MAISON CODE .
/ Strategy · Risk · Ads · Fraud · Finance

Ad Fraud: The Invisible Tax on your P&L

20% of your Ad Spend is being stolen by criminals. How 'Click Farms', 'Attribution Spoofing', and 'Made for Advertising' sites drain your budget.

Chloé D.

You spend $10,000 on Google Ads this month. You check the dashboard.

  • Clicks: 10,000.
  • CPC: $1.00.
  • Conv. Rate: 1.5%.

You high-five your agency. “Great job.” But here is the invisible reality: Of those 10,000 clicks, 2,000 were likely Bots. You didn’t spend $10,000 on marketing. You spent $8,000 on marketing and $2,000 on a donation to a criminal enterprise in a basement in Eastern Europe.

We are experiencing a Bot Pandemic. Estimates from Juniper Research suggest that $100 Billion per year is lost to Ad Fraud. This is not a “Marketing Optimization” issue. This is a Financial Risk issue. This article explains how the theft happens and how to stop it.

Why Maison Code Discusses This

We are engineers. We analyze server logs. When we audit the traffic hitting our clients’ servers, we see things the Marketing Dashboard hides. We see traffic coming from Data Centers (AWS, Azure) masquerading as iPhones. We see “Users” who browse 50 pages in 1 second (physically impossible). We discuss this because throwing cleaner code at dirty traffic is a waste of money. You don’t need a faster website; you need real humans.

1. The Mechanics of Theft: How they steal your money

Ad Fraud is sophisticated. It is not just a script kiddie. It is organized crime.

A. The Click Farm (Invalid Traffic - IVT)

Imagine a warehouse with racks of 10,000 low-end Android phones. They are plugged into power and programmed to run scripts.

  1. Bot wakes up.
  2. Searches “Luxury Shoes” on Google.
  3. Scrolls to find your ad.
  4. Clicks your ad. (You pay $2.00).
  5. Stays on your site for 30 seconds (to fool the bounce rate metric).
  6. Leaves.

Why? Sometimes it is a competitor trying to drain your budget. Sometimes it is a “Publisher” (a fake news site) clicking ads to boost their own revenue.

B. Attribution Spoofing (Organic Theft)

This is more insidious because it steals credit for real sales.

  1. A real human (Alice) decides to buy your bag. She types your URL directly.
  2. She has a shady browser extension installed (e.g., “Free PDF Converter”).
  3. The extension detects she is about to buy.
  4. It injects an “Affiliate Cookie” milliseconds before checkout.
  5. The Affiliate Network (e.g., ShareASale) sees the cookie.
  6. “We drove this sale! Pay us 10% commission.”

Theft: You paid 10% for a customer you already had.

C. MFA Sites (Made For Advertising)

These are websites with zero content and 100 ads per page. AI generates fake articles (“10 Best Cats”). They buy cheap traffic (using bots) to visit the site. The bots “view” the ads (CPM model). You pay for “Impressions” that no human eye ever saw.

2. The Incentive Misalignment

“Why doesn’t Google stop this?” This is the uncomfortable truth: The Ad Platforms get paid for every click, valid or not. If Google blocked all bots tomorrow, their quarterly revenue might drop 10%. They have a fiduciary duty to shareholders to maximize revenue. They do filter “Obviously Fake” traffic (General IVT). But they are terrible at filtering “Sophisticated Fake” traffic (SIVT) because it looks human. You cannot rely on the fox to guard the henhouse.

3. The PMax Trap (Google Performance Max)

Google’s new AI tool, Performance Max, is a black box. You give it a budget + a goal (ROAS). It finds traffic. PMax loves cheap inventory. Where is inventory cheap? On garbage websites and MFA sites. We have audits where PMax spent 40% of the budget on mobile game apps (where fat-finger clicks happen) and unknown foreign news sites. PMax will aggressively claim specific “View-Through Conversions” to make its numbers look good, even if the traffic was low quality.

4. The Defense Strategy: Building a Wall

You need a multi-layered defense.

Layer 1: Exclusion Lists (The Basics)

Go into your Google Ads settings.

  • Exclude “Unknown” Categories.
  • Exclude “Mobile Apps” (Unless you are selling an app). Game placements are 90% accidental clicks.
  • Exclude Geographies: If you only ship to US/UK, why are you paying for clicks from non-serviceable countries?

Layer 2: Defensive Software (The Shield)

You need 3rd party verification tools. Legacy tools: ClickCease (Cheap, OK for small brands). Enterprise tools: Cheq, Lunio, Human Security. These tools install a pixel on your site. They fingerprint every visitor.

  • “This user has the screen resolution of a server.” -> Block.
  • “This user is moving the mouse in a perfect mechanical line.” -> Block.

They automatically feed these IPs back to Google/Meta as a “Negative Audience”. This prevents the bot from ever seeing your ad again.

Layer 3: Conversion API (CAPI) with Value Rules

Facebook Pixel (Client Side) is easily spoofed. Move to Server-Side Tracking (CAPI). Only send “Purchase” events to Facebook after the credit card has cleared and you have verified the fraud score. Do not feed “Page Views” into the optimization algorithm if the view was a bot. Starve the algorithm of bad data.
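
The gate described above, as an added example that is not code from this article or from Meta: a server-side filter that builds “Purchase” events only for orders whose payment has cleared and whose fraud score passes. The order field names, the `MAX_FRAUD_SCORE` threshold and the sample orders are assumptions constructed for illustration; the event fields follow the Conversions API payload shape, and nothing is sent over the network.

```python
import hashlib

MAX_FRAUD_SCORE = 0.3  # assumed scale: 0.0 (clean) to 1.0 (fraud)

# Constructed orders; the field names are hypothetical.
ORDERS = [
    {"order_id": "A1001", "email": " Alice@Example.com ", "value": 420.0,
     "currency": "USD", "paid_at": 1700000000,
     "payment_status": "captured", "fraud_score": 0.05},
    {"order_id": "A1002", "email": "bob@example.com", "value": 90.0,
     "currency": "USD", "paid_at": 1700000100,
     "payment_status": "authorized", "fraud_score": 0.02},
    {"order_id": "A1003", "email": "eve@example.com", "value": 999.0,
     "currency": "USD", "paid_at": 1700000200,
     "payment_status": "captured", "fraud_score": 0.91},
    {"order_id": "A1001", "email": "alice@example.com", "value": 420.0,
     "currency": "USD", "paid_at": 1700000300,
     "payment_status": "captured", "fraud_score": 0.05},
]

def hash_email(email):
    # Trim and lowercase before SHA-256 so the same customer always hashes the same.
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def build_purchase_events(orders, already_sent=()):
    """Return (events_to_send, held), where held lists (order_id, reason)."""
    sent, events, held = set(already_sent), [], []
    for o in orders:
        if o["payment_status"] != "captured":
            held.append((o["order_id"], "payment_not_cleared"))
        elif o["fraud_score"] > MAX_FRAUD_SCORE:
            held.append((o["order_id"], "fraud_score_too_high"))
        elif o["order_id"] in sent:
            held.append((o["order_id"], "duplicate"))
        else:
            sent.add(o["order_id"])
            events.append({
                "event_name": "Purchase",
                "event_time": o["paid_at"],
                "event_id": o["order_id"],  # lets the platform deduplicate
                "action_source": "website",
                "user_data": {"em": [hash_email(o["email"])]},
                "custom_data": {"currency": o["currency"], "value": o["value"]},
            })
    return events, held
```

Logging the `held` list gives you a record of what was withheld from the optimization algorithm and why.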

5. The Audit: How to spot if you are bleeding

You don’t need expensive software to do a quick check. Look at your Google Analytics (GA4). Create a Segment: “Paid Traffic”. Look for anomalies:

  1. Bounce Rate: Is it 99%? (Bot). Is it 0%? (Bot). Humans are messy (40-60%).
  2. Session Duration: Do you have thousands of sessions that are exactly 0 seconds?
  3. City Data: Do you see a massive spike from Ashburn, Virginia?
    • Ashburn is the “Data Center Capital of the World”.
    • 70% of the world’s internet traffic flows through there (AWS is there).
    • Humans live in New York and LA. Servers live in Ashburn.
    • If your ad clicks are coming from Ashburn, you are paying for servers to visit your site.
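
The checks above, together with the server-log signals mentioned earlier (data-center traffic masquerading as iPhones, 50 pages in 1 second), can be scripted against your own session export. This is an added example, not code from this article: the session rows, the data-center ranges (documentation prefixes standing in for a real cloud IP list) and the `MAX_PAGES_PER_SECOND` threshold are all constructed assumptions.

```python
import ipaddress

# Constructed stand-ins for a real cloud/data-center IP list.
DATACENTER_NETS = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/24", "203.0.113.0/24")]
MAX_PAGES_PER_SECOND = 2.0  # assumption: faster than this is not human browsing

# Constructed paid-click sessions: (ip, user_agent, pages, duration_s, cpc_usd)
SESSIONS = [
    ("192.0.2.10", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)", 4, 95.0, 1.00),
    ("198.51.100.7", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)", 3, 30.0, 1.00),
    ("192.0.2.44", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", 50, 1.0, 1.00),
    ("192.0.2.51", "Mozilla/5.0 (Linux; Android 13)", 1, 0.0, 1.00),
    ("192.0.2.77", "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0)", 6, 210.0, 1.00),
]

def flag_session(ip, user_agent, pages, duration_s):
    """Return the list of reasons a session looks automated (empty if none)."""
    reasons = []
    addr = ipaddress.ip_address(ip)
    in_datacenter = any(addr in net for net in DATACENTER_NETS)
    # A phone on a hosting provider's network is a server wearing a costume.
    if in_datacenter and ("iPhone" in user_agent or "Android" in user_agent):
        reasons.append("datacenter_ip_mobile_ua")
    if duration_s == 0:
        reasons.append("zero_duration")
    elif pages / duration_s > MAX_PAGES_PER_SECOND:
        reasons.append("impossible_page_rate")
    return reasons

def audit(sessions):
    """Summarise flagged sessions and the ad spend attached to them."""
    flagged, wasted = {}, 0.0
    for ip, user_agent, pages, duration_s, cpc in sessions:
        reasons = flag_session(ip, user_agent, pages, duration_s)
        if reasons:
            flagged[ip] = reasons
            wasted += cpc
    total = sum(s[4] for s in sessions)
    return {"flagged": flagged,
            "wasted_usd": round(wasted, 2),
            "invalid_share": round(wasted / total, 2)}

if __name__ == "__main__":
    print(audit(SESSIONS))
```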

6. The “Fake Influencer” Problem

This applies to Influencer Marketing too. You pay an influencer with 100k followers $2,000 for a post. You check the post. 5,000 likes! But scroll through the comments. “Great pic!”, “Love it!”, ”🔥🔥🔥”. Generic comments. No relation to the product. These are Engagement Pods. The influencer pays a service to have bots like the post instantly to trick the algorithm. Audit Tool: Use Modash or HypeAuditor before you pay anyone. If their “Audience Credibility” score is low, run.

7. The Future: Blockchain Verification?

Can Blockchain solve this? In theory, yes. If every ad impression was recorded on a public ledger (Ethereum/Solana), we could track the provenance of the traffic. Companies like AdChain tried to solve this. The problem is speed. Real-Time Bidding (RTB) happens in milliseconds. Blockchains are too slow (for now). However, Private Ledgers between major publishers (New York Times) and major brands (LVMH) are emerging. They bypass the “Open Exchange” (Google) entirely. “I buy ad space directly from you. We verify it cryptographically.” This is the future of Clean Trade.

If you find proof of fraud (e.g., using Cheq or Lunio reports), you can get a refund. Google has an “Invalid Traffic Refund” policy. But you have to ask. They will not volunteer it. The process:

  1. Export the fraud logs from your defensive software.
  2. Open a support ticket.
  3. Submit the CSV of invalid IPs and timestamps.
  4. Demand credit back.

We have seen clients recover thousands of dollars this way. It requires effort, but it is your money.

9. Conclusion

If you had a physical store, and 20% of people walking in were robots stealing your inventory, you would hire a security guard. In digital, you leave the door wide open. Ad Fraud is an invisible tax. It inflates your CAC. It destroys your ROAS. It muddies your data. You cannot optimize a funnel if the data entering it is fake. Clean the water before you drink it.

