Beating the Fraud Guide: How To Protect Your Ads

Yaroslav Kholod, director of the Programmatic Division at Admixer, reviews today’s most common and tricky ad fraud types and presents the best practices on protecting online ads from fraud in 2021.

Programmatic emerged in response to digital advertising’s need to scale and eliminate the menial process of establishing direct contracts with publishers. Ad servers were introduced to streamline the auction process and automate bidding on behalf of the advertiser, but they brought some problems of their own.

The programmatic ecosystem is complex – it has a long supply chain for impressions and multiple resellers along the way. The intricate web of partnerships, sophisticated technology, and the global marketplace that enable the personalized ads’ delivery opened the door to ad serving fraud. In 2019, according to different estimates, $5.8 billionOpens a new window to $42 billionOpens a new window of ad spend was lost due to ad fraud.

This article will review the most common types of advertising fraud and present the best practices on protecting your ads from it.

A Bit of Theory

For ads to be effective, they have to be seen and clicked by real consumers, not botnets that mimic consumer behavior. Bots that generate fake traffic inflict significant losses on advertising and marketing budgets. According to a joint reportOpens a new window by Traffic Guard and Juniper Research, in 2019, advertisers spent $407 on each internet user, with $61 wasted on invalid traffic.

Before diving into the anti-fraud solution, advertisers need to understand differences in the invalid traffic reporting, distinguish General Invalid Traffic (GIVT) from Sophisticated Invalid Traffic (SIVT), and see the degree to which each type can influence their media campaigns.

 

GIVT

General Invalid Traffic is the background noise on your charts, always present and never threatening. It is often generated by industry crawlers or bots that perform maintenance tasks. They display behavior unlikely for human users, like jumping between websites every couple of seconds – and thus can be easily detected. GIVT may include:

• Search engine crawlers
• Analytics and measurement partners crawlers
• Datacenter bots
• Traffic from unidentifiable browsers (with VPN, for instance)

GIVT can be detected with the standard procedure of filtration with lists or parameter checks.

SIVT

Sophisticated Invalid Traffic is what people mean in conversation when they are talking about fraud. SIVT is traffic created to click or view ads and to get ad revenue. Fraudsters generate SIVT in a variety of ways with domain spoofing, device hijacking, manipulating cookies, etc.

This kind of traffic is very hard to detect because it mimics legitimate human behavior and usually would not raise any red flags. Identifying SIVT requires in-depth analytics, coordination between partners, and anti-fraud expertise. SIVT may include:

• Hijacked user sessions and devices
• Ad stacking
• Pixel stuffing
• Bots and click farms masked as real users
• False location data
• Malware, cookie stuffing, and much more

While there is a negligible amount of GIVT traffic volume, SIVT presents a real threat, affects the baseline, and siphons off money from both advertisers and publishers. When the advertiser attributes an impression or a click to its supply partners, the fraudster gets the cut.

Learn More: Mobile Advertising Evolution: Mobile Web to In AppOpens a new window

What Can Harm Your Ads?

There are various types of fraud that involve fake supply, fake attribution, or fake traffic. It is essential to know the most common fraud cases in different environments to identify if your ads were compromised:

Click injection

The technique known as click injection is based upon malicious apps or browser extensions producing ad clicks.

Last year, Facebook filed a claimOpens a new window against two app developers, LionMobi and JediMobi, for driving fake traffic to its advertising platform. Those developers got unde served payouts from Facebook for misrepresenting that a real person had clicked on the ads.

Click injection is the common scam practice for easy-to-make apps, like hyper-casual games, which get downloaded in the millions. Such apps click on the ads in the background without the user noticing.

For instance, apps infected with the click injecting malware Simbad were downloaded 150 million timesOpens a new window from Google Play. Simbad clicked on ads in the background and got the credit for the fake actions while churning up a user’s mobile data and battery power.

Click spamming  

Similar to click injection, click spamming also generates fake clicks. However, instead of inserting malware on actual users’ devices, click spamming produces a large number of clicks with bots and click farms. Fraudsters flood the measurement system with those low-quality clicks hoping that some will pass through the filters and get the payout.

Law enforcement routinely uncovers thousands of click farms, predominantly in Tier 2 and Tier 3 countries. For instance, a couple of years ago, three men were arrested in Thailand for running a click farm with over 300,000 SIM cards and 400 iPhonesOpens a new window .

Ad injection

This type of fraud involves deploying ads on the publisher’s website or app without their permission or knowledge. Those ads are usually placed by fraudulent browser extensions that replace or overlay the existing ads or even some parts of the original content.

Recently, security company AdGuard discovered 295 Chrome extensions Opens a new window that hijack and insert ads inside Google and Bing search results. The majority of them operated as fake ad-blocking extensions, cookie cleaners, or weather bots that were available in the official Chrome Web Store. The fraudulent extensions were downloaded by 80 million users, then hijacked their impressions, stealing generated ad revenues.

