How Ad Fraud Is Committed Daily

Free IP lookup API to uncover fraud, bots, and high risk users.

With digital ad fraud accounting for 18.31% of global advertising spending, marketers must be on constant guard and actively combat its impact. This is no small task. Several methods are used in the five main types of ad fraud, each of which needs to be accounted for in fraud prevention measures.

The variety and targeting of ads that digital advertising provides can only occur because of a complex technical chain involving users, devices, software, publishers, ad delivery networks, ad exchanges, DSPs, SSPs and more. All of which have their own vulnerabilities that malicious actors can exploit. The main differences between types of ad fraud lie in which part of the chain is being used a weak link.

Digital ad fraud, the act of illegitimately manipulating advertising analytics for gain, falls into five broad categories:

  • Click fraud: Artificially inflating click metrics using automated scripts, bot networks, click farms or other methods. Includes both basic automated clicking and sophisticated systems that mimic human behavior patterns to evade detection.
  • Impression fraud: Creating fake ad views through methods like ad stacking, pixel stuffing, domain spoofing or other exploits. It often involves hiding ads where users can’t see them or misrepresenting low-quality inventory as premium placements.
  • Lead fraud: Using bots, stolen data, or fake forms to generate seemingly valid but worthless leads. Automated form filling with synthetic identities or repurposed personal information to claim affiliate commissions is common.
  • Install fraud: Manipulating software or app attribution systems to claim credit for app installations that either never happened or were generated artificially. Includes techniques like click injection, SDK spoofing, and fake device IDs.
  • Sales fraud: Manufacturing fake purchases using stolen payment credentials, exploiting referral systems, or creating phantom transactions. Often combined with sophisticated methods to bypass fraud detection and verification systems.

Understanding all types of ad fraud is the first step in reducing the risk of wasting nearly one-fifth of your marketing budget.

Learn More About Our Products

Click Fraud

Incentivizing clicks makes sense for marketers, the value of a pair of eyeballs engaged with your ad is high and the more engagement an ad gets the better the return on ad spend is. Unfortunately, click fraud is the most common type of ad fraud because it provides scammers with the most reward for the least effort. The money to be gained by scamming a CPC ad well exceeds the cost of doing so.

Click fraud can be accomplished in one of three ways:

  • Manually: People make the fraudulent click
  • Bots: Automated programs click
  • Technical: Code is used to deceive analytics

Within these three broad strategies are specific tactics that scammers use to exploit CPC budgets.

Click Farms

In parts of the world where labor costs are low, scammers pay employees to click on ads to generate CPC revenue. This fake engagement relies on paying minimal wages and masking user locations to appear to come from legitimate geographies. These facilities can generate thousands of clicks an hour and prey on the disparity between cost-per-click campaigns and local poverty levels.

How it’s done: 

  1. Scammers obtain the devices to carry out the fraud
  2. Hire workers to commit click fraud
  3. IP and device masking software is used to make the clicks seem legitimate
  4. Facilities run 24/7 with multiple shifts

Analytics can only report the data provided, so click-fraudsters manipulate the data itself. To appear more legitimate, data on the location and the device the click came from is altered. This is done using one or a combination of tools like VPNs, proxy servers, device or software settings, and Tor networks.

Manual Fraudulent Clicking

While more limited than click farms or other methods, individual actors can deliberately generate false clicks. Competitors, disgruntled customers, scam affiliates, and publishers can all engage in click fraud to boost their profits or waste your ad budget. There is no defined methodology for this, and no system exploits are used.

Traffic Bot Farms

Scammers write programs that mimic human browsing behavior appearing to the network as though they are legitimate users. Programmers code bot behavior, connect it to a database that defines inputs to determine the behavior and then connect it to an API to interact with networks. This has been exacerbated with scammers using machine learning to learn how to better mimic user behavior.

How it’s done:

  1. Traffic bot is created, connected to the database and API
  2. Machine learning is used to recreate realistic click patterns
  3. Bots hit networks and simulate mouse movements, scrolling and clicking
  4. Fake clicks are generated for CPC campaigns

The key for traffic bots is to generate believable fake traffic that goes unnoticed by marketers without a fraud detection system in place. Traffic bots can operate on a massive scale and like many forms of click fraud will use IP masking or IP location spoofing.

Malware Botnets

A malware botnet is a more sophisticated form of traffic bot because the traffic originates from legitimate IP addresses and known devices. This is done by tricking users into downloading software that seems innocuous but contains code that allows hackers to control the device silently in the background. Clicks can then be generated by activating the malicious bot and generate clicks when the user isn’t actively browsing.

