Ad Fraud: Filed Under C'Mon Man!

“Ad Fraud is 2% and on the wane?”  C’Mon Man!

I love fluffy pink cotton candy as much as the next baby, but C’Mon Man!  When one ad fraud detection vendor tells you “don’t worry about it, fraud is 2%”..... is it? When many ad fraud detection vendors tell you “don’t worry about it, fraud is ‘on the wane’”.... is it? Really?

"Have you entertained the possibility that lower fraud doesn’t mean lower fraud, but that you’re simply detecting less of it?"

Bad guys have gotten better at disguising their bots so they don’t get marked as NHT (non-human traffic) or fraudulent. Consider the fact that we are up against the best hackers in the world. That’s what they do; they hack. So when we put in place technology to detect fraud, don’t you think they can (easily) find workarounds so their traffic gets detected as not NHT? Note I didn’t say human, because it’s not.

"We have fraud detection installed at the network level." C'Mon Man!

Fraud detection technology is handicapped by where the measurement takes place. Depending on where the measurement takes place, what can be detected and what can be done may be very limited. For example, in-network detection means you can see the bid come through. You will have 2 main bits of information to use to make a decision -- the site and the user (e.g. some identifier). If the fraud detection vendor has seen the site before or has seen the user before and either one is on a blacklist; they don’t call the ad. But the default action in the majority of the cases is to let the ad serve because they have not seen either the site or the user before. Of course the most obvious fraud (by dumb and amateur bad guys) can be filtered out. But slightly more advanced bad guys take down websites that don’t make money and dump the cookies of bots that don’t produce for them. So this method of filtering doesn’t even keep up.

Having fraud detection is not the same as having fraud protection

Just look at the Methbot revelation from the end of 2016; just one botnet was making gobs of money undetected for years. Don’t you think there’s more Methbot cousins out there? For other limitations to detection based on where the measurements take place, please see https://www.dhirubhai.net/pulse/ad-fraud-detection-handicapped-where-measurement-dr-augustine-fou-.

"Don't worry; we've got very low bots." C'Mon Man!

Current fraud detection only reports on NHT or bots. They don’t report on humans. That’s telling half the story. Saying there is only 2% bots does not mean the other 98% is human. In fact, in recent data I can only confirm 2% humans in massive run of exchange measurements. The key is for fraud detection services to also positively detect for humans, not just bots. And they should report on what portion of the data is not measurable, or if they extrapolated from a small sample. Only reporting on bots and saying that it is low, is irresponsible and misleading. Because the uninformed will assume it means the other 98% is human. Which is not true.

"My number's correct. No, my number's correct." C'Mon Man!

Ever wonder why no one’s numbers agree with anyone else’s numbers. Through no fault of their own, necessarily, fraud detection companies numbers just don’t match up to any one else’s numbers. The many advertisers cite this as their top reason for mistrust; the next reason being, obviously, that the vendors don’t provide enough or any detail whatsoever about how they arrived at those NHT or viewability numbers in their reports. The problem, according to my research, lies in the assumptions. When there is a significant portion of the data that is not measurable, do you assume those are “fine” or “not fine” -- i.e. viewable or not viewable, NHT or not NHT. Sometimes this comes down to who the paying client is and what they want to see. But even if it is not such egregious manipulation, it could simply be no one knows what assumptions were made and therefore how a high or low number was reported.

"We don't want the bad guys to find out our secret sauce." C'Mon Man!

Fraud detection companies don’t want to disclose their algorithms because they are afraid the bad guys will find out and work around them. But bad guys don’t give a sh*t about your algos; because they already sell bot traffic that gets by all of it. They have done sufficient A/B testing to know their traffic gets through those filters and is marked as clean. They brazenly sell “[insert fraud detection vendor name here]-compliant” traffic. And lots of folks buy it, because they need it to make their monthly numbers. There simply aren’t enough humans on earth, that spend so much time online and using their mobile devices, that account for the impression volumes we are seeing today.

"I demand 100% viewable and 0% NHT inventory." C'Mon Man!

You want 100% viewability?  Sure. No problem. Bad guys don’t play by the rules, so they don’t have to array ad units across a page. They can just stick all of them above the fold, stack all of them one behind another, or just pass fake data to measurement providers. Viewability measurement providers measuring in the foreign iframe of the ad, will register all those impressions as 100% viewable; but they actually were not.

