Uncomplicating digital ad fraud with FouAnalytics so you understand how to solve it yourself

I remain flabbergasted at the lack of understanding of digital ad fraud, among ad buyers (advertisers and agencies) and also among ad sellers (publishers). But you are NOT to blame. Who can blame you for not looking into digital ad fraud in more detail when your national trade association has been telling you ad fraud has been low (sub 1%) for the last 8 years; and the legacy fraud verification vendors you paid for also showed those low numbers.

Let me uncomplicate some examples of digital ad fraud here, in hopes of helping you overcome long-held beliefs that have caused ad fraud to proliferate. Let me start with a recent, and strongly held belief...

"There's no ad fraud in CTV because it's impossible"

You're right. There IS no ad fraud in CTV because it's impossible. If the ad runs on Hulu, Disney+, Amazon Prime, NFL SundayTicket, ESPN, HGTV, FoodNetwork, etc. bad guys can't make money from that, because the ad revenue goes to those legit media sellers. So CTV ad fraud is impossible in real CTV channels.

Bad guys focus on where they CAN make money. They have hundreds of Roku streaming apps that no one has heard of, just like the millions of fake android and iOS apps made for advertising, that no humans know about. The bad guys juice the view counts on their fake Roku apps just like they juiced site traffic with bots 15 years ago. Even mainstream steaming apps have been documented doing questionable and shady things. PlutoTV, for example, has long been known to run ads throughout the night, when no one was streaming and the TVs were off. Note that smart TVs are like smartphones, the screen can be off, but the device is not off and can continue to load ads throughout the night. More recently, PlutoTV was also called out for doing deliberate bid duplication to get higher CPMs.

Finally, when ad buyers try to buy low cost CTV, they turn to programmatic exchanges and supply sources other than the mainstream media sellers. In the current examples below, you can see CTV CPM prices for North America ranging from $14 - $20, $5.72 - $14, $15 - $20, respectively.

What do you think the $5 - $15 CTV ads come from? Are your ads actually running on a big, connected television screen? Of course not. Your CTV ads were running on crappy websites and mobile apps, just like display ads and video ads. When we present this evidence, the ad buyer inevitably says it's fine because it was only $5 - $15 CPMs, instead of real CTV prices like $70 - $90 CPMs). They must be getting in front of some humans' eyes, right? Believe what you want to believe. $5 CPM ESPN is not real ESPN.

Even direct buys, PG deals, PMPs, etc. are not a cure-all for fraud, or misrepresentation of inventory. This "direct buy" from Samsung had 11% of the impressions showing on websites, which was not what the ad buyer was expecting. They thought the ads were going on large Samsung connected TV screens in the living room and were paying the much higher CTV CPMs. Needless to say, they were not happy. Turns out, Samsung was doing audience extension to get more inventory to sell. They believed that anyone who had a SamsungTV was their audience, so regardless of which sites they visited or mobile apps they used, they were still their audience and could be "sold" as that.

And don't forget that the earliest cases of CTV fraud involved mobile apps like Grindr pretending to be CTV streaming sticks -- i.e. they generated fake CTV bid requests and used rotating lists of streaming device names and user agents.

Do you still think there's no fraud in CTV because it's impossible? Perhaps you think the examples above are NOT fraud?

Publishers frantically looking for bot traffic on their own sites

Good publishers, over the years, had been forced to pay for fraud verification by ad buyers and trade associations; to detect and block IVT (invalid traffic). But the invalid traffic didn't actually occur on their own sites. They were falsely blamed for bots and fake traffic, due to the incorrect reporting (placement reports and log level data) and incorrect measurement by the legacy fraud verification vendors. How is that possible?

Fake sites must lie about their domain in the bid request; otherwise they'd get no bids. So they pretend to be mainstream sites like esquire .com, foodnetwork .com, reuters .com in the bid request. They get bids and ad revenue. But the ads never ran on those real sites. The ads ran on the fake site that was using IVT ("invalid traffic"). Log level data and placement reports record the domain that was passed in the bid request, not the domain where the ad actually ran. Furthermore, legacy fraud verification vendors record the domain and app names that were passed in the bid request.

This particular error was documented in both the Sports Bot (2017) and 404 Bot (2020) cases where none of it occurred on the mainstream publisher sites. There were no large botnets on the sites. These 2 cases were entirely faked bid requests. In the Sports Bot case, billions of fake bid requests, purporting to be on major sporting sites like NFL .com, NBA .com, MLB .com, etc. did not require a giant botnet on these sites. The faked bid requests were all generated by code on servers. 404 Bot was similar, but this fraud scheme even passed non-existent page urls in the bid requests. When these urls were visited, a 404 error was seen (page not found). There was no botnet on the major publisher pages and the page urls didn't even exist. But yet they were recorded in the placement reports and verification vendor's data. Let me re-iterate, the ads could not have been run, because the page urls didn't exist.

These were incorrectly reported by the legacy fraud verification vendors and the fraud did not occur on the mainstream publisher sites. In fact, in all cases of spoofing, the fraud siphons dollars away from the good publishers to bad guys pretending to be those good publishers' sites and apps. The fraud didn't occur on the mainstream pub sites; it occurred elsewhere. So publishers wouldn't find 80% IVT on their own sites. Spoofing continues today and large sums of money are diverted away from good publishers sites, and they can't see any of this because all of it occurs somewhere else.

Multiple forms of ad fraud usually occur together

It is reasonable to believe that mainstream publishers and media sellers are not trying to rip you off. For example, Hearst, Conde' Nast, Meredith, Gannett, etc. are not deliberately trying to rip you off. But owners of fake sites and fake mobile apps ARE trying to rip you off, for as much money as possible, as fast as possible, and for as long as possible. Some 15 years ago, when most of the programmatic ads were display ads on websites, the bad guys made hundreds of websites using Wordpress templates and stolen content. But their sites had no traffic because humans didn't even know they existed. So these fake site owners went out and bought some traffic. As long as the cost of the traffic (e.g. $1 CPMs) was less than the ad revenue (e.g. $10 CPMs) they happily and easily made money hand over fist. Large ad buyers wanted to buy more quantity of impressions than could be created by human activity on websites. These fraudsters happily obliged, and created as much ad inventory as needed to absorb all that sweet, sweet ad budget that had to be spent before the end of the year.

Bots, or "invalid traffic" (IVT), were the primary form of fraud 15 years ago. But the sites that used bot traffic because they had no human visitors, would layer on other fraudulent techniques to multiply their own ad revenue. Why stick only 1 ad in an ad slot when you can stick 50 ads in the same ad slot (ad stacking) and multiply your revenue by 50X. Why load only 10 ads per page when you can load 500 per page in tiny 1x1 or 0x0 pixel iframes (pixel stuffing)? Why not load entire webpages into ad slots of "recommendation widgets." Aside form fake visitors (bot traffic) loading the page, many other fraudulent techniques done on the page level help the criminal multiply the numbers of impressions they could sell, and therefore their own ad revenue.

The trade associations appear to have finally caught on to these types of sites, and named them MFA ("made for advertising") sites. What they are still missing are the MFA mobile apps that are committing ad fraud at a far larger scale that websites, since the majority of ad impressions run in mobile now.

Bad guys have gotten around legacy fraud detection for a long time

How did ad fraud get so bad? Everyone's been paying for legacy fraud verification. Turns out, instead of helping advertisers avoid ad fraud, these legacy verification vendors actually helped fraudsters by effectively covering up the fraud that was there. They have reported invalid traffic to be 1% for the last 8 years. So ad buyers could not see the fraud that was there and do something about it.

Here's one other simple concept to keep in mind. Bots were fake devices -- headless chrome browsers created in data centers to repeatedly load webpages. These automated browsers are the same tools that developers use to test their websites, and that scrapers use to scrape/steal content from publishers. So when they load a page, and cause ads to load, those are marked as "IVT" because it was invalid traffic. The ads shown to bots were not what the ad buyer wanted. But what about the flashlight apps, alarm clock apps, emoji keyboard apps, VPN apps, spam call detection apps, etc. that are loaded on real people's phones? The app is real; and the device/phone is real. So both of those will pass inspection by the legacy fraud verification vendors. But ads loaded throughout the night by the alarm clock app, or ads loaded in the background by the keyboard app, or webpages loaded in the background by kids gaming apps, etc. are all forms of fraud where the ad buyer is not getting what they thought they were paying for -- ads shown to humans. The legacy verification vendors failed to detect the fraud because the apps were real and devices were real. They missed the fraud and severely under-reported on the impressions that were simply waste for the advertiser. These low numbers were used by the trade associations to claim credit for their fraud fighting programs; unbeknownst to them, the low numbers are due to the failure of the legacy verification vendors to catch the fraud, not because the fraud fighting efforts of the trade group were working.

So what?

Let's wrap this latest edition by focusing on the levers you can pull to make your digital campaigns better. You don't need to know which individual ad impressions were subject to fraud. You just need to know which sites and apps exhibit a one or more fraudulent techniques. Some of their visitors may be fake -- i.e. bots. But the site owner that's a cheater will also do OTHER shady things like ad stacking, pixel stuffing, ad slot refreshing, reloading entire webpages, etc. Beyond just IVT (bot traffic), if we observe other shady actions by the ad seller, the evidence presented in FouAnalytics empowers the ad buy to choose not to buy from the seller any more. They can add sites and apps to the block list, or remove them from inclusion lists. These are the actions we can take to clean the campaigns. In the case of Google search, you turn off search partners; in the case of Facebook advertising, you turn off Facebook Audience Network; for YouTube, you turn off Google Video Partners; for TikTok, you turn off Pangle, etc. These are the levers you can pull to fix digital advertising.

You don't NEED FouAnalytics to solve digital ad fraud. You can do that yourself, for free, and with some common sense. But you CAN use FouAnalytics to check that you are getting what you thought you were buying. That's it. It's simple. Turn off all audience networks on social sites. Use inclusion lists in programmatic and turn off as many supply sources as possible to avoid 90% of the fraud. Use FouAnalytics to check that your ads are going to the sites in your inclusion list. And use FouAnalytics for more advanced optimizations like ads shown to more humans (not just fewer bots) and for greater attentiveness once the user arrives on your landing pages.

For more case examples and screen shots: https://www.dhirubhai.net/in/augustinefou/recent-activity/newsletter/