Ten steps to help advertisers, agencies, ad platforms and publishers get on top of mobile ad fraud, with tips from the experts and guidelines to follow.
With mobile rapidly approaching half of digital advertising, the fraudsters that have plagued web advertising are now targeting mobile ads – particularly the “download or app” ads, which have become a cash cow for the ad industry.
In this column, we ask: what do advertisers, agencies, ad exchanges, ad networks, demand-side platforms DSPs and other adtech providers need to do to stop mobile getting to the same state as web ad fraud?
What is mobile ad fraud?
Mobile ad fraud occurs where mobile ads impressions or click-throughs are triggered by a robot.
This might be a piece of malicious code that is operating on a legitimate user device, maybe downloaded with a dodgy native app. Each time the ad is served/clicked the fraudulent ad network or fraudulent publisher makes money, even though no human has seen the ad.
Ten steps to spotting and combatting ad fraud.
Step 1. Get your head out of the sand
The industry is still divided between those that have a position on ad fraud and those that don’t. The nothing-to-say camp is still by far the biggest. In the interest of diplomacy, we will avoid naming and shaming the leading global media agencies, ad networks, et al that were contacted for comments, but delivered none.
Instead, here is a list of the companies that do have a position on mobile ad fraud, and helped with this column:
Yodel Mobile; M&C Saatchi Mobile; GroupM; Conversant Media; Voluum; JICWEBS/IAB UK; Integral Ad Science; Forensiq; MRC; WFA; Dhar Method / Botlab.io.
Step 2. Ad fraud is everyone’s responsibility – advertisers, agencies/intermediaries and publishers
With ad fraud, it’s too easy to point the finger of blame at someone else, but it is everyone’s responsibility to put measures in place in house to ensure fraud is kept to a minimum and to encourage, coax and force all partners to do the same.
Advertisers appear to be the least prepared to accept responsibility. This is crazy considering ad fraud is costing them money, business and, if they are collecting and pursuing fake leads, potentially harms reputation and causes privacy issues also.
A survey of US advertisers conducted by Association of National Advertisers (ANA) and White Ops for the Bot baseline report, published January, found that only 17% felt it was the advertiser’s responsibility to combat fraud; while 26% of respondents felt that combatting ad fraud was the joint responsibility of the publisher, agency and advertiser.
Only 40% of advertisers had an anti-fraud policy in place. 55% used an anti-fraud detection vendor and 43% used a fraud prevention vendor.
Step 3. Put an anti-fraud policy in place, put someone in charge
All parties in the digital ad ecosystem should appoint an anti-fraud manager – or an ad quality manager, if you want to extend this role to encompass viewability and content adjacency/brand safety. This person will be responsible for:
- Preparing the ad fraud policy.
- Setting the rules of engagement with partners; building an accredited list of partners.
- Keeping up to date with the various guidelines and initiatives.
- Education – internal/external – of ad fraud issues/prevention.
- Re-evaluating how ads are purchased and ROI (return on investment) is calculated – i.e. examining KPIs (key performance indicators).
- Evaluate measures, tools to detect and prevent fraud.
- Enforcement – refusing to pay for ads/leads that are suspect.
- Industry liaison – join the various cross-industry initiatives to reduce fraud.
Many of these points are explained in the steps below.
A great example of this is GroupM UK (which is the umbrella group for the WPP media agencies) where the anti-fraud / media quality strategy has been built and run by Digital Risk Director Bethan Crockett. She is also an active participant in industry anti-fraud initiatives.
GroupM now plans to duplicate the strategy devised in the UK in operations worldwide, across it various media agencies Mindshare, MEC, MediaCom, and Maxus.
Bethan Crockett, Digital Risk Director at GroupM UK, told ClickZ:
“At GroupM we are working towards a zero tolerance approach to online advertising fraud across the industry. We have invested in a comprehensive and proprietary approach to reducing ad fraud. We’re already seeing the fruits of these labours on our clients’ campaigns and we will continue to do everything in our power to protect our clients and our business.
We feel there is an industry-wide responsibility for inventory integrity and online ad fraud.
By working with industry partners and staying away from rogue inventory – we believe that we are succeeding to minimize the challenges of fraud and viewability. Our goal is to standardise this approach around the world.”
