How firms cash in on ad fraud
Ad fraud is where bots — software programs pretending to be real people — generate fake ad impressions, which are then purchased by unsuspecting digital marketers. It’s big business.
How big? Massive, according to Dr Augustine Fou, an independent cybersecurity and ad fraud researcher.
“Estimates of fraud range from 20pc to 50pc of digital ad spend,” he says. “Given that digital ad spend is estimated to be between $150 and $200bn worldwide, the problem of ad fraud is truly large.”
And recently, ad fraud has spawned some particularly notorious bots. First there was Judy. Sure, it’s an underwhelming name, but it’s a bot that packs a punch. It has been found on 40 apps — mostly games — and Fou estimates it can generate up to one billion fake ad impressions every minute. It recently caused Google to delete the relevant apps from its Play store. They had been downloaded 36 million times.
Then there’s Fireball, which is estimated to have infected over 250 million computers worldwide, and 20pc of all corporate networks. Fireball takes control of infected browsers, installing plugins to manipulate web browser configurations and generate fake traffic. Fireball makes Judy look like it deserves its mundane name. According to Fou, it can generate 30 billion fraudulent ad impressions a minute.
“This kind of fraud is hard to detect using fraud-detection technology so it keeps getting away with it at such a massive scale,” says Fou. “Of course, the bad guys committing fraud are getting better and better at hiding. So ad fraud is at its highest point ever. But yet, the industry trade associations report that it is at its lowest point ever. Most likely it is not that fraud is low, but that we are able to detect less and less of it.”
According to Fou, the fraudsters are particularly hard to find on mobile devices, where fraud detection can be non-existent.
“Desktop fraud is relatively well known now and some detection and mitigation technologies exist,” he says. “In mobile, where ad impressions load inside mobile apps, there is no detection and no fraud mitigation tech. This is because bad guys’ apps don’t install fraud detection tech. Given that mobile is more than 50pc of digital spend in the US and even higher in other countries, this is a huge black hole where there is no visibility of the amount of fraud, compared to desktop ad fraud.”
So how does ad fraud still thrive, given that the promise of digital marketing is less wastage, more targeted messaging, more transparency? How has such a huge issue been allowed to persist? And why aren’t advertisers and advertising technology companies up in arms?
“As long as advertisers want to buy vast quantities of low-cost impressions, the bad guys will continue to thrive and generate as much inventory as they want to buy,” Fou says. “But real humans visiting websites is a scarce resource. If free market forces were at work, when demand goes up and supply is very constrained, prices should go up. But yet, in the last five years of programmatic ad tech growth, prices have gone way down. Why? It’s because unlimited and fake supply has been created by bots and other fraudulent activity.
“And all of the middlemen in the supply chain — from the media buying agencies to the ad tech companies — benefit from the flow ... so they have no financial motive to help solve fraud. Ad fraud makes them more money, and solving it will dramatically reduce their revenue.”
So if the ad tech companies aren’t going to do anything about it, who will? Well, advertisers, for one. Fou recommends that advertisers buy only from reliable publishers and focus on real business outcomes rather than fluffy online metrics like reach and engagement. Fou also believes publishers have a role to play; they can protect consumers by reducing the ad tech trackers on their sites. He also believes that publishers can learn some anti-ad-fraud lessons from an unexpected sector: porn. Why? Because bots don’t watch porn, people do.
“Publishers with real content have real human audiences already, just like porn sites,” says Fou. “But some porn sites do more to protect their users — like scan all the ad creatives for malware, block data centre bots and crawlers. For example, Pornhub was the first site to adopt 100pc https on all connections, before most mainstream publisher sites. Those are technical best practices that mainstream publishers should adopt more of, and sooner rather than later.”