That does not mean advertising itself is the problem. Ads help support much of the internet we use every day, from news sites to social media and streaming services. The issue is the ad-delivery system behind them. It is built to move ads at enormous speed and scale across websites, apps and connected devices. The Media Trust came to its conclusion after monitoring more than 200 billion ads a month across more than 100,000 digital properties.

To understand this growing threat, it helps to know how an ad gets to your screen. When you open a webpage, the ad space on that page is often sold in an automated auction. But before that instant auction, ads usually go through review. Google says most ads are reviewed within one business day, though some take longer. In practice, that means there can be a one-to-three-day lag between the time an ad campaign is submitted and the time it begins showing up in your apps and on other sites you visit. Once approved, the ad can move through the system almost instantly each time a page loads.

A malicious ad does not always look malicious at first. It may appear to be a normal ad creative during review, then use redirects or other code further down the chain to send people somewhere else. One example from 2025 was GhostCat, a redirect malware family that appeared across 48 ad networks. Like with more than half of all malicious ads, the motivation was financial.

Here’s how it worked: When a user clicked on a malicious ad, the program assessed whether the person matched its target profile, including things like mobile use, certain geographic locations and specified websites. A match forced a redirect to a malicious website or a pop-up where users saw fake security alerts, prize pages, subscription traps and look-alike login or payment screens designed to steal their account credentials or pay for non-existent items.

While the motivation is the same for phishing emails, malvertising is often harder to detect. The warning signs are often obvious in phishing emails: bad spelling, strange links and dire threats. For ads, the threat can be embedded in ordinary browsing. You may be reading the news or checking a shopping site, click on an ad and then get redirected to a fake login page or a bogus software alert. AI and deepfake-style tools are making these campaigns more convincing, while the complexity of the ad-tech supply chain helps hide where the threat originated.

Not all ad networks and websites carry the same risk. Top-tier ad networks such as Google and Microsoft use stringent review systems that result in malicious-ad rates below 0.03%, while some high-risk networks with looser filters may have a rate as high as 7.5%. According to native ad network provider MGID, financial ads are particularly risky, with 14.3% classified as malicious, and that statistic isn’t surprising. Criminals follow the money.

Higher-quality publishers generally have more controls over the kinds of advertisers and ad partners they allow. Lower-tier sites, especially those in gray areas such as illegal streaming, cracked software (illegal copies of software) and dubious download pages, are more likely to rely on looser networks and reseller chains. You usually cannot tell which network is serving a particular ad, but you can make smart judgments about the kinds of sites you visit.

The practical advice to reduce your risk is straightforward. Keep your browser, phone and computer operating systems up to date, as well as your apps. For banking, it is safer to use the institution’s app or bookmark and go to the official website without using search or by clicking an ad. Turn on built�’in protections in your browser, such as block pop�’ups/redirects and enable tracking protection or “strict” privacy mode (Safari, Firefox, Edge, and Chrome all have these controls).

You can also block third�’party cookies where possible to cut cross�’site tracking that feeds aggressive ad targeting. If an app asks you for permission to track your browsing across websites, choose “do not allow.” And like with phishing emails, if an ad sounds too good to be true, it’s may be a bad ad, so just don’t click.

Leslie Meredith has been writing about technology for more than a decade. As a mom of four, value, usefulness and online safety take priority. Have a question? Email Leslie at asklesliemeredith@gmail.com.