A Brief History of Digital Ad Fraud

I've been a digital marketer for more than two decades. I have witnessed the entire arc of the evolution of digital marketing -- from the humble beginnings of placing "banner ads" on websites to the sci-fi world of today where AI (artificial intelligence) and advanced algorithms buy and sell trillions of digital ads, each in milliseconds. These ads can purportedly even target the right user at the right time, with the right message, no matter where they show up or what app they are using.

Have we reached marketing "nirvana"? Or does it sound too good to be true?

Well, it is too good to be true. Don't believe me? Keep an open mind as we take a look back at digital marketing, digital ad tech, and digital ad fraud -- from 1995 to the present, a 20+ year tale of good versus evil.

Where We Came From

In the early days, portals like Yahoo aggregated many types of content - news, weather, sports scores, stock quotes, etc. Many humans went to these sites to get information. When they looked at webpages, for free, the site made money by selling ads to advertisers who were trying to reach these human audiences. The banner ads on the top and sides of the webpages were born. This was Web 1.0.

Web 2.0 saw the rise of big blogs and blogging platforms like Blogger and Wordpress. Blogs like Engadget and Gizmodo specialized into certain topics -- tech news -- to attract specific audiences. These higher value audiences commanded higher ad prices. The blogging platforms also enabled more people to publish content online without having to know how to write HTML code. This gave rise to what is known today as the "long tail" of sites. These were sites that had very niche content that were intensely pertinent and useful to small numbers of people. But because there were many many long tail sites, they could collectively amass at-scale audiences for advertisers to show ads to - or so said Chris Anderson's book.

But in terms of digital advertising, it was not possible for an advertiser to go to all these tiny websites and negotiate to place ads to reach their audiences. They needed a single place to buy; so ad exchanges were born. Ad exchanges created the tech that allowed thousands of tiny sites to carry ads, while giving advertisers a central place to buy the ad inventory. Advertisers would buy from the ad exchanges instead of from the publisher sites. And this began the long excruciating process of ad tech inserting itself between advertisers and publishers, to extract as much profit as possible.

Buyers also began to believe in the concept of targeting audiences, regardless of what sites they went to. Previously, advertisers would reach males by advertising on sportsillustrated.com, espn.com, and other sites with content that men wanted to read, just like offline magazines did for decades prior. Now with magical ad tech, advertisers could purportedly target any individual, not just male vs female, on any site they happened to go to. But the belief in a good idea far outran reality -- what was actually happening. So more myths were developed and piled on, like "look alike audiences" which seemed to appear out of thin air in large quantities, whenever targeted audiences were too small for ad tech companies to profit from.

How Did We Get Here?

With these foundational pieces of ad tech in place, ad fraud was also set to take off and take over digital marketing. The belief that audiences could be reached in large numbers of long tail sites created the incentive to create more and more long tail sites, even outright fake ones, to carry ad impressions and make money from digital ad spend. As more money shifted in from other channels like TV and print, the sheer amount of dollars in digital made it lucrative enough for criminal organizations to also "get in on this windfall" (ad fraud). After all, why risk your life trying to rob a bank, when the alternative is to sit behind a computer and make MUCH more money than you can ever carry out of a bank in bags.

Over the years, the number of websites skyrocketed; most of these were simply fake sites with no content, designed solely to carry ad tech to make money from ads. But these fake sites had no real human audiences, so how did they get the traffic to generate all those ad impressions? Right. They bought all the traffic. Some of this traffic was so obviously fake that over time buyers could see it as fraudulent and sought ways to detect it and stop it.

This created demand for "fraud detection" technologies to help detect fake traffic so advertisers wouldn't get ripped off. As these fraud detection companies proliferated, fraudsters evolved their tech as well. This has become well-known as the ad fraud "arms race." The question is whether the good guys' detection tech is actually catching all of the ad fraud out there. Likely not, because in the related cyber security industry there are constantly new "zero-days" being discovered - these are vulnerabilities or attacks that had been going on, but simply had not yet been discovered by the good guys.

Since advertisers wanted to target audiences and were willing to pay more for it, fraudsters saw the opportunity to create larger audiences, with the exact characteristics that advertisers demanded -- for example 300 million auto intenders in the U.S. Fake audiences that looked like a tiny sample that the advertiser was interested in, were created out of thin air using bots that simply visited specific collections of websites to make themselves look like highly attractive and engaged audiences.

Where We Are Now

Today, when digital advertising spending is at its highest point ever -- more than $100 billion in the U.S. and more than $330 billion worldwide -- do you think that fraud is lower than ever or higher than ever (when there is such an enormous bucket of money to steal from)? Of course most advertisers are already paying for fraud detection technologies. But are you sure those technologies are detecting all the fraud, especially new forms of fraud that they weren't designed to spot, and the fraud in new channels where the detection is not mature or not possible?

