Bot, but NOT fraud; NOT bot but IS fraud

Tongue twister or brain twister? Both.

"90% of what was once called "instream" is now considered "outstream." "A recent update to IAB's video ad guidelines changed the definition of in-stream video to include video that is sound-on and plays before, during or after streaming video content the user has requested; delivers within a player; monetizes content that the publisher is delivering." Source: https://www.adexchanger.com/on-tv-and-video/unpacking-the-latest-changes-to-the-iab-tech-labs-video-advertising-guidelines/ An adops person put it succinctly on reddit -- "well, the thing is, it was never "in-stream" in the first place."

source: https://www.reddit.com/r/adops/comments/1fun1t2/whats_happened_to_your_video_ad_cpms_since_iab/

Mis-categorizing or mis-declaring inventory

"Out-stream" video ads declared and sold as "in-stream" -- Note that ad buyers were paying for what they THOUGHT was "in-stream" video ads all along. But they weren't because the IAB guidelines/standards were previously not strict enough or precise enough, and shady sellers were getting away with selling non-viewable, sound-off video ads entirely unrelated to video streaming content as if they were "in-stream." Out-stream video ads were mis-categorized as in-stream video ads and sold for more money.

"Reseller" declared as "direct" in ads.txt -- Inventory mis-categorization or mis-declaration has been widespread. And has been simple to do by bad guys. For example, ad buyers who insisted on buying only "direct" inventory were given "direct" inventory to buy. All the bad guys had to do was change the declaration in their ads.txt file from "reseller" to "direct" (even if it wasn't actually direct) to tap into all the ad spend meant for "direct only."

"Not viewable" falsified to be "viewable" -- Similarly, bad guys and even mainstream pubs like Newsweek, used code to falsify viewability measurements they could sell them and sell them for more money (advertisers wanted to buy viewable only ads). Bad guy's fake sites always had 100% viewable ads 100% of the time, not because they were viewable, but because the viewability measurements were falsified. Similarly, mobile apps that run ads in 0x0 and 1x1 pixel windows, in the background, and when the app or mobile device is not in use are selling 100% viewable ads, not because they are viewable, but because the legacy vendors failed to correctly mark them as not viewable, and they are declared as viewable in the bid request.

Blending inventory

Another common technique to obfuscate and cover up incorrectly declared inventory is "blending." By blending low cost display and video ad inventory into expensive CTV supply, shady sellers and even mainstream sellers had more impressions to sell; they knew that few ad buyers would ask for more details, because they were so happy to buy enormous quantities of low cost CTV ads.

This has been documented over the years. Grindr (mobile app) was sending faked CTV bid requests, pretending to be Roku streaming apps and devices. And javascript code in display ad slots were generating 12 billion fake CTV bid requests per DAY. Why were fraudsters doing this? Because they want to get the far higher CTV CPMs. It's much more lucrative to generate fake CTV impressions to sell, AND it's far easier to get away with too, because there's limited measurement (no javascript detection tags allowed).

Even when shown by FouAnalytics that those "CTV ads" never ran on big screen connected TVs, but instead were run on crappy MFA sites and crappy MFA mobile apps, ad buyers would often just shrug, and justify it by saying "we love it because we got a great deal -- $5 CPMs for CTV ads." Ahem, $5 CPM CTV ads are not CTV ads. The article below shows more examples of "blending" -- display ads blended into video ad campaigns. Ad buyers pay for more expensive video ads that ran hidden in low cost display ad slots.

So what can you do about the above, if the platforms that you buy from and the verification vendors you pay for can't detect and protect you from mis-declared inventory, blending, etc. If you had better analytics and more detailed data, you can see the phenomena above and take corrective action. Let me show you examples of what we can see in the data. When combined with context and common sense you will see why in some cases "it was a bot, but it was not fraud; while in other cases, it was not a bot, but it was still fraud." Read on.

Bot, but NOT fraud

Here are 2 examples, where the device is clearly a fake device (not a real PC or mobile device). So this IS a bot. But it is NOT fraud. For example, the platform below is Linux x86_64 (a server operating system). And the HTTP_USER_AGENT contain "HeadlessChrome" (the bot honestly declared itself). Headless chrome is an automated browser created in data centers and used to load webpages. AdsBot-Google crawls the landing pages to make sure they are live and the content matches the ad creative. These are examples of obvious bots, but not ad fraud. So it should be separately labeled -- e.g. orange in FouAnalytics. Have your legacy bot detection vendor shown you any of these details? Of course not.

In this next example, you can see the bots came from Amazon, Microsoft, and Cloudflare data centers. The screen resolution (video) and window size were heavily repeated. And the IP addresses were as well. These were clear and obvious bots, but they were not related to ad fraud. By checking the url, we could see there were no UTM_SOURCE query strings AND there was no referrer; that means these bots hit the page directly, and did not come from clicking on paid ads. So these were definitely bots, but was not ad fraud or click fraud. Context and support data are crucial to understanding this. Have any of the legacy verification vendors provided you with this level of detailed supporting data so you can 1) understand why it was marked as a bot, and 2) why these were not ad fraud?

NOT bot, but IS ad fraud.

Let's now consider the opposite scenario -- NOT bot, but IS fraud. Remember the dozens and dozens of cases over the years where "malicious" apps from the Google Play Store and Apple App Store were committing ad fraud? These were NOT bots (fake visitors) hitting webpages. These mobile apps were real apps, downloaded from the app stores, and running on real mobile devices. So none of the impressions were detected as "fraud" by the legacy verification vendors, even though the ads were running in the background, running throughout the overnight hours, running in 0x0 pixel ad slots, etc. Would you consider any of these ad impressions valuable for your digital campaigns?

I won't belabor this, but hopefully you get the point. It doesn't have to be a bot to be ad fraud. And most of these other forms of fraud are not detected by the legacy vendors. In the example FouAnalytics data below you can see the number of ads per page (up to 40), the number of iframes on the page (up to 215) and the details of the contents in the iframes -- note the 0x0 iframes, some of which contain tracking pixels.

And finally, there are entirely fake mobile apps that don't actually exist, but still appear in the data chomping on your ad impressions. See the article below for the comical app names, made up by bad guys.

So what? Use FouAnalytics so you can "see Fou yourself" if you are actually getting what you paid for, or what you expected to get when setting up the campaigns.

For more case examples and screen shots, follow and subscribe: https://www.dhirubhai.net/in/augustinefou/recent-activity/newsletter/