Bots have outnumbered humans on the internet for several years. But now the so-called 'inversion' has arrived, where bots are getting increasingly sophisticated at masquerading as humans, and going after premium environments like connected TVs that offer high CPMs. The only thing a bot can’t do is buy something, but they can extract hundreds of millions of dollars in ad revenue in a very short amount of time.
Mitigating fraud should be considered an essential part of brand hygiene, but because it is bundled with brand safety controls, fraud and verification can get lost in the complexity of digital media. Education is a key priority in Asia, which lags behind other regions in countering fraud.
“In Asia-Pacific we are at stage one of the process, which is implementing a solution and learning about ethical ads,” explains DoubleVerify’s APAC managing director Jordan Khoo. “Stage two is reviewing and improving, and stage three is taking these insights and using them to inform your media trading strategy.”
More mature regions like Europe and the US are at stage three. To help plug the education gap, this article will explain some of the most common types of fraud, current challenges and solutions to avoid them.
Let’s dive in.
Types of fraud in Asia-Pacific
There isn’t a particular type of fraud that is only seen in Asia, because fraud is created with global scale in mind. But due to the high penetration of mobile in the region, mobile apps have become a breeding ground for fraud violations.
Asia-Pacific was exposed to US$650 million worth of app install fraud over a six-month period to April this year, with an average fraud rate that is 60% higher than the global average, according to a June AppsFlyer report.
“As APAC is full of mobile-first markets, ad fraud in the app ecosystem is an area that will be of concern for marketers,” says Essence VP of media operations APAC Shane Dewar.
Fraud in mobile is not typically caused by bots because it is more difficult to perpetrate in closed app environments. Instead, the majority of fraud involves ad impression fraud or invalid traffic practices such as misrepresentation (app name spoofing), laundering and hidden ads (ad stacking and invisible banners).
Connected TV apps are also increasingly being targeted by fraudsters looking to exploit premium, high-growth environments.
“Wherever the marketer dollars are, that is where the fraudsters will go,” explains Integral Ad Science managing director Southeast Asia Laura Quigley. “In places where there are higher CPMs like connected TV we will start to see new types of fraud being developed because it is more lucrative for the fraudsters.”
There are three types of fraud that take place within the connected TV environment: fraudulent/malicious apps, server-side ad insertion (SSAI) abuse and bot fraud. On CTV, fraudulent apps often have little or no content. They might create automated, completely fabricated ad calls coming from non-existent devices, or play back-to-back ads and no other content. SSAI is the process in which ads are stitched directly into a video stream before ever reaching a user’s device, meaning ad content is delivered along with video content via proxy servers that stitch them together. As on other devices, bot fraud occurs when impressions are served to a fraudulent, non-human requestor. Often, bots will target CTV inventory by spoofing the device type to appear as if they are a CTV device.
Besides these two growing forms of fraud, location and domain spoofing are two of the most common forms of fraud that IAS records. Location fraud involves fraudsters sending false location information to agencies that pay a premium for location data; domain spoofing occurs in a real-time bidding (RTB) environment where the URL is used to fool an agency into thinking its ad is going to a premium site, when instead it is going to a low-quality website.
The lifespan of bot fraud is only three to five days, but the vast majority (70-80%) of the damage occurs in the first 24 hours, according to Khoo. That’s why verification partners like DoubleClick send updates to their demand side platform (DSP) partners every 15 minutes — so they can bypass the fake traffic before it balloons.
Metrics that facilitate fraud
Fraud occurs more easily in the mobile environment because many mobile buys are made on a performance basis. Performance metrics like CPCs (cost per click), CPMs (cost per thousand) and cost-per-install don’t require adtech and are easily manipulated by fraud.
“A blind determination to get the cheapest CPM and CPC makes the work of the fraudster very easy,” says Dewar. “Metrics such as conversions and engagement, which are more results-based beyond the impression and click, may be better indicators of the quality of the media being bought, as there are still fraud types that can manipulate app installations, for instance.”
There are a lot of companies that want to drive app installs, especially in mobile-first markets like Indonesia and Vietnam that house a growing number of startups, but these budgets can be easily gamed. The total number of fraudulent apps increased by 159% from 2017 to 2018, according to DoubleVerify data. The majority (57%) of fraudulent mobile apps are categorized as ‘games’ and 'tools & utilities'. A BuzzFeed News investigation last year uncovered a sophisticated ad fraud scheme involving more than 125 Android apps and websites responsible for stealing potentially hundreds of millions of dollars, most of which were games, and utilities like a flashlight app and a healthy eating app.
While third-party vendors are perhaps the most effective way for brands to mitigate fraud, few make use of them in Asia-Pacific, according to the IAB Southeast Asia & India’s recent regional brand safety study. Instead, the most commonly reported tools used to prevent fraud were whitelisting and blacklisting, which are less sophisticated.
“You need machine learning to catch these types of fraud at scale. If you take the manual route you will be there all day,” says Quigley.
According to Quigley and Khoo, there are two things brands and agencies should look out for in their verification partners: laying out the difference between unrefined fraud (GIVT) and sophisticated fraud (SIVT), and avoiding false positives.
General invalid traffic (GIVT) is traffic generated by known industry crawlers (such as search engine crawlers) and bots doing the kind of things that real humans would probably never do, like switching between websites every 10 seconds for hours on end. GIVT is easier to spot and can be identified using routine methods of filtration.
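The kind of routine filtration described above can be sketched in a few lines. This is an added example, not code from the article or from any verification vendor; the crawler tokens, thresholds, log format and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed thresholds and crawler tokens; not from the article or any vendor.
CRAWLER_TOKENS = ("googlebot", "bingbot")  # self-declared search crawlers
MAX_MEAN_GAP_S = 15         # average seconds between site switches
MAX_JITTER_S = 2            # near-constant timing suggests automation
MIN_DURATION_S = 2 * 3600   # sustained "for hours on end"

def constructed_events():
    """Constructed sample log rows: (client_id, user_agent, unix_ts, site)."""
    rows = [("bot-1", "Mozilla/5.0", i * 10, f"site{i % 7}.example")
            for i in range(1080)]                      # new site every 10 s for 3 h
    rows += [("human-1", "Mozilla/5.0", ts, site) for ts, site in
             [(0, "news.example"), (95, "news.example"),
              (400, "shop.example"), (2200, "mail.example")]]
    rows.append(("crawler-1", "Mozilla/5.0 (compatible; Googlebot/2.1)",
                 50, "news.example"))
    return rows

def classify_givt(events):
    """Return {client_id: reason} for clients matching a GIVT pattern."""
    visits, agents = defaultdict(list), {}
    for client, ua, ts, site in events:
        visits[client].append((ts, site))
        agents[client] = ua.lower()
    flagged = {}
    for client, seen in visits.items():
        if any(tok in agents[client] for tok in CRAWLER_TOKENS):
            flagged[client] = "declared_crawler"
            continue
        seen.sort()
        # Timestamps at which the client moved to a different site.
        switches = [seen[0][0]] + [cur[0] for prev, cur in zip(seen, seen[1:])
                                   if cur[1] != prev[1]]
        gaps = [b - a for a, b in zip(switches, switches[1:])]
        if len(gaps) < 2:
            continue
        if (mean(gaps) <= MAX_MEAN_GAP_S and pstdev(gaps) <= MAX_JITTER_S
                and switches[-1] - switches[0] >= MIN_DURATION_S):
            flagged[client] = "robotic_cadence"
    return flagged

if __name__ == "__main__":
    print(classify_givt(constructed_events()))
```

Fixed rules like these only catch traffic that makes no effort to hide, which is why they count as GIVT filtering.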
Sophisticated invalid traffic (SIVT) is more difficult to detect because fraudsters are actively trying to avoid simple patterns that would raise a red flag. These fraudsters are making an extra effort to mask their behavior as legitimate so it requires a combination of advanced analytics, multi-point corroboration/coordination, and human intervention to detect. SIVT generates the most money and is ever-evolving to evade detection.
Often agencies choose verification vendors based on how granular their reporting of SIVT is, as this helps them take action quicker.
“Whilst having top-level domain or app-level breakdowns is very helpful in optimising away from malicious inventory, being able to report on click- and impression-level events with a breakdown of the sophisticated invalid traffic (SIVT) detected allows agencies to work better with publishers to improve the quality of media being bought,” says Dewar.
Khoo also believes it is important for advertisers to choose a solution provider that protects them from ‘false positives’ — that is falsely identifying a human as a robot.
“As fraud partners we tag each impression as human or robot, if we tag it wrong by accident you will have lost a potential customer. False positive has always been a problem but a lot of companies don’t think about it too much,” he says.
However, Quigley suggested it is more important to train technology to find new types of fraud than to focus on falsely blocking benign bots.
“It is more about making sure we continue to leverage machine learning to block at scale,” she says.
Would an industry standard for fraud help?
Ad fraud experts are split on whether an industry standard for fraud is both possible and a relevant solution.
Quigley believes commonly agreed standards ensure the industry “takes things seriously”, as it has with viewability since the Media Rating Council (MRC) standard was released.
However, the standard would have to be tailored to particular regions to take into account the disparate levels and types of fraud occurring across the world. She suggested a standard of 1-2% fraud in Asia could be an acceptable starting point.
“At a very minimum agencies should be guiding advertisers by looking at their data and setting an acceptable benchmark on how they can reduce it,” she says. “If the industry is not going to standardise it should be up to the agency and advertiser to set an acceptable range.”
But Dewar thinks the constantly changing nature of fraud makes standardisation of any kind difficult: “If all fraud is easily detectable and measurable, then an industry standard would be great, but unfortunately it is not. Unlike a metric like viewability, which is clearly defined, fraud comes in many forms that are constantly changing as fraudsters adapt their methods to avoid detection and remain profitable.”
“In a perfect world, marketers should only be paying for valid activity, but while there is money to be made in ad fraud, the threat will remain,” he adds.
Khoo’s slightly more controversial view is that standards create more loopholes for fraudsters to take advantage of.
“Standards like ads.txt help to a certain extent, but when you put it out in the marketplace the fraudsters will find ways to take advantage. The assumption is when you integrate ads.txt it is checked off the box and done, but there are other ways to game the system,” he says.
“There is no standard for fraud because the problem isn’t with the advertising industry like it is with viewability — it is with the fraudsters,” he adds.
As a starting point, Khoo suggests there are a couple of key questions brands should be asking their agencies and adtech partners to ensure they are mitigating fraud (in addition to whether they're using an ad verification partner, which both he and Quigley represent):
- What are you doing to drive greater media quality for my campaign?
- Do you have an existing policy for media make-good (recompensation), if certain supply partners are not delivering an appropriate level of quality media to my campaign?