Ad fraud affects the entire supply chain, but at varying degrees and with different outcomes. How are publishers affected by ad fraud and is it a bigger issue for them than they think? ExchangeWire speak with Dr Augustine Fou (pictured below), a cybersecurity and ad fraud researcher, who advises advertisers, publishers, and agencies on the technical aspects of fighting digital ad fraud and improving the effectiveness of digital advertising. Here, Dr Fou explains how publishers are affected by ad fraud and how bots can, and will, continue to flout the code of advertising.

ExchangeWire: Is there a lack of awareness about ad fraud among publishers? Is it due to a lack of education or a lack of assumed responsibility?

Dr Augustine Fou: Yes. Publishers have all heard the term 'ad fraud', but most of them assumed it doesn't apply to them because they only observe a small percentage of bots on their own sites. What they don't realise is that bots don't go to their sites to make money; they go to their sites to collect cookies and then go elsewhere to cause the ad impressions to load – thus, siphoning ad revenue away from the publishers.

Where is the advertising budget going and how does that affect how bots operate?

Ad budgets usually chase the latest craze, like mobile, and video ads. This causes the demand to far outstrip the supply. And when such a condition exists, normal market forces would dictate that the CPM prices should go way up. But the reality is it hasn't gone way up. This is because bad guys can generate as many bot impressions on mobile and video ads as they want, to absorb all the new money flowing to these areas. The bots are smart – they go where the money is. And so they focus on very high CPM video ads (10-20x higher than display ads) and also on mobile ads, especially with extra targeting like geolocation.

Are premium publishers affected by bot fraud in the same way as publishers that use ad networks?

Premium publishers are less impacted by bots on their sites, because the bots can't make money when the ads are served on the publishers' sites; the publishers do. But on long-tail sites, that sell their ad inventory into the wild west ad exchanges, they have every incentive to 'source traffic' to increase their own ad revenue. So, it is not that long-tail publishers are affected by ad fraud; they may in fact be the very ones supporting it by paying to buy traffic to their sites. Think about it this way: there aren't a whole bunch of humans sitting around with nothing to do but to hit the webpages you tell them to go to. So how is all that traffic created? Right, bots.

Can we trust our measurement parameters, with fraud so prevalent in the background?

Nope. Very simply, if a portion (possibly a large portion) of the traffic, impressions, and clicks are created by bots and not by humans, those parameters get faithfully recorded by analytics platforms and measurement systems. When the advertiser does not know what portion is fraudulent, how would they know how far off their analytics are from reality? So, we can safely assume that all measurement is messed up. And the only way to remedy it is to directly measure for bot and fraudulent activities and scrub those out of the analytics so we finally have something reliable to use.

Is technology enough to be able to recognise humans over bots?

Dr Augustine Fou, cybersecurity & ad fraud researcher

Not really. Many companies have tried and continue to try. Yet bots and fraud continue to GROW, not shrink. And, furthermore, any technology arms race that pits the good guys against the bad guys (hackers) will mean the good guys will lose. We are, after all, dealing with hackers who are very advanced in the use of technology AND who don't play by the normal rules of engagement. The good guys are at a disadvantage before the race even starts. Something other than technology must be applied at the same time – like changing the financial motives or changing the metrics used to calculate ROI. For example, rather than use quantity metrics – such as number of impressions, traffic, and clicks – that are easily faked, if advertisers focused on actual sales or other 'conversion events' that only humans would do, they would be far better off, and less prone to fraud stealing their ad dollars.

How do the bots cheat the system? What aren’t they capable of?

They are able to everything a human can do online in a browser. The bots ARE automated browsers. These tools are normally used by developers to test their websites or mobile apps before launch. But now they are being used for nefarious purposes – the automation of the commission of ad fraud. Millions of these automated browsers are programmed to hit tens of millions of webpages and generate billions of fake ad impressions on sites that no human would ever find or go to. It is literally a money mint for the bad guys because the cost of running millions of bots in a data centre is pennies compared to the millions they can make by generating more ad impressions.

When linking bot fraud to ad blocking – a link that isn’t necessarily obvious – are traffic volumes that aren’t ad blocked skewed by bot traffic? How big of an issue is this? Where does viewability come into the mix?

Very simply, humans use ad blocking. Bots don't. This is because the bots actually want the ads to load so they can commit ad fraud. So if you just measure ad blocking, and you see a low overall rate of ad blocking, is that because it is low ad blocking or is it because you have a large population of bots? That's why measuring ad blocking must also include measuring for bots at the same time. Note that bad guys' sites will have abnormally low rates of ad blocking because they have abnormally high populations of bots coming to it. And those same sites will have abnormally high viewability because they just cheat and stack all ads above the fold and viewable. Bad guys cheat in every way possible, while the good publishers may only have average viewability rates because they don't cheat and actually have to put some ads above the fold and other ads below the fold.