A new report from White Ops demonstrates that marketing fraud is growing, but that many in the online advertising space may not realize exactly how much the problem has grown in the past year.

Online marketing fraud primarily consists of the use of fake traffic to commit advertising fraud. This bilks advertisers via the digital marketing platforms they pay for targeted ad delivery.

Advertisers often engage in “pay per impression” or “pay per click” campaigns under the assumption that the person viewing the ad is part of the target demographic they hope to reach. Instead, the report reveals that a growing amount of these supposed prospective customers are actually fairly sophisticated bots designed to milk ad budgets. There are also other emerging forms that are becoming much bigger criminal industries, such as lead generation fraud and incentive program abuse.

Marketing fraud grows along with other forms of cyber crime in 2020

The “2021 Marketing Fraud Benchmarking Survey and Report” was conducted in fall 2020 and surveyed 129 marketing decision makers that mostly (60%) work at companies that employ over 1,000 people. At least half of the responding organizations had average monthly page visits of over 250,000 and spend at least $5 million annually on digital advertising.

As the report notes, the digital marketing industry spends at least $300 billion annually and is expected to grow in the wake of the Covid-19 pandemic effects. While one would reasonably anticipate that nearly all sectors of cyber crime have grown during the pandemic period, marketing fraud is an area that tends to go overlooked. Data breaches that compromise the records of millions tend to grab the headlines, but there is more than enough money in the ad spend pool to attract serious criminal attention.

Marketing fraud can be even more nefarious to organizations than hacking and leaks in that it requires continual auditing to detect. A data breach, or even a serious attempt, generally triggers a cybersecurity audit. Victims of marketing fraud may not even realize that they are hemorrhaging vast sums of money until they conduct a routine audit of their database of leads and their invalid traffic, something that they are not always doing.

And even when organizations are on top of their traffic, they sometimes cannot tell when it is fraudulent. 43% of respondents said that they could not estimate how much of the suspicious traffic on their websites was originating from sophisticated bots. 22% of respondents believe that at least 25% of their sales database is composed of fraudulent leads. A full 2/3 said that they had experienced marketing fraud last year, but less than half said that they regularly scrub their databases for inauthentic contacts.

Communication and assignment of responsibility are contributing to this problem. Less than half of marketing teams even communicate with the security team about these issues, and they can’t decide who is supposed to be preventing marketing fraud: 33% of respondents say it’s the security team’s responsibility, while 40% say the marketing team should be doing it themselves. 12% had no idea who is responsible.

Marketing fraud increase in sophistication

The more sophisticated marketing fraud that these teams are now seeing is difficult to detect because it blends in with the devices and web browsers of legitimate end users. These bots are often planted on the devices of unaware targets (usually via malware) and can make use of the subject’s device information, browsing history and web activity to add a layer of legitimacy to interactions with the advertiser’s site and tools.

These sophisticated bots have both created new marketing fraud models and enhanced existing ones. Lead generation fraud is one example. Criminals have been observed drawing on the personally identifiable information (PII) leaked in massive data breaches to auto-fill forms.

Bots are also enabling previously minor forms of marketing fraud on a much larger scale, some of them incorporating machine learning techniques. One example is the use of bot networks to automatically buy up inventories of limited-release items that are fairly certain to go up substantially in price on the secondary market (particularly with a bunch of bots creating artificial shortages, something that has vexed those seeking to buy the PlayStation 5 and Nintendo Switch gaming consoles in recent months). Another is the mass creation of fake accounts to engage in negative “review bombing” campaigns.

How much fraud can digital marketers expect when they run a campaign? The survey finds that organizations can expect anywhere from 1% to 40% of their traffic to be fraudulent for any given campaign, depending on how tight of a screening ship they run. Large leading retail organizations are estimated to lose about $7 million to marketing fraud each year on the front end, and then another $7 to $8 million in wastage within the marketing tech stack.



Data breaches that compromise the records of millions tend to grab the headlines, but there is more than enough money in the #adspend pool to attract serious criminal attention. #fraud #respectdata

Click to Tweet

However, constant monitoring and auditing is likely impossible for most organizations. So what are the warning signs of bot traffic? The report identifies the following symptoms that should trigger an audit: dramatic traffic spikes that cannot be connected to a recent event, time-on-site metrics that differ drastically depending on the source of the traffic, complaints from the sales team about the quality of leads captured from the web site, and conversion rates come up lower than expected.