My Q&A About Ad Fraud With A Skeptical CMO

1. “CMO: I know about ad fraud. But the ANA tells me that their initiatives have it well under control and that you’re fear-mongering to get more consulting business for yourself. Is that true?”

Which part? — that ad fraud is well under control? or that I’m fear-mongering?

Yes. It’s true that I make a living from doing consulting. I have been doing digital strategy consulting for most of the last 25 years, as a small business owner. I currently do consulting for clients -- helping them to audit programmatic campaigns and teaching them how to look for ad fraud in their own campaigns and mitigate it themselves. I’m not a fraud detection tech company, but I did build a toolset for myself, to gather data about digital ads and traffic to websites, so I had accurate analytics to use for the consulting. There was no such tool before and I don’t trust anyone else’s data, because it could be inaccurate or could have been tampered with.

But no, I’m not fear mongering because ad fraud is NOT “well under control.” My data shows there’s more fraud than before, and there’s more types of fraud, too. It’s not just bots and invalid traffic (IVT) which the ANA keeps referring to. If you consider only bot traffic, then of course, the simple bots that are dumb enough to be caught are in the 1% range. But the hackers that maintain the botnets are smart enough to evade detection, just like they’ve done after breaking into government systems and corporate networks; they’ve been able to stay hidden for years. And you’ve read about case after case after case of new fraud schemes being outed. Those schemes have been stealing ad dollars for years, while remaining hidden in plain sight. That’s the fraud I am talking about — it’s way more than just the invalid traffic hitting websites.?

It’s not fear mongering if it’s true, just like it’s not “crying wolf” if the wolf is standing right there in front of you.?

Bots evade detection by stripping out the tags

The reason current fraud verification vendors consistently report only 1% IVT ("invalid traffic") is because that is all they can catch. Bots have been actively stripping out their detection tags (see code sample below, observed in the wild in 2014). "No data" should not mean "no bots" but these vendors conveniently only report on % IVT. That does not mean the other 99% is good; it means they failed to detect anything wrong with the other 99%.

Despite fraud detection, 90 - 99% bot clicks in programmatic campaigns

Despite the use of multiple layers of fraud protection -- e.g. pre-bid filtering, post-bid measurement, etc. The following chart shows what the clicks look like from programmatic campaigns. Orange means declared bots (the bots told you they are bots); red means bad bots; blue means human clicks. Despite fraud verification, advertisers are still getting mostly bot clicks and only 1 - 4% clicks from humans.

2. “CMO: So you’re telling me that your homegrown tech is better than the fraud detection tech that’s got tens of millions of dollars of VC money behind it and virtually all marketers have chosen and paid millions of dollars for?”

Yes. It is better AND it gives you the detailed analytics needed to take action. I’m saying it’s more complete and actionable for the client. What do you get in a typical report from one of these fraud verification vendors? — a spreadsheet with an IVT percentage and a few other columns like data center bots, and breakdown between G-IVT and S-IVT, etc? What do you do with that? Does it tell you which websites and mobile apps caused the fraud? Nope. Does it take into account all the cheating things a site does to make more ad revenue, like stacking 100 ads on top of each other, sticking ads in hidden 1x1 pixel iframes, refreshing the ad slots every second, or running ads in popunder windows? Nope, But feel free to ask them. They may lie to you and say they do; but how will you know for sure? They’re all black box and don’t show you any supporting details of what they measured and how they measured it. So you won’t know if their measurement is correct or not. And you can’t take any action, like turning off those sites and apps in your campaigns. That’s the whole point; they are VC backed ad tech companies. They have to keep you in the dark so they can keep charging you. And B, T, dub — fraud detection companies rely on ad fraud to continue so they can keep making money detecting it for you.?

My tools are called analytics for a reason. Marketers large and small are logging into the analytics so they can monitor their own campaigns and see the fraud for themselves. The analytics takes into account IVT — bot traffic — as well as other forms of fraud like ad stacking, pixel stuffing, popunders, etc. It also shows suboptimal things that can be improved — like ads running in the overnight hours when humans are asleep, ads shown out-of-geo, overfrequency problems, etc. The analytics are like a smoke detector; it tells the marketer where to look more closely to find fraud and also suboptimal things that can be tweaked to make the campaign run better. And the key is that the marketer can see where the fraud is coming from — which sites and apps are causing the fraud, so they can add those sites and apps to block lists and stop wasting ads and money on them. I teach clients how to use the analytics so they can do it themselves.?

FouAnalytics is analytics, not just black box fraud verification

With FouAnalytics, you have enough details to verify for yourself whether the clicks are from bots or from real humans. Even if the clicks are from humans, you need to know what they clicked. In the chart below, you can clearly see the green dots are clustered around the AdChoices icon and the [x] in the upper right corner of the 300x250 ad unit. That means the user was trying to close the ad, not click the ad. The blue dots further below show real clicks on 300x250 ad units - those clicks are spread out across the entire 300x250, not just clustered in the upper right corner.

Current fraud verification fails to detect most things

Looking at the current fraud vendors' reports, you can clearly see they make no sense. Entire buckets labeled "mobile in-app" or "n/a" are marked as 99.99% fraud free. How? How can they say it is fraud free when they don't know what mobile apps there were or even what site the ads ran on ("n/a")? Like we said above, it is because they have no data (bots blocked their tag) so they failed to detect the fraud. The 99.99% is not fraud free; the 99.99% actually means "failed to detect" instead.

