What is Ad Stacking?

Ad stacking is a type of digital ad fraud where multiple ads are layered on top of each other in a single ad slot, but only the top-most ad is visible to the user. Despite this, impressions are illegitimately registered and charged for every single ad in the hidden stack.

This deceptive practice is designed to inflate impression counts and generate fraudulent revenue for dishonest publishers. Advertisers end up paying for ads that had zero chance of being seen by a human user, completely wasting their ad spend.

Ad stacking is a direct violation of guidelines set by the Interactive Advertising Bureau (IAB). It fundamentally undermines the trust and transparency required in the programmatic advertising ecosystem.

The Origins and Impact of Ad Stacking

Ad stacking emerged in the earlier, less-regulated days of digital advertising. As programmatic systems became more automated, bad actors found ways to exploit the technology for financial gain.

The core deception relies on the difference between what a server ‘sees’ and what a human sees. An ad server simply registers a request to load an ad and counts it as a served impression. It has no immediate way of knowing if that ad was actually visible on the screen.

Fraudsters took advantage of this technical loophole. By using simple code, like JavaScript or nested iframes, they could call multiple ads into a space designed for only one. The result is a significant financial drain on advertisers and skewed performance data that makes campaign optimization impossible.

Over time, this practice has forced the industry to develop more sophisticated detection methods. Ad verification companies and industry bodies now work to identify and block this form of invalid traffic (IVT), but the technique continues to evolve.

The Technical Mechanics of an Ad Stack

Understanding how ad stacking works requires looking ‘under the hood’ at the process that fools both advertisers and ad exchanges. The entire operation hinges on creating a difference between technical impression records and actual human visibility.

The process begins when a fraudulent publisher sets up a standard ad placement on their website. To an advertiser or ad exchange, this placement, for example a 300×250 pixel rectangle, appears to be a legitimate piece of ad inventory.

Using custom JavaScript or by manipulating CSS properties within an iframe, the publisher then loads multiple ads into this single container. The ads are layered precisely on top of one another, with z-index values determining their order in the stack. Only the ad with the highest z-index is visible on the webpage.

Here is where the fraud truly happens. As the page loads, a programmatic call is made for each ad in the stack. Every ad network or Demand-Side Platform (DSP) whose ad is called receives a signal that their ad was ‘served’.

Consequently, an impression is recorded and billed for each layered ad. If ten ads are stacked, ten impressions are charged to ten different advertisers (or the same advertiser multiple times). All of them are competing for a single slot, but only one has a visible ad.

From the server’s perspective, everything looks legitimate. The ad calls are made, the ad creative is delivered, and the impression pixels fire correctly. Without a third-party verification tool checking the actual page layout and visibility, the fraud goes completely undetected.

This creates a cascade of problems. Advertisers pay for unseen ads, their campaign data becomes corrupted with useless impressions, and the fraudulent publisher profits from the deception. The entire programmatic auction is compromised by this false inventory.

Step-by-Step Fraud Execution

To make the process clearer, let’s break down the technical sequence of an ad stacking scheme. This chain of events happens in milliseconds every time a user visits a compromised page.

• Placement Creation: A publisher designates a space on their site for a standard ad unit, like a 728×90 leaderboard.
• Code Injection: The publisher or a malicious script on their site injects code. This code creates multiple ad containers (like divs or iframes) that are positioned absolutely, meaning they can be placed on top of each other at the exact same pixel coordinates.
• Multiple Ad Calls: As the page loads, the fraudulent script makes simultaneous ad requests to an ad exchange or SSP for each of the layered containers.
• Auction and Ad Serving: The ad exchange runs auctions for each request. Multiple advertisers win bids and their ads are served. The ad server for each winning advertiser fires an impression pixel, logging a billable event.
• Visual Deception: All served ads are rendered in the designated space. However, due to CSS properties like `z-index`, only the top ad is visible. All others are completely obscured.
• False Reporting: The publisher’s ad server reports a high volume of impressions, earning them revenue. The advertisers’ DSPs report that their ads were served, burning through their budgets on inventory with zero viewability.

