When a risk manager says "we have an ATO" and a marketer hears only an unintelligible word, the business loses money. Not because there is no protection, but because the teams are not speaking the same language.
This glossary closes the foundational gap: key terms that everyone working with digital traffic, advertising budgets, or online payments should know.
Financial and Transactional Fraud
BIN Attack
What it is: Automated brute-forcing of bank card numbers.
A BIN (Bank Identification Number) consists of the first 6 digits of a card, which identify the bank and the product type. They are not secret: their databases are publicly available. The scammer knows the BIN and uses scripts to guess the remaining digits, expiration date, and CVV, testing thousands of combinations per minute.
How it looks in practice: An online store suddenly receives hundreds of micro-transactions for $1-$2 from different cards of the same bank. These are not buyers; this is brute-forcing. The goal of the attack is to find active cards for subsequent fund withdrawals.
Why it's dangerous for business: In addition to direct losses, a BIN attack leads to fines from payment systems for exceeding the permissible percentage of failed transactions.
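The "hundreds of micro-transactions from cards of the same bank" pattern above can be turned into a velocity rule. The following is an added example, not code from the original article: it runs over a constructed list of authorization attempts and flags a BIN when many distinct cards are tried with small amounts inside a short window and most attempts are declined. The window, card-count, amount and decline-rate thresholds are assumptions to be tuned per merchant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authorization attempts (not real data). Each entry is
# (timestamp, BIN, masked card id, amount in USD, authorization result).
SAMPLE_AUTHS = [
    ("2025-03-01T10:00:00", "411111", "c01", 1.00, "declined"),
    ("2025-03-01T10:00:20", "411111", "c02", 1.50, "declined"),
    ("2025-03-01T10:00:45", "411111", "c03", 1.00, "declined"),
    ("2025-03-01T10:01:10", "411111", "c04", 2.00, "approved"),
    ("2025-03-01T10:01:30", "411111", "c05", 1.00, "declined"),
    ("2025-03-01T10:02:00", "411111", "c06", 1.25, "declined"),
    # ordinary traffic from another BIN: few cards, normal basket sizes
    ("2025-03-01T10:00:30", "522222", "c10", 49.99, "approved"),
    ("2025-03-01T10:03:00", "522222", "c11", 120.00, "approved"),
    ("2025-03-01T11:30:00", "522222", "c12", 3.00, "declined"),
]


def detect_bin_attack(auths, window=timedelta(minutes=5), min_cards=5,
                      max_amount=5.0, min_decline_rate=0.7):
    """Return {bin: stats} for BINs whose small-amount attempts within any
    `window` involve at least `min_cards` distinct cards and are declined at
    a rate of `min_decline_rate` or higher. Thresholds are assumptions."""
    by_bin = defaultdict(list)
    for ts, bin_, card, amount, result in auths:
        by_bin[bin_].append((datetime.fromisoformat(ts), card, amount, result))
    flagged = {}
    for bin_, events in by_bin.items():
        events.sort()  # chronological order so the sliding window is valid
        start = 0
        for end in range(len(events)):
            # advance the window start until it covers at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            small = [e for e in events[start:end + 1] if e[2] <= max_amount]
            cards = {e[1] for e in small}
            if len(cards) < min_cards:
                continue
            rate = sum(e[3] == "declined" for e in small) / len(small)
            prev = flagged.get(bin_)
            # keep the window with the most distinct cards for the report
            if rate >= min_decline_rate and (prev is None or len(cards) > prev["cards"]):
                flagged[bin_] = {"cards": len(cards), "attempts": len(small),
                                 "decline_rate": round(rate, 2)}
    return flagged


if __name__ == "__main__":
    print(detect_bin_attack(SAMPLE_AUTHS))
```

Feeding the flagged BIN into a temporary block or step-up rule at the payment gateway stops the brute-force before the decline ratio triggers scheme fines.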
Chargeback
What it is: A forced refund to the buyer through the payment system, bypassing the seller.
The mechanism was created as consumer protection: if an item did not arrive or the card was used without the owner's knowledge, the bank returns the money. In this scenario, the seller loses both the item and the amount, plus pays a fee for the chargeback itself.
The dark side is Friendly Fraud: The buyer receives the item, is satisfied, but calls the bank and says, "I didn't order this." The bank takes the customer's side. The seller is left with nothing. According to Chargebacks911, up to 86% of chargebacks in e-commerce are friendly fraud, rather than genuine third-party fraud.
Botnet
What it is: A network of infected devices remotely controlled by an attacker.
It can include thousands of computers, smartphones, and IoT devices; their owners often have no idea that their gadget is executing someone else's commands.
There are several uses for botnets: DDoS attacks, credential stuffing, and, especially relevant for advertising ecosystems, click fraud. The botnet clicks on banners, the advertiser pays for each click, and the report looks decent, but there isn't a single real person behind the traffic.
Skimming & Shimming
What it is: Physical methods of stealing card data.
A skimmer is an overlay on an ATM card reader that reads the magnetic stripe data. A shimmer is a microchip as thin as a human hair inserted inside the slot, intercepting the chip data.
In the online world, their equivalent is Magecart attacks: injecting malicious JavaScript code into the checkout page. While the buyer enters their card details, the script quietly copies them and sends them to the scammer.
AdTech Fraud: Advertising Schemes
Ad fraud is a separate ecosystem where money leaks quietly and methodically. Budgets are spent, metrics look normal, reports are pleasing, but there are no real buyers behind the numbers.
Click Fraud
What it is: Imitation of clicks on ads using bots or device farms.
The most common type of ad fraud. The advertiser pays for every click, and pays for nothing. Modern bots can mimic human behavior: random pauses, scrolling, mouse movement. A simple IP check no longer works; behavioral analysis at the session level is required.
Click Injection
What it is: Mobile fraud where a malicious app "injects" its click at the last moment before installation and claims the attribution.
The scheme works like this: a malicious app installed on a user's smartphone monitors signals about the downloading of other apps from the store. At the right moment, it generates a fake click from the real device; the attribution system decides that this specific source brought the user and pays out a commission to the scammer.
Why it's dangerous: The victim is a real user, the device is real, the install is real. Detecting this fraud without analyzing the time patterns between the click and the install is virtually impossible.
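The time pattern mentioned above is the click-to-install time (CTIT): a genuine user needs minutes to click, download and open an app, while an injected click lands seconds before the first open. The following is an added example, not code from the original article or from any MMP: it groups constructed attribution records by traffic source and flags sources where an assumed share (20 %) of installs have a CTIT below an assumed floor (10 s).

```python
from collections import defaultdict
from datetime import datetime

# Constructed attribution events (not real data): the click credited to each
# install and the moment the app was first opened on the device.
SAMPLE_INSTALLS = [
    {"install": "i1", "source": "net_A", "click": "2025-03-01T09:00:00", "open": "2025-03-01T09:04:10"},
    {"install": "i2", "source": "net_A", "click": "2025-03-01T09:10:00", "open": "2025-03-01T09:17:45"},
    {"install": "i3", "source": "net_B", "click": "2025-03-01T09:20:02", "open": "2025-03-01T09:20:05"},
    {"install": "i4", "source": "net_B", "click": "2025-03-01T09:25:00", "open": "2025-03-01T09:25:04"},
    {"install": "i5", "source": "net_B", "click": "2025-03-01T09:30:00", "open": "2025-03-01T09:38:00"},
]


def ctit_seconds(event):
    """Click-to-install time: seconds between the credited click and first open."""
    click = datetime.fromisoformat(event["click"])
    opened = datetime.fromisoformat(event["open"])
    return (opened - click).total_seconds()


def score_sources(installs, min_plausible_ctit=10.0, max_short_share=0.2):
    """Per source: install count, number of installs with an implausibly short
    CTIT, their share, and a flag when that share exceeds `max_short_share`.
    Both thresholds are assumptions, not values from the article."""
    stats = defaultdict(lambda: {"installs": 0, "short": 0})
    for ev in installs:
        s = stats[ev["source"]]
        s["installs"] += 1
        if ctit_seconds(ev) < min_plausible_ctit:
            s["short"] += 1
    for s in stats.values():
        s["short_share"] = round(s["short"] / s["installs"], 2)
        s["flagged"] = s["short_share"] > max_short_share
    return dict(stats)


if __name__ == "__main__":
    for source, s in score_sources(SAMPLE_INSTALLS).items():
        print(source, s)
```

In production the same grouping is applied to the full CTIT distribution per source rather than a single cutoff, since a spike in the first seconds is the signature even when most installs look normal.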
SDK Spoofing
What it is: Imitating mobile app installs without a real installation taking place.
The scammer intercepts the traffic between the mobile app and the attribution system (MMP: AppsFlyer, Adjust, Branch) and reproduces the signals of legitimate installs on an industrial scale. There are no real users β just a stream of fake events, each of which the advertiser pays for. One infected server can generate thousands of fake installs per hour.
Ad Stacking
What it is: Multiple ad banners are layered on top of each other within a single ad slot.
The user only sees the top banner, but an impression is counted for all layers simultaneously. Every advertiser in the stack pays for an "impression" that no one saw. This is a simple scheme with massive damage.
Domain Spoofing
What it is: Selling cheap ad inventory disguised as premium publishers.
The scammer participates in RTB auctions, specifying an authoritative domain in the bid request, for example forbes.com. The advertiser pays top-media rates, but the ad is actually shown on an anonymous site with fake traffic.
Pixel Stuffing
What it is: An ad banner sized 1×1 pixel: invisible to the user, but counting as an impression.
Technically the ad is present on the page, the view counter triggers, the CPM budget is spent. In reality, the ad is seen by no one. Used on sites with massive page volumes where scammers place hundreds of such pixels simultaneously.
Geo Masking
What it is: Falsifying traffic geolocation: cheap traffic from one country is passed off as expensive traffic from another.
An advertiser buys a US or Western European audience at corresponding rates. In reality, they receive traffic from low-cost regions via proxies, VPN farms, or infected devices. There are no conversions because the real audience does not match the offer geographically.
Cookie Stuffing
What it is: Fraudulent substitution or hidden addition of affiliate cookies in a user's browser without their knowledge.
Affiliate programs work on a "last-click" basis: whoever brought the buyer last gets the commission. A cookie stuffer embeds their affiliate ID into the victim's browser in the background, via a hidden iframe, redirect, or infected site. When the user makes a purchase on their own, the system "thinks" the scammer brought them. The advertiser pays for a conversion the scammer had nothing to do with.
Invalid Traffic (IVT)
What it is: Any traffic in ad systems that is not a genuine interaction by a real human user with an ad.
The IAB and MRC divide IVT into two levels:
- General IVT (GIVT): known bots, search crawlers, monitoring services.
- Sophisticated IVT (SIVT): advanced schemes such as botnets mimicking humans, device farms, and click injections.
Protection Tools: Terms Worth Knowing
Device Fingerprinting
What it is: Technology for identifying a device based on a combination of its characteristics, without using cookies.
The system collects parameters: browser version, fonts, screen resolution, time zone, GPU behavior. Together they provide a unique "fingerprint," allowing the device to be recognized even after changing IP or clearing cookies. Used in anti-fraud to detect multi-accounting and bots masquerading as real users.
Phishing-as-a-Service (PhaaS)
What it is: Ready-made infrastructure for phishing attacks available for rent.
For a few dozen dollars a month, a scammer gets an exact replica of a bank or marketplace interface, a victim management panel, and automated mailing. No technical knowledge is required. This has been the main driver of growth in Account Takeover (ATO) attacks in 2025-2026: the entry barrier to cybercrime has dropped to an absolute minimum.
Why It's Important to Know
Anti-fraud is not just a technical task. It is a common language between marketing, security, and finance. When the team understands how cookie stuffing differs from click fraud, and SDK spoofing from click injection, it becomes possible to build real defense: preventing losses at the source rather than reacting to the aftermath.
"Understanding anti-fraud terminology allows a business to move from reactive to proactive protection. When a specialist can distinguish classic carding from a synthetic identity, they can fine-tune rules precisely and save conversions."