3. “Ok, now I get that fraud is more than just IVT and bots and you can find some more than the other major vendors. But they’re MRC accredited, and you’re not. So we can’t use your stuff.”

Uh, who said you can’t use my stuff because it’s not MRC accredited? I will never, ever seek MRC accreditation because I don’t need to and because they’re not qualified to accedit any fraud detection vendor let alone my analytics. The MRC doesn’t have their own tech; and they have no data; and they have no truth set to use to determine if any bot detection is accurate or not. They are handing out accreditations to companies for measuring what they said they would measure. That’s why a company measuring 5 things and another company measuring 300 things can both get MRC accredited. And later you’re stuck in a situation where vendor A says IVT is 1% and vendor B says IVT is 27%, even though they are both MRC accredited and measuring the same campaign. MRC accreditation does not mean they measure IVT correctly.?

"MRC accreditation means the vendor is measuring what they said they would measure. That is entirely different than measuring fraud correctly. The MRC has no tech of their own, they have no data or answer key to know if any accredited vendor actually measured bots/IVT correctly and completely. But I do; and I have tuned FouAnalytics for the last 10 years personally."

The reason I said I don’t need to be accredited is because I show the client all the detailed data. It’s not black box; it’s analytics. This way, the client can understand why something is marked as fraudulent and why something is marked as NOT fraudulent. If the analytics shows you a website that has 100% Android 8 traffic, your own common sense should tell you something is strange about that. A normal site with normal human visitors should have a wide variety of different devices, not just one flavor of Android. If you understand why a site or app is marked fraudulent, you can take action — turn them off in your campaign.?

See: IVT Vendors Fail to Meet Minimum Standards for MRC Accreditation

4. “I see your point about analytics versus black box fraud detection and that we can turn off the fraudulent sites and apps ourselves. But I still don’t think a lot of ad fraud affects our campaigns.”

You may be right. Depending on how you buy the ads, you may only have relatively little fraud in your campaigns. The key is to use analytics to check that assumption. What I’ve witnessed over the years is that in general, the larger the advertiser, the more exposure they have to ad fraud. That’s because they have so much money and they want to buy such large quantities of ads. There aren’t enough humans on earth, visiting sites and using mobile apps so much to generate those 10s of billions of impressions on long-tail sites. So a good portion of those ads are created out of thin air by bot activity or other forms of fraud like repeatedly refreshing ad slots, etc. The other complication is that the larger the advertiser the more likely they have handed their multimillion dollar budgets to media agencies to spend. Even if the agency is knowledgeable and means to do the right thing, they are not incentivized to look too closely for fraud. In fact they are incentivized to not look, unless the client insists. You should use FouAnalytics yourself, so you can see if your agency is doing right by you; or if they have missed various things that can be made better. ?

Fraud and waste in programmatic media is far more than just bots

Marketers have been paying for fraud protection for years; that didn't work and doesn't work well. Marketers have not paid enough attention to other problems that make their campaigns suboptimal. For example, in the slide below, you can see that most of the ad impressions were served between midnight and 2am (green bars) and all the ads were used up by noon. That leaves no ads to serve for the rest of the day when humans are awake and online. Current fraud vendors don't help with that.

Also, did you get what you paid for? The 2 slides below show the "drop-offs" between the DSP quantities (bids won), the ad server quantities (ads served), and the quantity of ads rendered on screen (FouAnalytics measurement). In some examples, 25 - 33% of the ads were never shown on screen, but yet the marketer paid for it, and didn't know. Current fraud vendors don't help with that. Having FouAnalytics to measure campaigns helps you identify problems and troubleshoot them. It's not just about IVT/bots or not.

5. “So, what should we do now?”

Simple, let’s run a no-cost pilot. Use the analytics to tag your ads so you can see where they are running and if they are loaded by bots or humans. This way you don’t have to take my word for it. I can’t show you other clients’ data. But if you measure your own campaigns you can see your own data. And this lets you double check if indeed your campaigns are as clean as you think, or if there's something else that is not detected yet by the fraud vendors you are currently using. Be prepared you will get pushback from your own agency. They really don’t want you to be taking a closer look. But what have they got to hide, if they were paying attention and doing their job for you in the first place.?

"The tide is turning. From what I am seeing 5 of 5 marketers are planning to ditch their current fraud verification vendor and use FouAnalytics themselves going forward."

Also, since you were skeptical before, you don’t have to pay me — the analytics are free to pilot. And you don’t have to hire me for consulting. I can show you how to use FouAnalytics yourself (or your teams). I can also refer other practitioners to you who have been using FouAnalytics for a while and have plenty of experience looking at the data and helping clients improve their digital campaigns.?Have a look at some more screen shots and examples in the 2 articles below.

How Site-Owners Use FouAnalytics to Troubleshoot Bot Traffic

https://www.dhirubhai.net/pulse/how-site-owners-use-fouanalytics-troubleshoot-bot-dr-augustine

How Marketers use FouAnalytics to Scrutinize Clicks from Programmatic Campaigns

https://www.dhirubhai.net/pulse/how-use-fouanalytics-scrutinize-clicks-from-programmatic-fou