Case Study A: E-commerce Brand’s Wasted Spend

The Scenario

A popular direct-to-consumer (DTC) sneaker brand launched a major programmatic display campaign. Their goal was to drive traffic to their new product line. They allocated a significant budget to run ads across a wide network of publisher websites.

The Problem

Initial campaign reports looked promising from a top-level perspective. Impression volume was massive, and the click-through rate (CTR) from a few specific lifestyle blogs was surprisingly high. However, the analytics team noticed a glaring issue: conversions from these high-impression sites were zero.

The cost-per-acquisition (CPA) for this segment of traffic was effectively infinite. The brand was spending thousands of dollars on impressions and clicks that never resulted in a single sale. This anomaly was big enough to skew the entire campaign’s ROI into negative territory.

The Investigation

Sensing fraud, the marketing team implemented a third-party ad verification solution. The tool immediately began flagging impressions from the problem publishers. The primary reason cited was ‘ad stacking’ and ‘critically low viewability’.

A manual review confirmed the findings. The brand’s stylish sneaker ad was being served, but it was buried five layers deep in a stack. The top, visible ad was for a completely unrelated mobile game. The high CTR was likely due to bots programmed to click on hidden ads within the stack.

The Solution

The brand took immediate and decisive action. First, they added the fraudulent publisher domains to a universal blacklist within their DSP, preventing any future bids on that inventory. This stopped the financial bleeding instantly.

Second, they implemented stricter pre-bid filtering. They configured their DSP to automatically avoid bidding on inventory known for IVT or that failed to meet a minimum viewability threshold of 60%. This proactive measure helped shield them from similar schemes in the future.

Case Study B: B2B Lead Gen Campaign Failure

The Scenario

A B2B SaaS company specializing in cybersecurity software was running a lead generation campaign. The target audience was Chief Information Security Officers (CISOs) and IT Directors. They bought ad inventory on a curated list of tech news sites and industry forums.

The Problem

The campaign generated a huge number of impressions but almost no tangible results. The key performance indicator (KPI) was not clicks, but form fills for a downloadable whitepaper. Despite serving millions of impressions, the campaign generated fewer than ten leads, and none were from their target accounts.

The budget was evaporating with nothing to show for it. The marketing operations team was under pressure to either fix the campaign or shut it down. The data made no sense; the impressions were high, but engagement was non-existent.

The Investigation

A deep dive into the placement reports in their DSP revealed a suspicious pattern. Over 75% of the total campaign impressions were coming from a single, seemingly reputable tech news aggregator. Yet, this source had not produced a single lead.

They cross-referenced this data with their ad verification partner. The verification reports showed a viewability rate of less than 5% for that specific publisher. This was an enormous red flag. An impression that is not viewable cannot be engaged with, explaining the lack of form fills.

The Solution

The team immediately blacklisted the underperforming publisher. More strategically, they changed their buying model. Instead of purchasing on a standard CPM (cost per thousand impressions), they shifted to a vCPM (cost per thousand viewable impressions) model.

This simple change ensured they would only pay for ads that had a verifiable chance of being seen by a user. While the vCPM rate was higher, the overall cost was lower because they were no longer paying for millions of fraudulent, non-viewable impressions from stacked ads.

Case Study C: The Publisher as a Victim

The Scenario

An independent publisher ran a popular blog about sustainable gardening. They monetized their content through several major ad networks, relying on the income to support their work. Their traffic was legitimate, and they had a loyal, engaged audience.

The Problem

Out of nowhere, their revenue plummeted. Within a week, they received notifications from two of their largest ad network partners that their account was suspended due to ‘suspicious activity’ and ‘high levels of invalid traffic (IVT)’. They were accused of ad fraud.

The publisher was devastated and confused. They knew their audience was real and had never engaged in fraudulent practices. They were at risk of losing their primary source of income and having their professional reputation destroyed.

The Investigation

Facing a crisis, the publisher hired a web security consultant to audit their site. The consultant scanned the site’s code and server logs. The source of the problem was quickly identified: a recently installed third-party WordPress plugin for social sharing.

