How cookies have been used to commit ROAS fraud

There's ad fraud and then there's attribution fraud. Ad fraud is simply ads being shown to fake users -- bots -- and not humans. Attribution fraud is where a particular type of ad or a particular adtech vendor falsely claims credit for conversions/sales it did not cause. Why do they do this? They commit attribution fraud to make their form of digital advertising appear to perform really really well. This tricks their customers into spending more with them, so they can increase revenues under false pretenses -- i.e. fraud.

Note that unlike ad fraud, attribution fraud doesn't require bots. In fact, it relies on real humans that actually buy stuff online. So how is attribution fraud accomplished? Humans buy stuff. But most of those purchases were not caused by seeing a single ad.

"individual ads do not cause individual sales"

Think about your own experience. You don't typically go out and buy something just because you saw a single ad for it, no matter how cool or memorable the ad was. Sometimes you even buy something without ever seeing an ad. For example, folks buy BMW cars because their family has always purchased BMW, not because they saw a BMW ad on TV. Before we get too deep into marketing theory, let's get back to the issue at hand -- attribution fraud. Humans buy stuff online. All the adtech vendor has to do is claim credit for the sale, by making it look like their particular ad caused the sale, even if their ad impression didn't actually cause the sale.

Cookies, the ones in browsers, have made this easy for the last 20 years. Cookies are small bits of information in the browser that represent "users." What follows below are the case examples of how cookies have been used to commit fraud -- attribution fraud -- and enabled adtech vendors' tech to appear to be magical in terms of how much sales and ROAS it was driving, except that it wasn't, actually.

AFFILIATE FRAUD was committed using cookies

The great Ben Edelman had been documenting affiliate fraud since 1995 -- https://www.benedelman.org/archives/ The largest, successfully prosecuted cases of affiliate fraud dated back to 2013 when two of eBay's largest affiliates were sentenced for defrauding eBay out of millions of dollars in affiliate fees. Affiliate marketing was considered a form of "performance" marketing, where the advertiser doesn't pay until they get actual sales, for example when someone bought something from eBay. When such a transaction occurred, the advertiser would pay a percentage of the sale -- the affiliate revenue share or commission -- to the party that helped drive that sale. That party was identified by the "affiliate cookie" observed in the browser of the human that completed the purchase. In the normal, non-fraudulent course of action, the human user would visit a recipe site and see a special cooking utensil or other items they could buy. If there was an affiliate program set up on that recipe site, when they user clicks through to Amazon, eBay or some other ecommerce site, an affiliate cookie would be set in their browser so that site would earn the affiliate commission if a purchase was completed. This makes sense, on the surface. But criminals found an easy way to game this system and earn large sums of affiliate commissions under false pretenses.

All they had to do was set THEIR affiliate cookie on as many users' browsers as possible. That way, if ANY of these users ever completed a purchase, they would earn the affiliate revenue share. The advertiser would be super happy to see so many sales being driven by the affiliate program, they'd even increase the budgets set aside to pay for affiliate commissions.

How are these "affiliate cookies" set? Normally, it's when a user visits a site and clicks through to the landing page of the ecommerce advertiser, which has some special code on the page to set the cookie (this identifies who the affiliate was, and there who needs to get paid the commission after a sale occurs). But what if the fraudster deliberately loaded many, many of these affiliate landing pages into the humans' browser without the human user knowing?

In the screenshot above, we see exactly this. The affiliate pages of marriott, hilton, ebay, acehardware, anntaylor, etc. are all loaded invisibly (behind the scenes) into a single webpage the human was visiting. This is a favorite technique of click-bait sites. When the human is looking at the content, hundreds if not thousands of affiliate pages are loaded in the background so affiliate cookies could be set, fraudulently. Then when that human user buys ANYTHING from ANY of the advertisers being targeted by this form of attribution fraud, the advertiser pays the affiliate commission to the affiliate fraudster. This is how eBay's "super-affiliates" got to be "super" -- under false pretenses. The affiliate cookies were used to commit this form of attribution fraud. The advertiser paid out the affiliate revenue share to the fraudster when they should not have, because the fraudster didn't actually help drive the sale. The sale would have occurred anyway, but the cookie was used by the fraudster to falsely claim credit for the sale and thus falsely earn the revenue share.

To recap, this was not ad fraud, it was attribution fraud, where cookies were used to trick the advertiser into paying out a success fee for a completed purchase. The purchase was real, and completed by a human. But the attribution was falsified by a cookie being set by the fraudster, who got the revenue share under false pretenses.

