What is ad fraud, and how can we defend ourselves against it?

ad fraud

The landscape of the ad industry has had a massive change within the last 20 years, and with it came a new type of fraud.

About 20 years ago, the ad industry started to experiment with a new model.

The existing system was straightforward: Ad buying agencies would decide which broadcasters or publishing groups could best deliver their audience. They would have lunch with the agencies representing those broadcasters or publishing groups. They’d eat, drink, and make a deal. This is a radical simplification, but there’s some truth in it.

Then came digital – and mobile.

Suddenly, ads didn’t have to be booked in advance. They could be served in real-time. And there were new intermediaries around that knew a lot about the individual customer – age, gender, likes/dislikes. They could help with targeting.

So why bother with lunch? Instead, just build some algorithms and let them decide which ad to serve to a unique user in a few nanoseconds. This, of course, is programmatic advertising. It has brought with it fantastic targeting opportunities and lots of efficiencies.

But it has also brought a few problems. And the worse of them all: fraud. In a new report, the ad tech firm Mobvista sets out the extent of the issue. Its Mobile Ad Anti-Fraud White Paper 2.0 shows the current state of mobile ad fraud, the different fraud types, and the efforts to combat the problem.

Mobvista serves 10 billion impressions a day. It carried out an analysis of the total number of fraudulent installs between October 2019 and March 2020. It revealed that more than 10 percent of total global traffic was fraudulent.

In five countries – Pakistan, Italy, France, Spain, South Africa – the total was over 20 percent. In terms of OS, Android was much more frequently targeted. It accounted for 59.8 percent of fraudulent installs, against 40.2 percent for iOS.

Interestingly there was also a strong variation in fraud targeting by app category. Reading apps are by far the worst affected, with 28.6 percent fraudulent installs. Needless to say, criminals use many different techniques in their attempts to defraud ad networks, publishers, and developers.

However, these methods can be grouped into three broad categories: attribution fraud, fake traffic, and illegal traffic.

Attribution fraud happens when fraudsters attempt to steal the income generated by organic app installations. Fake traffic reports clicks, installs, and any in-app activity that doesn’t exist. As a result, advertisers pay out money but they fail to acquire real users.

Illegal traffic is perpetrated by unscrupulous publishers. They use illegal methods to acquire users – incentivized traffic, prohibited ad materials, pay-per-click/install/event scams, deceptive clicks, background trojan installations, and more. The users are not organic and deliver no long term revenue.

Here are some of the more common scams relating specifically to apps:

  • Unviewable ads
    Here the advertisement is loaded, but never displayed to the end-user.
  • Fraudulent traffic/impression laundering
    Ads appear on a site, which is not the one the advertiser paid for.
  • Clickjacking
    Malware hijacks the ad slot on a website and displays an ad, generating revenue for the attacker rather than the publisher
  • Click Flooding
    When a fraudster claims credit for an organic app install
  • Click Injection
    An app already on a phone knows when another app is being loaded and claims credit and payment for the new download.
  • SDK Spoofing/attribution fraud
    A bot sits inside an app and generates ad clicks from inside it.
  • Bot traffic
    Bots rather than people click on ads and perform fake installs. Fraudsters make bots ‘behave’ like real users.

Obviously, the battle to defeat the fraudsters is never truly won. These criminals make big money. They have every incentive to find new cheats and to invent new scams.

Still, industry bodies such as the IAB and companies such as Mobvista are working hard on deterrents.

Many of these defenses focus on the IP number. Since every connected device has one (not just phones and laptops but also ‘things’ such as alarms and smart speakers), this unique number can provide important clues.

So if a large number of clicks or installs originate from the same IP addresses, this could be fraud. Mobvista and others often compile blacklists of dodgy IP addresses they can refer to. They can also check whether the IP address of the device that clicked on the ad is the same that installed the app. Or if they are in the same geographical region.

Another indication of possible fraud comes from the time taken to click on an ad and then install the app. A bot will do this much faster than a human.

These are just some defenses. The Mobvista report describes many more.

It concludes that “it’s essential for all parties involved, including advertisers, media, ad agencies, third parties, and other key industry players, to come together and fight against fraud traffic in order to keep the industry growing.”

No one could argue with that. All successful apps are at some risk of fraud. Developers, stay vigilant!