If we're not sure that we are detecting all the fraud, let's consider what has been detected to get a sense of the size and pervasiveness of the problem. Not a week goes by when there is not another story of some form of fraud related to digital advertising. To name a few from recent months:

April 2019 - https://www.buzzfeednews.com/article/craigsilverman/google-play-store-ad-fraud-du-group-baidu

March 2019 - https://www.buzzfeednews.com/article/craigsilverman/in-banner-video-ad-fraud

February 2019 - https://www.zdnet.com/article/malvertising-campaign-hits-us-users-hard-over-presidents-day-weekend/

January 2019 - https://www.zdnet.com/article/iot-botnet-used-in-youtube-ad-fraud-scheme/

December 2018 - https://www.thedrum.com/creative-works/project/white-ops-3ve-the-mother-all-botnets

November 2018 - https://www.buzzfeednews.com/article/craigsilverman/android-apps-cheetah-mobile-kika-kochava-ad-fraud

October 2018 - https://www.buzzfeednews.com/article/craigsilverman/how-a-massive-ad-fraud-scheme-exploited-android-phones-to

Note that all of these "largest ever" discoveries of ad fraud, botnets, new forms of fraud were occurring while advertisers were supposedly protected by fraud detection technologies that were "certified" and "accredited." In addition to the possibility that the tech hasn't worked as promised, there is also the possibility that "certifications" are not valid or outright fake as well. To be clear, accreditations from a standards-setting body and the detailed interviews conducted by an accounting firm are useful; they help to verify that companies are measuring what they said they would measure. But the "certifications" where companies merely complete forms and pay fees -- i.e. get certified via "self-attestation" -- are problematic. These create a false sense of security and allows criminals to operate in broad daylight.

And even as the Association of National Advertisers is saying that "ad fraud is down" in their 4th annual Bot Baseline Report, massive ad fraud schemes continue unabated. For example, two distinct iPhone botnets are absorbing tens of billions of highly lucrative, high CPM iPhone inventory (since many advertisers want to target high value iPhone users). Mobile devices and fake mobile apps generate tens of billions of fake deviceIDs monthly to defeat frequency caps (each device looks like a new one, so keep serving the ads). And hundreds of thousands of fake websites sell inventory without even needing their own sellerIDs because they have rented others' ads.txt files and get paid "under the table."

What Lies Ahead

I am one of the staunchest supporters of digital marketing. But what I am witnessing today saddens me, because what we are doing today is not real digital marketing. It is based on impossibly inflated metrics. Sadly, young marketers today don't have the experience to know that 30% click through rates are not real, for example. They think those are normal, because they have not seen anything else to the contrary.

Going forward, we may see ad fraud continue for a while, because almost everyone wants it to continue. How? Why? The ad tech middlemen make more profits when there is more volume of impressions flowing through their platforms. But, somewhat surprisingly, even some marketers want the fraud to continue because it gives them more volume to buy (they love buying more impressions, at lower CPMs) and it would be embarrassing for some to admit that what they bought in the past had more fraud than they realized (because fraud detection didn't detect it).

What's important is that marketers NOT let their guard down, thinking that fraud is low or solved. Marketers need to stay vigilant and look at the data and analytics themselves so they can verify whether ad fraud is impacting them. If they see strange things in the analytics, don't ignore it; ask questions. There has to be a reason for strange things like 100% bounce rates, 0% bounce rates, perfectly consistent pages per session across dozens of referring sites, etc. It's probably not from real humans seeing your ad and visiting your sites.

Once marketers start to look into it themselves and not just blindly trust what their agencies/vendors and fraud detection tech companies tell them, they will start to see where the fraud is still getting through. Then they can take a more active role in the reduction of ad fraud themselves, like turning off suspicious sites and apps, so they can't steal ad budget any more. And some marketers may run experiments like P&G and Chase where they cut digital ad budgets and digital reach and found NO CHANGE in business outcomes. Whether those digital ads were fraudulent or not doesn't matter -- the digital ads simply didn't drive any incremental business outcomes -- so why continue to invest in it. The ad budgets that you DIDN'T spend will flow right through to the bottom line -- especially significant when marketers like CPG companies operate on razor thin margins anyway.

If we can, as an industry, throw a rock to shatter the glass house that is digital marketing today, we will all see a dramatic reduction in impression volume, traffic, clicks, etc. Every single volume metric will drop through the floor. And then, even with 99% fewer impressions, business outcomes will start to go back up -- think, outcomes per dollar spent in digital. This is how we will know we are on the path back to real digital marketing.

The History of Ad Fraud - compiled from 2008 onwards - https://docs.google.com/spreadsheets/d/1QVI1eeQbm20ktZcKt-tSxajf3BGmhmKIoJV48dgY2Oo/edit#gid=0

About the Author:  “I am an independent ad fraud researcher and not a fraud detection technology company. I help advertisers and marketers by doing independent audits of their digital campaigns to show them whether and how they are affected by ad fraud. I show them detailed data so they can verify for themselves what is fraud and what is not fraud; and I 'teach them to fish' so they can take a more active role in fighting ad fraud in their own campaigns. The audits are free so both objectivity and independence are preserved.”