Click fraud is bleeding $100B from AdTech. Here's where the money actually goes.

The IAB estimated $84 billion in global ad fraud losses in 2025. Most industry analysts expect 2026 numbers to exceed $100 billion. These figures get cited often enough that they've lost their shock value — but the underlying mechanics matter for anyone running ad-monetized inventory or buying programmatic media at scale.

The losses aren't evenly distributed. Major advertisers with dedicated brand safety teams catch most fraud against their campaigns. Mid-size advertisers operating through agencies lose meaningful percentages of spend. Publishers with weak inventory protection see fraudulent impressions drown out their legitimate inventory. The aggregate $100B number is the sum of many smaller losses spread across the value chain.

This piece is for AdTech, programmatic, and publisher leaders trying to understand what their actual exposure looks like and what defenses hold up. Written to explain the five major fraud categories in AdTech, why post-bid verification isn't enough, and what pre-bid architecture actually works.

The five major fraud categories in AdTech

Click fraud

The most direct form. Automated traffic clicks paid ads with no conversion intent. The advertiser pays for the click; the click produces no value. Industry benchmarks put click fraud at 15–25% of paid clicks across most campaigns.

The mechanism: bot networks or paid traffic operations generate clicks at scale. Modern operations use residential proxy infrastructure to make the clicks look like legitimate consumer traffic. The cost per fraudulent click is fractions of a cent on the attacker side, while the advertiser pays $1–$50 per click depending on the auction.

The targets: campaigns with high CPCs are most attractive. A legal services campaign paying $50+ per click is a more attractive target than a brand awareness campaign paying $0.25 per click. The fraud follows the money.

The defense pattern that fails: post-click conversion analysis. By the time you've noticed that clicks aren't converting, the budget is spent. Refunds from ad networks are possible but slow and partial.

The defense pattern that works: pre-bid device intelligence. Verify that the impression is being served to a legitimate device before the bid is placed. Latency budget is tight — typically under 50 milliseconds — but workable with the right architecture.

Impression fraud

Lower per-event value than click fraud, higher volume. Bot traffic generates impressions on inventory the advertiser pays for, but no human ever sees the ad. Industry estimates suggest 10–20% of impressions across the ecosystem are fraudulent.

The mechanism: publishers (often shadow publishers operating across multiple sites) generate bot traffic to drive impression counts on their inventory. The bot loads the page, the ad serves, the impression counts, the publisher gets paid. The traffic was never human.

The variants:

• Ad stacking: Multiple ads served in a single slot. User (if there was a user) sees only the top ad. The other 4–10 ads in the stack count as impressions.
• Pixel stuffing: Ad served in a 1×1 pixel iframe. Technically "viewable" by industry definition. Visible to nobody.
• Auto-refresh fraud: Pages auto-refresh ad slots at high frequency, generating impressions on each refresh. Common on low-quality sites trying to maximize impression count.

The defense pattern that fails: viewability metrics alone. MRC viewability standards (50% of pixels visible for 1 second) are easily gamed. Inventory that "passes" viewability can still be impression-fraud.

The defense pattern that works: pre-bid traffic quality assessment. Identify whether the device requesting the impression is a real consumer device or part of an inventory-inflation operation.

Conversion fraud

Specific to performance marketing and affiliate networks. The advertiser pays CPA (cost per acquisition) — typically $10–$200 per qualified lead, signup, or sale. Fraud operations generate fake conversions that look legitimate enough to claim CPA payouts but never produce actual customers.

The mechanism: affiliate operations harvest leads from previous data breaches, populate signup forms with these credentials, and claim CPA payouts. Or they create disposable identities through identity-as-a-service operations, complete the conversion flow, and disappear.

The economics: affiliate networks pay CPA on conversions. Fraud operations generate conversions at low marginal cost. Spread the operation across multiple advertisers and networks; each individual loss is small enough to escape close scrutiny but aggregate volume is significant.

The defense pattern that fails: looking at conversion rates in isolation. Fraudulent traffic often produces normal-looking conversion rates because the fraud is structured to look normal.

The defense pattern that works: device-level analysis of conversion sources. Multiple "different" leads coming from the same device fingerprint signals affiliate fraud. Cross-customer device linking catches operations spanning multiple advertisers.

Domain spoofing

The fraud category that exploits the ad exchange ecosystem most directly. The attacker misrepresents inventory to ad exchanges, claiming impressions are happening on premium domains when they're actually happening on shadow sites.

The mechanism: the ad request includes metadata claiming the page domain. Some exchanges and SSPs don't rigorously verify this. The advertiser pays premium CPM for impressions on what they think is a trusted publisher; the impression actually serves on a shadow site that shares CPM revenue with the spoofer.

The variants:

• Subdomain spoofing: Claiming impressions on yourbrand.com when they're on subdomain.shadowsite.com that mimics it.
• App-domain spoofing: Mobile app inventory claiming to be premium app inventory.
• CTV/streaming spoofing: Connected TV impressions claimed to be on premium streaming platforms.

The defense pattern that fails: trust the SSP. Many SSPs have inadequate verification on domain claims. Trust without verification is the vulnerability.

The defense pattern that works: pre-bid verification of inventory authenticity. Combine device intelligence (catching bot-driven inventory inflation), referrer analysis (catching domain spoofing), and SSP audit (selective trust based on verification quality).

Sophisticated invalid traffic (SIVT)

The IAB category that captures the most concerning fraud — bot traffic specifically designed to look like real users to evade detection. This isn't crude click bots; it's automation that simulates engagement metrics, completes funnel actions, and looks behaviorally similar to humans.

The mechanism: bot operations driven by sophisticated software (often LLM-powered agents in 2026) drive real engagement on advertiser sites. They scroll, dwell on pages, click through navigation, and sometimes complete partial conversions. The behavioral signature looks similar enough to humans that simple behavioral analysis doesn't catch them.

The defense pattern that works: device-level intelligence that catches the gap between behavioral similarity and underlying infrastructure differences. The agent might behave like a human, but the device, network, and environmental characteristics give it away. Multi-layer detection with coherence checking catches what behavioral analysis alone misses.

The architecture gap most advertisers have

Most advertisers and publishers use one or more of these defense layers:

Post-bid verification (MOAT, IAS, DV, etc.). Analyzes impressions after they're served. Good for refund claims and brand safety reporting. Not effective for prevention — the budget is already spent.

Static block lists. Lists of known-fraudulent domains, IPs, or device characteristics. Bypassed by simply changing the surface signature. Maintenance burden is high; effectiveness is limited.

Ad exchange filters. Pre-bid filters built into the ad exchange or DSP. Quality varies dramatically. The major DSPs have sophisticated filters; smaller ones don't.

Conversion tracking analysis. Detect fraud by looking at conversion rates and quality. Catches the lazy fraud; misses the sophisticated kind that's designed to produce normal-looking conversion rates.

Internal traffic analytics. Some advertisers analyze their own traffic for fraud patterns. Useful for catching some fraud after the fact; limited for prevention.

The gap: real-time, pre-bid intelligence about whether the inventory is legitimate before the bid is placed. This is the layer that's underinvested across the industry. The architecture to implement it exists but isn't widely deployed.

What pre-bid device intelligence looks like

The architectural pattern:

At the publisher side: SDK on the page captures device fingerprint and behavioral signals as the page loads. The device data is included in bid request metadata sent to ad exchanges.

At the ad exchange: Bid requests carry the device intelligence payload alongside standard inventory information.

At the DSP / advertiser side: Pre-bid verification call against the device intelligence service. The service returns a verdict — likely human, possibly bot, likely fraud — within the 10–50 millisecond pre-bid latency budget.

