Adam Smart (Director of Product at AppsFlyer) and Piyush Mishra (Lead Growth Marketing at Product Madness) unpack the latest in mobile ad fraud with Inna Ushakova (Co-Founder and CEO of Scalarr) and Richard Palmer (Principal Software Engineer at King). Find out what ad fraud actually looks like, how it has evolved in recent years, how SKAdNetwork is affected, and how the industry tackles this huge issue.
In most contracts with ad networks it says that the traffic is not fraudulent. But there is no clarification of what is fraud, which can be very subjective. Example: ad network that increases clicking area from 30% to 90%. It increases CTR...Is this fraud?
If you’re seeing a case where you have a high CTR but not a high install rate, that might start falling under the categorization of ad fraud. Example: close/X button hidden, no clear way to exit from the ad.
You want a win-win relationship with your ad network: tell them if you’re ok or not with their practices (e.g. increased clickable areas, close button hidden, etc.). This is part of the negotiation.
Fraud is performed at each layer and can be performed by app game developers, SDKs, DSPs, or anyone else. You have to be careful when working with someone new.
A lot of UA managers are incentivized for volume over quality traffic. They might also be afraid of reporting big amounts of fraud within what they’ve already bought, because it makes it look like they’re not doing a good job. So some people do not speak up.
For traffic in China and Southeast Asia, sometimes it’s up to 70%-100% in fraud. You need to be particularly careful, especially if you’re a foreigner.
King has a lot of data and good insights on what fraud is on their platform: they have huge reach through their games, they see all the user events, etc. so they initially involved data scientists and put the basic tech in place in-house. But as an advertiser, you can’t detect sophisticated attacks that are cross-network. DSPs are much better positioned to look across the network and spot suspicious traffic.
There is a place for doing something in-house, but you have to understand that you’re only able to catch some of the fraud. On the other hand, buying an anti-fraud solution means that you have to send all your events/data to a 3rd party and processing all of this if you’re large can be very costly.
As fraud evolves, you need to evolve your method, your data science capabilities and the way you think about it. If you’re not willing to invest wholeheartedly then you’re better off getting experts to help you.
Paying for fraudulent installs also means there are lost opportunities. When you don’t stop fraudulent traffic sources, you don’t optimize ad campaigns which means you’re not necessarily moving in the right direction from a ROI perspective.
Smaller companies look at their MMP’s numbers for fraud, but some of the installs not flagged might not be actually appearing in their backend.
Always cross-reference the numbers (at least the installs), whether they’re coming from an external party or internal tracking. Create your own dashboard with these different sources to check that everything aligns and investigate when you see discrepancies.
Whenever you open a lot of data points to define and “argue” fraud with a partner, you also become very vulnerable. When Scalarr negotiates refunds on behalf of their clients they need to open some portion of data, which can allow fraudsters to reverse-engineer their fraud detection algorithm.
Apple has favored Scalarr (and other 3rd party anti-fraud solutions) by allowing them to see all the data from users (including fingerprinting data), with the exception of the IDFA for users that do not opt-in. They’ll see everything but others won’t (networks, customers, etc.) so the challenge will be to use the output/data to both prove fraud and help their customers optimize their campaigns.
With iOS 14.5 changes, there will be huge spikes in attribution fraud detected, at least if Apple is able to recognize some kind of primitive bots and device farms. Scalarr has been detecting that fraudsters are already doing something to be ready for the post-ATT area, and Apple should develop something internally to counteract that.
Right now a lot of anti-fraud solutions work through MMPs, but in the future they will need their own SDKs to get the data. They should start analyzing the data of users on-device (without the data leaving the device). However one of the challenges is the battery charge of the device, and it’s going to take time before this is possible.
In most contracts with ad networks it says that the traffic is not fraudulent. But there is no clarification of what is fraud, which can be very subjective. Example: ad network that increases clicking area from 30% to 90%. It increases CTR...Is this fraud?
If you’re seeing a case where you have a high CTR but not a high install rate, that might start falling under the categorization of ad fraud. Example: close/X button hidden, no clear way to exit from the ad.
You want a win-win relationship with your ad network: tell them if you’re ok or not with their practices (e.g. increased clickable areas, close button hidden, etc.). This is part of the negotiation.
Fraud is performed at each layer and can be performed by app game developers, SDKs, DSPs, or anyone else. You have to be careful when working with someone new.
A lot of UA managers are incentivized for volume over quality traffic. They might also be afraid of reporting big amounts of fraud within what they’ve already bought, because it makes it look like they’re not doing a good job. So some people do not speak up.
For traffic in China and Southeast Asia, sometimes it’s up to 70%-100% in fraud. You need to be particularly careful, especially if you’re a foreigner.