How it’s done:

  1. Users unknowingly download a piece of software with malware botnet code
  2. Code sits on the device waiting for instructions
  3. Scammers activate code to perform click fraud

As malware botnets proliferate, hackers can coordinate clicks across thousands of devices at once, all appearing to come from a real user with a known device on a recognized IP address.

Cookie Stuffing

Cookies are used to track user behavior across networks so by manipulating a user’s cookies scammers can falsify the origins of a click. Cookie stuffing is a deceptive practice that places third-party cookies on user sessions to take credit for clicks in a CPC campaign and is used for both click and impression fraud. Aside from diverting money to scammers, this is particularly damaging for optimizing CPC campaigns because the data used to do so is flawed.

How it’s done:

  1. Malicious scripts are secretly activated through a user’s click, extension, javascript, iframe or other mechanism
  2. Cookies are forced onto the user’s browser without consent
  3. Cookies get recognized as legitimate and CPC credit is given

Hundreds of cookies can be stuffed onto a browser in a single session, bypassing traditional user tracking methods to steal credit for a click.

Click Stuffing

Click stuffing is a simple scam that combines real user interactions with code that distorts the reality of those interactions. When a user makes a single click a script is launched in the background that turns that one click into several clicks. To CPC campaigns, it looks as though there have been multiple legitimate clicks, to the user they get the same experience as though they clicked only once.

How it’s done:

  1. Code is placed on the site (by the site owner or by exploit)
  2. User interacts as normal, clicks on a link
  3. Code is triggered to automatically generate dozens of click interactions

Click stuffing can be delayed so it can look like a user made multiple clicks at different points in time, this manipulates cookies and user history for the purposes of attribution across a longer span of time.

Clickjacking

Clickjacking occurs when a user is fooled into making an unintentional click that costs CPC dollars. This is done through deceptive design such as mislabeling links or overlaying several invisible elements to capture a click. Users are frustrated because their click doesn’t take them where they want to go while CPC marketers get their budgets squandered on clicks from uninterested, frustrated users.

How it’s done:

  1. A deceptive design element is added to a page (mislabeling links or invisible layers)
  2. User unknowingly clicks
  3. User is sent to a CPC page instead

Clickjacking can be done by fraudulent publishers or by scammers without the knowledge of a website.

RTB (Real-Time Bidding) Click Fraud

Real-time-bidding click fraud is unique to other forms because it exploits the technology that delivers the ads, not the users, publishers and marketers. A powerful tool, RTB, allows advertisers to set up bid parameters to compete against other advertisers for the same space. RTB click fraud manipulates the price of ads within the platform to make advertisers pay more for a click, driving up the revenue.

How it’s done:

  1. Artificial bid pressure on the cost of a click is created (bots, platform exploits, etc.)
  2. Advertisers bid on higher prices for CPC
  3. CPC payouts increase making click fraud more profitable

RTB fraud will be used with a combination of other click fraud methods to get the full benefit of first increasing CPC and then reaping the higher click-bounty rewards.

Impression Fraud 

Impression fraud occurs when fake views are generated for digital ads, inflating view counts and wasting ad spend while distorting campaign data. The pixel used to register an impression on an online ad is fired and recorded by the analytics, but the ad wasn’t displayed to a real user. Impression fraud is not as widespread as click fraud because the payout for impressions provides lower margins for scammers. Most impressions are paid out in CPM (cost per one thousand views) so falsifying impressions must be done at a larger scale.  
Many of the tactics used to commit impression fraud are similar to click fraud schemes and will be done in conjunction with other types of online fraud. If you’re sophisticated enough to pull off click fraud, you’ll be willing and able to commit impression fraud, as the methodology is similar. 

Ad Stacking 

Ad stacking is the impression fraud version of clickjacking because like clickjacking it relies on misleading design to register credit for advertising that didn’t occur. In ad stacking, multiple ads are layered on top of one another with only one being visible to the user. To advertisers, it appears as if all the ads were shown to users though they only saw one, counting the visit toward CPM metrics. This is done by finding exploits in the system that tracks ad impressions and designing the website to take advantage of them.  

Pixel Stuffing 

Similar to ad stacking, credit for ad impressions is taken for a real site visit but without showing the user the ad. Instead of layering invisible ads on top of one another, pixel stuffing involves shrinking the ad to the size of a pixel so it’s technically on the page but no longer a functional ad. To the user, the ad is effectively invisible but to the tracking analytics, it looks like a user visited a page and saw the ad.  

