Decloaking Ad Fraud: Answers to Your Top Questions

Without rigorous preventative measures, upwards of 40% of ad budgets may be lost to fraud. This estimate, drawn from industry analysis and Kochava’s extensive fraud investigation experience, represents the potential impact when advertisers operate without capable detection systems.

While advertisers are generally resigned to accepting moderate levels of fraud (single- to low double-digit percentages), the aspiration should always be to minimize this to the lowest feasible rate through vigilant detection and mitigation systems rather than writing off a set percentage as “normal.” The goal is to create an environment where fraud becomes economically unviable for bad actors.

CMOs should monitor click flooding indicators, install validation failure rates, percentage of jailbroken or rooted devices receiving attribution from specific publishers, and time-to-install (TTI) distributions. These metrics serve as early warning systems that don’t require deep technical expertise to interpret.

Unusually high concentrations of jailbroken devices (anything approaching double digits from a single source), disproportionate TTI clustering (installs occurring within seconds of clicks), and high authentication failure rates signal fraud risks. For perspective, Kochava’s install authentication disqualifies about 1.8% of all install traffic, but some individual networks show install authentication failure rates as high as 40%—a clear red flag warranting immediate investigation.

Establishing verification rules and regularly reviewing violation reports are recommended first steps for rapid detection and action.

Click-through-rate (CTR) values above 10% warrant investigation. In legitimate advertising environments, CTRs rarely exceed single digits consistently, as genuine user engagement follows predictable patterns based on creative quality, audience targeting, and placement context.

CTRs above 100% represent a mathematical impossibility in legitimate advertising—indicating either gross errors in measurement or deliberate manipulation wherein impressions are underreported and/or clicks are fraudulently manufactured without legitimate ad views. Always investigate campaigns with abnormally high CTR for data integrity issues, as they often reveal broader fraud schemes affecting multiple metrics.

Robust traffic verification tools produce comprehensive audit trails, enabling both immediate action and long-term optimization:

• Detailed reports showing which ad signals fail verification and specific reasons (e.g., timing anomalies, blocklisted entities, device authentication issues)
• Ongoing partner-level summaries showing accepted and rejected traffic with trend analysis
• Actionable datasets and exception logs for informing network partners and enabling dispute processes or contract renegotiations

While not always directly exportable as platform-ready audience segments, these outputs empower advertisers to block fraudulent traffic sources, optimize spend allocation, and define custom segments for further targeting or exclusion. The key is treating verification as an ongoing audit function rather than a one-time check.

Kochava Traffic Verifier uses a multi-layered detection protocol to identify and mitigate waste in real-time.

Session hijacking—where fraudsters intercept legitimate user sessions to claim attribution for organic conversions—requires specialized detection beyond standard fraud monitoring. Best practices involve deploying web application firewalls (WAFs), monitoring session token integrity, employing device fingerprinting, and using behavioral anomaly detection to identify suspicious session patterns in real-time.

Advanced solutions can detect when session characteristics suddenly change mid-journey (different IP addresses, device signatures, or behavioral patterns), indicating potential hijacking attempts. The goal is to maintain session continuity verification throughout the conversion funnel.

In retargeting, click flooding dominates the fraud landscape—fraudsters generate massive volumes of false ad signals concentrated across very few devices to maximize attribution claims from existing users. This differs from user acquisition fraud, which focuses on manufacturing new attributed users.

Analyze device-level distribution of ad events: If single devices account for abnormally high click volumes (sometimes tens of thousands), this is an immediate red flag. In the webinar, we noted cases where individual devices showed 30,000+ attributed clicks across apps & campaigns—physically impossible for human interaction.

Other retargeting fraud tactics include recording impressions as clicks to boost attribution priority. Cases where clicks outnumber impressions or CTRs exceed 100% indicate systematic manipulation. Monitor suspicious referral strings, OS type distributions, and cohort anomalies to enhance detection capabilities.

The fundamental distinction lies in optimization goals: Retargeting fraud maximizes events per device rather than new installs, while UA fraud focuses on maximizing unique attributed install conversions.

Retargeting fraud favors click flooding and recycling ad events for known devices, exploiting the fact that these users already exist in attribution systems. Fraudsters can generate thousands of false clicks knowing that eventual organic app usage will trigger attribution to their inflated click volumes.

User acquisition fraud exploits install farms and click injection designed to manufacture entirely new attributed users through device emulation, app store manipulation, or hijacking genuine download processes. These schemes require more sophisticated infrastructure but offer higher per-conversion payouts.

Modern fraudsters can script comprehensive post-install event sequences to mimic legitimate user funnel progression, including fake in-app purchases, registrations, and payment events that at times even clear through actual banking systems. We have come a long way from simple install fraud toward complete user journey simulation.

However, telltale signs emerge when analyzing conversion quality. Look for dramatic drop-offs in completion rates at specific funnel stages when comparing paid vs. organic cohorts, or mismatches between reported event completion and actual business outcomes (e.g., revenue recognition, customer service interactions).

Advanced fraud operations may trigger legitimate payment events while ensuring that the underlying user accounts remain dormant, creating impressive and inherently impossible conversion metrics. Scrutinizing event sequences and implementing receipt verification (comparing in-app purchases against store receipts) can reveal these cunning schemes.

Made-for-advertiser sites represent a gray area between fraud and low-quality inventory, but detection follows similar principles to fraud identification. MFA identification involves analyzing site/content quality metrics, ad-to-content ratios, and engagement pattern comparisons across traffic sources.

Deploy blocklists of known MFA sites coupled with behavioral metrics such as bounce rate, session duration, and page views per session. If there’s a cohort of suspected incentivized installs, examine post-install behavior patterns: Do users all behave identically—completing exactly one level and then abandoning the app, or viewing a specific store item and nothing else?

During the webinar, we emphasized looking for unnatural uniformity in user behavior, as legitimate users exhibit natural variation in engagement patterns that MFA and incentivized traffic often fail to replicate convincingly.

In the webinar, we expressed particular skepticism about “networks grading their own homework,” with PMAX and PPC requiring especially careful independent monitoring. Large platforms like Google possess sophisticated fraud detection, but they also have incentive to maximize advertiser spend.

We recommend vigilance around potential zombie conversions—attributed events that satisfy technical requirements but lack genuine user intent or business value. Focus on measuring post-install/event quality rather than relying solely on claimed conversions for campaign evaluation.

All major buying platforms—including Google’s—can be susceptible to fraud without careful, independent monitoring of downstream quality events. The key lies in implementing parallel measurement systems that verify platform-reported performance against actual business outcomes and user behavior patterns.

This scenario exhibits multiple fraud indicators that warrant immediate investigation. The combination of geographic concentration, technical anomalies, and impossible performance metrics suggests coordinated fraud infrastructure rather than isolated issues. Your analysis has already identified key warning signs: geographic concentration anomalies, VPN usage patterns, and statistically impossible CTRs.

Expand the investigation by examining:

• Timing patterns: Do clicks cluster around specific times or follow unnatural regular intervals?
• OS and referral string analysis: Are device signatures consistent with claimed traffic sources?
• Post-install activity assessment: Compare conversion rates and engagement patterns for these suspicious cohorts against baseline performance.
• TTI and installation funnel behaviors: Look for artificial patterns in user journey timing.

These steps can reveal manufactured installs, fraudulent click traffic, or systematic attempts to game attribution at scale.