Rationalizing Fraud

Rationalizing Fraud - An economic explanation of why fraud thrives in the digital and programmatic ecosystem.

Consider this - you run a store.

Last year, $400,000 worth of merchandise has left your store, presumably sold.

At the end of the tax year, as you go to balance to books, it shows only $250,000 in sales has gone through your accounting/bookeeping.

You scratch your head — anywhere from 5–10% is understandable — stock can go missing, thieves could steal a little here and there, a staff member may take a pencil or two to use in work and forget to pay for it later — but 37.5% lost sales hints at a much wider problem.

You make it your mission to find the culprit, as Daniel Weiss did, when he was promoted to manager of the John F Kennedy Center for the Performing Arts, in 2011.

He monitored the employees of the gift store, and identified one as his main culprit.

Alongside the US National Park’s detective agency, he set up a sting operation, involving marked notes which could be easily traced.

Sounds very Hollywood up to now, but the conclusion is anything but.

Once the main culprit was followed home from work, surprised by the detectives and searched, it turns out a mere $60 in marked bills were found.

Doesn’t sound like the work of a sophisticated criminal mastermind, does it?

After the employee was fired, the losses continued.

Daniel’s next step was to start properly recording all sales made, and who was responsible for the sale.

Hey presto — the sophisticated fraud stopped there and then.

So, what actually happened?

Daniel put checks and balances in place. These checks and balances reminded each employee that not only were they responsible, but also that they were being scrutinized in more depth than before.

Without these checks and balances, the 300 strong, mostly elderly, volunteers of the gift shop would help themselves to a pen or a hat, or take $5 from the till to pay for a coffee.

It wasn’t one single, super-sophisticated mastermind here, simply a high number of staff committing ‘small’ crimes.

Bear in mind, the gift store employees were not hardened criminals — just regular people. Regular people and their behaviour can be examined and even understood better using economics.

The Simple Model of Rational Crime, or SMORC, helps us examine exactly why you or I would commit a crime.

A crime, in this definition, is simply breaking the rules — parking illegally on a double-yellow line or rushing past the ticket barrier at the train station in a bid to catch the train waiting, to avoid being late, as examples.

We use three elements in the SMORC –

a/ The benefit you would gain from the crime

b/ The probability of getting caught and

c/ The expected punishment if you are caught

Let’s apply one of our examples above to the model –

I’m running late, as I frequently am, and decide to drive to my meeting.

I can park in the multi-storey car park, which is a ten-minute walk away from the office, or I can park on the street behind the office, on a double-yellow line, which is a 30 second walk from the office.

This walking time difference will dictate whether I am on time, or late for my meeting.

Not wanting to be late to meet my client, I opt to park on the street behind my office, thus committing the crime.

The benefit I gain is being on time for my meeting — thus ensuring I don’t annoy my guest — which is key if we’re to have a positive business relationship.

Next, the probability of me getting caught is quite low — it’s a busy area, with frequent deliveries and drop offs to the restaurants and bars near my office.

Finally, if I am caught, it’s simply a ￡60 fine.

You can rightly say that I am willing to take the risk, as the cost vs. benefit analysis I’ve conducted (the low probability of a ￡60 fine vs. looking good in front of a potential client and the chance to progress in my career) shows me that taking the risk in committing the crime is certainly worth it.

Subconsciously, we conduct many of these cost/benefit analyses in our day to day life, using the three criteria explained above.

What is the cost vs. benefit of leaving the office ten minutes early?

What about telling a white lie to get out of a social engagement we’d rather not attend?

In the story about crime at the JFK Center for Performing Arts, above, every volunteer at the gift store conducted these analyses every time they were in work.

What is the cost vs. benefit to taking a $5 note from the till, where nothing is recorded, to pay for the coffee I’m about to order? Now ask the same question, with the three criteria, in a scenario where everything is recorded.

Economists are very keen to create models which are universal — the Simple Model of Rational Crime works when we apply it to a physical store selling physical, tangible goods.

Does the propensity to commit crime increase when the good being sold is theoretical and intangible? You cannot hold an ad impression. Similarly, you can’t pick up a click and put it in your pocket.

The digital ecosystem, and especially programmatic media, has a massive fraud problem.

Forrester Research estimates that $7.4 billion/￡5.5 billion (roughly) was wasted on display ads alone in 2016. This is without even considering in-app or video ads. Wasted ads in this case means both fraudulent and non-viewable.

Furthermore, Forrester is forecasting that wasted ads on display alone will rise to $10.9 billion/￡8.1 billion (again, roughly converted) if nothing is done to address the issue.

Outside of display, the same report names video, typically with much higher prices than display, as seeing 44.7% of overall spend, but with 63.8% of overall fraud.

As mentioned, programmatic is the big culprit here, with programmatic video seeing 66.5% higher fraud than direct-sold video.

Many steps are being taken to address this — third party verification companies exist to help advertisers address ad wastage (from fraud or lack of viewability).

Ads.txt, whilst not seen as the silver bullet in killing fraud altogether, is certainly gaining traction throughout the ecosystem in a bid to clean up the entire supply chain.

Whilst it will likely be a footnote for programmatic in 2018, many are forecasting Blockchain technology to be the death-knell for fraud, but as solutions are light on the ground today, it’s hard to say just how effective it will be, and how widely it will be adopted, ecosystem-wide.