King has a lot of data and good insights on what fraud is on their platform: they have huge reach through their games, they see all the user events, etc. so they initially involved data scientists and put the basic tech in place in-house. But as an advertiser, you can’t detect sophisticated attacks that are cross-network. DSPs are much better positioned to look across the network and spot suspicious traffic.
There is a place for doing something in-house, but you have to understand that you’re only able to catch some of the fraud. On the other hand, buying an anti-fraud solution means that you have to send all your events/data to a 3rd party and processing all of this if you’re large can be very costly.
As fraud evolves, you need to evolve your method, your data science capabilities and the way you think about it. If you’re not willing to invest wholeheartedly then you’re better off getting experts to help you.
Paying for fraudulent installs also means there are lost opportunities. When you don’t stop fraudulent traffic sources, you don’t optimize ad campaigns which means you’re not necessarily moving in the right direction from a ROI perspective.
Smaller companies look at their MMP’s numbers for fraud, but some of the installs not flagged might not be actually appearing in their backend.
Always cross-reference the numbers (at least the installs), whether they’re coming from an external party or internal tracking. Create your own dashboard with these different sources to check that everything aligns and investigate when you see discrepancies.
Whenever you open a lot of data points to define and “argue” fraud with a partner, you also become very vulnerable. When Scalarr negotiates refunds on behalf of their clients they need to open some portion of data, which can allow fraudsters to reverse-engineer their fraud detection algorithm.
Apple has favored Scalarr (and other 3rd party anti-fraud solutions) by allowing them to see all the data from users (including fingerprinting data), with the exception of the IDFA for users that do not opt-in. They’ll see everything but others won’t (networks, customers, etc.) so the challenge will be to use the output/data to both prove fraud and help their customers optimize their campaigns.
With iOS 14.5 changes, there will be huge spikes in attribution fraud detected, at least if Apple is able to recognize some kind of primitive bots and device farms. Scalarr has been detecting that fraudsters are already doing something to be ready for the post-ATT area, and Apple should develop something internally to counteract that.
Right now a lot of anti-fraud solutions work through MMPs, but in the future they will need their own SDKs to get the data. They should start analyzing the data of users on-device (without the data leaving the device). However one of the challenges is the battery charge of the device, and it’s going to take time before this is possible.
In most contracts with ad networks it says that the traffic is not fraudulent. But there is no clarification of what is fraud, which can be very subjective. Example: ad network that increases clicking area from 30% to 90%. It increases CTR...Is this fraud?
If you’re seeing a case where you have a high CTR but not a high install rate, that might start falling under the categorization of ad fraud. Example: close/X button hidden, no clear way to exit from the ad.
You want a win-win relationship with your ad network: tell them if you’re ok or not with their practices (e.g. increased clickable areas, close button hidden, etc.). This is part of the negotiation.
Fraud is performed at each layer and can be performed by app game developers, SDKs, DSPs, or anyone else. You have to be careful when working with someone new.
A lot of UA managers are incentivized for volume over quality traffic. They might also be afraid of reporting big amounts of fraud within what they’ve already bought, because it makes it look like they’re not doing a good job. So some people do not speak up.
For traffic in China and Southeast Asia, sometimes it’s up to 70%-100% in fraud. You need to be particularly careful, especially if you’re a foreigner.
King has a lot of data and good insights on what fraud is on their platform: they have huge reach through their games, they see all the user events, etc. so they initially involved data scientists and put the basic tech in place in-house. But as an advertiser, you can’t detect sophisticated attacks that are cross-network. DSPs are much better positioned to look across the network and spot suspicious traffic.
There is a place for doing something in-house, but you have to understand that you’re only able to catch some of the fraud. On the other hand, buying an anti-fraud solution means that you have to send all your events/data to a 3rd party and processing all of this if you’re large can be very costly.
As fraud evolves, you need to evolve your method, your data science capabilities and the way you think about it. If you’re not willing to invest wholeheartedly then you’re better off getting experts to help you.
Paying for fraudulent installs also means there are lost opportunities. When you don’t stop fraudulent traffic sources, you don’t optimize ad campaigns which means you’re not necessarily moving in the right direction from a ROI perspective.
Smaller companies look at their MMP’s numbers for fraud, but some of the installs not flagged might not be actually appearing in their backend.
Always cross-reference the numbers (at least the installs), whether they’re coming from an external party or internal tracking. Create your own dashboard with these different sources to check that everything aligns and investigate when you see discrepancies.
Whenever you open a lot of data points to define and “argue” fraud with a partner, you also become very vulnerable. When Scalarr negotiates refunds on behalf of their clients they need to open some portion of data, which can allow fraudsters to reverse-engineer their fraud detection algorithm.
Apple has favored Scalarr (and other 3rd party anti-fraud solutions) by allowing them to see all the data from users (including fingerprinting data), with the exception of the IDFA for users that do not opt-in. They’ll see everything but others won’t (networks, customers, etc.) so the challenge will be to use the output/data to both prove fraud and help their customers optimize their campaigns.
