Ad Fraud is a popular topic of discussion in the digital advertising world today. Criminals set up networks of fake sites, create bots to drive a large number of phony impressions, and exploit the programmatic ecosystem to make money from ads that no one sees. To combat such nefarious activity, advertisers and agencies require some form of invalid traffic verification to filter out bot traffic.

But you run a reputable site. You don’t use bots to inflate your impression numbers. So, why are verification companies reporting that a percentage of your traffic is generated by bots, costing you money and hurting your reputation with advertisers in the process?

The truth is that intentional ad fraud is only a portion of the problem. Most bots were created for a purpose unrelated to advertising. But they have huge unintended consequences for the industry.

Verification Companies Get It Wrong

A verification company’s primary role is to make sure an ad ran where it was supposed to. They check for viewability, ensure multiple ads aren’t loading on top of each other, protect brand safety, and a host of other things. Identifying bots is not at the core of their business. In fact, they’ve only recently started to address it. As a result, they use rudimentary detection methods, like IP and domain blacklisting. But those methods just don’t work anymore.

Criminals are smart, and as verification methods have improved, they have become more sophisticated. In 2017, 74% of bots were Advanced Persistent Bots that cycle through IP addresses and switch user agents. They accomplish this by using malware to hijack legitimate devices. When a user installs an irreputable browser plugin, he or she could initiate bot activity in the background that results in their device being added to a blacklist. Worse yet, this blacklisting will remain even after the user removes the malware from their device. That human user may never see another one of your ads.

You Have Bots on Your Site and Don’t Want Them There

Ad fraud is only one of many reasons the bad guys create bots. In fact, last year more than 42% of all internet traffic came from bots, and most bots are not involved in ad fraud. If you create content, chances are someone has written a web scraping bot to steal that content from you and monetize it for themselves. Sites that have a paywall are an even bigger target.

If your visitors log into an account, hackers want to steal those login credentials so they can sell them on the black market. They also want to use your site to test the validity of credentials they may have stolen or purchased elsewhere. On average, sites face login attacks two to three times per week. But after a data breach, like ones we’ve seen recently from Best Buy, Lord and Taylor, and Panera, that number triples.

Ad fraud bots will visit your site to pick up one of your cookies, making them appear more real and less suspicious. A rich history of cookies with intent data also makes them more targetable, and thus more valuable. None of these bots care about generating an impression on your site, but if you don’t take measures to prevent it, you will unwittingly show them an impression.

Bots aren’t just wasting your advertisers’ money, they’re hurting your bottom line as well. While bots can watch videos and click on ads, sometimes on purpose and other times as an unintended consequence, they don’t ever convert or make real purchases. Filtering bot impressions produces higher click-through rates, increasing campaign conversions. The same applies to your audience segments as well. When your inventory performs better, advertisers buy it more often.

You Can Do Something About It

You have a bot problem. Every website does. Bots are stealing your content, hurting your relationship with advertisers, making your campaigns perform worse, and siphoning ad dollars away from you. A post-campaign report does nothing to help you with any of these problems. It’s frustrating, but there are a few things you can do right now to stop bots before they hit your site:

Block outdated user agents and browsers

Many bot tools have default configurations that contain outdated user-agent string lists. This step won’t stop the more advanced attackers, but it might catch and discourage some. And the risk here is very low. Most modern browsers force auto-updates on users, making it more difficult for real users to browse using an outdated version.

Monitor your traffic sources carefully

Do any have high bounce rates? Do you see lower conversion rates from certain traffic sources? These can be signs that a source is sending you bot traffic. Buying traffic or using audience extension platforms only exacerbates the problem. If you are incentivizing someone to send you large volumes of traffic, chances are they are going to game the system, often using bots. Avoid them if you can.

Get help

Bots mitigation is an arms race. As long as the incentives and potential rewards are great, fraudsters and hackers will keep innovating to create new bots that get past whatever measures you put in place. You aren’t in the business of catching bots, and you just can’t keep up on your own. A third party expert on bot mitigation will help you stay ahead of the bad guys, and also help you push back on false positives from verification companies.

Reid Tatoris is VP Product Outreach and Marketing at Distil Networks. Reid was previously the co-founder of Are You A Human, a Detroit-based company that analyzes how real humans interact with the Internet. Prior to starting Are You a Human, Reid was a technology consulting working in strategic roles and leading development teams. Reid holds both an Engineering Degree and an MBA from the University of Michigan and is a mentor for Techstars Mobility.