Impression Bots 

Like with click fraud, bots can be used to “view” pages and register impressions counting toward the ad CPM. This can be done through bot farms or established botnets and will use the same ip masking tools and be programmed to mimic human behavior. Bots are commonly used with other impression ad scams like ad stacking and pixel stuffing to further inflate the numbers. 

Cookie Stuffing 

Advertisers use cookies to track users and like with click fraud, they can be manipulated to give false credit for impressions. Cookie stuffing occurs when sites inject third-party cookies on a browser that misrepresent the user’s history to take credit for impressions in the CPM model or when cookies are used to improperly track users and serve them ads. Both methods exploit weaknesses in browsers to inflate impression share of an ad.  

Domain Spoofing 

Domain spoofing is commonly used for consumer fraud, but it can be used for ad fraud with the same methodology. Fraudsters create domain names that closely resemble established publishers, display scraped or programmatic content and then deploy traffic bots to trick advertisers into believing it’s a legitimate site. Ads are shown to the bot audience and impressions are generated toward CPM campaigns.  

Ad Injection 

Ad injection involves placing ads on websites without the site owner’s permission, often by exploiting vulnerabilities in browsers or website code. This practice can compromise user experience and site integrity while generating fraudulent ad revenue for the scammer. Ad injections will often occur by exploiting known security vulnerabilities, so keeping browsers or software that runs your website up to date is a critical step in prevention. 

CTV Fraud 

Specific to streaming content, connected TV fraud (CTV) happens when commercial views are faked on a video platform. Impressions and engagement metrics are faked or unscrupulously obtained, appearing to advertisers that ads are being served. Methods of CTV fraud mirror other types of fraud, using bots or software exploits to get around detection.  

RTB Impression Fraud 

Real-time bidding (RTB) impression fraud exploits programmatic advertising platforms to artificially inflate the cost of impressions. Like with RTB click fraud, fraudsters seek to manipulate CPM cost by using other fraud tactics like bots or spoofing. This practice will increase overall CPM fraud revenue by driving up the price per thousand impressions.  

Lead fraud 

Lead fraud exploits cost-per-lead (CPL) advertising campaigns, where advertisers pay for potential customer leads like form submissions, phone calls, or information requests. Fraudsters employ various deceptive tactics: 

  • Bots & click farms: Fake leads are entered by bots or bad actors 
  • Stolen or recycled leads: Lead information is illegally attained or reused 
  • Misleading leads: People are tricked into submitting their information as a lead 

These fraudulent leads initially appear valid, causing advertisers to waste significant budgets on fake prospects while corrupting their marketing data and analytics. The fraud undermines campaign performance measurement and proper budget allocation. 

Install fraud 

Install fraud exploits mobile app advertising by generating fake downloads to steal cost-per-install (CPI) payouts. Common schemes include: 

  • Device farms: Workers in low-wage regions perform mass installations for less than commission cost, creating worthless downloads 
  • Emulator farms: Software simulates multiple devices to claim numerous fake installs simultaneously 
  • SDK spoofing: Hacked apps report false install data to redirect commissions 
  • Backdoor installs: Legitimate-seeming apps secretly download other apps without user consent 
  • Malicious software: Pre-installed malware claims credit for organic app installations 

These methods often include automated in-app actions to make fraudulent installs appear legitimate and evade detection. 

Sales Fraud

The most straightforward, non-technical form of ad fraud is sales fraud which simply involves lying and stealing. CPA (cost-per-acquisition) fraud targets sales commissions by creating fake transactions that appear genuine but are fraudulent. Common tactics include: 

  • Credit card fraud: Scammers use stolen card data to generate sales, knowing they’ll result in chargebacks while pocketing commissions 
  • Cookie stuffing: Hidden cookies are planted to falsely claim credit for sales they didn’t generate 
  • Deceptive marketing: Products are deliberately misrepresented to drive sales through false claims 
  • Malware attribution: Malicious software hijacks legitimate sales tracking to steal commission credit 

By the time merchants discover fraud through chargebacks and customer complaints, the fraudster has disappeared with their commissions, leaving businesses to handle financial losses and damaged customer relationships. 

Free IP lookup API to uncover fraud, bots, and high risk users.

Learn More About Our Products

Understanding IP risk scores is just one piece of the fraud prevention puzzle.
Take your security efforts further with Fraudlogix’s suite of solutions: