How much money do you think you're wasting on paid advertising?

A new study from ANA, in which online ad purchases by 36 major U.S. brands were tracked between August and September 2014, found that 11% of online display ads and 23% of video ads aren't actually displayed to real people. And it's estimated that advertisers could lose more than $6 billion globally to ad fraud in 2015.

If your marketing team is paying for online advertising, you want and expect the views and clicks on your ads to be coming from humans -- real consumers who could potentially buy your product or service somewhere down the line. But in reality, a portion of those impressions and clicks you're seeing in your analytics may not be human at all: They could be bots, i.e. computer programs that mimic real users to defraud advertisers. The hackers create these bots to exploit the paid ad system, and they've been stealing billions of dollars of ad spend from businesses and agencies around the world. (And we're talking about organized criminals here, not tech-savvy twenty-somethings trying to make a buck on the side.)

How exactly are they doing this? In a nutshell, they build fake websites to host ads, sell ad space to businesses, agencies, and ad exchanges, and then send out robots to make fake impressions and clicks on those ads. And the potential for it "exists anywhere that media spending is significant and performance metrics are ambiguous and incomplete," writes IAB. That includes banner ads, video ads, search-based ads, and mobile search ads. So if you're going to spend budget on advertising, you'd better know the risks.

To learn more about digital ad fraud and how it affects marketers and agencies, we spoke to Dr. Augustine Fou, a leading digital strategy and social media marketing expert who earned his PhD from MIT and founded Marketing Science Consulting Group in New York City over 14 years ago. Dr. Fou focused on fraud associated with display ads (which can be affected by "impression fraud") and search-based ads (which can be affected by "click fraud") because they represent the largest portion of total ad spend. And since hackers follow the money, that's where the bad guys are spending the bulk of their time and effort.

In this post, we'll share with you what we learned from Dr. Fou about how impression and click fraud work, what incentivizes the hackers behind these schemes, how the industry is fighting back, and what marketers who advertise can do.

How Impression Fraud Works

Impressions measure the number of times an advertisement is displayed (i.e. viewed or seen), without taking into account whether or not the ad gets clicked. The types of ads typically measured this way include display ads (like banner ads), video ads, and a portion of mobile display ads. Any advertisements sold on a CPM (cost per thousand impressions) basis fall into this bucket and are potentially liable for impression fraud.

How Impression-Based Ads Are Supposed to Work

Businesses create advertisements, and then they pay third party website publishers to publish those advertisements on their websites. The businesses that created the ads then pay the website publishers an agreed-upon amount of money for every 1,000 times the ad is seen. While the businesses who make the ads hope the ads will expose their products and services to new audiences, ads also help the website publishers make money off their sites.

How Hackers Make Money From Impression Ads

But the "bad guys," as Dr. Fou calls them, have found ways to take advantage of the system. Here's how:

Hackers create fake websites, and then sell ad space on these websites.

You might be asking yourself, why do businesses and ad agencies place ads on these sites if they know they're fake? It's because of what Dr. Fou calls "programmatic media buying and media placement." Nowadays, the process of buying and placing online advertisements is mostly automated. This means there are no humans involved in checking to make sure ads are placed on legitimate websites. Ad exchanges are particularly prone to fraud because they're the ones most likely to buy the enormous quantities of "ad impression inventory" for re-sale, says Dr. Fou.

"In the early days of the internet, a big advertiser might go to an established brand like Yahoo! or ESPN and say they want to place ads on their websites," says Dr. Fou. "But with the advent of Web 2.0 and then Web 3.0 came a slew of super longtail sites -- tiny, tiny websites that aren't big enough to matter to those big advertisers. Ad networks came about as a result, which aggregated tens of thousands of these longtail websites so they could aggregate the media buy of ad space on those websites."

The number of online display ads bought and placed using automated systems has been rising steadily for the past few days according to Dr. Fou's research, and it is expected to continue rising steadily.

Image from Dr. Augustine Fou's Webinar

"And as more digital ads are placed entirely programmatically, the opportunity for fraud continues to rise," warns Dr. Fou. And hackers always seem to be steps ahead of the industry's initiatives to detect fake websites and blacklist them.

Hackers load up their sites with tons of ads.

Once the hackers create their fake sites, they use a variety of tactics to load them up with a whole bunch of real ads they're selling to the ad exchange. For example, hackers have discovered ways to stack tons of ads above the fold on fake websites. This makes it easy for bots to "see" all of the ads at once without scrolling -- they can simply load the page, register all of the ad impressions on the page at once, and then repeat the process.

To make these ads immediately viewable to bots, hackers will stack up to 72 hidden iFrame layers. Another tactic is to set the dimensions of each ad to 1x1 pixels or 0x0 pixels, or to set the opacity of the ad to 100%.

Image from spider.io

While the industry is slowly learning how to detect these things, the bad guys continue to outsmart it with new techniques.
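On the detection side, the stacked layers and pixel-sized ads described above can be caught by a simple viewability audit of a page's ad slots. The sketch below is an added example, not code from Dr. Fou or any ad-verification vendor; the slot objects are constructed sample data, the two thresholds are assumptions, and a slot is treated as invisible when its CSS opacity is 0 (fully transparent).

```javascript
// Flags ad slots a human could not see: pixel-sized, transparent, or buried under another layer.
// Each slot is constructed sample data: position/size in px, stacking order z, CSS opacity (0..1).
const MIN_SIDE_PX = 2;         // assumption: 1x1 or 0x0 is a tracking pixel, not an ad
const MIN_VISIBLE_SHARE = 0.5; // assumption: at least half the ad area must be uncovered

// Area of overlap between two rectangles {x, y, w, h}.
function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Returns the reasons a slot is not viewable (empty array = viewable).
function auditSlot(slot, allSlots) {
  const reasons = [];
  if (slot.w < MIN_SIDE_PX || slot.h < MIN_SIDE_PX) reasons.push('tiny');
  if (slot.opacity === 0) reasons.push('transparent');
  // Largest part of this slot covered by any single opaque layer stacked above it.
  const area = slot.w * slot.h;
  let covered = 0;
  for (const other of allSlots) {
    if (other === slot || other.z <= slot.z || other.opacity === 0) continue;
    covered = Math.max(covered, overlapArea(slot, other));
  }
  if (area > 0 && 1 - covered / area < MIN_VISIBLE_SHARE) reasons.push('stacked-under');
  return reasons;
}

// Summarises a whole page: how many slots were served versus how many could be seen.
function auditPage(slots) {
  const report = slots.map(s => ({ id: s.id, reasons: auditSlot(s, slots) }));
  const viewable = report.filter(r => r.reasons.length === 0).length;
  return { total: slots.length, viewable, report };
}

// Constructed page: 72 same-size iframes stacked at one position, plus a 1x1 slot,
// a 0x0 slot, a fully transparent slot and one ordinary banner.
const samplePage = [];
for (let i = 0; i < 72; i++) {
  samplePage.push({ id: `stack-${i}`, x: 0, y: 0, w: 300, h: 250, z: i, opacity: 1 });
}
samplePage.push({ id: 'pixel', x: 400, y: 0, w: 1, h: 1, z: 0, opacity: 1 });
samplePage.push({ id: 'zero', x: 410, y: 0, w: 0, h: 0, z: 0, opacity: 1 });
samplePage.push({ id: 'clear', x: 0, y: 300, w: 728, h: 90, z: 0, opacity: 0 });
samplePage.push({ id: 'banner', x: 0, y: 400, w: 728, h: 90, z: 0, opacity: 1 });

const result = auditPage(samplePage);
console.log(`${result.viewable} of ${result.total} slots viewable`);
```

In a real audit the slot fields would come from each ad element's bounding rectangle and computed style; a large gap between slots served and slots viewable is the signal to investigate the publisher.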

Hackers use bots to visit and reload their webpages.

Once they've loaded up their fake sites with a whole bunch of real ads, they send bots to visit the sites and create impressions on those ads. But the bots don't just view these pages once or a few times -- they repeatedly load the pages, thereby clocking up tens of millions of ad impressions.

Hackers profit.

They sell a chunk of these ad impressions to the ad exchange, and the ad exchange then sells it to whichever advertiser placed the ad. In other words, these exchanges get some revenue when advertisers' ads run on the bad guys' websites.

Those are the basics of impression fraud. Now, let's move on to the basics of click fraud.

How Click Fraud Works

Clicks measure the number of times an advertisement is actually clicked on. The types of ads typically measured this way are primarily search-based ads, plus a portion of mobile search ads. Any advertisements sold on a PPC (pay-per-click) basis fall into this bucket and are potentially liable for click fraud.

How Search-Based Ads Are Supposed to Work

Businesses create advertisements, and then they pay search engines to publish those advertisements in response to users' search queries. Typically, search companies use auctions to sell these advertising slots -- and to participate in these auctions, businesses select a set of keywords and submit bids on each of them. When a user searches for that term, the search company runs an auction among businesses who have placed bids for keywords matching the query, and winners are arranged in the ad slots. Then, the search engines charge the advertising businesses for each click their ad receives.

How Hackers Use Search-Based Ads to Make Money

Unfortunately, hackers don't just know how to create bots that can load and reload webpages; they also know how to create bots that perform fake "mouse" movements and actually click on webpages. Alex Kantrowitz wrote in Ad Age, "So much for bots giving themselves away by acting like, well, bots. Turns out they can be made to act quite human, which is foiling efforts to detect them."

Hackers create fake websites to carry search ads.

These websites are super simple -- often, they're automatically created using basic templates. This is easy because of that programmatic media buying and media placement I touched on earlier. Before everything was done automatically, hackers used to rely on luring real humans to their webpages to click on stuff. They used algorithms to plagiarize webpages and trick humans into thinking they were legitimate websites. Then, when a human clicked an ad on the fake website, an affiliate cookie was planted. If the human ended up buying something via that ad (which, remember, is a real ad from a legitimate business), the hacker got a revenue share.

"They found that wasn't a great way to make money," Dr. Fou told me. "Even if the human bought a $2,000 TV, the revenue share from the affiliate cookie would only give them a small percentage, like 5% or something. This didn't scale very well, so hackers moved on from relying on humans to developing more sophisticated bots that can click on ads themselves."

These new websites are designed to show search ads and then self-click on them to siphon CPC revenue.

Hackers target the biggest PPC spenders.

How do the bad guys choose which search ads to run on their sites? To get the most bang for their buck, of course the bad guys are going to go after the industries and companies that spend the most on PPC advertising. According to Dr. Fou, this includes insurance companies (they spend between $60-80 per click) and retailers (they spend between $20-60 per click).

Hackers send bots to their pages.

Hackers send their bots to their own fake sites. The bots then type in high-value keywords to cause the paid search ads to appear. Then, those same bots click on the ads. The advertisers pay for each click they receive on these ads, so hackers pocket the profit.

That's it for the basics of click fraud.

How Is the Industry Fighting This?

There are a number of tools available that ad exchanges and agencies use to detect fraud and start the mitigation process. When the ad exchange is able to detect that a website is fake, they add that website to a blacklist. When a website is on a blacklist, the ad exchange filters it and doesn't run ads on that website.

But Dr. Fou says the problem is that the fight against digital ad fraud depends on the reliability of these huge blacklists and how often they're updated. As soon as the bad guys become aware that their sites aren't making money anymore, they shut them down, "spin up" new sites, and continue the fraud. So, while blacklists are part of the solution, they are easily and quickly outwitted.

What's a Marketer To Do?

"[The ANA] study puts a stake in the ground," ANA President Bob Liodice told the Wall Street Journal. "It's a wake-up call for marketers to pay attention." So what's a marketer to do about it?

Dr. Fou suggests asking your media agencies for detailed reports on ad spend and activities, while simultaneously putting technologies or mechanisms in place to independently verify those numbers.

The adoption of inbound marketing is another, longer term way to fight fraud, says Dr. Fou. "As more clients focus on and evolve with inbound marketing, they'll begin asking their agencies questions like 'Did a human actually take an action here?' They'll insist their agencies think about the subsequent actions after that impression or that click: that the impression or click turned into a purchase, or at least a step toward a purchase. Once businesses focus on those metrics, as opposed to the number of ads served, we can optimize for fewer ads and more human interactions -- which is a good thing."