Brands Can Avoid Ad Fraud by Understanding Its Ever-Changing Nature

When new detection methods come about, fraudsters learn how to sidestep them

a man sitting in a small home on his computer with lines branching out of his computer and various items on those lines
Being prepared as fraud detection changes can help brands combat fraudsters. Getty Images
Headshot of Melinda Han Williams

It’s been several years since brands and agencies were made aware of the size of digital advertising’s fraud issue. Despite increased scrutiny from ad buyers and efforts across the industry to filter out nonhuman traffic, fraud persists. While many are aware of the problem, very few have a deep knowledge of fraud, much less about what to do beyond the fact that they should avoid it at all costs.

One major reason why fraud is still misunderstood is that fraudsters are constantly finding new ways to sidestep detection mechanisms, creating an arms race between them and the fraud prevention tools deployed on advertisers’ behalf. While fraud techniques haven’t necessarily changed, the way fraud is executed is constantly evolving. Fraud can take different forms and look quite different from case to case, requiring new ways of thinking.

Here’s how brands need to think about fraud so that they can not only keep up with the changing landscape but actually get one step ahead of the fraudsters.

Picturing fraud 

Part of the issue with fighting fraud is that, as difficult as it is to visualize something that happens in a digital environment, many members of the advertising industry have an image in their mind of what a fraud operation looks like. Many probably picture a server rack in a data center or a system of phones laid out in an empty office space, constantly pinging websites to generate nonhuman traffic and the resulting ad impressions.

Sometimes fraud is as simple as one person looking to drive more traffic to a series of websites to drive up ad revenue.

While that’s how some fraud schemes still operate, it’s not how they all work. For all of the money a fraud ring can bring in, fraudsters can be incredibly sloppy. Operations like MethBot have created this perception of fraud schemes being conducted in sterile office spaces by smart individuals, possibly with affiliations to organized crime. But sometimes fraud is as simple as one person looking to drive more traffic to a series of websites to drive up ad revenue and the sites are simply recreations of the same site, but with different URLs.

What’s most important for advertisers isn’t what fraud looks like in the real world but what it looks like in the digital realm, where cookie activity is the biggest giveaway of suspect activity.

Spotting fraud 

Recently, we’ve seen suspect activity take on remarkably different shapes. In one case, a dramatic increase in suspect devices was the result of nearly 1 million cookies all visiting the same set of sites. Some of the sites in the set were high-quality, well-trafficked news sites that you’d expect real people to visit. Others were poor-quality and not exactly brand safe. In all likelihood, the traffic going to the quality sites was an attempt to mask the suspect behavior, but it ultimately failed because there’s no way that 1 million users would have such similar browsing habits every single day. This “cover your tracks” approach is a sign of a sophisticated operation.

It’s also important to know that fraudulent traffic can come from devices that are regularly used by real people, but the consumers simply don’t know that their device is visiting sites against their will. One trend we’re seeing is browsers infected by some kind of virus or malware that drives a cookie to sites where fraudsters can profit. These are often smaller in scale than the larger operation, and the goal of the operation is likely to drive as much traffic to the set of sites to bring in as much revenue as possible before getting caught.

Tackling the problem

Both of these forms of fraud raise questions. How do you handle a legitimate site with high-quality content when it appears to be the target of nonhuman traffic? How do you separate activity from a real consumer from nonhuman traffic coming from the same device?

The best way to deal with this issue is to take a broad brush to suspect traffic. It pays to be conservative and treat the parties as guilty until proven innocent. When legitimate sites experience spikes in suspect traffic, it’s in the advertiser’s best interest to treat every cookie that hits that site that day as fraud. If the site is clear of nonhuman traffic the next day, advertisers can feel safe buying there again. If daily analysis finds the problem persists, it’s best to avoid it.

There is so much audience available online that advertisers can easily wait a day for inventory from a compromised publisher to become safe again. It’s better to cut out parts of the universe for a short period of time in order to avoid fraud than it is to lose budget to bots.

The important thing here is the daily analysis. The old tactic of whitelists and blacklists doesn’t cut it today because fraud changes daily. Cutting out a massive news site for one day makes sense. Removing that site from all media buys in perpetuity because of what may have been a one-day spike is not the best approach. When advertisers start blacklisting every site that experiences a brief fraudulent traffic bump, they’ll lose scale quickly. A day-by-day approach ensures advertisers are operating on the latest intel.

The evolving world of fraud requires continuous monitoring and daily evaluation. Fraudsters are constantly evolving their efforts in their attempts to skim money from the digital ad industry, and the comparison to Whac-a-Mole is apt. It’s no longer a matter of exposing a fraud ring and then feeling safe. Legitimate sites get hit with fraudulent traffic all the time, and fraud traffic may come from devices that are owned by real people.

Melinda Han Williams is the chief data scientist at Dstillery.