Ad fraud: how billions are stolen every year

Late last month, Google cracked down on Judy, a malware present in 40 seemingly innocent Play Store apps, which would automatically display and click on ads through a hidden browser, unnoticed by the user. Before being removed from the store, Judy apps had been downloaded 36 million times, and were believed to generate more than $300,000 per month of fraudulent ad revenue. 

Not an isolated event

Despite impressive numbers, the above-mentioned figures are only a very small part of a puzzle whose proportions border on dazzling. In his most recent 50-page report, Dr. Augustine Fou, an MIT PhD graduate and ad fraud specialist, lists a few key numbers on the phenomena:

-31 billion USD: that’s the estimated size of ad fraud in 2016, in the US alone. To put things in perspective, that’s 50% more than payment card fraud or counterfeit goods over a similar period.
-25% per year: the growth rate of ad fraud over the last two years
-80-99%: the profit margin of selling fake ads
-3 to 5 million USD per day: this was the income of Methbot, a high-end botfarm targeting the video advertising industry
 

Real money for fake views

Ad fraud mainly targets ad impressions and clicks. Why? Because hackers go after the big money. When combined, these two channels make up for 91% of global ad spend.

Both types of fraud rely on a similar strategy: because there are so many sites on the internet, and most of them are inclined to sell ad space, manually managing the sale of display or click-through ads is virtually impossible. As a result, bidding or purchasing advertisement space now happens through automated services.

Fraudsters join these networks to offer their fake ad spaces, which end up being unknowingly purchased by “honest” businesses. They have no idea that the views and clicks received are actually all performed by robots. 

The results? A significant decrease in ad revenue, through oversupply of low quality ads driving the price of advertisement down, and through cookied bots stealing ad views from honest sites. On a macroeconomic level, this fraud also causes general mistrust in regards to digital advertisement.

What can media publishers do about this?

Since the bots used in ad fraud are not actual security risks for users or sites, they haven’t been subject to much attention from security services. Ad providers have mostly been reacting to fraud by blacklisting malevolent sites, rather than actively targeting them.

As underlined in the Independent’s Steve Dempsey discussion with Dr. Fou, publishers can aim to increase their ad revenue by differentiating themselves from regular ad space sellers, and focusing on quality -i.e. human- views sold at a premium. This may be done by reducing the amount of user tracking allowed on their site (something Apple and Google both plan to enforce sooner than later), or proactively blocking non-human traffic. But it is easier said than done.

At the end of the day, the best solution for publishers may be to stick with their best income source. Subscription-based digital media sale is on the rise, and is expected to keep gaining momentum. With ad fraud not going away anytime soon, publishers should keep relying on the payment method they’ve been successfully using for over a century.