Invalid traffic: How AI bots are eating advertising

Digital transformation and AI have worked wonders in the ad market, but they have also seen a massive rise in invalid traffic – traffic from bots that skews ad stats and costs advertisers and publishers dear. Paul Skeldon reports

More than a fifth of internet traffic is invalid. Or to put it another way, one out of five website visits is not a real person, but an automated program –a bot – with no intention or capability to convert into a paying customer.

When you look at in-ad traffic in programmatic campaigns this figure sometimes hits 90%. That is a lot of non-paying traffic.

So finds a study by Fraud0, which analysed data from its largest 100+ customers and analysed a total of more than 2.9 billion sessions in 2023.

It is important to note that Fraud0 excluded crawlers, such as the Google Search Engine Crawler, from the invalid traffic data in order to obtain more meaningful results. And the results are shocking – but why is this happening and what can be done about it?

THANKS DIGITAL TRANSFORMATION

Taking a step back, digital transformation has revolutionised the business world, enabling companies to leverage AI for growth and efficiency. However, it also creates new challenges and risks, especially in the realm of digital advertising. One of the most pervasive and persistent threats is this invalid traffic, which refers to any clicks or impressions that are not generated by genuine human users.

The cost is huge. Services and ads are made and sold based on traffic and, if you can’t trust what or where that is coming from – nor, indeed, if it is actually real – then the business of digital marketing looks shaky. With more companies poised to make a commerce media play (see page 1), anything that undermines digital marketing could be extremely costly.

So, where are the problems and what can be done to fix them?

CHANNELS AND INDUSTRIES

According to the research, invalid traffic is a major threat across all digital marketing channels – no channel is exempt. Its uncontrolled presence means wasted ad budgets and has negative consequences such as ineffective campaigns, skewed analysis, and misleading attribution.

The biggest proportion of invalid traffic is seen, perhaps unsurprisingly, on Google Shopping, which hi 67% in 2023. TikTok’s rapid growth has also seen it rocket up the charts for invalid traffic, hitting nearly 40%. Interestingly, The Trade Desk – a commerce media platform – is the second biggest, coming in not far behind Google Shopping on 55%. LinkedIn Ads is also seeing some issues, with nearly half its traffic being invalid.

The issue of invalid traffic and bots naturally affects every industry. But there are some significant differences in terms of the extent. The sector most impacted by invalid traffic is gambling, which sees nearly 40% of its traffic being invalid. Typically this is being seen in fake account creation to take advantage of promotions, credential stuffing and account take over – where criminals use bots to break into customer accounts by automating login attempts using compromised or predictable passwords. There is also growth in polluted analytics that distort customer numbers and ad stacking, where multiple ads are piled up in one place so a click on the top, genuine, ad registers impressions on all the others. This is costing the advertisers as they pay for clicks they don’t receive.

Ecommerce and retail see almost a third of its traffic being invalid. Here scalping and scraping – where bots reserve limited availability or desirable goods to drive up prices and bots that harvest data respectively – are the biggest headaches. Inventory hoarding and wasted ad spend are also a big deal.

But it is domain spoofing that has the biggest impact. Domain spoofing is a widespread technique used by fraudsters to siphon off ad budgets. Inferior websites are created that pretend to be well-known websites. They are often an exact copy of these websites or are simply created by AI.

The approach sounds simple and effective – and it is. Advertisers pay for this supposed premium traffic, but never see a conversion or the hoped-for branding effects.

Telecoms and tech/SaaS sector players are each seeing around a fifth of their traffic (21% and 19% respectively) being invalid. Media and marketing hits 18%.

WHERE AND WHEN

Interestingly, the majority of invalid traffic originates from Germany. However, this does not necessarily mean that the persons are also physically located in Germany. Cybercriminals often use data centres or proxy servers to organise bot attacks, so the analysis of web traffic in different countries is likely to reflect proxy locations rather than the actual locations of the attackers.

According to Fraud0, the result is not surprising, as the majority of companies in this evaluation come from Germany. Attackers also benefit from lower latency when they choose proxies that are closer to their targets – a key advantage when conducting high-volume attacks.

Similarly, when it comes to the distribution of operating systems, cybercriminals follow the market. Both Windows and Android are market leaders (>70% in desktop and mobile) and are therefore more often abused for invalid traffic in order to get buried in the crowd and not attract attention in the corresponding analyses and security systems.

Android accounts for 48.88% of invalid traffic, while Windows has 12.26%. MacOS is under 10%, while iOS doesn’t quite make it to 2%.

THE FUTURE – AND THE SOLUTION

Advances in AI, exemplified by the likes of Bard or ChatGPT, will lead to an increase in fake internet activity, as the barriers to creating bots are lowered and the sophistication and capabilities of malicious bots are improved. Using modern AI, it is now trivial to spin up hundreds of thousands of fake bot accounts with human-like behaviour for less than a penny per account. We are coming to the end of this version of the internet and it will be replaced by something entirely different.

This evolving landscape turns cybersecurity into a constant game of adaptation, where defence mechanisms are continually challenged by advancing opponents. The availability of advanced, free AI models potentially offers those with malicious intentions a tactical advantage.

In today’s world, organisations must employ proactive strategies, monitor inbound activity and automatically intercept and identify spoofed traffic before it enters their systems. Bot management is challenging, but by implementing effective bot detection and mitigation strategies, you can protect your website from threats.

fying visiting bots and minimising their negative impact on your company, your users,and your customers. Bot detection and mitigation solutions are tailored to enable uninterrupted website access for humans and legitimate bots and act as barriers to prevent unauthorized access by malicious bots.

With bot activity on the rise, it is important to detect and deal with traffic generated by bots. Nowadays, software continuously monitors bot activity within your online platforms, meaning it automatically fights threats in real-time as soon as they appear or try to gain access.

Download the full report https://www.fraud0.com/ wp-content/uploads/2024/02/ Unmasking-the-ShadowsInvalid-Traffic-2024-Report.pdf