NOT Predictions for Digital Ad Fraud in 2019

Writing exclusively for ExchangeWire, cybersecurity and ad fraud researcher, Dr Augustine Fou, is bucking the '2019 predictions' trend, and reminding marketers to live in the present and keep a close eye out for fraudulent activity occurring in their campaigns right now.

Many have come out with their predictions and prognostications for what is to come in 2019. That’s cool and all. But I don’t know many folks who can actually tell the future.

So instead, let me spend a few minutes sharing some NON-predictions about digital ad fraud in 2019. What follows are not predictions, because they are already happening right now; they are just not documented or publicly acknowledged. These forms of fraud may not even come to light publicly in 2019 through press releases and FBI arrests, but they are worth looking out for in your own campaigns.

Mobile ad fraud is OMG

Mobile is nearly 70% of digital ad spend in the U.S., and is even higher in other regions. Ad fraud in mobile is more rampant than on desktop because of a number of factors. From the users’ perspective, there is far less mature anti-virus and anti-malware software for mobile devices compared with desktop and laptop computers. And some mobile anti-malware software has already been shown to be abusing admin permissions, collecting user data, logging keystrokes and gestures, and committing click fraud and ad fraud. From the ad tech perspective, most of the fraud-detection tech is lacking or completely blind in mobile, so it is not catching anything; and awareness of the fraud problem is nascent at best.

In mobile ad fraud, bad guys have every advantage. For example, when they use mobile emulators – software that simulates a mobile device – they can download and install apps, launch and interact with them, and pass in fake sensor data. This goes far beyond passing fake GPS locations for geolocation fraud (a device pretending to be in the U.S. or any market that buyers are targeting). The mobile emulators can pass fake gyroscope, accelerometer, and other sensor data to defeat any kind of fraud detection. They can also pretend to be iPhones to earn higher CPMs – they literally don’t even need to make real iPhone apps and get them approved in the iTunes app store (which is very hard).

Furthermore, the fake mobile devices can generate infinite numbers of fake deviceIDs. If fraud-detection tech has not seen a deviceID, its default action is to let it through, because of the fear of false positives (what if the device were a real human’s device?). Also, fake deviceIDs are used to defeat frequency caps, because bad guys can just create new ones once any cap is reached. You might be wondering if telecom carriers can tell real deviceIDs from fake ones. Sure they can. But bad guys can even defeat these telecom checks by copying off real deviceIDs and replaying them to make ad calls. Or malware hiding in real humans’ devices can make ad calls in the background, thus passing even telecom carrier checks.

CTV & OTT video fraud is WTF

What if you can simply say you are a connected TV or Roku streaming stick, or any other streaming device, and start making money from unsuspecting ad buyers who are desperate to buy such video ad inventory, because “go where the users are”, right? Well, that’s exactly what’s happening already. As more money shifts into CTV ('connected TV') and OTT ('over-the-top'), bad guys are already there waiting for the money to be handed to them, willingly. And despite the use of fraud detection for CTV, OTT, and VPAID/VAST video ads, fraud is getting through, like a walk in the park.

On top of this, misrepresentation of inventory and other simple arbitrage continues unabated. For example, it is well documented that high-CPM video ads are stuffed into low-cost display ad slots (misrepresentation), run continuously in hidden, pop-under windows, or displayed on subdomains that humans never visit, but that get all their traffic from page redirect networks (so-called 'zero-click' traffic). And, finally, across hundreds of millions of impressions, we are seeing between a third and two-thirds of the ad impressions not even being served – by comparing DSP reports of bids won and ad server logs of ads served. This is especially bad in mobile, because the user continues scrolling past the ad slot – the ad call is made, but the user has already moved away before the ad actually arrives and is displayed. Fraud detection tech does not help in any of these cases.
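The reconciliation described above, comparing DSP reports of bids won against ad server logs of ads served, sketched as an added example that is not part of the original article. The shared impression ID, the field names `imp_id` and `device`, the one-third flagging threshold, and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. Assumes the DSP export and the ad server log
# share an impression ID; real exports may need a different join key.
DSP_WINS = [{"imp_id": i, "device": d} for i, d in [
    ("a1", "mobile"), ("a1", "mobile"),          # duplicate row in the export
    ("a2", "mobile"), ("a3", "mobile"), ("a4", "mobile"),
    ("a5", "mobile"), ("a6", "mobile"),
    ("b1", "desktop"), ("b2", "desktop"), ("b3", "desktop"), ("b4", "desktop"),
]]
# "a1" logged twice (retry); "zz9" was served but never appears as a win.
AD_SERVER_SERVED = ["a1", "a1", "a3", "b1", "b2", "b3", "zz9"]


def reconcile(wins, served_ids, key="device"):
    """Per-segment count of impressions paid for (won) vs actually served."""
    served = set(served_ids)                     # collapse repeated serve events
    won_ids = set()
    stats = defaultdict(lambda: {"won": 0, "served": 0})
    for win in wins:
        if win["imp_id"] in won_ids:             # do not double count a win
            continue
        won_ids.add(win["imp_id"])
        seg = stats[win[key]]
        seg["won"] += 1
        if win["imp_id"] in served:
            seg["served"] += 1
    report = {}
    for name, seg in stats.items():
        unserved = seg["won"] - seg["served"]
        report[name] = {**seg, "unserved": unserved,
                        "unserved_rate": unserved / seg["won"]}
    # Served IDs with no matching win point to a join or logging problem,
    # so they are reported separately instead of skewing the rates.
    orphans = sorted(served - won_ids)
    return report, orphans


def flag(report, threshold=1 / 3):
    """Segments whose unserved share reaches the (assumed) threshold."""
    return sorted(n for n, r in report.items() if r["unserved_rate"] >= threshold)


if __name__ == "__main__":
    report, orphans = reconcile(DSP_WINS, AD_SERVER_SERVED)
    for name, row in sorted(report.items()):
        print(name, row)
    print("flagged:", flag(report), "orphan serves:", orphans)
```
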

Bots DO convert, FTW

Many have long believed that “bots don’t convert, right?”, but that only applies to real purchases in physical world stores. True, bots currently don’t buy stuff in stores (because they don't make money from that). But, bots easily perform other actions that are considered 'conversions' by advertisers, and get paid the CPA ('cost per action') for those. Many marketers think they are immune to ad fraud because they are only paying when they get these actions, as opposed to paying for impressions (CPM) or for clicks (CPC). But they would be wrong. Bots complete forms, surveys, or even college applications, so they can get paid the bounty for such actions. Fake mobile devices download and install apps, and then open them, so they can get the cost-per-install fees paid to them. And, finally, they can robo-dial the conversion phone number you are using in your CPA campaigns.

Bots also leverage millions of stolen credit card numbers to make millions of small, in-game purchases that go undetected by the cardholder. Mobile fraudsters can trick attribution systems into thinking there was a conversion and, thus, earn the revenue share or bounty without the transaction even occurring; they can also actually make the purchase with the forms of payment already associated with the device or app – and the human is left holding the bag – so the device appears to have made purchases in the eyes of the DMPs (data management platforms).

So... #marketers, in 2019, don’t be a n00b when it comes to ad fraud. Overturn your own assumptions and look in your own analytics to solve fraud (see DIY Fraud Reduction) because you can no longer say 'IDK'. Otherwise, 2019 will turn out to be yet another year where bad guys will be ROFLMAO all the way to the bank because they PWN your ad budgets. And I'll be SMH for another year.