Ad Stacking

Ad stacking is the fraudulent tactic that involves stacking multiple ads in a single placement, where only the top one is viewable. This way, the user is unaware that they are viewing other ads, while the advertiser pays for the hidden fake impressions.

Pixel Stuffing

Pixel stuffing is another method that misrepresents human activity by placing the ad in a format invisible for the user, in a single-pixel or on hidden parts of the interface.

Those tricky placements generate fake views and get a payout for impressions.

Install Hijacking

One of the most common types of fraud in the in-app environment is the install hijacking. This type of ad fraud involves deploying malware onto the user’s device to track activity within the app store. When a user downloads an app, the malware detects and sends the click to the MMP to get a revenue share for the install.

Without the appropriate precautions, malware can misrepresent attribution and score further CPA targets that users produce later, such as reaching a particular level in a game or completing an in-app purchase. Those actions promise higher rewards and lucrative payouts for fraudsters.

Which Environments Suffer The Most From Fraud?

Web fraud

Most fraudulent practices were born and reached their maturity on the web. However, since then, the industry has developed standards and protocols to detect misrepresented traffic, and the bulk of fraud has migrated to other environments. The mobile web accounts for 26%Opens a new window of fraudulent traffic, while the desktop web has 34%Opens a new window . In this environment, fraudsters prefer botnets, ad stacking, and forced redirects to generate fake traffic, most commonly for click fraud and impression fraud.

One of the pillars of web traffic fraud is video, which accounts for almost 64%Opens a new window of ad fraud. Video has recently become one of the more booming and highest-paying ad formats, and fraudsters rushed to generate fake impressions from fake users for their share of CPMs. The most widespread type of video fraud is when the publisher misrepresents their display units as video inventory in programmatic exchanges.

In-app fraud

According to PixalateOpens a new window , ad fraud in the app environment is more common than anywhere in the programmatic marketplace. While desktop bots are placed through malware, in-app fraud is deployed through apps downloaded from trusted marketplaces, such as the App Store. The traditional web tracking model is obsolete in this environment.

Recently, Google has removed close to 600 Android appsOpens a new window and banned their developers from the Play Store and its ad networks as part of a massive crackdown on ad fraud and “disruptive” mobile ads.

IOS vs. Android

Android dominates worldwide in terms of market share, making it the platform of choice for fraudsters. Indeed, the figures are stark: the app install fraud rate on Android is over 4.5 times higherOpens a new window than on iOS.

These significant differences can be explained by the strict walled garden approach of iOS, which does not give third parties leverage in the ecosystem and implements a strict vetting process. In contrast, Android supports out-of-store apps, which frequently carry malware that perpetrates fraudulent schemes.

But this may soon change as the upcoming iOS14 releaseOpens a new window is going to disable the advertising ID. The phase-out of the iOS ad identifiers can open the door to fraud. The iOS advertising ecosystem is a tidbit for fraudsters due to much higher CPMs than on Android devices. The loss of user IDs will affect anti-fraud solutions and may lead to the rapid growth of fraudulent actions across iOS apps.

Fraud by App category

Different app categories are prone to different kinds of fraud. In the fake click schemes, Gaming, Shopping, and Finance app categories are the most vulnerable to fraud.

Non-gaming apps

In the non-gaming segments, fake installs can account for 32% of fraud. Finance apps have the highest app install fraud rate at 48%Opens a new window , followed by travel apps, with 45%Opens a new window of invalid traffic.

Fraud in non-gaming verticals is based primarily on bots, which stay unnoticed by aiming at less visible zones of the app and are dependent on the in-app engagement measurements.

Mobile games

As for the fake installs, gaming is lagging, and only 3.8% of installs are fraudulent, according to AppsFlyerOpens a new window . The gaming category is notorious for fake supply. Advanced internal tools and methods have recently reduced their vulnerability to install fraud, but they still remain exposed to other kinds of malware.

Fake traffic and attribution are common across all game subcategories. This method is based on falsely getting the credit for real users with click spamming and attribution hijacking. According to AppsFlyer, 30% of fraud in this category comes from hijacking attempts, almost double the non-gaming apps rate.

Learn More: 3 Mobile Marketing Campaigns That Won Us Over in the First Half of 2020

How To Protect Your Ads From Fraud  

Anti-fraud vendors

Programmatic media trading is a constantly changing environment, with new protocols and practices introduced every quarter. Thus, it may be difficult to keep track of each new security breach, and it is prudent to find a partner for traffic validation.

 For example, Admixer has two traffic quality partners to guarantee brand-safety to the partners. Comparing the differences between the data from validators reinforces traffic analysis and allows us to derive more detailed insights and spot fraud very early.

 Having several anti-fraud vendors at your disposal helps assess traffic quality during the publisher initiating tests (which I recommend doing before every new launch).

