The connected TV (CTV) ecosystem has grown exponentially in recent years, attracting advertisers seeking highly segmented, quality audiences. However, this growth has also made the channel an appealing target for ad fraud, one of the biggest current challenges in digital advertising.
While not a new phenomenon, its impact has intensified with the rise and consolidation of programmatic buying: the automation of processes has also enabled the automation of fraud, allowing malicious actors to scale their operations and exploit vulnerabilities in inventory trading systems.
According to Statista, digital ad fraud generated global losses of more than $80 billion in 2024. In CTV, the scenario is especially delicate: the combination of high CPMs, premium audiences, and an ecosystem still in consolidation, makes it fertile ground for fraudulent practices. According to the latest Pixalate report, 24% of traffic in open programmatic CTV (OpenRTB) is classified as invalid or fraudulent (IVT). In Q4 2024 alone, global investment in open programmatic CTV reached $7.6 billion, illustrating the scale of the risk.
What is Ad Fraud?
According to IAB Europe, Ad fraud, also referred to as invalid traffic (IVT), is the fraudulent representation of online advertising impressions, clicks, conversions, or data events, in order to generate revenue. These activities manipulate delivery channels, significantly impacting an advertiser’s return on media investment, often jeopardizing brand reputation.
In the next section, we take a closer look at the most commonly used ad fraud techniques:
1. Ad Stacking
This technique involves layering multiple ads on top of each other, invisible to the user. Typically, the video player frontend is manipulated by creating multiple hidden iframes or player instances using CSS attributes such as:
opacity:0
visibility:hidden
display:none
width:0
height:0
Another manipulation method involves triggering multiple VAST requests from the client-side player, only one of which is actually visible, fraudulently inflating impressions and revenues.
2. Ad Injection
This method inserts unauthorized ads into legitimate streams by manipulating the stream itself or the end client. It exploits security holes or device vulnerabilities (e.g., Roku, Fire TV, Smart TVs) or app-level flaws, using malware or malicious scripts to intercept HTTP/HTTPS requests to legitimate CDNs and redirect them to fraudulent intermediary servers. These servers modify the VAST or VMAP response, inserting illegitimate ads that are often imperceptible to the viewer. The fraud occurs through the manipulation of the XML code in the ad tag responses.
3. Spoofing
Spoofing simulates ad impressions by manipulating contextual and environmental user or device data. HTTP/HTTPS headers are tampered with, modifying User-Agent, Referer, or X-Forwarded-For values to mimic various devices, browsers, and geographic locations.
In some cases, parameters involved in the programmatic supply chain are also altered, such as advertising identifiers (IFA, IDFA) or demographic or geolocation data. At this point, fraudulent full SDKs can also be injected into applications or devices that would natively be falsifying the information provided to the buyer, or to the programmatic buying and selling chain. VPNs can also be used to avoid detection of a fraudulent or disreputable IP.
4. Bot Traffic
This method automates large-scale ad plays and interactions without human involvement. This kind of traffic is produced by compromised devices (personal computers, servers, devices with internet connection) that generate very high traffic to stream or CTV services. The way to do this is with the use of headless browsers (without graphical interface) such as Puppeteer, Selenium that because they are very light can simultaneously generate multiple instances in the compromised devices by means of automated scripts in constant execution. In this way, real-time interactions are simulated by generating JS events such as onPlay(), onPause(), onEnded() to mimic human behavior when it really is not. The result is completely distorted viewing metrics.
Additionally, the use of timed execution patterns helps these bots evade anti-fraud detection systems.
5. Pixel Stuffing
SThis basic but still-used technique embeds ads in 1x1 pixel containers. While common in traditional display advertising, it is still exploited in CTV to trick ad servers into registering impressions. It aims to make the ad server believe that something is being visually displayed, as there has been a request for load but really nothing is displayed because the dimensions are 1x1px.
When combined with bot traffic or spoofing, the impact and scale of this fraud can become significant.
6. Domain Spoofing
In this method, the origin of ad traffic is faked to appear as if it comes from premium or reputable publishers. This involves manipulating the HTTP referrer, forging sellers.json and ads.txt files, or conducting DNS attacks that resolve a fake domain as if it were a legitimate publisher. Fraudsters then replace identifiers in OpenRTB tags to mimic high-value traffic and sell low-quality or fraudulent impressions as if they came from premium sources, thereby inflating CPMs and generating illicit profits.
7. Made for Advertising (MFA) Inventory:
While MFA sites or apps may not always meet the strict definition of ad fraud, their widespread presence poses a serious threat to campaign effectiveness. These environments are built almost exclusively for monetization, with minimal editorial value or user experience. In CTV, MFA can take the form of low-quality FAST channels or apps that mimic legitimate content but are designed to maximize impressions. They can artificially inflate metrics like playtime or generate unqualified traffic, affecting campaign optimization and ROI.
Conclusion