Step 4. Read and adhere to the ad fraud guidelines
There are no guidelines for preventing mobile ad fraud, but there are several for web fraud. There are some differences between online and mobile ad fraud, particularly mobile ad app fraud, but many of the principles are the same:
- Invalid Traffic Detection and Filtration Guidelines – Media Ratings Council (MRC), October 2015 (PDF)
- Good Practice Principles for Reducing Risk to Exposure to Ad Fraud – JICWEBS, May 2016 (PDF)
- UK Traffic Taxonomy for Digital Display Advertising – JICWEBS, October 2015 (PDF)
- Compendium of Ad Fraud Knowledge for Media Investors – WFA, June 2016, subscription required)
- Understand ad fraud like a pro in eight short videos – Botlab.io, Jan 2016. Not industry guidelines, per se, but a useful resource.
Step 5. Ensure that partners adhere to industry guidelines and have sound policies in place
When you ask experts for tips on preventing ad fraud, they don’t tend to focus on the ad verification tools/services available. Instead they focus on company policy and ensuring that partners have the right policies in place.
Shailin Dhar, ad-fraud consultant, Dhar Method:
Advertisers: Ask your agencies for a detailed plan of how they are preventing your budgets from being compromised by fraud. Also remember, cheap media is not conducive to good, effective media.
Agencies: Audit the supply partners of your trading desks and DSPs (demand side platforms). Ask where they get their traffic.
Publishers: Don’t buy cheap traffic from random networks.
As industry certification programs (Step 10 below) become more established, these could also help with the approval of partners.
Step 6. Insist on transparency and traffic being verified.
The problem is that advertisers rarely buy direct from a publisher anymore. Buying ads – particularly programmatic buying of ads in real time via ad exchanges – today taps into a complex web of intermediaries, where advertisers have little visibility of where their ads run, or which ad networks are fulfilling the placement.
Alex Hewson, head of media EMEA, M&C Saatchi Mobile:
“Programmatic, when run in house, does allow for greater control and therefore greater protection from fraudulent activity – network buys are riskier for advertisers especially where the inventory is not owned and operated by the network themselves, as they may be relying on exchange or affiliate traffic over which thy don’t exert the same control.
Paramount to this is their processes by which this external traffic is vetted and analyzed on an ongoing basis to minimize any issues. It’s worth noting that no solution or process is perfect and that we as the agency must work in partnership with our suppliers to tackle this together through an open and consistent dialogue.
We have a thorough approach at M&C Saatchi Mobile which is anchored in a rigorous data analysis process to look for suspicious patterns in the data – very low eCPC’s or high click to install rates, for example. This is powered by the reporting solutions offered by the mobile measurement partners (e.g. Tune) where the findings are then shared as part of our partnership with suppliers. Simply put, it is key to have a robust process in place underpinned by technology.”
As advertisers and agencies become more alert to the risk of ad fraud and better at detecting it, they have started to refuse payment and blacklist business when there is evidence of fraud.
Some ad platforms are now offering money-back guarantees but this is met with some skepticism by peers.
Gavin Stirrat Managing Director at Voluum, a performance tracking solution:
“There are many companies that offer post-impression analytics or cash back guarantees. We believe this is an unacceptable compromise that continues to line the pockets of fraudsters and further damages mistrust in the medium.
Our recommendation to agencies and brands is to demand high standards of their buying platform partners such as the pre-bid filtering of inventory for fraud, as we do at Voluum.”
Step 7. Rethink how you purchase mobile media and measure ROI
As mobile ad fraud has become increasingly clever, advertisers have moved away from pay per click/cost per click CPC to more sophisticated cost-per-acquisition (CPA) (e.g. pay-per-subscription) or cost-per-app-installation (CPI). But ad malware is increasingly capable of filling out forms or downloading applications to compromised devices or to a mobile emulator.
This means advertisers have to be more intelligent about how they reward agencies and how they set KPIs for their campaigns.
Jason Cooper, general manager, mobile at Integral Ad Science.
“Globally we have seen that mobile ad fraud has become increasingly sophisticated, for example, methods that go beyond the click and now include location and app install fraud which may have a greater impact on campaign reporting.
Performance advertisers rarely now pay out on a CPC basis with CPI and CPGP (cost-per-game-play) becoming the norm. Uber will only reward a user once they have installed the app and taken their first ride which requires a valid credit card, while Candy Crush only pays media owners once a new user reaches a pre-determined game play point.
For brand advertisers that pay on a CPM (cost-per-thousand-impressions) basis, a higher CTR might lead to incorrect campaign measurement but there will no impact on spend.”
