General and sophisticated invalid traffic
General Invalid Traffic GIVT consists of traffic identified through routine means of filtration executed through the application of lists or with other standardised parameter checks. Sophisticated Invalid Traffic SIVT consists of more difficult-to-detect situations that require advanced analytics, multi-point corroboration/coordination, significant human intervention, etc. to analyse and identify.Few readersKnown data-centre traffic
Known data-centre traffic is 'determined to be a consistent source of non-human traffic, not including routing artefacts of legitimate users or virtual machine legitimate browsing.' Classification General Invalid Traffic (GIVT) Tapper Indicator High volumes of traffic from a single location High volumes of traffic from VPNs or anonymous proxiesFew readersCookie stuffing
A type of affiliate marketing fraud, cookie stuffing or cookie dropping is the practice of surreptitiously attaching multiple third-party cookies to a user after they visit a website or click on a link. The additional cookies are tied to websites that are unrelated to the website/link originally visited by the user. If the user ends up visiting these websites and converting, tracked by the cookie, the bad actor gets the credit. The reason why cookie stuffing is considered illegitimate is thatFew readersBots and spiders or other crawlers
Bots and spiders or other crawlers represent non-human activity on the web. In some circumstances, these bots, spiders, or other crawlers are legitimate - e.g. "good" - but they are still non-human nonetheless. While these bots, spiders, or other crawlers are good, they may trigger ad impressions under certain circumstances and must be filtered out in order to protect performance data. Classification General Invalid Traffic (GIVT) Tapper Indicators Identified by its user agent as aFew readersBots
Short for robot, a bot is an automated software program designed to carry out specific tasks over the internet, such as crawling websites and indexing content for search engines. However, in the context of ad fraud, we are usually talking about the ‘bad’ bots that are programmed to emulate human behaviour. These vary in levels of sophistication and can do anything from clicking and viewing ads to watching videos, installing apps and even adding products to the shopping cart.Few readersApp install farms
App Install Farms use banks of physical devices to actually click on ads, download apps to devices, and then open them to trigger install events. The device ID is sometimes reset between app installs, making each install from the same device look like it is a new user. This tactic makes clicks look like real clicks on real devices because they are, BUT... the users aren't real so there is no real engagement and no ROI for the advertiser. AKA: Device ID Reset Fraud Objective: Generate aSome readersActivity-based filtration
A legitimate user displays certain behaviour different from an illegitimate user, for example, a legitimate user will not do the same, monotonous routine over and over again. They will not click abnormally fast, or make a click at exact 5-second intervals. Activity-based filtration is the measurement of user activity to flag transactions that are too fast, too repetitive, at precise intervals or are missing key pieces of data standards to valid traffic. Classification General Invalid TrafFew readersNon-browser user-agent headers or other forms of unknown browsers
A device that declares a User-agent header not normally associated with human activity.' Classification General Invalid Traffic (GIVT) Tapper Indicator user-agent is unknown or non-standardSome readersClick injection
The Android operating system broadcasts to all apps on the same device that a new app is being downloaded. Fraudsters develop seemingly legitimate apps and tools that use this broadcast to trigger clicks to the app store. The click will occur after the new app is downloaded, but before it is opened, making it look like the specific (ie. most recent) click that delivered the install, thus stealing attribution of that install. AKA: Organic Poaching, Install Theft, Misattribution Fraud ObjecFew readersClick spam
Click spam occurs when a large volume of clicks are faked on a mobile device, even though the user never clicked the ad. If the user or a user with a similar fingerprint later visits the target website and installs the app, the spammer receives credit for the install and is paid a commission. Due to the install actually being misattributed this is considered invalid. AKA: Click Flooding, Organic Poaching, Install Theft, Misattribution Fraud Objective: Steal attribution of an organic insSome readersPre-fetch or browser pre-rendered traffic
'A device that makes html or ad requests ahead of specific human-initiated navigation to the requested resources.' Classification General Invalid Traffic (GIVT) Tapper Indicator when a site-id has a low ratio click-to-install Fraud Tactics Click SpamFew readersCompliance fraud
Compliance Fraud occurs when traffic is deliberately sourced from outside of the advertiser’s target audience or using means prohibited by the advertiser. Usually, the objective of the fraudster, in this case, is to maximise their ROI by misrepresenting cheap traffic as premium traffic. For example, sending traffic from a tier 3 country to a campaign specifically targeting a tier 1 country. Technically the install is by a genuine user, but not the user the advertiser is targeting. ObjectiveSome readersBots and spiders or other crawlers masquerading as legitimate users
A browser, server or app that makes page load calls automatically without declaring themselves as a robot, instead declaring a valid regular browser or app user agent where there is no real human user.'Few readersSophisticated bot driven installs
Seemingly legitimate apps are downloaded by unsuspecting users that run install bots in the background. These sophisticated Bots mimic human behaviour to download, open, and in some cases, engage with apps without the knowledge of the host. The clicks are occurring on real devices and apps are actually downloaded but the install is of no value to the advertiser because it isn't being engaged with by a real user. AKA: SDK Spoofing Objective: Generate a fake install or fake engagement/retSome readersHijacked devices, user sessions, ad tags and ad creatives
'Any user's device (browser, phone, app or other system) that has been modified to call html or make ad requests that is not under the control of a user and made without the user's consent. These include: Hijacked device with a fully automated browser - a hijacked device where the device is a browser and the modification is that the browser is hidden from user view and engaged in making html or ad calls. Hijacked device with session hijacking - a hijacked device where a user is presentFew readersAd stacking
