Digital ad fraud has been documented for over a decade now, but still no one can agree on how much of it there is. Some say it’s low to "non-existent" while others say fraud is at its highest point ever. Who is right? To find out, we have to dig deeper to understand who is saying what and what their hidden motives are.
Some of the earliest documented examples of digital ad fraud include Mike Shield’s Adweek piece in 2013, which identified networks of sites with massive traffic, but that had abnormally high audience overlap, despite being entirely different in subject matter. (This was due to the sites all using the same botnet for traffic.)
Then came the story in Bloomberg about Boris in Brooklyn, in which he boasted about making tons of money by selling traffic created by bots. He noted that "that’s what they wanted to buy" and no one ever asked him if the traffic was from real humans.
Fraud was already no small matter back then. But as programmatic buying started to take off in earnest in 2013, fraud also ramped up even faster with dollars and ads flowing to hundreds of thousands of websites no one even knew existed.
By 2016, three-quarters of all digital ads were bought programmatically. The proliferation of ad exchanges and networks meant it was easier for anyone to start up a site, or thousands of sites, and start making money selling ads to the biggest spenders through the exchanges. Everyone loved the massive volumes of ads and low CPMs. But ad fraud was an increasingly inconvenient topic. Clients were asking about it more often as they were worried that their ads were being shown on fraudulent, long tail sites.
So in early 2017, industry trade groups like the Interactive Advertising Bureau (IAB) Australia started to make statements about fraud, calling fraud in mobile "practically non-existent".
The Association of National Advertisers (in the US) continued with annual studies that claimed the industry was "winning the war on fraud" with fraud down in 2017 by 8% and "even more notably" down by 11% in 2019. TAG (Trustworthy Accountability Group), a certification body created and funded by the ANA, IAB, 4As and GroupM in 2016, also started to make claims that a "monumental breakthrough" had reduced fraud by 88% to 1.48% in 2017, 1.68% in 2018, and even lower to 1.41% in 2019 – because it solved fraud with its self-attested certification programme. GroupM, the largest digital media buying agency, published its own study in 2019 saying invalid traffic (IVT) was only 1% to 3% worldwide.
During the same period of time, cybersecurity companies documented some of the largest cases of malware ever discovered. In 2017, Check Point published its research on the Judy malware, "possibly the largest malware campaign found on Google Play", and the Fireball malware, which "infected an estimated 250 million computers worldwide".
Malware on devices was and is the preferred tool of hackers and criminal enterprises for making money. Big money. The malware creates massive quantities of ad impressions (sold through programmatic exchanges), and tricks fraud detection technologies so the ads appear "valid".
Year after year, "largest ever" botnets made from malware on millions of devices have been documented to be successfully making money through ad fraud – eg Methbot in 2016 targeting high-value video ad inventory, Hyphbot in 2017 active on 14 ad exchanges, and 3ve in 2018, rotating among more than one million IP addresses to stay hidden for years. The malware also clicks on ads to simulate high "engagement", thus causing marketers to allocate even more dollars to low-cost fake sites and apps and away from real publishers’ sites and apps.
Aside from malware and botnets, independent journalists and researchers outside of the establishment continued to document massive cases of fraud. Craig Silverman published articles showing traffic sourced from porn sites and pop-unders, fake news sites monetising through adtech, and families of mobile apps with billions of downloads (emoji keyboard apps, flashlight apps, selfie-camera apps, VPN apps, cleaner and anti-malware apps) committing ad fraud, click fraud, and attribution fraud.
Even mainstream sites, like Newsweek.com, were caught using malicious code to alter viewability measurements, making non-viewable ads appear to be viewable (and therefore sellable). Even more recently disclosed was the example of Kevin Frisch discovering that dozens of mobile exchanges were ripping off Uber in their paid app-install campaigns by falsifying transparency reports and fabricating placement reports for ads that never even ran.
See hundreds more articles from 2008 to present: History of Ad Fraud Spreadsheet
This leads us back to the original question in the article title – whether industry reports are downplaying the scale and impact of ad fraud and what their motives are for doing so. Of course we have to consider the possibility that the trade association leaders are truly uninformed about digital ad fraud. On the other hand, who is to say they are not deliberately misleading their own members so they don’t worry and keep spending? Their messaging year after year in press releases, publications, and presentations at their own conferences certainly appears to be wilful and systematic.
So when someone tells you fraud is low, you must consider who is telling you, and why they are telling you it is low. On the flip side, if they accuse independent researchers of "fear-mongering to get more business" you should see if there is concrete supporting data that you can review for yourself. It’s only fear-mongering if they are crying wolf.
Augustine Fou is an independent ad fraud investigator and consultant
This story was originally published on campaignasia.com