What Types of Invalid Traffic Does TrafficGuard Prevent?

Every type of invalid traffic prevented by TrafficGuard

‍

Remind me, what is invalid traffic?

‍

Invalid traffic (or IVT) refers to any clicks or impressions that don’t come from a user with genuine interest. IVT is generated by actions that provide no legitimate value to the advertiser, and covers both fraudulent activities as well as accidental clicks.

‍

And why should I care?

‍

Wasted opportunity cost is the big bad of IVT - you don’t want to waste precious spend on clicks that won’t convert (like the TrafficGuard customer who was losing 36.2% of their ad spend to clicks from invalid sources). However, IVT’s effects stretch further than just the financial side of business.
‍

It can also massively compromise the quality of your marketing data. You need complete certainty in the validity of traffic to make effective and efficient campaign optimisations. Data is gold dust, so the cleaner and more accurate you can make your data, the better your campaigns will be. Using sham data? Expect sham results.
‍

In the worst case scenario, large volumes of IVT can lead to traffic sources appearing more lucrative than they are, with marketers subsequently diverting spend towards channels that don’t produce valid opportunities. Precious time, effort, and budget are funnelled into sources which do not produce a strong ROI.

‍

That’s why TrafficGuard exists

‍

Lucky for you, we’re here to stop the slippery slope of over-spend before it even starts. Our solution is built to prevent all kinds of invalid traffic, whether it’s bad guys behind screens or existing customers innocently clicking on your ad placements.

‍

The types of invalid traffic TrafficGuard prevents

General invalid traffic

Referred to by those-in-the-know as GIVT, general invalid traffic is a form of invalid traffic generated non-malicious activity. This could be existing customers who click on your ads just to navigate to your sign-in page, or just web crawlers. GIVT is the most common type of IVT, but that doesn’t mean it doesn’t affect your ad budget.

‍

Accidental clicks

It’s pretty simple, these are any clicks from users that were unintentional. If a finger slips when a user is scrolling they may land on your site and immediately leave. That’s why bounce rate is a big indicator of accidental clicks. 

‍

Clicks from existing customers

Often an issue with companies who host a customer portal or log-in on their site, clicks from existing customers occur when users navigate to your site via paid ads. You pay for these clicks even though they’ll never deliver further conversions or value— because they’re already paying you! 

‍

Known data centre traffic

Known data centre traffic is any traffic that has been detected, by its IP Address, to originate in a data centre. If this is the case, it’s likely to have come from a server rather than a laptop, smartphone, tablet or other device. High volumes of traffic from a single location, or high volumes of traffic from VPNs/anonymous proxies are good indicators of data centre traffic.

‍

Sophisticated invalid traffic

‍

Sophisticated invalid traffic is a lot more technical and harder to catch. It usually requires advanced analytics and significant human intervention to identify, analyse, and prevent.

‍

Ad injection

Ad injection is the technique of surreptitiously inserting ads on a publisher’s website without their consent. This can be done by placing the ads over the originally shown ads, replacing the original ads altogether or by placing ads on websites that otherwise never show ads. Ad injection is typically perpetrated as a background task by a user-downloaded browser extension, plugin or app. Without the knowledge of the user, the software injects ads into the user’s browser as they visit websites.

​

The impacts of ad injection are huge. They block the content on the publisher’s website impacting the user experience; they often contain malware that can compromise user security, and they obscure the website’s own advertising from the user’s view.

‍

Ad stacking

Ad stacking occurs when a fraudster layers or stacks multiple ads on top of one another so that only the top ad is visible to the user. When the user clicks the ad, they’re also unknowingly clicking all the ads underneath. 

‍

The biggest indicator of ad stacking is when multiple clicks are registered from the same user at the same time.

‍

App install farms

You may have seen pictures of these “farms” circulating on the web, app install farms use banks of physical devices to actually click on ads, download apps to devices, and then open them to trigger install events. The device ID is sometimes reset between app installs, making each install from the same device look like it is a new user. This tactic makes clicks look genuine from real devices - because they are! However, there is no genuine intent, and therefore no real engagement and no ROI for the advertiser.

‍

App install farms often show themselves through the high number of genuine devices generating installs from one location. Some less sophisticated farms can be detected by high volumes of installs from single IP addresses, so blocking these IP addresses is a common method of mitigating this type of traffic once detected.

‍

Auto-refresh

By incorporating auto-refresh functionality, each advertising slot on a website gains the ability to showcase multiple advertisements within a single page view. These ads are refreshed at regular intervals, with the refresh rates determined by various factors such as time durations or user interactions like scrolling, clicking on the screen, or utilising site search.

‍

Certain publishers opt for shorter refresh intervals in an effort to maximise the number of ads displayed within a single page view. Due to the brief duration of ad displays, users may not fully view the ad, but an impression will still be logged. Misusing auto-refresh in this manner, especially within a CPM (cost per thousand impressions) model, results in advertisers paying for impressions on ads that were either not viewable or not displayed long enough to elicit the desired audience response.

‍

Bots

As a pretty broad term, “bots” can refer to a number of different attack methods. A bot is an automated software program designed to carry out specific tasks over the internet, such as crawling websites and indexing content for search engines. However, in the context of ad fraud, we are usually talking about the ‘bad’ bots that are programmed to emulate human behaviour. These vary in levels of sophistication and can do anything from clicking and viewing ads to watching videos, installing apps and even adding products to the shopping cart. 

