Invalid traffic

    Every year, I have to write a refresher about what digital ad fraud is and how it is


    It’s because for the last four years TAG (Trustworthy Accountability Group), a certification body created by industry trade associations ANA (Association of National Advertisers), IAB (Interactive Advertising Bureau), and 4A’s (American Association of Advertising Agencies), has put out a report claiming they “solved” fraud and that it is a low, low “1.05%” now. They claim that their self-attested “certifications” where companies complete paperwork, pay the fee, and swear they won’t do fraud get a “Certified Against Fraud” plaque, scarf, and cushion. But this article is not about how TAG’s shortcomings create a false sense of security; that’s already been covered extensively elsewhere [1], [2], [3], [4], and most people understand this already and are smart enough to not pay the TAG annual dues anymore. (Those who say they know TAG is useless, but still paid the extortion “for optics purposes” should stop that right away.)

    TAG, 2020 Report

    This article is about publisher fraud — both the ways they cheat on websites and in apps and the ways they cheat with fake users and traffic. These are two different things. By focusing on IVT (invalid traffic), TAG and the fraud detection tech companies they cite are only looking at a third of the problem at best, and thus underestimating the fraud, often by a lot.

    While TAG repeatedly claims 1% invalid traffic (IVT), we continue to see 30 - 50% fraud in campaigns that include large portions of ads purchased through programmatic channels. Well-managed campaigns, however, keep fraud at bay, in the 1 - 5% range, precisely because they have the analytics to see the other forms of fraud that are not just IVT, and block the websites and mobile apps that are committing it from their campaigns.

    Let me explain further.

    1. Invalid Traffic, Fake Users

    This is the form of digital ad fraud that most people are familiar with. It’s because it’s been around the longest and is the most trivial. IVT is a nice acronym for bots, as is NHT (non-human traffic). G-IVT means general invalid traffic. These are the bots that tell you they are bots, like Googlebot (used to index webpages), bingbot, Facebook bot, etc. You don’t need any specialized detection tech to see these bots because they tell you themselves. S-IVT means “sophisticated” invalid traffic. These are the bots that deliberately disguise themselves, by lying about their name. They call themselves Chrome, Safari, Firefox, etc. even though they are software programs run in a data center for the purpose of loading webpages to generate ad impressions fraudulently.

    These bots can be simply made with Python, curl, PHP or other programming languages or they can be “headless” browsers that are remotely controlled by the thousands.


    They are called “headless” because even though they load the webpages, they don’t need to display anything on a screen for a human to see. These are developer tools that are used to test webpages. These bots in a data center can load millions or billions of ad impressions and not get caught. Obviously, they are in an arms race with the detection companies. But the bots are always a step ahead. Over time, these data center bots add capabilities to disguise themselves better.

    For example, they can use residential proxy services to “bounce the traffic” to make it appear they are coming from “residential” locations instead of “datacenters” so it’s much harder for detection tech to catch them. The bot detection companies are also afraid of being accused of “false positives” so if they are not sure about something, they let it through, as not “invalid.” But that doesn’t mean it’s valid — i.e. a human viewing a webpage.
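    The G-IVT / S-IVT split described above, as an added example that is not from the original article. The bot tokens, the data-center ranges (RFC 5737 documentation addresses), the sample records and the rule "browser name plus data-center IP" are assumptions made for illustration; the record relayed through a residential proxy ends up "unclassified", which is exactly the "not invalid" bucket the paragraph warns about.

```python
import ipaddress
from collections import Counter

# User-Agent tokens of crawlers that announce themselves (G-IVT).
DECLARED_BOTS = ("googlebot", "bingbot", "facebookexternalhit")
BROWSER_NAMES = ("chrome", "safari", "firefox")
# Constructed stand-ins for a data-center IP list (RFC 5737 documentation ranges).
DATACENTER_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def classify(rec):
    """Label one impression record: 'G-IVT', 'S-IVT-suspect' or 'unclassified'."""
    ua = rec["ua"].lower()
    if any(tok in ua for tok in DECLARED_BOTS):
        return "G-IVT"                      # the bot told us it is a bot
    ip = ipaddress.ip_address(rec["ip"])
    from_datacenter = any(ip in net for net in DATACENTER_NETS)
    claims_browser = any(name in ua for name in BROWSER_NAMES)
    if "headlesschrome" in ua or (claims_browser and from_datacenter):
        return "S-IVT-suspect"              # browser name, but not a consumer device
    return "unclassified"                   # not flagged, which is not the same as human

def summarize(records):
    """Counts per label plus the IVT % a detection report would show."""
    counts = Counter(classify(r) for r in records)
    flagged = counts["G-IVT"] + counts["S-IVT-suspect"]
    return {"counts": dict(counts), "ivt_pct": 100.0 * flagged / len(records)}

def unflagged_bots(records):
    """IPs of records known (in this constructed sample) to be bots yet left unclassified."""
    return [r["ip"] for r in records if r["truth"] == "bot" and classify(r) == "unclassified"]

CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
# Constructed sample records; 'truth' exists only because the data is made up.
SAMPLE = [
    {"ip": "203.0.113.5", "truth": "bot",
     "ua": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    {"ip": "192.0.2.10", "truth": "bot", "ua": CHROME},
    {"ip": "198.51.100.7", "truth": "bot", "ua": CHROME.replace("Chrome/", "HeadlessChrome/")},
    {"ip": "203.0.113.20", "truth": "bot", "ua": CHROME},   # relayed through a residential proxy
    {"ip": "203.0.113.21", "truth": "human", "ua": CHROME},
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print("bots that passed as 'not invalid':", unflagged_bots(SAMPLE))
```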

    Publishers use bots of varying levels of sophistication to increase their own ad revenues and this is the 1/3 that IVT detection and TAG are looking at. Below are the 2/3 they are missing.

    2. Website and On-Page Cheating

    Invalid traffic coming to the site is entirely different than forms of cheating that happen on the page. Publishers that cheat can multiply their fraudulent revenues by doing additional shady things on the site. For example, they can stick 100 ad impressions on each page, or 1,000. Seems strange, considering that would make for a bad user experience. But most of these sites don’t serve real human audiences anyway; they were created primarily to make money selling ad impressions — so-called long tail sites, millions of them in programmatic exchanges. Over the years, we’ve seen sites with hundreds of ads per page, ads stacked in the ad iframes, hidden in invisible iframes or windows, or dozens of iframes on the same page, etc.

    Why stop there? The site can reload the page every few seconds to get more ad impressions; they can also refresh each ad slot to get more impressions. Sites are doing pop-unders that continuously load ad impressions in the background without users’ knowledge. Pages are redirecting to other pages or sites. Content discovery widgets on the page are loading entire webpages from other sites in the tiles. The list goes on.
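    One way to audit a page for the stacked and hidden ad iframes listed above, as an added example that is not from the original article. It assumes a hypothetical crawl has already recorded each ad iframe's position, size and styling; the thresholds and the snapshot are constructed.

```python
from itertools import combinations

MAX_ADS_PER_PAGE = 10   # assumed review threshold, not an industry standard
STACK_OVERLAP = 0.5     # flag pairs that share more than half of the smaller slot

def slot(slot_id, x, y, w, h, display="block", opacity=1.0):
    """One ad iframe as recorded by a (hypothetical) page crawl, in CSS pixels."""
    return {"id": slot_id, "x": x, "y": y, "w": w, "h": h,
            "display": display, "opacity": opacity}

def is_hidden(s, viewport_w):
    """True when nobody could see the slot: tiny, styled invisible, or off-canvas."""
    if s["w"] <= 1 or s["h"] <= 1:
        return True
    if s["display"] == "none" or s["opacity"] == 0:
        return True
    return s["x"] + s["w"] <= 0 or s["y"] + s["h"] <= 0 or s["x"] >= viewport_w

def overlap_ratio(a, b):
    """Intersection area divided by the area of the smaller slot."""
    ix = min(a["x"] + a["w"], b["x"] + b["w"]) - max(a["x"], b["x"])
    iy = min(a["y"] + a["h"], b["y"] + b["h"]) - max(a["y"], b["y"])
    if ix <= 0 or iy <= 0:
        return 0.0
    return (ix * iy) / min(a["w"] * a["h"], b["w"] * b["h"])

def audit_page(slots, viewport_w=1280):
    """Report ad count, hidden slots and stacked pairs for one page snapshot."""
    hidden = [s["id"] for s in slots if is_hidden(s, viewport_w)]
    visible = [s for s in slots if s["id"] not in hidden]
    stacked = [(a["id"], b["id"]) for a, b in combinations(visible, 2)
               if overlap_ratio(a, b) > STACK_OVERLAP]
    return {"ad_count": len(slots), "excessive": len(slots) > MAX_ADS_PER_PAGE,
            "hidden": hidden, "stacked": stacked}

# Constructed snapshot of one page's ad iframes.
SNAPSHOT = [
    slot("top", 140, 0, 728, 90),
    slot("rail", 960, 200, 300, 250),
    slot("rail-under", 960, 200, 300, 250),          # same rectangle as "rail"
    slot("pixel", 0, 0, 1, 1),
    slot("offscreen", -5000, 0, 300, 250),
    slot("ghost", 100, 600, 300, 250, opacity=0.0),
]

if __name__ == "__main__":
    print(audit_page(SNAPSHOT))
```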

    Twitter (screen shot)

    Sites can also use JavaScript code to alter viewability measurements of ads on the page. For example, Newsweek Media Group was a TAG Certified Against Fraud company and committing ad fraud at the same time. See: Newsweek Media Group Websites Ran Malicious Code That Experts Say Is Used To Commit Ad Fraud.

    Why wouldn’t all of this site-level cheating be detected by fraud detection technologies? Their tags are in the ads, and not on the webpages of these sites. Further, they are likely sampling — measuring 1 in 100 ad impressions or 1 in 1,000 to save costs. This means the detection is entirely missing the forms of fraud being done by publishers on webpages. The detection tech is looking at the traffic — i.e. bots — coming to the site, as opposed to methods of cheating happening on the site itself. So it is under-reporting the levels of fraud, when reporting an IVT %. And don’t even get me started on how badly they do that too. Just google “buy valid traffic” and you’ll find hundreds of traffic sellers offering traffic/bots that are guaranteed to get by the detection of these tech companies.

    3. Additional Ways That Mobile Apps Cheat

    Finally, the publishers that create mobile apps to make money via digital ads have dozens of other ways they can cheat to make extra money. The rogue flashlight app can load ad impressions in the background; they can load the ads even when the app is not in use or the mobile device is not in use — i.e. 24/7. They are loading different ads from different advertisers, not the same ad from the same advertiser; so it’s unlikely any advertiser will catch them for over frequency. Mobile apps can pass fake geolocation information to make more money - bids with location data earn higher CPMs than bids without locations.

    Mobile apps can also load webpages of sites that pay them for traffic. This makes it appear in the data as if a real mobile device is visiting those websites. The ads are sold by those websites as opposed to the rogue app, so these apps are unlikely to be detected and caught. How does an emoji keyboard app or selfie-camera app load webpages? Where would a human even see a webpage when taking a selfie, let alone want to load a webpage in the camera app? These are hidden browsers that run in the background to commit fraud that is not detected by IVT detection technologies.

    Fraudsters are also clever enough to further multiply their money making by using fake devices (mobile emulation software) in data centers to load these rogue apps. Since it’s all virtual, they don’t need racks and fans to cool roomfuls of physical devices. It’s all software so they can create millions of fake mobile devices, each with dozens of rogue apps to generate billions of ad impressions per minute. See Mobile Fraud is Rampant Beyond Belief.

    Looking at IVT is Seeing 1/3 of the Picture

    To re-cap, publishers cheat by buying bot traffic for their websites. Fraud detection tech companies are tuned for looking for bots/IVT. They catch about 1% of these, but that doesn’t mean the other 99% are humans. Most bots are able to get by their detection. On top of this, the fraud detection tech cannot “see” the cheating happening on the sites and pages themselves - ad stacking, hidden iframes, popunders, etc. And they fail entirely to detect mobile apps’ sundry forms of fraud.


    So when TAG proudly claims credit for reducing fraud, citing IVT detection reports that show 1.05% IVT, you know they literally don’t know what they are talking about and they don’t know what they don’t know. You, the marketer, should look for the other forms of fraud that are still eating up ad budgets. With the right analytics, you can see these forms of fraud yourself and block the websites and apps that are committing the fraud, so your campaigns run more cleanly. You can do this without TAG certification and without buying from TAG certified sellers. The key is to have the right analytics to look at yourself.

    Oh by the way, over the last four years that TAG has been claiming their so-called “certifications” reduced fraud, every year we see more “largest-ever” fraud schemes being outed - across all digital ad formats, including CTV now. The frequency is almost monthly now; large scale fraud schemes are being exposed by cybersecurity researchers and independents who don’t buy the industry party line and certainly don’t buy “TAG Certified Against Fraud.” We’ll let the abundant evidence speak for itself. The prosecution rests.