The plugin, which appeared legitimate, contained malicious code. This code was hijacking the publisher’s ad slots, secretly stacking multiple ads from shady networks beneath the publisher’s legitimate ads. The publisher was an unknowing victim, used as a host for a fraud operation.

The Solution

The publisher immediately removed the malicious plugin and all associated files. They ran a full security scan to ensure the site was clean. They then implemented a strict Content Security Policy (CSP) to prevent unauthorized scripts from running on their pages in the future.

With evidence from the security audit in hand, they appealed the suspension to their ad network partners. They were able to prove they were the victim of a supply chain attack, not the perpetrator of fraud. After a review, their accounts were reinstated, though they had to rebuild trust with the networks.

The Financial Impact of Ad Stacking

The financial damage caused by ad stacking is direct and substantial. It is not a theoretical loss; it is real money being stolen from advertisers’ budgets. The math behind the fraud reveals just how costly it can be.

Consider an advertiser buying inventory at a $10 CPM. This means they agree to pay $10 for every 1,000 ad impressions served. Now, imagine a fraudulent publisher stacks 10 ads in a single slot.

For every one user who visits the page, the publisher illegitimately records 10 impressions instead of one. If 1,000 users visit the page, the fraudster logs 10,000 impressions. The advertiser is then billed $100 ($10 CPM x 10 sets of 1,000 impressions).

In reality, there were only 1,000 legitimate opportunities to see an ad. The fair cost should have been $10. The fraudster has stolen $90. For the one potentially viewable ad at the top of the stack, the advertiser’s *effective* CPM was an astronomical $100.

This wasted ad spend is the primary injury. However, the secondary damage comes from corrupted data. The campaign’s performance metrics are rendered meaningless, leading marketing teams to make poor optimization decisions based on fraudulent signals.

Strategic Nuance: Beyond the Basics

Protecting against ad stacking requires more than just basic awareness. Advertisers need to adopt a more advanced and skeptical mindset to stay ahead of fraudsters. This involves debunking common myths and using more sophisticated tactics.

Myths vs. Reality

Myth: Ad stacking is an old, solved problem.
Reality: While detection has improved, fraudsters constantly develop new techniques. They use advanced JavaScript obfuscation to hide stacking activities from basic crawlers and verification scripts, making it a persistent threat.

Myth: My DSP’s built-in fraud filter is enough protection.
Reality: Native DSP filters are a good first line of defense but often focus on general invalid traffic like data center bots. They may miss sophisticated placement-level fraud like ad stacking, which requires specialized, third-party verification to detect accurately.

Myth: Ad stacking only happens on low-quality, unknown websites.
Reality: While common on such sites, it can also occur on seemingly legitimate websites. A publisher can be a victim themselves, with their site compromised by a malicious third-party script or plugin that injects stacking code without their knowledge.

Advanced Protective Tactics

Go beyond simple domain blacklisting. Fraudsters often use domain spoofing or rapidly cycle through domains. A more durable strategy is to analyze publisher sub-IDs and placement IDs. If a specific placement consistently shows near-zero viewability, block it at that granular level.

Make viewability a core part of your buying strategy. By setting a minimum viewability threshold of 70% (based on the IAB standard), you make ad stacking unprofitable for fraudsters. Since only the top ad in a stack has any chance of being viewable, the hidden ads will fail the verification check, and you will not be charged for them under a vCPM model.

Pay close attention to data discrepancies. Regularly compare the number of impressions your DSP reports with the number your third-party verification partner measures. If a specific publisher shows a large and consistent gap between served impressions and measurable impressions, it is a strong indicator that something is wrong, and ad stacking could be the cause.

Abisola

Meet Abisola! As the content manager at ClickPatrol, she’s the go-to expert on all things fake traffic. From bot clicks to ad fraud, Abisola knows how to spot, stop, and educate others about the sneaky tactics that inflate numbers but don’t bring real results.

View all posts by Abisola (Abisola)