This year has been proclaimed as a milestone in advertising, marking the first time that digital ad spending in the United States will surpass that of more traditional media like TV, radio, outdoor, and print. Marketing research firm eMarketer reports that total U.S. digital ad spending will grow 19% to $129.34 billion this year, about 54% of the estimated total ad spending. More than two-thirds of that digital spend will be on mobile–about $87 billion this year. The global digital advertising market has been pegged at about $250 billion for 2019.

As marketers are pouring billions into digital ads, a new report from Tel Aviv-based cybersecurity firm Cheq says up to 20% of that money is being stolen through ad fraud. Not only that, but 77% of that fraud is more sophisticated than the industry is prepared to deal with.

“This finding is clear and counterintuitive,” says Cheq’s chief strategy officer Daniel Avital. The study looked at 4.1 billion ad requests made in the United States across 1.2 million domains, between October 2018 and February 2019. “You always expect the dumb fraud to be more prevalent than the sophisticated type. But this is exactly the opposite. This means that the tools being used today to combat the fraud are very likely not enough, and the industry as a whole needs to step up its game.”

Back in 2017, Juniper Research estimated $19 billion would be lost to ad fraud in 2018. Ad fraud has been called the most lucrative yet low-risk form of crime in the world. Because of that, Avital says it’s drawing tech fraud talent from other industries, like the financial sector, making the type of fraud that much more advanced.

Why should consumers care if brands are getting ripped off for billions of dollars every year? Avital says that while ad fraud doesn’t target or steal from consumers directly, there is collateral damage. In many cases of fraud, millions of user IPs are hijacked to fake traffic at scale and make money. “What they’ll do is get innocent users to download some form of malware, which allows them to mine the computing power of that person,” says Avital. “You’re not the target of the fraud, but you are being used for it. There are also plenty of data privacy issues that arise from that.”

The longer-term threat of large scale digital ad fraud is that by eroding trust in the system, the free internet that advertising supports is undermined. The more money stolen, the less gets into the hands of the publishers and content producers who make the stuff we see for free thanks to advertising.

For the ad industry, Avital says that the most common practices of prevention need to be re-evaluated. He says the most common practice today in ad fraud mitigation is buying a list of known fraudulent IPs and cross-referencing it with a client’s ad traffic. If they see a fraudulent IP, they flag it. “That is in no way an effective method to fight fraud, because these IPs are very easily manipulated,” says Avital. “Finding that much more of ad fraud is more sophisticated than we imagined, should prompt the industry to say, ‘Let’s have an honest discussion about what technology is being used here.”