Everything You Need to Know About the Current State of Mobile Ad Fraud

34% of programmatic traffic is bogus

Some bots can hijack mobile apps. Getty Images

Over the past few years, cyber criminals have cost advertisers billions of dollars from "non-human" traffic on digital ads. Today, Forensiq and AppLift are releasing a report suggesting that fraudsters are gaining traction with mobile ads.

"In some exchanges and traffic sources, the amount of mobile fraud that we've seen has actually eclipsed desktop fraud," Matt Vella, chief technology officer at Forensiq, told Adweek. "Whether it's desktop or mobile, we're talking about different vehicles to perpetrate advertising—criminals will follow the money."

Vella's team analyzed more than 60 million mobile programmatic ad impressions on AppLift's DSP during 30 days this fall. Each impression was given a score to determine if it was fraudulent. Bogus traffic was then divided into two categories—"high risk" or "suspect" traffic.

Thirty-four percent of the mobile inventory overall—which includes banners, interstitial and video ads—was at risk of fraud. Twelve percent of those ads measured were deemed a high risk, meaning that there is a "high certainty" that the impressions are fake. The other 22 percent of impressions were considered suspect traffic, meaning that the team wasn't as certain that the ads were fake, but they still looked suspicious.

"As the mobile market grows and becomes more effective from an overall market side, the fraudsters are also orienting themselves towards this," said AppLift CEO Tim Koschella. "The loopholes and tricks that they use to game the system are much more effective than desktop because desktop has been around for a while and most of the market has learned over time how fraud works [and] how to fight it."

Interestingly, there wasn't a difference between fraud on Apple or Android devices, despite Apple's walled-garden reputation that makes it harder for fraudsters to sneak through.

Which ads are at risk?

There were notable differences in how the ads were purchased, though. Promos bought using CPM (cost per thousand) tactics were three times more likely to be fraudulent compared to CPC (cost per click) models.

That's because mobile CPC campaigns typically have more steps involved, like downloading an app, which makes it harder for fraudsters to find loopholes.

"This is not about the actual pricing of the inventory, but it's about what the advertiser is looking to get out of the campaign," Koschella explained. "If you're optimizing for a campaign goal that goes way beyond the impression, you will be less exposed to fraud because you automatically cut out these fraud units from your buying."

Still, fraudsters are stealthy in tactics that they use to infiltrate mobile ads. A recent study from the Interactive Advertising Bureau estimates that mobile fraud costs advertisers nearly $1.3 billion while desktop ads costs the industry almost $3.2 billion.

In one example, Koschella said he's seen fraudsters steal credit card data to make a slew of in-app payments quickly from an advertiser that promoted app downloads.

"The fraudster had purchased a database of stolen credit card data and [used it] to create micro transactions in the app to make the traffic look like high-paying users," he said. "Ten days later, Google called the advertiser and said, 'We have about $40,000 of transactions in your app, and all of them are coming from non-valid credit cards.'"

The credit-card example is a type of sophisticated fraud called post-install, which is when fraudsters sneak into apps after an advertiser has run a campaign promoting app installs.

3 common types of fraud

In addition to post-install tactics, the report outlines three other types of mobile fraud that are common.

Impression fraud occurs when publishers stack multiple display ads on the same piece of Web real estate so that only the promo on top is seen by consumers, while all advertisers are charged. Cyber criminals can also "hijack" apps that consumers have downloaded—even if they are not open—so that ads are constantly loaded, which not only forces advertisers to pay, but also eats up consumers' data.

There is also click fraud, which entails bots that generate a massive number of clicks on ads, similar to desktop fraud. On mobile, it can also include obtrusive ads that require someone to click in order to close it and remove it from the screen.

The final type of fraud is install fraud, which is when cyber criminals stimulate downloads of apps that are never actually acquired by a consumer.

And as mobile advertising becomes more integrated into wearables, TV and hardware, Forensiq's Vella warned advertisers about the long-term implications from mobile-generated fraud, including significant security concerns from consumers.

"As the Internet of Things grows and you start thinking about Internet-connected home security devices or smart TVs, any device could evolve to penetrate fraud," Vella said.

Adweek Blog Network