The Biggest Threat of Ad Fraud is Oversimplified Solutions: Q&A with Asaf Greiner, Protected Media

Ad fraud remains a conundrum for the programmatic industry, threatening even perfectly legitimate publishers with losing their ability to fund their operations through advertising. As a result, large players could eventually be the only publishers left standing, leaving the internet with a limited number of content sources and access to information curtailed. Speaking to ExchangeWire, anti-ad fraud expert Asaf Greiner (pictured below), founder and CEO, Protected Media, discusses industry initiatives against ad fraud, and suggests steps to minimise fraudulent traffic.

ExchangeWire: As an expert in cyber security, where do you see the biggest fraud threat at the moment?

Asaf Greiner: The biggest threat is oversimplified solutions, where the cure is worse than the disease. The problem is big, complex, and growing, but solutions that are too drastic could be just as damaging as the crime. Ironically, the draconian requirements for 100% clean traffic, and advertisers limiting their publishers to a very short list of premium publishers, could cut off the supply of inventory and result in limiting the quantity and diversity of content available on the web.

Bots are multiplying quicker than they can be detected and shut down. Anyone, even those without vast experience in fraud, can rent a network of 200k bots, according to bleepingcomputer.

Bots are also mimicking human actions to successfully stay below the radar. They can fake movements within a game, such as opening an app, clicking, and moving around a card in Solitaire, to meet a specific KPI that results in charges to advertisers. At the same time, they make sure they don’t win too quickly to raise suspicion.

They can also tamper with viewability, time in-view, and engagement rates, so that when antifraud systems scan traffic everything will appear ‘normal’.

An atmosphere of doubt and fear is forcing advertisers to only invest in sites that they believe have squeaky-clean traffic. Some perfectly legitimate publishers will lose their ability to fund their operations through advertising. Some of these sites are popular sources for news, information, and entertainment.

As a result, the whole internet could eventually be dominated by the large players such as YouTube and Facebook. Everyone will be accustomed to having a limited number of content sources. Free access to information could be limited as the internet slowly shrinks and becomes smaller and smaller.

Advertisers won’t be the only players paying for ad fraud, publishers and the public will also feel the impact.

How far is the industry in battling fraud?

Asaf Greiner, Founder & CEO, Protected Media

The industry has several initiatives to collaborate and agree on traffic quality standards, but it’s not clear they are having any significant impact.

There are currently at least three separate organisations promoting their own antifraud certification processes, including the Media Rating Council, Trustworthy Accountability Group, and The Joint Industry Committee for Web Standards in the UK and Ireland.

The technical solutions that are dictated by standards are typically mediocre or vague. Vendors who sit on committees are not motivated to share their secret methods for detection fraud, since their unique intellectual property pays the bills. There is also a simple timing issue. By the time all the ruling committee members agree on which type of fraud should be addressed by their standard, the deceptive tactic has already been replaced by a more sophisticated method. There is also the risk that vendors will become complacent with their certifications and won’t be motivated to invest on improving on their fraud-detection and prevention capabilities.

In some cases, requirements favour larger companies and can stifle competition for antifraud solutions. For example, according to a recent standard, a compliant company must inspect all (100%) of its traffic to detect any potential bots. Sounds impressive, right? This is an important first step, but compliance may be out of reach for many digital advertising companies. Small and mid-sized players that have leaner budgets, and more limited computing resources, will find compliance more difficult. Thus, the standard serves as a de facto toll that cripples the competition.

In addition, by focusing on the quantity of traffic inspected and not the quality of the analysis, even for those companies that do comply, many sophisticated scams will run undetected, continuing to erode ad budgets.

Another initiative has emerged, ads.txt, from IAB’s Display Trading Council members: Adform, Index Exchange, IAS, PubMatic, and Rubicon Project. However, ads.txt is not getting the wide adoption it needs. Publishers are dragging their heels to get their tech teams to implement it. Even though it’s fairly simple, requiring only the dropping of a text file on publisher web servers listing companies authorised to sell their inventory, it requires coding and development teams have higher priorities, like developing revenue generating ad units. Adoption for medium-sized and smaller publishers will be low and, over time, fewer and fewer publishers will maintain it. Advertisers that limit themselves to ads.txt traffic will find scarcity of inventory, and the opportunities they do have will be more expensive.

Can ad fraud actually only be tackled reactively, resulting in an endless cat-and-mouse game where fraudsters come up with ever-new ways of circumventing fraud prevention?

Beating online ad fraud, like any other process for solving a complex problem, is an activity that involves constant analysis and learning from previous experiences. Having good clean traffic is a result of good habits.

The process of improving ad quality needs to begin with a better understanding of criminal behaviour. Blocking bad traffic is not enough. You need to be able to identify and shut down the source. This can be achieved by having botnet experts perform an in-depth analysis of threats, which can include going undercover and interrogating suspicious traffic sources.

To minimise damages, it’s a good idea to include a mechanism that works as close as possible to real time, so before ad fraud grows to large sums of money, you can cut off the bad traffic. When you do find fraudulent traffic, it’s better to approach the problem as a process of negotiation to improve ad performance based on a trusting and cooperative business relationship. Many of the bad sources of traffic are just conduits and aren’t doing it deliberately. But once you have clear benchmarks, and actionable real-time data to mitigate risk, you have a toolbox to manage traffic quality to meet your business goals, with the traffic source as a partner working side by side with you.

What can advertisers, publishers, and ad tech providers do proactively to fight ad fraud?

Every ad tech player needs to have a formal ad-quality programme.

How you manage your traffic quality should follow directly from your business objectives and not be decided without looking at the broader context.

If your goal is to increase the lifetime value of online customers as a performance marketer, your objectives for your quality programme will be different than if you are a brand advertiser who wants the cleanest possible traffic to meet a ‘no fraud’ squeaky-clean standard. The goals should influence benchmarks, sampling methods, and reporting parameters so you can achieve traffic quality that meets your business objectives.

You need to know technically where you are; and only then you can define where you want to be. After defining the current state, you need to decide how much of an improvement you expect, and how long do you have to achieve your ultimate objective. Improving traffic quality has costs that need to be considered in context with the entire business plan.

It’s also important to decide what type of corrective action you are prepared to take if an alarm goes off when fraud is detected. Will you ask for a refund, or just eliminate the traffic source all together? Bad traffic sources can be several hops away from the original source, so you might decide to pinpoint and then cancel out the bad sources, while keeping the good traffic and a positive relationship with the exchange. If you are looking to partition the traffic, than you need to provide a level of granularity for your reporting so you can pinpoint exactly where the fraud takes place in an actionable way.

Are certificates and standards the only way forward?

Absolutely not! As noted above, they can even get in the way of preventing ad fraud. Players need to develop strategies based on their business plans and then implement methodologies and tools to regularly inspect, detect, and prevent fraud to keep ad traffic clean.