Step 8. Tell tail signs that ad fraud is present
The most obvious tell tail is price. If the costs of ads is cheaper than the going rate, there’s a higher chance that it is fraudulent.
The problem comes when advertisers place pressure on agencies to buy cheaper media. Which makes it very important that agencies educate their clients as to:
- a) The risk of click fraud, particularly with pay-per-install/cost-per-install ads for mobile applications.
- b) The real cost of legitimate CPI media.
But there are many more tell tail signs that fraud is present, explains
Ijah Miller, Director, from mobile media specialist Yodel Mobile. He offers the following tips:
Tips for spotting/preventing mobile fraud:
- Look for valid/invalid/fraudulent clicks according to analysis of IP address – e.g. detecting web hosting, VPN endpoints and repeated IP addressed, as well as irregular country/city origin.
- Analyse hourly clicks and install behaviour and distribution: clicks and installs are distributed in a known pattern during the active hours of the day, between the busiest hours and the less busy ones. Deviation from the pattern such as detection of just few very active hours in the day can be a result of incentivised traffic or fraud.
- Analyse hourly conversion ratios: Conversion through ratio (CTR) should normally be stable in the hours of the day. A sharp increase of hourly CTR can point towards incentivised or fraud traffic.
- Look for valid/invalid/fraudulent installs in line with targeting parameters and click-install delay: Click to install delay varies from app to app, from one tracking vendor to another, from country to country. Yodel partners measure delay for each campaign and detect deviations between traffic sources.
- Continuously scan known incentivized apps and web sites to make sure that our campaigns are not presented there: Develop an App and Web site scanning process to run checks. You can then open the apps/sites, click on ads and track the redirect chain.
- Analyse the post-install events behaviour: It’s vital for app businesses to share the pattern of behaviour of users that install their apps. Then if CPA results are significant lower than the expected/known post-install events behaviour, it will suggest that the traffic is from incentivised or fraud source.
Step 9. Be vigilant (publishers)
The same vigilance should also be applied by the publishers that are showing the ads.
We have already touched on the perils of buying cheap traffic. Some publishers boost their visitor numbers by buying traffic, from intermediaries, who may use incentives to entice visitors. But there is no certainty this traffic is not simply robots.
Another way for mobile publishers to avoid robots – according to the ANA Bot baseline report – is to block desktop traffic to mobile pages. The report points out that a lot of fraudulent mobile traffic is really desktop traffic.
Step 10. Get certified as compliant with guidelines / only use certified ad partners
Three of the associations behind the guidelines included in step 4 above, now have certification programs. But some are still at nascent stages. Criteria varies, compliance may be through self-certification or independent verification, and certification costs are also unclear.
The most established of these is MRC’s US-based program to certify companies that measure, verify and filter out general invalid traffic (GIVT), which includes ad fraud. The MRC recently started accrediting vendors for Sophisticated Invalid Traffic Detection/Filtration (SIVT) – which so far includes comScore, Integral Ad Science and White Ops Fraud Sensor, all three of which cover also cover mobile web traffic (but not apps of yet).
Companies that are evaluating ad fraud detection companies will find this list of GIVT accredited companies (PDF), very useful. It includes details of areas of expertise, including whether they cover mobile web and mobile app traffic. Also check the compliant versus self-asserted list (PDF) to find who has been independently verified.
In July 2016, the US-based Trustworthy Accountability Group (TAG) announced it had registered 100 companies, including advertisers, agencies, adtech companies and publishers, as “verified as legitimate participants in the digital advertising industry through a proprietary background check and review process powered by Dun & Bradstreet and approved by TAG.”
In November 2016, TAG has also launched a “Certified against malware” seal and malware threat sharing hub to provide intelligence on attacks to industry and law enforcement.
The UK’s certification initiative – launched August 2016 – is led by The Joint Industry Committee for Web Standards in the UK and Ireland (JICWEBS).
As these certification programs become more established and more stringent, it will hopefully reduce the requirement for advertisers/agencies to independently audit each one.
This is Part 37 of the ClickZ ‘DNA of mobile-friendly web’ series. Here are the most recent chapters:
- The future of mobile local search part three: tradesmen, home services, verification and guarantees.
- Where is Google heading with mobile local search?
- Is Google killing mobile organic search?
- Accessibility: which Paralympics sites passed the test?
Read the reports:
- DNA of a Great M-Commerce Site Part 1: Planning
- DNA of a Great M-Commerce Site Part 2: The 12 Pillars of Mobile Design