Impression scanning

It is important to compare the number of impressions between you and the validator statistics and analytical data. There may be cases when you see an acceptable level of publisher invalid traffic since validators cannot scan all traffic. Scammers can remove the validator pixel and leave impressions to get a reward for a fraudulent click or action. The only correct way is to scan each impression with your validator pixel. Frequently, pixels are set to scan every second or third impression to save on the monthly limit, but fraudsters can detect and mimic this frequency:

For example, our team not only tracks the difference in impressions but also makes deep integration with our validators who are using their pixel on our domain. I saw a case when the frequency was changed from 2 to 1, and it led to a dramatic increase in the publisher’s invalid traffic level.

Blocking multiple requests

Tracking the number of requests and blocking multiple requests, also known as rate limiting, can stop certain bot activity types. It also helps to reduce the load on web servers and prevent API overuse.

Usually, rate-limiting involves tracking IP addresses of the requests and recording time between individual requests. An IP address is a primary way to identify the source of the request. If there are too many requests from the single IP within the standard timeframe, rate limiting will not fulfill the IP address’s requests for a certain amount of time. Rate limiting is an effective solution to safeguard your ads against DoS and DDoS attacks, web scraping, and botnets.

Blocklists

Another important practice in anti-fraud management is prebid blocklists. These are lists of compromised parties, vendors, and platforms, which were caught spreading fraud. Adopting prebid blocklists stops fake traffic at the entrance to the ecosystem.

For example, Admixer has internal blocklists and regularly updates them. We also use 3rd-party vendors to reduce the fraudulent request by checking against databases of parameters like IP, device, bundle, domain, high-risk apps, etc.

Detecting fake data and attribution

Fraudsters frequently attack the data returning to the buyer and compromise the measurements to show more impressions, higher engagement or viewability, and fake good campaign performance.

Unfortunately, in most cases, only after the impression was reimbursed you can understand that it was fraudulent, and then find the source of the breach. The speed of your reaction comes first in post-bid detection. The faster you understand that traffic from a particular source is fraudulent, the faster you will block it on your side and minimize the damage to your partners.

Attribution fraud is less apparent and may require time to investigate data and learn its patterns. To identify the misrepresented data, advertisers should clearly set campaign KPIs, examine mid-flights and postflight analytics, and identify any outliers that signal fraudulent activity. This way, they will not miss the attribution fraud attempts.

Implementing industry standards

One of the most common types of fraud is fake supply. This kind of ad fraud happens when advertisers bid on illegitimate placements thinking that they were authentic. There are a variety of approaches that fraudsters use when faking the supply, but most of them can be counteracted with the implementation of industry standards.

The Interactive Advertising Bureau (IAB) Tech Lab introduced ads.txt, a text file that publishers can place on their sites to show ad buyers a list of the authorized vendors allowed to sell their inventory. Another important tool is sellers.json that allows you to check sources of the inventory, direct publishers, and traffic resellers of the Adtech platforms, SSPs, and ad networks. These initiatives provide additional transparency and data layers that advertisers can use to check if their supply was tampered with. In March 2019, IAB Tech Lab released the next iteration, called app-ads.txt, created to support mobile apps, OTT, or any other app inventory.

RTB 3.0

Furthermore, IAB has already developed a more advanced programmatic protocol to filter out supply fraud – RTB 3.0, which is awaiting its industry-wide adoption. It has a safety hatch – Ads.cert that can help detect more advanced fraud types, such as ad injection.

Ads.cert makes an extra step in verification. It can validate data that passes between the buyer and seller at every stage of the programmatic ad supply chain, making sure it is not modified or forged. This solution is a lot like digital signatures that let buyers verify inventory regardless of how many resellers it already passed through.

Learn More: Increased Mobile Shopping Is Here To Stay – How Should Retailers Adapt?

To Sum up

• Traffic fraud accompanied digital advertising from the moment of its inception. It previously dominated the web. Now it is more prevalent in the app environment, mostly on Android, which accounts for almost 90% of fraud due to the Google Play Market’s lax security standards.
• Among the app categories, Finance, Travel, and Shopping are the most prone to click and impression fraud. Gaming is immune to this type of fraud due to the dominance of the CPA model. However, most Gaming categories are highly susceptible to install hijacking.
• Video advertising is another environment plagued with ad fraud, both in web and in-app environments. The most common tactic here is misrepresenting ad placement as the video inventory in the bids put forward.
• The key to combating fraud is to set up advanced analytics and partner with traffic quality vendors that can provide additional data layers to gather a comprehensive attribution picture. By juxtaposing data from different sources, it is easier to spot outliers and detect fraud.
• Advertisers should implement a rigorous vetting process, with blocklists of fraudsters and suspicious traffic, which they should regularly update and compare with corresponding lists of third-party vendors. Impressions scanning and tireless filtering are paramount to keeping your traffic safe.