It’s time for more organisations to step up and proactively take action to block these attacks

Ads are everywhere in the digital space. As long as you are connected to the Internet, there will be ads shown to you. So it shouldn’t be surprising that ad fraud, too, is everywhere.

From illegal bots creating fake advertising demand, automated phishing attempts to compromise business advertising accounts, domain and app spoofing to defraud major brands , and SSAI insertion schemes against the CTV ecosystem, unique forms of ad fraud continue to take place every second.

In fact, the total cost of ad fraud globally is expected to hit $100 billion by 2023, with Asia Pacific being the largest affected region.  Closer to home, Singapore saw a 1.9% increase in ad fraud year-on-year, across desktop display. As a result, its ad fraud rate in the first half of 2022 was 4.9%, the highest among its APAC counterparts. Japan and Vietnam also followed closely with respective ad fraud rates of 3.3% and 3.1%.

When looking at the rate of ad fraud, it’s hard for most people to wrap their heads around a number like $100 billion annually – but this breaks down to over $270 million in ad fraud committed against major brands *every single day of the year.* A significant portion of every dollar spent online is going to ad fraud schemes, and it’s crucial for more online businesses to step forward to fight back with a modern defence.

At HUMAN, we recently discovered a highly sophisticated fraud operation targeting advertising software development kits (SDKs) involving nine apps on the Apple App Store and 80 Android apps on the Google Play Store. Collectively, these apps were downloaded over 13 million times by users all around the world. The attack, named Scylla, isn’t new; it’s actually a third wave of the original attack of this nature, originally named Poseidon, that was discovered back in 2019. The fraud committed by these apps were done through several methods that included app spoofing, hidden ads, and fake clicks. Because of the evolving nature of the attacks, they are ongoing even today, despite our team being actively tracking down the perpetrators and trying to put a stop to them.

Cases like these show the sophistication of ad fraud that are taking place today. As they become more complex in nature, it gets more and more difficult to put a complete halt to an operation. Instead, we need to continuously monitor and adapt, keeping up with ad fraud operators to ensure that business assets and budgets are protected. .

The consequences of ad fraud

While ad fraud can seem cumbersome to defend against, there are real and potentially very serious consequences if not addressed. For one, it can completely ruin your digital campaigns, which is the equivalent of burning your money in the street. Just imagine running a campaign that involved months of hard work, only to be clicked on by bots, never reaching your intended audience. Not only does this drain your time and resources, but possibly entire budgets that have been allocated to a campaign, with no ROI. Suffice to say, all of these events will impact your business bottom line.

Despite the large amounts of money drained due to invalid traffic, many organisations in Southeast Asia continue to fall prey to fraudsters. This is largely because businesses are not equipped to handle them, and the modern defences in the online advertising ecosystem are not the same between regions due to the complexities of business partnerships. Moreover, with the constantly evolving nature of ad fraud attacks, especially attacks targeted to specific languages or audiences, it can be challenging to stay ahead of fraudsters that are already on their next plan to cannibalise your paid traffic.


Zach Edwards, Senior Manager Threat Insights, HUMAN

Invest in cybersecurity and protect your assets, before it’s too late

The total cost of ad fraud in Asia was estimated to be tens of billions of dollars in 2022, and is set to escalate even further in 2023. With such alarming impacts on revenue, no organisations buying online ads can ignore these risks to their marketing budgets, and it’s time for more organisations to step up and proactively take action to block these attacks.

The World Economic Forum has highlighted the need for organisations to take control of their state of cybersecurity, stating that it is no longer something that should be reserved for the IT department, or CISOs (Chief Information Security Officers). Since cyberattacks and ad fraud can happen anytime and impact every department in an organisation, every employee should be equipped with the right knowledge and tools so they can quickly escalate the issue should an attack take place or if some marketing stat from a paid marketing campaign isn’t aligning to expectations. At the management level, it is also wise to set aside a budget for crisis management within the marketing team. Since we cannot plan for ad fraud, having funds set aside will take away the added stress of managing costs when the team is busy dealing with the threat at hand.

What to expect in 2023 and what you can do

Unfortunately, cybercrime and ad fraud is here to stay, and evolve. As cybersecurity professionals become smarter in identifying and managing cyberattacks, fraudsters are also stepping up their game, as we’ve seen with the Scylla attack, and even more recently with the VastFlux takedown by our team, which was generating 12 billion fake requests per day at it’s peak.

Since ad fraud isn’t going away anytime soon, the best way to manage ad fraud is by putting prevention measures in place, communicating to your team about the impacts of ad fraud, and planning for the inevitable impacts on your marketing budgets. Internally, IT teams need to keep themselves updated on new threats, as well as ensure that the right infrastructures are in place to both see and automatically stop these types of attacks. Set up proper hygiene factors that include cybersecurity baselines and leverage modern defence strategies to lower the risks of fraudulent attacks on your bottom line. Knowledge sharing is also something that can be done within the organisation and beyond, which can yield significant benefits for industries with persistent threats.

Combating ad fraud is a collective effort against a complex adversary, but if everyone does their part, we will be more equipped to stand against ad fraud in the year ahead, reducing the financial impacts for businesses while increasing the costs for criminals.