customers or potential new clients.
How does click fraud happen?
The main difference between click fraud and ad fraud lies in their respective targets.
Ad fraud exclusively targets paid online ads, whereas click fraud extends its reach to include organic content, such as links on social media platforms or within apps. Click fraud is the act of clicking on online content, including organic or paid ads online, with malicious or vindictive intent.
This can happen on a display ad or a sponsored search result, on links published on social media channels, or on fake traffic clicks on your website.
The most common reasons to get fake clicks on your PPC ad campaign are:
- Vindictive competitors or customers who want to negatively impact your online presence or brand reputation in general;
- Organised fraudulent developers who have created a way to get paid for clicking your ads, usually using fake publisher inventory;
- Malware apps or software created to collect the payout from ads (often with some help from bots);
- Paid-to-click apps that pay users to click or watch ads in exchange for a small reward.
Due to the complexity of ad fraud, all parties within the advertising ecosystem, including ad networks, attribution platforms, publishers and even Internet users are susceptible to fraudulent attacks, with all these occurrences resulting in a reduction of Return On Ad Spend (ROAS) for advertisers.
With the digital advertising market expected to grow around 105% in the next five years, this significantly increases the scope and potential for ad fraud to occur, meaning more ad spend is being syphoned out through criminal activity.
Juniper Research estimates that 17% of all online clickthroughs carried out via desktop were illegitimate and fraudulent traffic is expected to grow to more than 65bn clickthroughs by 2028.
Real world examples
In 2018, a massive ad-fraud operation that hijacked nearly two million devices and involved 5,000 counterfeit websites was dismantled by the FBI, Google and bot-detection firm White Ops (now Human).
The scheme, known as “3ve” (pronounced “Eve”), was described by the take-down team as a “very complex, ever-shifting maze.” 3ve operated on a massive scale: at its peak, it controlled more than one million IPs from both residential botnet infections and corporate IP spaces, primarily in North America and Europe.
3ve infected PCs with the malware packages Boaxxe and Kovter, which were spread by booby-trapped emails and drive-by downloads. The hijacked devices generated fake clicks on ads, making the operators hefty sums of money from duped advertising networks.
Matthew Hardeman, a networking engineer who analysed 3ve for an article on Ars Technica at the time, called the hijacking a troubling lesson in just how susceptible the Internet’s global routing system is to fraud and malice.
He wrote: “This is the first Border Gateway Protocol (BGP) hijack of note in which a relatively small actor or set of actors succeeded in hijacking substantial amounts of IP space in a rolling fashion successfully without burning all their upstreams.
“They did this by excellent operating skill and knowledge. Essentially, they’ve demonstrated that even a small actor or individual with appropriate knowledge and operation experience can, in today’s climate, execute a hijack that withstands initial scrutiny and complaint from the proper IP address holders.”
Human was also previously involved in taking down the Russian Methbot cybercrime operation, which was estimated to have caused losses for online video advertisers ranging from $3 to $5 million per day.
Methbot used 571,904 dedicated IPs, many falsely registered as US ISPs, and deployed between 800 and 1,200 dedicated servers in datacentres in the Netherlands and the US.
At the time, it was the largest and most profitable ad fraud network established, before it was discovered in late 2016.
What can you do to identify click fraud rises?
While it’s almost impossible to prevent click fraud rises, it is possible to identify, and reduce, the risks to your business.
Here are some of the things you can keep an eye on which might give you an early indicator there’s something wrong with your ad campaigns or your PPC activities that could be attributed to click fraud:
High Bounce Rates – A reasonable bounce rate on a Google PPC ad is around 40-50%. Anything higher than 60-70% means you need to take a look and check for any obvious clues something’s not working.
Know Your Site Traffic & Costs – If you constantly monitor your site traffic, you will be able to identify unusual spikes or a rise in traffic from a part of the world you don’t normally do business with. If you know the average cost of your PPC campaigns, anything which moves outside of that average can be a sign you’re getting fake bot clicks.
Identify Your IP Addresses – Use tracking tools, including WordPress plugins, for IP address logging so you can identify which addresses have visited your site. Check your website logs to see if the same IP address pops up repeatedly over a specified time. Obscure IP addresses, or ones which visit too many times to be a normal pattern, can be a red flag. Use Google Ads’ inbuilt ability to block up to 500 IP addresses per campaign if you notice anything unusual.
Block Suspicious URLs And Domains – You can use Google Analytics 4 to wholesale blacklist suspicious domains using the “List Unwanted Referrals” feature found under Data Streams in the Property column of the Admin section.
Click Fraud Prevention Software – This provides additional layers of security protection which help your business fight against malicious bots and click fraud. AI-powered, patented Ad Fraud Prevention from Veracity Trust Network is constantly learning about new threats and adapting its algorithms.
When a suspect IP address, device, or VPN is identified, it’s then added to the list of blocked sources. It blocks fake traffic, increases conversions and produces data you can actually trust.
Ad Fraud Prevention’s customisable dashboard puts real data, reports and notifications at your fingertips, ready for scheduled exporting and analysis.
Talk to us and find out how we can help you fight click fraud rises.
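The bounce-rate and website-log checks listed above can be run directly against a web server access log. The following is an added example, not code from the article or from any vendor it mentions: it assumes combined-format log lines, that paid clicks carry Google Ads' `gclid` auto-tagging parameter, and hypothetical thresholds (three clicks in ten minutes, a 30-minute session).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /landing?gclid=abc1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:40 +0000] "GET /landing?gclid=abc2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:02:15 +0000] "GET /landing?gclid=abc3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:03:00 +0000] "GET /landing?gclid=def1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:04:10 +0000] "GET /pricing HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:11:30:00 +0000] "GET /landing?gclid=ghi1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)')
MAX_EXCLUSIONS = 500  # per-campaign IP block limit quoted in the article

def parse(log_text):
    """Yield (ip, timestamp, is_paid_click) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            # Assumption: a paid click is any request whose URL carries gclid=.
            yield m.group(1), ts, "gclid=" in m.group(3)

def analyse(log_text, max_clicks=3, window=timedelta(minutes=10),
            session=timedelta(minutes=30)):
    """Return (IPs to review for exclusion, bounce rate of paid clicks)."""
    clicks, pages = defaultdict(list), defaultdict(list)
    for ip, ts, paid in parse(log_text):
        (clicks if paid else pages)[ip].append(ts)
    suspects, bounced, total = [], 0, 0
    for ip, times in clicks.items():
        times.sort()
        # Sliding window: any run of max_clicks paid clicks inside `window` flags the IP.
        if any(times[i + max_clicks - 1] - times[i] <= window
               for i in range(len(times) - max_clicks + 1)):
            suspects.append(ip)
        for t in times:
            total += 1
            # A click "bounces" if the IP requests no other page within the session.
            if not any(t < p <= t + session for p in pages[ip]):
                bounced += 1
    # Worst offenders first, so the cap drops the least active IPs.
    suspects.sort(key=lambda ip: -len(clicks[ip]))
    return suspects[:MAX_EXCLUSIONS], (bounced / total if total else 0.0)
```

On the constructed sample, `analyse(SAMPLE_LOG)` flags one IP and reports a paid-click bounce rate above the 60-70% level the article says warrants a closer look. Shared or carrier-NAT addresses can trip the per-IP count, so flagged IPs are candidates for review rather than automatic blocks.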