‍

Click injection

Click injection uses an app located on the user’s device which “listens” to app installation broadcasts. Bad actors are informed when new apps are installed on the device, triggering a click before installation is completed, enabling them to take credit for the install.

‍

The time between every click and install is measured, forming a normal distribution of the time to click an ad and install the corresponding application. Anything that falls outside of this is flagged by TrafficGuard. Given the size of the app, the time between clicking the ad and downloading the app will be impossibly short when Click Injection occurs.

‍

Click spam

Click spam occurs when a large volume of clicks are faked on a mobile device, even though the user never clicked the ad. If the user or a user with a similar fingerprint later visits the target website and installs the app, the spammer receives credit for the install and is paid a commission. Due to the install actually being misattributed this is considered invalid.

‍

Compliance fraud

Compliance fraud occurs when traffic is deliberately sourced from outside of the advertiser’s target audience or using means prohibited by the advertiser. Fraudsters attempt to maximise their ROI by misrepresenting cheap traffic as premium traffic. For example, sending traffic from a tier 3 country to a campaign specifically targeting a tier 1 country. Technically the install is by a genuine user, but not the user the advertiser is targeting.

‍

Above normal volumes of traffic received from VPN’s or anonymous proxies from a single supply, sources indicate that fraudsters are attempting to obscure details about their traffic. This helps them to disguise low value, out of target traffic; to distribute traffic from other fraud tactics such as App Install Farms over multiple IP addresses to evade detection, and to evade IP blacklists. If TrafficGuard observes unreasonably high volumes of anonymised traffic, it automatically blocks that source of supply.

‍

Cookie stuffing

A type of affiliate marketing fraud, cookie stuffing or cookie dropping is the practice of surreptitiously attaching multiple third-party cookies to a user after they visit a website or click on a link. The additional cookies are tied to websites that are unrelated to the website/link originally visited by the user. If the user ends up visiting these websites and converting, tracked by the cookie, the bad actor gets the credit.

​

The reason why cookie stuffing is considered illegitimate is that the bad actor who had no role in encouraging the user to visit the website gets credit for the conversion while the legitimate source loses attribution.

‍

Domain spoofing

Domain spoofing is a practice through which bad actors monetise the traffic from low-quality sites by manipulating the domains and making it appear to come from high-quality sources.

​

To the advertisers, it appears that their ads are being shown on premium websites but in reality, traffic is coming via low-quality sources. For example, a pirated video website spoofing its domain to appear as The New York Times to sell its inventory at a premium price.

‍

Location fraud

Advertisers invest extra funds for geo-location targeting, aiming to display their ads exclusively in designated regions where traffic costs may vary. Location fraud arises from the manipulation of users' location data to align with the advertiser's targeting preferences. 

‍

For instance, in a campaign directed at users in a high CPM country, a bad actor might alter location information to present traffic from low CPM regions, thereby meeting the campaign criteria and illicitly obtaining the higher CPM.

‍

Pixel stuffing

Pixel stuffing occurs when one or more ads, typically of standard dimensions like 468 x 60, are condensed into a minuscule 1x1 pixel frame within a publisher's site. Each time a visitor accesses this website, it results in an impression being triggered, despite the ad being nearly imperceptible to them. Through the reduction of ads to a mere 1x1 pixel, malicious actors can generate impressions from a larger quantity of ads than they would authentically be able to accommodate on a page.

‍

Retargeting fraud

Retargeting campaigns typically command higher CPMs compared to regular display advertising. So when a bad actor fabricates engagement in retargeting campaigns, they stand to gain a higher payout.

To achieve this, these actors employ two main strategies: either generating artificial clicks to claim credit when a user naturally reengages, or using programmed bots to visit and interact with a website in a manner that mimics authentic and genuine user behaviour. When these bots abandon carts or navigate away without completing a conversion, they give the appearance of high-value users, making them eligible for inclusion in the website's retargeting lists. This artificial audience of bots becomes the target of retargeted advertising, generating revenue for the traffic source even though there is no authentic advertising engagement.

‍

Sophisticated bot driven instals

Users unknowingly download seemingly legitimate apps that employ background install bots. These sophisticated bots replicate human behaviour by downloading, opening and interacting with apps without the user's awareness.

Although the clicks take place on genuine devices and the apps are genuinely downloaded, the installations lack value for the advertiser since they don't involve genuine user engagement.

‍

Our detection process begins with comprehensive monitoring of post-install events by each traffic source. TrafficGuard observes events that occur extensively as bots adhere to programed patterns. By scrutinising each traffic source independently while also having the capability to analyse their traffic across multiple campaigns, TrafficGuard can assess whether their overall traffic conforms to the expected patterns.

‍

User-agent spoofing

A user agent is a set of data, encompassing details such as browser name, version, operating system, and device type, transmitted by your browser to every website you visit. Its purpose is to assist websites in tailoring content display to suit your device.

Marketers often leverage user-agent data to verify their ad traffic against targeting criteria, as it provides comprehensive information about each website visitor. For instance, they may assess whether the device type is mobile to validate traffic for a mobile ad campaign. However, it's worth noting that user-agent information can be manipulated through a practice known as user-agent spoofing.

‍

In user-agent spoofing, malicious actors alter elements of the user agent string to obscure details of their traffic. This manipulation can involve making high volumes of traffic from a single device appear as numerous individual advertising engagements from multiple devices. Additionally, these actors may manipulate the user agent to make out-of-target traffic resemble the targeting criteria, such as presenting desktop traffic as iPhone traffic, in order to pass it off as valid.