There are many types of performance fraud, and some more common than others. Review the sections below to learn more.
This tactic involves bad actors stealing or fabricating clicks on your ads to claim attribution for leads or conversions. The bad actors then collect payouts even though they generated no value along the conversion path.
If you rely on partners to self-report events they generate through server-side calls (e.g., via FTP), reported actions are vulnerable to click-spoofing. Malicious partners may report illegitimate events that, if left unchecked, will lead to you paying them for value they did not generate.
Partners can steal attribution by loading hidden landing pages that are invisible to the user. This can happen randomly or can specifically target users likely to convert. It is done by implementing techniques like pixel stuffing or ad stacking. When a consumer does convert, the malicious partner that loaded your landing page without the consumer’s knowledge claims credit and gets paid.
Image embedding happens when a partner replaces an image’s source code with its affiliate link, then places that image on a public website with heavy traffic. While the image will not load (it renders as a broken image icon or a blank space), the browser still follows the link, and reads and acts on cookies sent through it. This technique is relatively unrefined. However, what it lacks in targeting specificity, it makes up for in its broad reach and zero-cost, low-effort effectiveness.
There are 3 ways to confirm that an embedded image has appeared on a web page: 1) a gray icon of a square and triangle appears—this means the artwork is embedded on the page, 2) the lack of a gray icon means the artwork is linked from somewhere else, and 3) a red “X” appearing where the image should be, means the artwork is missing and image embedding could be happening.
Have you ever clicked a link or entered a URL and been sent somewhere completely different than where you requested? If so, you’ve been the victim of a sneaky redirect. This video shows how a sneaky redirect sends a user to a different URL than the one originally requested.
While not all redirects are malicious, a bad actor can purchase a domain name that's a misspelled version of a brand’s domain. The malicious partner then redirects users who accidentally navigate to the misspelled domain to another brand’s site, effectively generating illegitimate clicks.
Lead gen fraud is sourced from malicious affiliates that collect brand payouts for producing fake leads or conversion events.
Fraud scheme operators use emulators running retained scripts or infected devices in a botnet to automate large-scale nonhuman traffic, like rapid click events. This technique is especially prevalent in the cost-per-click (CPC) space. Bot clicks can be leveraged to generate fraudulent likes and follows, effectively committing influencer fraud across social media.
Bad actors can produce worthless engagement (e.g., clicks, forms filled with stolen information, etc.) on a single device. However, a large volume of activity from the same device or cookie is easily detectable as fraud. To fool brands, bad actors spoof their browsers and operating systems (OS) and reset cookies, effectively allowing one device to impersonate many.
When many affiliates share commissions with end users through rebates, social gaming credits, or donations to causes, they can engage in incentivized traffic. Perks like these incentivize users to download browser toolbars and plug-ins. However, users acquired this way tend to have a much lower customer lifetime value (CLV). Low-quality partners often sell this type of incentivized activity as normal paid traffic. In other scenarios, a bad actor stuffs a cookie when a user visits sites that participate in affiliate programs.
Bad actors that defraud lead generation programs submit either illegitimate information (i.e., information about someone who doesn’t exist) or recycled/stolen legitimate information. In the latter case, real peoples’ personally identifiable information (PII) is purchased or captured through fake lead forms, then recycled to collect cost-per-lead (CPL) payouts from multiple brands.
This technique bypasses data validators and defrauds you of your performance spend. It can also damage your brand’s reputation among real audience members whose information is stolen or recycled, especially if you attempt to contact them.
If your demand for granular audience targeting goes beyond the scope of your program, partners may buy traffic to meet those overstated commitments. Unapproved traffic syndication can be difficult to untangle, especially since traffic brokers and ad networks often sell back and forth to each other in a larger arbitrage network. This means that traffic can be bought and sold a number of times before it reaches a partner.
Next up are fraudulent activities directly related to mobile devices and the events that can take place on them.
An especially dangerous partner may use its app to hijack a user’s phone and generate hundreds of ads in the background. The partner can also trigger automatic click events for each ad. These click events are intended to game your CPI attribution models and occasionally redirect the user to the app store.
This technique aims to force wins of last click attribution in CPI programs. It’s enabled on Android phones when a bad actor includes app code that uses the Android feature Install Broadcast to continuously monitor a user’s device for new installs. Based on this information, the partner can send fake clicks just before payable post-install events occur.
If you rely on partners to self-report mobile click events they've generated through server-side calls (e.g., via FTP), actions they report are vulnerable to click-spoofing. If left unchecked, malicious partners may report illegitimate mobile events that lead to you pay them for value they did not generate.
When many affiliates share commissions with end-users through rebates, social gaming credits, or donations to causes, they can engage in incentivized traffic. Perks like these incentivize users to download browser toolbars and plug-ins. However, users acquired this way tend to have a much lower customer lifetime value (CLV). Low-quality partners often sell this type of incentivized activity as normal paid traffic. In other scenarios, a bad actor will stuff a cookie when a user visits sites that participate in affiliate programs.
A malicious app installed across many mobile devices can install malware that effectively converts that network of phones into a mobile botnet. The mobile botnet is remotely controlled by a botnet operator, which leverages the hijacked IPs of devices to mask the operator's location as it commits large-scale install fraud.