The results are in – and they’re not pretty.

“I’ve had my eyes opened and it’s frightening,” said Bob Liodice, president and CEO of the Association of National Advertisers (ANA), which released the fruits of its anti-fraud study on Tuesday. The work was conducted in conjunction with online ad security firm White Ops as part of an effort to get closer to a true quantification of online ad fraud.

The numbers point to a serious issue facing the industry. White Ops estimated that bot fraud left unchecked would lead to about $6.3 billion in losses in 2015. That said, the data uncovered by White Ops is somewhat less than what other ad fraud-detection companies might claim.

“Our estimates come below figures that have been bandied about by Solve Media and the analytics guys,” said White Ops CEO Michael Tiffany. “But that’s because a) they’re not scientists and b) they’re just marketing their products so they can capture people’s attention.”

The report found that bots are responsible for 23% of all video impressions and 11% of display ads. The 60-day study tracked 181 campaigns among 36 ANA members – a veritable who’s who of ad spend, including AB InBev, Colgate-Palmolive, ConAgra Foods, General Mills, Johnson & Johnson, Kellogg’s, Kimberly-Clark, Walmart and Verizon.

White Ops looked at 5.5 billion impressions, 85% of which were display, with video making up the remainder. Although mobile did not fall within the scope of this report, Tiffany and the ANA are mulling a separate study to tackle the growing concern around mobile fraud.

Tiffany attributed the differential between video and display to one simple factor – the almighty dollar. Video CPMs are high and they attract a smarter breed of criminal. Video ad bots need to be created using HTML5, support plug-ins and javascript, have cross-browser compatibility and be able to fully load and play a video. Anyone coding at that level is most likely building in robust countermeasure so as not to get caught, Tiffany said.

“Video ad buying is growing by leaps and bounds – but we found that almost one quarter of all video ad views are bogus, which means that the market expectation of how many people are actually watching videos online is wildly wrong,” Tiffany said. “And that’s a perfect condition for a bot because it can fill in the gap between the buy-side demand and the available supply.”

Drilling down a bit into the numbers, the study also found that bot traffic among programmatic display was 55% higher than overall bot traffic at 17% – but that doesn’t necessarily mean that automation is responsible for the problem.

“Yes, the programmatic number at 17% is worse than the 11% display average, but it’s not hugely worse,” Tiffany said. “That just goes to show you how much fraud is probably happening in direct buys.”

Much of the bot traffic identified by White Ops took place in what Tiffany called the “well-lit parts of the Internet.” Of the roughly 3 million sites it examined, only a small minority were bogus websites controlled by the bot masters themselves.

Most of the sites implicated, both premium and long-tail, were recognizable, popular and legitimate – but that doesn’t protect them from bots, which, depending on the site, can comprise anywhere between 5% and 50% of their monetized audiences.

“Quite simply, fraud has permeated every level of the supply chain and it’s even attacking the premium sites,” Liodice said.

But programmatic – named the top marketing word of 2014 by the ANA – isn’t necessarily to blame. Bots are using the concept of ad targeting against itself, Tiffany said.

“The problem with programmatic is not a matter of maturity, it’s a matter of audience targeting,” he said. “Much of the fundamental value proposition of buying programmatically is that you can reach the right person no matter what websites they visit, and bots are made to take advantage of that. Bots clone the cookies related to high-value customers. Ads are then targeted to that cookie as if its a real person.”

That could be the reason why White Ops noted 19% bot fraud among retargeted ads – 73% higher than the 11% average for regular display.

“Retargeting is one of the things that has the privacy advocates up in arms because it feels so creepy to have ads follow you from site to site,” Tiffany said. “But it’s not even as effective as you might think because it’s being so thoroughly undermined by the bad guys.”

Who’s Going To Fix It?

Now that the industry is closer to putting a number on ad fraud – although Liodice was quick to note the study somewhat underestimates the problem – it’s time to start doing something about it.

The report outlines certain steps advertisers and publishers can start taking right away, including avoiding legacy browsers and dayparting. Most bots operate between midnight and 7 a.m., which means advertising during daylight hours time zone by time zone is a less risky proposition than advertising at all hours.

White Ops also discovered that outdated browsers often have more bots using them than actual humans. Old versions of Internet Explorer are two of the worst offenders – roughly 58% of impressions coming from IE6 were fraudulent, with IE7 faring only slightly better at 46%.

“The problem with these actions is that when advertisers start changing, the bot operators will adapt,” Tiffany said. “That’s why the recommendation I’m most bullish about has to do with changing the way insertion orders and RFPs are conducted and how terms and conditions between advertisers and publishers are written to require the publishers to be more transparent about where and how they source their traffic.”

It’s a systemic problem. The report revealed that publishers who buy sources traffic from third parties have about 52% more bot fraud.

But the accountability shouldn’t sit squarely on the publisher community’s shoulders.

“The exchange has a responsibility to detect fraudulent impressions and not sell them. And buyers have the responsibility to detect signals, so we can set up this ecosystem,” said Neal Richter, chief scientist at the Rubicon Project, speaking at AdExchanger’s Programmatic I/O conference in New York City in September.

And advertisers also need to shoulder some of the burden, too. We’re all in this together, Liodice said.

“The easy answer is that we’re all responsible,” Liodice said. “The hard answer is figuring out what every group has to do in order to respond to this challenge. Fraud is arguably perpetuated by the passivity of some of the advertisers out there, but we’re starting to put our foot down. We needed a collective kick in the pants to move us forward – and this is it.”