Decision logic: The DSP uses the verdict to decide whether to bid on the impression. Likely human inventory gets bid normally. Likely bot inventory gets bid at lower amounts or skipped entirely. Likely fraud gets explicitly excluded.

Post-bid logging: The verdict and signals are logged with the impression for post-event analysis, refund claims, and ongoing rule tuning.

The advantage: prevention rather than post-event refund. The advertiser doesn't pay for fraudulent inventory in the first place rather than chasing refunds afterward.

The latency constraint is real. Pre-bid budgets are typically 100ms total round-trip from auction start to bid response. Within that, the device intelligence call needs to complete in 30–50ms to leave time for other DSP logic. This is a hard engineering constraint that limits which detection architectures are viable in the pre-bid context.

What a deployment actually looks like

A programmatic advertising platform serving roughly 100M impressions monthly. Pre-deployment estimate of fraud rate based on industry benchmarks: 18–25% of impressions reaching either bots or fraudulent inventory.

Architecture deployed:

• Device intelligence SDK on publisher inventory (where access available)
• Pre-bid verification call from DSP to verification service
• Verdict integration into bid logic with three thresholds (high confidence human, suspicious, likely fraud)
• Post-bid logging for analysis and refund claims

Results at 90 days:

• Bot impressions reduced 78% on inventory with SDK deployment
• Click-through rate increased 31% on cleaned inventory (because real humans were actually seeing ads)
• Conversion rate increased 22% on cleaned inventory (because clicks came from real users)
• Refund claims to upstream SSPs reduced 60% (because pre-bid prevention caught most fraud before it required refund)
• Average bid latency added by verification: 32ms (within budget)
• Direct savings on prevented fraud: $340K per month at this scale

The ROI math for the platform: verification infrastructure cost roughly $4,000 per month. Direct savings: $340K per month. The non-direct benefits (improved campaign performance metrics, better advertiser retention, less time spent on refund claim management) compound the value.

What this means for your team

If you're operating in the AdTech space, three observations:

Observation 1: Your fraud rate is probably higher than what shows in reports. Post-bid verification catches what it can identify. Sophisticated invalid traffic specifically targets the gaps in post-bid verification. The honest rate is usually higher than the reported rate, sometimes significantly so.

Observation 2: Pre-bid is underinvested across the industry. Most platforms have post-bid verification because the industry has standardized on it. Pre-bid verification is the high-leverage gap. The platforms that deploy it have an advantage their competitors don't.

Observation 3: The 50ms latency constraint is a feature, not a bug. Architectures that fit the latency budget are forced to be efficient. Architectures that don't fit get rejected by ad exchanges. The constraint produces better engineering.

The platforms that handle this transition well share a pattern: they measure fraud rate honestly (including the categories post-bid verification misses), deploy pre-bid verification at every available inventory point, and treat the integration as ongoing engineering rather than vendor selection.

Where Tracio fits

Tracio device intelligence is designed for pre-bid deployment in the AdTech context. The architecture meets the 50ms latency budget that ad exchanges require. The signal coverage handles all five fraud categories — click fraud, impression fraud, conversion fraud, domain spoofing, and SIVT — through a unified detection layer.

The integration patterns:

• Publisher-side SDK for inventory verification
• DSP-side server call for pre-bid verdict
• Cross-customer signal sharing for catching fraud operations spanning multiple advertisers
• Polymorphic JavaScript layer that rotates daily to resist evasion by fraud operations

The verdict — likely human, suspicious, or likely fraud — returns in under 50ms with the underlying signals attached. The DSP team uses this to drive bid logic. The publisher team uses it to filter inventory before serving.

The free tier covers 2,500 verifications per month — enough to run a meaningful pilot on a specific campaign or inventory segment and measure your actual fraud rate.

Want to see what your real fraud rate looks like?

Start your free trial — 2,500 verifications free, no credit card required. Book a demo to walk through your specific AdTech deployment scenario with our team — including pre-bid integration patterns and DSP-specific architecture.