Ad fraud is costing marketers approximately USD 20 billion per year. From fake audience to fake traffic, and fake clicks, to fake installs; advertisers are paying for clicks and exposure that never happens.
In October 2018, Buzzfeed News uncovered a massive mobile ad fraud that affected over 125 android apps and websites, including Facebook, Lyft, PUBG Mobile, Hulu, and so on. The in-depth investigative report said that the fraud scheme saw hundreds of millions of dollars in ad revenue stolen. The fraudsters purchased legitimate, established applications from developers through a front called “We Purchase Apps.”
The ownership of those apps was then transferred to shell companies that would continue to manage the apps, while also analysing user behaviour and interactions with the apps. This data was used to program a network of bots that would be directed toward the purchased apps, realistically spoofing user behaviour using the real data, thereby evading fraud detection systems.
This behaviour was also masked by legitimate users who were still interacting with the apps. The fraudulent user behaviour reaped millions of dollars in ad revenue from companies paying to advertise with in-app ad networks. This also included ads run by Google. “The majority of impacted advertiser spend was from invalid traffic on inventory from non-Google, third-party ad networks,” said Google in a blog clarifying its action after being alerted by Buzzfeed. Google’s dollar value estimate of the impacted Google advertisers spend across the apps and websites involved in the operation is under USD 10 million. But fraud detection firm, Pixalate, who first exposed one element of the scheme in June 2018, estimated that a single mobile app could generate USD 75 million of fraudulent ad revenue.
App metrics firm AppsFlyer estimates that in the first quarter of 2018, fraudulent schemes stole between USD 700 million and USD 800 million from mobile apps alone. Pixalate’s research says that 23 per cent of all ad impressions in mobile apps are in some way fraudulent.
Beverly Chen, Marketing Director Appsflyer APAC, believes that fraud distorts and pollutes the data businesses rely on to make decisions. This, he says, results in a misinformed use of resources, inefficient spending, as well as financial loss. To combat this, Chen says that marketers “need to have multi-layered protection solutions in place. One must understand and remain vigilant against the rising threat of bots, non-human traffic, and the always-evolving techniques of bad actors to maintain their competitive advantage.”
Ad Fraud has been plaguing the digital advertising industry for years. It is estimated that in 2019, ad fraud will be able to steal $5.8 billion from advertisers.
Common Types of Ad Frauds
Digital ad fraud is all about volume, and it is carried out in two ways – fraudulent ad impressions, and click (CPM and CPC) fraud. Both of these types of fraud can be executed through the following means:
- Invalid Traffic (IVT) bot
Be it General Invalid Traffic (GIVT) or Sophisticated Invalid Traffic (SIVT), bots are used to create traffic. GIVT bots are harmless, as their activity is disclosed by the companies using them. For example, Google uses bots to crawl pages and organise indexes. SIVT bots are the harmful kind and require a lot of expertise to detect, analyse, and identify. These include hijacked devices, malware, and falsely identified viewable impressions.
2. Cookie stuffing
One of the most common types of ad fraud schemes, cookie stuffing, generates misleading and diluted audience information, subsequently affecting the results of an entire campaign. Cookie stuffing tracks a user’s journey from an affiliate to a central site, padding out the statistics and making the central site pay more while gaining less.
3. Domain spoofing
When a low-quality publisher disguises itself as a premium publisher in a programmatic advertising marketplace, it is termed as domain spoofing. For the former, spoofing a premium publisher means ad impressions become more valuable, and the demand grows as well. For example, the Methbot fraud scandal, uncovered by WhiteOps, was one of the most profitable ad fraud operations to date, spoofed 250,267 distinct URLs to falsely represent inventory.
4. Data Center traffic
In this type of fraud, the traffic originates from servers set up in a data center, instead of an actual company. It looks like the targeted audience is seeing the ad, whereas, in reality, there’s no screen involved in the data center, so actual view shouldn’t be counted.
5. Fake device IDs
One of the major ways of conducting mobile ad fraud, fake mobile devices create a random string of alphanumeric code, a fake ID, to increase the frequency of CTRs. These are designed to overcome frequency counters that can detect fraudulent clicks.
6. Ghost sites and Traffic Redirection
Fraudsters create a blank page without content to which an ad tech code is added. This is then added to a low-quality exchange to start generating money through fake impressions. Fraudsters also set pages to redirect traffic to other pages in an infinite loop, creating fake impressions. Bot detection tools cannot detect this type of fraudulent behaviour as ghost sites and redirected traffic falls under the blind-spot of anti-fraud technology.
The India head Mobile Marketing Association (MMA), Moneka Khurana says that the top two challenges faced by marketers in mobile advertising are mobile ad fraud and brand safety. “Ad fraud is likely to rise by 40 per cent this year,” she informs, adding, “Interestingly, misrepresentation fraud — which includes ad stacking, device hijacking and falsify site or ad-specific information —turned out to pose the highest risk, followed by traffic and attribution fraud.” Brand campaigns have emerged as the top segment reporting highest ad fraud, according to the latest survey by MMA India.
How to Detect and Prevent Ad Fraud?
Mobile measurement provider Adjust found that mobile advertising fraud doubled between 2017 and 2018, where around 80 per cent of ad budgets were siphoned off through ad fraud. A similar study by eMarketer says that annual digital advertising fraud-related losses between USD 6.5 and 19 billion.
In fact, most of the ad fraud impacts mobile marketers. According to Adjust, 20 per cent of all mobile ad fraud were fraudulent installs, while 27 per cent of all fraud was trying to disrupt install events through click injection.
Marketers can also use ads.txt to prioritise transparency. IAB’s initiative is nothing more than a text file that is published in the site’s root directory with the information on Authorised Digital Sellers (ADS). This creates a public record of sellers, helping buyers to identify the ad inventory for each and every publisher. This prevents scammers from selling fake inventory.
With ad fraud, the main problem marketers face is that the effects of the fraud are, to a certain extent, irreversible, despite detection. In the case of ad fraud, prevention is better than the cure.
Here’s how we can detect ad fraud:
- Signature-based: Detect ad fraud bots through a set of patterns of suspicious actions, clicks, traffic, or impressions.
- Anomaly-based: Analyse statistics and data to check suspicious activity or ad placement on ad spaces, websites, and publishers. This method is especially useful in detecting click farms.
- Honeypot-based: Place additional fields in a form that can be seen by bots but not by users. This way bots filling that point of the form can be detected and therefore rejected to avoid future bot activity.
Ad fraud is a global menace, and there’s no one way of tackling it. While avoiding or stopping ad fraud entirely is difficult, marketers can follow best practices for identifying and reporting fraud. They can leverage technology like machine learning to fight fraud in real-time, while also educating and engaging the consumers daily.