You want 0% NHT? No problem. Like we said above, the bad guys have bots that are proven to get by any fraud filter and be labeled as clean. Bad guys cheat and trick your measurements. So if you are insisting on buying 100% viewable inventory and 0% NHT inventory you are actually increasing your risk of exposure to fraud -- and sending more money to the bad guys.

"Fraud is 'priced in' since we're getting lower prices."  C’Mon Man!

Yes, you are paying 30 cent CPMs instead of $30 CPMs. But you've heard the phrase "you get what you pay for" right? Real human audiences are a scarce resource. When more and more dollars poured into digital/programmatic, the prices should have gone up, if the normal market forces were at work. Instead, prices have come plummeting down, because virtually unlimited "inventory" of ad impressions can be created out of thin air.

Also, you're not spending any less. You're still spending the entire budget, but now you are buying vastly larger quantities of impressions at lower CPMs and most of those incremental impressions were not being shown to humans, visiting legitimate sites. So lower CPMs meant more of your dollars are going to waste and fraud, not less.

"Ad fraud in mobile is low."  C’Mon Man!

This case is pretty incontrovertible, if you asked me. Many have said or heard that ad fraud in mobile is low. But is it? Really? C’Mon Man! Fraud detection companies publicly admit that mobile in-app is not measurable. NONE of the javascript detection technologies work in-app. But yet, mobile is now the largest category of digital ad spend and in-app is the majority of the impressions (compared to mobile web).

So, do you think the fraud is higher or lower in mobile which has the largest pool of dollars and is the least measurable? And we are not even mentioning other forms of fraud like 1) seemingly legitimate apps just keep reloading thousands of ad impressions in the background, without the user knowing, or 2) fake mobile devices created in data centers, which can download and install apps, and even open and interact with them, to defeat those fraud detection measures on CPI (cost per install) campaigns.

“mobile’s more lucrative and less measurable… hmm, do you think fraud is higher or lower?”

"Mobile, native, video ad views are growing like craaazy!" C'Mon Man!

If you look at the census charts for the last 10 years humans on the internet (U.S.) grew from 200M to 300M (a 50% increase) and internet penetration grew from 69% to 89% (a 30% increase). But the growth in ad impressions served -- from display, to video, to mobile, to search -- has outstripped these growth rates by orders of magnitude. You need a logarithmic chart to even plot it. Google alone serves at least 30 billion ads per day (or 1+ trillion display ads per month). Source: https://adwords.googleblog.com/2013/09/reach-relevance-and-trust-big-three-in.html and https://qz.com/900349/google-goog-has-been-quietly-placing-more-ads-in-search-results/. Add in Facebook and other large ad exchanges. There simply aren’t enough humans spending enough time online to generate that much ad inventory.

"The curious case of insufficient humans. Ever wonder why they call it 'inventory'?"

And completely separately, 3 network analysis companies have reported that 1/2 to 2/3 of the traffic on the Internet is not human. It doesn’t mean it is bad; it’s just not human. So if you still think fraud is 2%... C’Mon Man!

Fraud will continue rampant until we change financial incentives for both the bad guys and the ad guys

Very basically, as long as advertisers are incentivized to buy as much volume as possible and measure easily-faked metrics such as impressions, clicks, traffic, etc. there will be demand for more impressions and therefore fraud. As long as business goals are set up to favor higher quantities at lower average cost, there will be demand for low cost impressions found on open exchanges.

Low CPM prices are possible because no real content was needed to attract real human audiences. Creating real content is really hard, expensive, and time-consuming. Just ask real, mainstream good publishers.

And finally the fraud may not even need to be carried out by the hackers themselves -- it may be the junior ad ops person in the back room. They are under such enormous pressure -- “make your monthly ad revenue number or you lose your job” -- that they resort to things like sourcing traffic, audience extension, getting paid to install a content discovery widget, etc.

Fluffy time is over.

Don’t get lulled into a false sense of security when you read things like “ad fraud is on the wane.” It’s not. And vigilance, action, and transparency have never been more necessary than it is now.

About the Author:  “I advise advertisers, publishers, and agencies on the technical aspects of fighting digital ad fraud and improving the effectiveness and transparency of digital advertising. Using forensic technologies and techniques I help to assess the threat and recommend countermeasures to combat fraud and improve real ROI.” 

Follow me here on LinkedIn (click) and on Twitter @acfou (click)

Further reading: https://www.slideshare.net/augustinefou/presentations