Performance Marketers Appear To Be Willing Victims Of Fraud?


Many performance marketers still insist they are immune to ad fraud. They say it’s because they don’t pay for ad impressions (CPM – cost per thousand) or even for clicks (CPC – cost per click). They only pay upon success — e.g. the sale happened (affiliate revenue share) or the mobile app got installed (cost per install, CPI, campaigns). Of course, by not paying for the ad impressions or clicks, they avoid ad fraud and click fraud, but that doesn’t mean they are not still the victims of fraud — like affiliate fraud or app install fraud.

A quick trip down memory lane will remind you that affiliate fraud has a long and storied history — e.g. eBay’s two largest “super affiliates” achieved that title by cheating. They “stuffed cookies” on millions of users’ browsers without their knowledge or consent, in order to earn revenue shares from eBay on sales that they didn’t drive, or that would have happened anyway. This cost eBay millions of dollars that they shouldn’t have had to spend. A more recent example in the CPI category comes from Uber suing 100 mobile exchanges for falsifying ad placement reports or fabricating them entirely to make it appear that ads ran, clicks happened, and installs were made – when none of these actually occurred.

Common Sense Solved These Fraud Cases

This week comes the curious case of T-Mobile Tuesdays promotional contests. It appeared that people from a tiny town — Chadds Ford, Pennsylvania — kept winning the gift cards, cash, and other prizes. “In one of the contests, nearly a third of the publicly listed winners came from a Pennsylvania town with a population of less than 4,000.” This was not caught by bot detection tech, but by common sense when looking at the data. Turns out, the automated entries on the official sweepstakes website were created by bots – software programs designed to do just that, automate repetitive tasks like filling out online forms. By doing this thousands of times, the bot maker increased the chances of winning a random drawing sweepstakes. This case, however, was the work of an amateur scammer, who also wanted the convenience of all the gift cards delivered to local addresses for easy pick up.
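The "common sense" check described above can be written down as a test on the published winner list. The following is an added example, not part of the original article: the winner counts, the baseline shares of legitimate entrants, and the function names are all constructed for illustration.

```python
from collections import Counter
from math import comb

def binom_upper_tail(k, n, p):
    """Exact P(X >= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))

def overrepresented(winners, expected_share, default_share, alpha=1e-6):
    """Flag localities that win far more often than their share of
    legitimate entrants would allow in a random drawing."""
    n = len(winners)
    flagged = []
    for town, k in Counter(winners).items():
        p = expected_share.get(town, default_share)
        tail = binom_upper_tail(k, n, p)
        if tail < alpha:
            flagged.append({"town": town, "wins": k,
                            "share": round(k / n, 3), "p_value": tail})
    return sorted(flagged, key=lambda r: r["p_value"])

# Constructed sample: 60 published winners, 19 of them from one small town.
WINNERS = (["Chadds Ford, PA"] * 19 + ["Houston, TX"] * 3 + ["Chicago, IL"] * 2
           + [f"Town {i}" for i in range(36)])
# Assumed baseline shares of legitimate entrants (constructed, not real data).
EXPECTED = {"Chadds Ford, PA": 0.00002, "Houston, TX": 0.007, "Chicago, IL": 0.008}

if __name__ == "__main__":
    for row in overrepresented(WINNERS, EXPECTED, default_share=0.001):
        print(row)
```

Only the small town is flagged; a few wins from large cities stay well within what a random drawing produces.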

Wouldn’t captchas (the grids that make you select fire hydrants, cars, traffic lights, etc. to prove you’re human) solve this? Well, no. College recruitment campaigns are constantly ripped off by bots creating fake leads; the leads even appear to contain accurate data, but when contacted by the college, the high school students said they never applied to that college. Bots are everywhere, and by some estimates 3/4ths of all the traffic on the internet is automated, not human. Of course, not all bots are used for fraud; some are simply search crawlers that are indexing webpages. Other bots automate repetitive tasks like checking if a website is down or not.

Affiliate Fraud is So Easy; Why Not Automate It Too?

The performance marketers above learned their lesson. Even though they were paying for “performance” only – leads and sales – they were still being ripped off. The Uber case is more clear-cut – the app installs were faked and didn’t even happen. But affiliate fraud, or performance fraud, as it is now known, usually involves some real sales and leads, with a whole bunch of fake ones mixed in.

Recapping how affiliate tracking works: when a user clicks a specially crafted url, one that contains an affiliateID, the attribution platform sets a cookie in the user’s browser designating which affiliate helped to drive the sale, and therefore who should get paid the revenue share. If an affiliate wanted to cheat and earn more revenue shares, even ones that they don’t deserve, they can automate the clicking of the special urls. In fact, this has been done since the early days of affiliate marketing; fraudsters would load the urls in hidden iframes or pop-unders; or use browser plugins, toolbars, or extensions to do the same. Once the url loads, the cookies are stuffed into the browser, without the users’ knowledge or consent. Fraudsters only want to stuff cookies in real humans’ browsers, because the human needs to eventually buy something, so the scammer can claim credit for the sale and earn a share of the revenue.

The #FouAnalytics chart above shows what a cookie stuffing attack looks like in the data. This is one page loaded in a browser, and about 60 additional domains loaded in hidden iframes — note all the consumer-facing domains like macys, hilton, marriott, hotels.com, etc. that were loaded. All of these urls contained affiliateIDs of the fraudster, so they could get paid later, even on sales or bookings the user would have done anyway. This is known as “organic stealing.” Just like many of the app installs of Uber are done by users who would have installed the app anyway, fraudulent affiliates and mobile exchanges claimed credit for organic sales or app installs so they could get paid.
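The pattern described above (one page, many merchant domains in hidden iframes, one affiliate ID) can be searched for in page-load telemetry. This is an added example, not code from the original article or from FouAnalytics; the record layout, the query parameter names, the threshold, and the `.example` domains are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed parameter names; real affiliate networks each use their own.
AFFILIATE_PARAMS = ("affiliateID", "affid", "aff_id")

def is_hidden(frame):
    """An iframe the user cannot see: zero/one-pixel size or hidden by CSS."""
    style = frame.get("style", "").replace(" ", "").lower()
    return (frame["width"] <= 1 or frame["height"] <= 1
            or "display:none" in style or "visibility:hidden" in style)

def affiliate_id(src):
    """Return the affiliate ID carried in the iframe URL, if any."""
    query = parse_qs(urlsplit(src).query)
    for name in AFFILIATE_PARAMS:
        if name in query:
            return query[name][0]
    return None

def find_cookie_stuffing(frames, min_domains=5):
    """Group hidden, affiliate-tagged iframes by (page, affiliate ID) and
    report groups that touch many distinct merchant domains."""
    hits = defaultdict(set)
    for frame in frames:
        aff = affiliate_id(frame["src"])
        if aff and is_hidden(frame):
            hits[(frame["page"], aff)].add(urlsplit(frame["src"]).hostname)
    return {key: sorted(domains) for key, domains in hits.items()
            if len(domains) >= min_domains}

# Constructed telemetry: six hidden merchant iframes sharing one affiliate ID,
# a hidden pixel with no affiliate ID, and a visible affiliate widget.
PAGE = "https://coupons.example/deals"
FRAMES = [{"page": PAGE, "src": f"https://store{i}.example/?affiliateID=AFF-0001",
           "width": 0, "height": 0, "style": ""} for i in range(1, 7)]
FRAMES += [
    {"page": PAGE, "src": "https://metrics.example/pixel",
     "width": 1, "height": 1, "style": ""},
    {"page": "https://blog.example/review",
     "src": "https://store1.example/?affid=AFF-0002",
     "width": 300, "height": 250, "style": ""},
]

if __name__ == "__main__":
    for (page, aff), domains in find_cookie_stuffing(FRAMES).items():
        print(page, aff, len(domains), "hidden merchant domains")
```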

Automated Attacks with Bots or Attacks Using Human Sweatshops

Call it what you will — click fraud, “organic stealing,” cookie stuffing, click flooding, attribution fraud, performance fraud — advertisers are still getting ripped off in this way. They are paying marketing fees to retargeting vendors or performance networks for sales that would have happened anyway. That’s why retargeting looks so awesome in the click data — it appears you are getting tons of clicks and the sales are attributed back to the retargeted display ads. What is much harder to calculate is the true incrementality of the campaigns – what additional sales did these campaigns drive, above and beyond what would have happened anyway?

Data from Arkose Labs Fraud and Abuse Report shows that different industries are under various rates of attack — with gaming being the most targeted (27% attempted fraud). The attacks can be fully automated with bots, like some of the examples above, but can also “originate from sweatshops, where low wage workers are paid to do specific tasks, like click affiliate links, download and install apps, open and play hyper casual games, create Facebook and Instagram accounts, all using racks of real mobile devices.”

Arkose Labs Fraud and Abuse Report

The moral of this story? Performance marketers should not assume they are immune to fraud; if they do, they are “willing victims” of fraud. Bad guys love targeting marketers who think there’s low to no fraud – because they keep paying and never look too closely anyway. Common sense (T-Mobile case) and checking your analytics regularly (Uber case) mean that marketers can spot the fraud if they look. Additional tools and fraud detection technologies can help too, but again only if marketers choose to use them and to look closely at the data. The most advanced marketers run their own incrementality tests, with hold-out groups, and pauses in ad spend (that’s how Uber found the fraud – they paused CPI ad spend, and the app installs continued at the same rate).
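The two incrementality checks mentioned above, a hold-out group and a pause in ad spend, reduce to a few lines of arithmetic. This is an added example, not from the original article; the function names and all figures are constructed, and the hold-out comparison uses a standard one-sided two-proportion z-test.

```python
from math import erf, sqrt

def holdout_test(exposed_users, exposed_conv, holdout_users, holdout_conv):
    """Compare conversion in the group shown ads with a hold-out that was not."""
    p_e = exposed_conv / exposed_users
    p_h = holdout_conv / holdout_users
    lift = p_e - p_h
    pooled = (exposed_conv + holdout_conv) / (exposed_users + holdout_users)
    se = sqrt(pooled * (1 - pooled) * (1 / exposed_users + 1 / holdout_users))
    z = lift / se if se else 0.0
    p_value = 1 - 0.5 * (1 + erf(z / sqrt(2)))  # one-sided: exposed > hold-out
    incremental = max(lift, 0.0) * exposed_users
    return {"lift": lift, "z": z, "p_value": p_value,
            "incremental_conversions": incremental,
            "incremental_share": incremental / exposed_conv if exposed_conv else 0.0}

def pause_ratio(daily_before, daily_during_pause):
    """Mean daily installs during a spend pause divided by the mean before it.
    A ratio near 1.0 suggests the installs did not depend on the paid spend."""
    before = sum(daily_before) / len(daily_before)
    during = sum(daily_during_pause) / len(daily_during_pause)
    return during / before

# Constructed figures: the network is credited with 2,050 conversions, but the
# hold-out group converts at almost the same rate without seeing any ads.
HOLDOUT = holdout_test(100_000, 2_050, 100_000, 2_000)
# Constructed daily installs before and during a pause in CPI spend.
PAUSE = pause_ratio([980, 1010, 1005, 995], [990, 1000, 1012, 998])

if __name__ == "__main__":
    print(f"incremental conversions: {HOLDOUT['incremental_conversions']:.0f} "
          f"({HOLDOUT['incremental_share']:.1%} of attributed), "
          f"p = {HOLDOUT['p_value']:.2f}")
    print(f"installs during pause vs before: {PAUSE:.3f}")
```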

Are you an advanced marketer or a victim, willing to look the other way when it comes to affiliate and performance fraud?

Please read the original article by Dr. Augustine Fou on Forbes, here.
