Help Center

| Submit or View Help Requests | Developer Docs |

View desktop instructions
View mobile app instructions
Types of Performance Fraud

There are many types of performance fraud, and some more common than others. Review the sections below to learn more.

False web attribution

This tactic involves bad actors stealing or fabricating clicks on your ads to claim attribution for leads or conversions. The bad actors then collect payouts even though they generated no value along the conversion path.

Click-spoofing

If you rely on partners to self-report events they generate through server-side calls (e.g., via FTP), reported actions are vulnerable to click-spoofing. Malicious partners may report illegitimate events that, if left unchecked, will lead to you paying them for value they did not generate.

How can you tell? There are three ways to confirm an embedded image on a web page: 1) a gray square and triangle icon indicates the artwork is embedded, 2) the absence of the icon means the artwork is linked externally, and 3) a red "X" indicates missing artwork, possibly due to image embedding.

Hidden landing pages

Partners can steal attribution by loading hidden landing pages that are invisible to the user. This can happen randomly or can specifically target users likely to convert. It is done by implementing techniques like pixel stuffing or ad stacking. When a consumer does convert, the malicious partner that loaded your landing page without the consumer’s knowledge claims credit and gets paid.

Image embedding

Image embedding happens when a partner replaces an image’s source code with its affiliate link, then places that image on a public website with heavy traffic. While the image will not load (it renders as a broken image icon or a blank space), the browser still follows the link, and reads and acts on cookies sent through it. This technique is relatively unrefined. However, what it lacks in targeting specificity, it makes up for in its broad reach and zero-cost, low-effort effectiveness.

How can you tell? There are three ways to confirm an embedded image on a web page: 1) a gray square and triangle icon indicates the artwork is embedded, 2) the absence of the icon means the artwork is linked externally, and 3) a red "X" indicates missing artwork, possibly due to image embedding.

Malvertising

Malicious partners pose as brands and buy ad space. In the meantime, they serve creatives that have been embedded with malicious JavaScript code. The hidden code can force clicks to brand sites and download malware onto a user’s device. Malvertizers force attribution—and pay themselves— by actively manipulating consumer devices.

Sneaky redirecting

Have you ever clicked a link or entered a URL and been sent somewhere completely different than where you requested? If so, you’ve been the victim of a sneaky redirect. This video shows how a sneaky redirect sends a user to a different URL than the one originally requested.

While not all redirects are malicious, a bad actor can purchase a domain name that's a misspelled version of a brand’s domain. The malicious partner then redirects users who accidentally navigate to the misspelled domain to another brand’s site, effectively generating illegitimate clicks.

Toolbar injecting

A malicious browser extension (e.g., a toolbar plug-in) injects cookies into the browser as a user navigates, feigning credit for organically occurring events.

Lead generating fraud

Lead gen fraud is sourced from malicious affiliates that collect brand payouts for producing fake leads or conversion events.

Bot fraud (click fraud)

Fraud scheme operators use emulators running retained scripts or infected devices in a botnet to automate large-scale nonhuman traffic, like rapid click events. This technique is especially prevalent in the cost-per-click (CPC) space. Bot clicks can be leveraged to generate fraudulent likes and follows, effectively committing influencer fraud across social media.

Device spoofing

Bad actors can produce worthless engagement (e.g., clicks, forms filled with stolen information, etc.) on a single device. However, a large volume of activity from the same device or cookie is easily detectable as fraud. To fool brands, bad actors spoof their browsers and operating systems (OS) and reset cookies, effectively allowing one device to impersonate many.

How can you tell? Device spoofing is easily uncovered through device fingerprinting techniques with JavaScript or a software development toolkit (SDK), which analyzes device settings like resolution, graphics cards, browser plug-ins, OS, cookies, and more than 300 other data points.

Incentivized traffic

When many affiliates share commissions with end users through rebates, social gaming credits, or donations to causes, they can engage in incentivized traffic. Perks like these incentivize users to download browser toolbars and plug-ins. However, users acquired this way tend to have a much lower customer lifetime value (CLV). Low-quality partners often sell this type of incentivized activity as normal paid traffic. In other scenarios, a bad actor stuffs a cookie when a user visits sites that participate in Performance programs.

Recycled or stolen information

Bad actors that defraud lead generation programs submit either illegitimate information (i.e., information about someone who doesn’t exist) or recycled/stolen legitimate information. In the latter case, real peoples’ personally identifiable information (PII) is purchased or captured through fake lead forms, then recycled to collect cost-per-lead (CPL) payouts from multiple brands.

This technique bypasses data validators and defrauds you of your performance spend. It can also damage your brand’s reputation among real audience members whose information is stolen or recycled, especially if you attempt to contact them.

Unapproved network syndications

If your demand for granular audience targeting goes beyond the scope of your program, partners may buy traffic to meet those overstated commitments. Unapproved traffic syndication can be difficult to untangle, especially since traffic brokers and ad networks often sell back and forth to each other in a larger arbitrage network. This means that traffic can be bought and sold a number of times before it reaches a partner.

Mobile fraud

Next up are fraudulent activities directly related to mobile devices and the events that can take place on them.

Install attribution fraud

Malicious partners can exploit your cost-per-install (CPI) programs by stealing or fabricating credit, then collecting revenue for driving an app install.

Click-flooding

An especially dangerous partner may use its app to hijack a user’s phone and generate hundreds of ads in the background. The partner can also trigger automatic click events for each ad. These click events are intended to game your CPI attribution models and occasionally redirect the user to the app store.

Click injection

This technique aims to force wins of last click attribution in CPI programs. It’s enabled on Android phones when a bad actor includes app code that uses the Android feature Install Broadcast to continuously monitor a user’s device for new installs. Based on this information, the partner can send fake clicks just before payable post-install events occur.

How can you tell? The easiest way to detect click injection is by comparing the timing of a reported click with the app's initial launch; typically, during click injection, these events occur very close together.

Click-spoofing

If you rely on partners to self-report mobile click events they've generated through server-side calls (e.g., via FTP), actions they report are vulnerable to click-spoofing. If left unchecked, malicious partners may report illegitimate mobile events that lead to you pay them for value they did not generate.

Install fraud

Bad actors can game your CPI program by collecting revenue for driving suspicious app installs where installers have zero intention of actually using the app.

Device ID reset marathons

Install farms or automated device emulators can exercise device ID reset marathons to replicate their exploitation ad nauseam, making the same activities only appear to be happening across many different devices.

Incentivized traffic

When many affiliates share commissions with end-users through rebates, social gaming credits, or donations to causes, they can engage in incentivized traffic. Perks like these incentivize users to download browser toolbars and plug-ins. However, users acquired this way tend to have a much lower customer lifetime value (CLV). Low-quality partners often sell this type of incentivized activity as normal paid traffic. In other scenarios, a bad actor will stuff a cookie when a user visits sites that participate in Performance programs.

Proxy tunneling

A malicious app installed across many mobile devices can install malware that effectively converts that network of phones into a mobile botnet. The mobile botnet is remotely controlled by a botnet operator, which leverages the hijacked IPs of devices to mask the operator's location as it commits large-scale install fraud.

Install farms

Bad actors employ hundreds of low-cost workers with real phones to install the apps of brands that reward partners on a CPI basis. In other cases, a fraud operator may set up a script within a mobile device emulator that automates the process of generating fake installs and in-app activity.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.