The purpose of this article, however, is not to talk about combatting fraud.

On the contrary, I want to use the Simple Model of Rational Crime to address firstly why fraud exists and why it is such an issue, and secondly, the potential for a fraud-free future for our industry.

So, firstly, why does fraud exist?

The simple answer is that fraud exists because we allow it to.

Yes, you and I are indirectly responsible for fraud.

As we work in digital, we encounter fraud daily. We try to fight it — removing fraudulent domains from whitelists, not paying for fraudulent impressions, educating our clients about dodgy players in the ecosystem, using vendors to keep fraud levels down. But this is where it ends.

No professional body, within our industry or outside tackles fraud like ticket inspectors on trains, parking enforcement guards for illegally parked cars and police for actual crime.

Consider for a second, just how terrible the parking situation in your city centre would be if there were no parking guards issuing tickets for illegally parked cars. It would be chaos.

This is, in effect, the digital ecosystem; no one will pursue you in an effort to lock you up, nor will they pursue you to drag you to the courts so agencies, advertisers and technology vendors can recoup lost earnings from fraud.

Let’s revisit the Simple Model of Rational Crime, and apply it to fraud in programmatic –

a/ The benefit you would gain from the crime –

As seen in the Forrester Report above, the loss advertisers suffer, at least a portion of such, is going directly into the pocket of fraudsters.

Non-viewable impressions are a different beast, as the trading desk may be lead to believe the impression is in view, and buy it in good faith. Whilst not fraud, it is wastage.

The monetary gain is easy to see — advertisers are flocking to programmatic buying with varying levels of experience and expertise. A less experienced advertiser could be running their ads on fraudulent domains, with ads never seen by human eyes, and are paying for the privilege.

To give a example of the potential benefit, Methbot, the highly sophisticated ad fraud scam which surfaced in December 2016, was widely reported to have made $3-$5 million per day before being uncovered.

b/ The probability of getting caught -

Yes, Methbot was caught and uncovered.

Not before it made an estimated $180 million for its’ creators, though.

While we have many third parties in the industry tackling fraud, and they are effective, some fraud will always slip through the net.

As I’m going to explore in the next section, fraudsters play on the law of averages — if they make 200 fraudulent domains, maybe 10 will get through the filters and generate revenue for them.

Even if these are live for a matter of days before being switched off, that is still more programmatic spend funnelling into fraudulent hands.

c/ The expected punishment if you are caught -

I recently saw a fantastic presentation from Oliver Hülse, MD at Integral Ad Science DACH.

He referenced a report which confirmed my biases in writing this article — that ad fraud is the perfect trifecta of a/ relatively easy to conduct, b/ has a high potential for payout and c/ has a very low perceived risk. Article is available here (https://static.politico.com/b9/55/4e3ce4cc41d88401e264dcacc35c/hpe-security-research-business-of-hacking-may-2016.pdf Figure 1 on Page 4)

Let’s first look at the ease of conducting fraud –

While Methbot was a very sophisticated model for fraud (reading more into its set up and operation is eye-opening), not all fraud is created equally.

Domain spoofing is entry level fraud, and is still widely successful.

Say you’re an advertiser, and the Guardian is a publisher that resonates well with your target audience, you want to spend a portion of your budget on Guardian inventory.

I could simply register a cheap domain, let’s call it skjhg,com (which is available for ￡0.99 at the time of writing).

All the fraudster will do is create some subsections of the site, say a news aggregation page, and call it guardian.skjhg.com

Next, you want to really want to make this page generate money for you, so not only will you keep the page short (so it is 100% viewable/no scrolling) you will also load it up with many ad slots. Being able to show 10 ads on the page can potentially generate 10x revenue than if you were showing just one ad.

All that’s needed now is for the page to be accepted on to a monetization programme, and hey presto — fraud in action.

We’ve already seen the potential for payout when talking about both the level of money flowing through digital and programmatic, and the reported monetary success of Methbot, so let’s look at the risk.

What happens if our guardian.skjhg.com domain is found to be fraudulent?

Pretty much nothing. We will likely be blacklisted by all buy side vendors once we’ve been flagged as fraudulent.

No checks or balances in place to stop us from registering a brand new domain and appending ‘guardian’ before it. In fact it’s highly likely a fraudster will have hundreds of domains operating the same way, so if one is switched off, it may only account for a small few percent of the fraudsters earnings.

As mentioned higher up in the article, no legal body will come knocking on the door of the fraudster looking to claw back lost spend.

Going back to the question on how your city centre would look if no one handed fines for illegal parking, now consider why ad fraud is such an issue for our industry.

Applying the SMORC to the Programmatic space shows us exactly why fraud has a chance to flourish, but can we possibly have a fraud free future?

Using the example of Daniel Weiss and the JFK Center, I fully believe we can combat the worst offenders by implementing checks and balances that apply to the entire ecosystem.

Here’s a thought; If an advertiser lost ￡1 million due to fraud last year, would they be willing to split any reclaimed money with an independent body that chases on their behalf?

Or instead, should an independent body demand donations from all major players in programmatic, so that they act as a ‘programmatic police’, and chase the worst fraudsters in a bid to reclaim lost spend?

What do you think?