LOCATION FRAUD was committed using cookies

Over the last 14 years of studying ad fraud, I have seen many other forms of attribution fraud being committed using cookies. For example, there were a flurry of location based advertising companies that sprang up to help advertisers like Taco Bell, Dunkin Donuts, etc. drive more store visits -- or "footfall." This was a great idea in theory -- show an ad for Taco Bell to someone and report to Taco Bell that they actually walked into a Taco Bell store. That's the ultimate "performance" right? Right. But criminals found an easy way to game this system by showing large amounts of "footfall" under false pretenses.

Put simply, when an ad was shown to a particular mobile device, a cookie was set, so that that device is marked as "exposed" -- i.e. exposed to the ad. So whenever that device walks into a Dunkin Donuts store, the location based mobile vendor could claim credit for having "caused" the store visit. What if this vendor (unscrupulously) wanted to convince their customers that their form of advertising was driving SO much footfall, they would increase the budgets spent with that vendor? This was easily done by "exposing" as many devices as possible -- i.e. causing the cookie to be set -- by using low-cost, invisible ads loaded in the background without the users' knowledge, e.g. when they were playing a mobile game. If all 350 million mobile devices were cookied and marked as "exposed" then when any of those devices walked into the store, the mobile attribution vendor could claim credit for having driven the "footfall" (under false pretenses). This form of attribution fraud, using cookies, was rampant, until the stores realized most of those human visitors would have visited the store anyway, not because they saw an ad run by that location based mobile vendor. The human visits Dunkin Donuts every morning for coffee anyway.

ROAS FRAUD was, and is, committed using cookies

Finally, we get to the largest spenders, brand advertisers buying display and video ads to drive more sales. These large advertisers even use a success metric called ROAS ("return on ad spend") to measure success. They even report seeing very strong ROAS and conversions from these ads. That makes sense, on the surface. But criminals found an easy way to game this system and make it appear that ads you buy from them are generating massive return on ad spend. How are they doing this? Right, you guessed it, by attribution fraud (not ad fraud). The sales did occur. The problem is that the vendor is OVER-claiming credit for those sales, that ads on their platform did not actually cause.

How is this done? Right, by using cookies. Over the years, a metric called "view-through conversions" was created to give awareness ads (like display and video) more credit compared to performance ads (like search ads). The theory was that someone could have seen a display ad or video ad but not clicked on it. But those ads still deserve some credit for helping to drive the sale. View-through conversions were those conversions that happened in a 30, 60, or 90 day window after ad exposure, that were attributed back to the awareness ad. This is done by setting a cookie on the humans' browsers/devices upon ad exposure. If that same cookie is observed to complete a purchase within the "view-through conversion window" credit for that sale would be attributed to that ad. You can see the problem with this right?

ROAS is way way too high; and CPA ("cost per acquisition") is way way too low

ROAS fraud is the same as location fraud and affiliate fraud, described above. It's a form of attribution fraud where a vendor (or type of ad) gets too much credit for sales that DID occur, but the vendor DIDN'T cause. By setting as many cookies as possible on as many humans' devices as possible, the vendor could (falsely) claim they caused those view-through conversions. This means the ROAS would look awesome, and many many sales were attributed to them, even if the sales/bookings would have occurred anyway. Remarketing fraud is also exactly this. A cookie is set on a customer that has purchased from you before. Even if they went directly to your site and bought again, that second purchase is attributed (incorrectly) to a remarketing ad, which makes the ad appear to be driving more sales than it actually did.

So what?

Below is a really great story that illustrates how an advertiser found a way to save a ton of money on ads that appeared to be performing really well in the reporting.

Excerpt: After spending $10 million on Amazon ads, they decided to spend $0. Why? Did advertising on Amazon not work? No, it worked. But, it didn't work as well as it appeared in the reports. "For years we spent 8% of revenue on advertising. This is a standard practice for sellers, it bought top placement, the lift in sales was noticeable… but we were wrong. Mike Beckham, CEO of Simple Modern, had this key insight -- Advertising profitability was inflated by ads not driving sales. In other words, organic customers were clicking on ads to shop when they were going to purchase anyway. The reporting made it look like the ads drove the sales, when the sales would have occurred anyway."

In your case, there may not be fraud, but there still may be too much credit being given to a particular vendor or type of ad due to incorrect attribution. The key question is whether those sales were incremental -- i.e. would not have occurred in the absence of the ads. You can use FouAnalytics to measure your ads and your landing pages to get at this answer, without running difficult incrementality testing. Message me if I can help further on this.

Some marketers are using FouAnalytics to do COOKIELESS attribution. This also works when there are no clicks (for example from CTV) See below.

More case examples and screen shots from FouAnalytics: https://www.dhirubhai.net/in/augustinefou/recent-activity/newsletter/