Ad Stacking occurs when a fraudster layers or stacks multiple ads on top of one another so that only the top ad is visible to the user. When the user clicks the ad, they unknowingly click all the ads underneath the intended ad. Like Click Spamming, when the click's fingerprint resembles that of an install, the install is credited to the partner that sent the fraudulent click. AKA: Ad Layering, ClickJacking, Organic Poaching, Install Theft, Misattribution Fraud Objective: Steal the attriSome readersHidden/stacked/covered or otherwise intentionally obfuscated ad serving
'When multiple ads are delivered to the same page or app but are intentionally hidden e.g. impossible for the user to see them - they are considered invalid ads.' |Few readersInvalid proxy traffic
Traffic that is routed through an intermediary proxy device or network where the ad is rendered in a user's device where there is a real human user. This includes: Proxy traffic that is anonymised Proxy traffic that is not anonymisedFew readersAd injection
Ad injection is the technique of surreptitiously inserting ads on a publisher’s website without their consent. This can be done by placing the ads over the originally shown ads, replacing the original ads altogether or by placing ads on websites that otherwise never show ads. Ad injection is typically perpetrated as a background task by a user-downloaded browser extension, plugin or app. Without the knowledge of the user, the software injects ads into the user’s browser as they visit websites. Few readersAuto-refresh
With auto-refreshing, every advertising space on a website can serve multiple ads within a single page view. The ads are refreshed after regular intervals and their refresh rates could be based on a range of things including time durations or user actions like scrolling, clicking on the screen or using site search, etc. Some publishers set low refresh intervals in an attempt to cram as many ads as possible in a single page view. Because the ad display duration is really short, the user might noFew readersAdware + Malware
'A device where a user is present and additional html or ad calls are made by the Adware independently of the content being requested by the user.' lowtimeclicktoinstallsiteid | anomalyclicktoinstalltimeFew readersIncentivised manipulations of measurements
'Fraudulent incentivised promotion of an entity without its knowledge or permission. Excludes cases where the entity paying for the incentive is the entity being promoted.' scoresiteidsubpartner | highratioclicktoinstallsiteid |Few readersDomain spoofing
Domain spoofing is a practice through which bad actors monetise the traffic from low-quality sites by manipulating the domains and making it appear to come from high-quality sources. To the advertisers, it appears that their ads are being shown on premium websites but in reality, traffic is coming via low-quality sources. For example, a pirated video website spoofing its domain to appear as The New York Times to sell its inventory at a premium price.Few readersFalsified viewable impression decisions
'Out-of-view ads that fake compliance to the MRC standards for viewability.'Few readersPixel Stuffing
Pixel stuffing happens when one or more ads of normal dimension, say 468 x 60, are compressed into a tiny 1×1 pixel frame on a publisher’s site. Every time a visitor lands on this website they will trigger an impression, even though the ad is virtually invisible to them. By reducing ads to only 1×1 pixel, bad actors can trigger impressions from a greater number of ads than they would legitimately be able to fit on a page.Few readersFalsely represented sites
'html or ad calls that attempt to represent another site or device or other attribute, other than the actual placement.' Abnormally high conversion rates |Some readersLocation fraud
Advertisers pay a premium for geo-location targeting to serve their ads in specific regions only, with traffic in some regions being more expensive than others. Location fraud involves manipulating users’ location information to match the advertiser’s targeting criterion. For example, for a campaign targeting users in a country with high CPMs, a bad actor may provide traffic from regions with low CPMs by manipulating the location to meet the campaign criteria and steal the higher CPM.Few readersCookie stuffing, recycling or harvesting
'The process by which a client is provided with cookies from other domains as if the user had visited those other domains.'Few readersUser-agent spoofing
A user agent is a string of data, including browser name, version, operating system and device type, that your browser sends to every website you connect with to help it customise the content display to your device. Because the user-agent offers a range of information on every website visitor, marketers often use the user-agent data to cross verify their ad traffic against their targeting criterion. For example, checking whether the device type is mobile to pass the traffic as valid for a mobilFew readersManipulation or falsification of location data
'Many advertisers use location-based data to enhance their targeting. Fraudsters use this to their advantage by faking location data in order to maximise their ROI.' Abnormally high conversion rates | excessiveratiotorsubpartnFew readersRetargeting fraud
Retargeting typically attracts higher CPMs than regular display advertising. This means if a bad actor is able to generate a fake engagement on retargeting campaigns, they can steal a higher payout. To do this, bad actors either generate fake clicks so when a user organically reengages they get the credit, or they use programmed bots to visit and engage with a website in a way that resembles the behaviour of a real and interested user. When the bots abandon carts or navigate away without converFew readersInvalid impressions
Impressions that do not meet certain ad serving quality or completeness criteria, or otherwise do not represent legitimate ad impressions that should be included in impression counts. Among the reasons why an ad impression may be deemed invalid is it is a result of non-human traffic (spiders, bots, etc.), or activity designed to produce fraudulent impressions. Fraudulent Impressions Impressions that result from an intentionally deceptive practice designed to manipulate legitimate ad servinFew readersDuplicate clicks
This threat is identified in Tapper reporting as Rate duplicate click GCLID. Duplicate clicks result when a Google Pay-Per-Click (PPC) user clicks 2 or more times on the same instance of an ad multiple times within a set time period defined by Google. The same ad is identified using the Google Click ID (GCLID). These duplicate clicks are generally, although not always, identified by Google and you will not be charged for them. ThFew readers