One question that haunts every marketer: how do I know it’s a real person seeing my ad?
When at least 40% of web traffic comes from fake users, according to cloud computing service provider Cloudfare, it’s not a paranoid question — it’s a necessary one.
The answer, up until now, has been simple. For a fee, verification vendors like IAS, DoubleVerify, or Human Security promise to filter out bots and invalid traffic, offering peace of mind that real budgets are reaching real people.
But a new report from Adalytics undermines these assurances; it turns out these vendors might not actually be very good at filtering out bots.
What’s the main finding of the report? The 240-page report from the analytics firm reveals that advertisements from thousands of brands are being shown to bots — despite many firms paying extra for services that promised to detect and stop this exact kind of activity.
Some of the brands involved reported spending millions of dollars each year specifically for bot avoidance. Tools from companies like IAS and DoubleVerify are supposed to block known bots before ads are shown. But in many cases, the report shows that these tools either failed to block the traffic, or even marked it as human.
How did Adalytics find this out? They analysed more than 1,000 terabytes of traffic between 2019 and 2025, focusing on three known bot types — including HTTP Archive (which collects performance data across the web) and URLScan.io (a cybersecurity tool that sometimes mimics human behaviour).
A client-facing tool used by IAS made it possible to see exactly how the vendor classified this traffic. The results were troubling.
- URLScan.io bots, which obscure their identity, were flagged as human 77% of the time.
- HTTP Archive bots, which explicitly identify as bots, were still classified as human 16% of the time.
No similar transparency was available for DoubleVerify.
How big is the problem? This isn’t a one-off glitch. The findings suggest a long-running, systemic failure across the digital ad ecosystem. Adalytics stops short of estimating the total financial waste — but with billions of dollars spent annually on programmatic trading, even small error rates translate to hundreds of millions in wasted spend.
Is this just a vendor problem?
Not entirely. The whole ecosystem is implicated. Platforms like Google and The Trade Desk served the impressions. Verification vendors failed to block them. The report names WPP, Publicis, Omnicom, IPG, Dentsu, Havas, and Horizon Media as having bought inventory that ended up going to bots. And many brands never looked under the hood.
What’s the key takeaway for media buyers? Don’t assume verification tools are bulletproof. Ask hard questions about what protections are in place, how they work, and whether they’ve been tested against real bot activity. If even known bots can slip through, then programmatic media may be more vulnerable than the industry wants to admit.
Verification isn’t a guarantee — it’s a product. And right now, that product may not be delivering on its promises. In a system built on trust, the Adalytics report should serve as a wake-up call.