With iOS 14.5 changes, there will be huge spikes in attribution fraud detected, at least if Apple is able to recognize some kind of primitive bots and device farms. Scalarr has been detecting that fraudsters are already doing something to be ready for the post-ATT area, and Apple should develop something internally to counteract that.
Right now a lot of anti-fraud solutions work through MMPs, but in the future they will need their own SDKs to get the data. They should start analyzing the data of users on-device (without the data leaving the device). However one of the challenges is the battery charge of the device, and it’s going to take time before this is possible.
Notes for this resource are currently being transferred and will be available soon.
Inna
Ad fraud is: generating fake impressions, fake leads, conversions, data events, stealing organic traffic, etc.
Richard
There has been a constant evolution of fraud. Fraudsters have kept one step ahead. It started with click spamming/stuffing, click injection, device spoofing and emulation, etc.
Adam
Ad spend has gone up over the years, too. Capturing just .1% from ad spends is already huge.
Piyush
Almost 30% of global ad tech can be categorized as fraudulent (or at least stealing organics).
Inna
30% of mobile marketing spend goes to fraud. Numbers depend on what is fraud: fake installs? Fake user activity? But often there is manipulation with ads e.g. triggering automatically the ad page without consent which fires a click, which is then used for attribution, which then “steals” organic. Is this fraud? It drives real users, but you shouldn’t pay for some percentage of that user.
Also: geo mismatch. When you buy traffic from the US but get traffic from Saudi Arabia. Is it fraud? They are still real users.
Sometimes it’s clear fraud, sometimes it’s something between, sometimes it’s more like a scam, etc.
There are a lot of cases from resetters: reset the settings (user identity) to install the app one more time.
Piyush
[💎@09:04] In most contracts with ad networks it says that the traffic is not fraudulent. But there is no clarification of what is fraud, which can be very subjective. Example: ad network that increases clicking area from 30% to 90%. It increases CTR...Is this fraud?
Richard
Is it timely, relevant and genuine? In the example above it does seem relevant. It depends if you see a high impression-to-install rate or if it’s just the CTR that increases.
[💎@10:30] If you’re seeing a case where you have a high CTR but not a high install rate, that might start falling under the categorization of ad fraud. Example: close/X button hidden, no clear way to exit from the ad.
Inna
You have the right to tell the ad network that you don’t want users to be redirected automatically to your app when they see an ad (can steal organic).
[💎@12:05] You want a win-win relationship with your ad network: tell them if you’re ok or not with their practices (e.g. increased clickable areas, close button hidden, etc.). This is part of the negotiation.
[💎@13:14] Fraud is performed at each layer and can be performed by app game developers, SDKs, DSPs, or anyone else. You have to be careful when working with someone new.
Adam
You don’t necessarily have a strong enough way to detect fraud so you keep paying for fraudulent installs.
Richard
Even the best may not detect 90% of fraud when working with anti-fraud partners.
Inna
[💎@16:03] A lot of UA managers are incentivized for volume over quality traffic. They might also be afraid of reporting big amounts of fraud within what they’ve already bought, because it makes it look like they’re not doing a good job. So some people do not speak up.
The situation is much better now than a few years ago in the US and Europe (not Asia) but there isn’t so much transparency in the market.
Inna
[💎@18:54] For traffic in China and Southeast Asia, sometimes it’s up to 70%-100% in fraud. You need to be particularly careful, especially if you’re a foreigner.
A lot of “Asian” installs our “out-of-store” (i.e. outside of the main app stores).
Richard
There are more controls in place when downloads come from the App Store or the Google Play Store vs. “out-of-store” apk: you can check the time, the validity, etc. But you can still check if the person is active in the product, engaging with it, etc.
Richard
[💎@21:51] King has a lot of data and good insights on what fraud is on their platform: they have huge reach through their games, they see all the user events, etc. so they initially involved data scientists and put the basic tech in place in-house. But as an advertiser, you can’t detect sophisticated attacks that are cross-network. DSPs are much better positioned to look across the network and spot suspicious traffic.
[💎@23:06] There is a place for doing something in-house, but you have to understand that you’re only able to catch some of the fraud. On the other hand, buying an anti-fraud solution means that you have to send all your events/data to a 3rd party and processing all of this if you’re large can be very costly.
Now, they’ve partnered with companies and no longer have their system in-house.
[💎@23:59] As fraud evolves, you need to evolve your method, your data science capabilities and the way you think about it. If you’re not willing to invest wholeheartedly then you’re better off getting experts to help you.
Executive management plays a big role in the decision to do something about fraud.
Piyush
At Product Madness it was hard to show the return on investment that comes from building an anti-fraud tool, because fraud can take many forms and the lines are blurred.
Inna
When you have a lot of fraud, there is a direct loss because you pay a cost for these fraudulent installs.
[💎@26:40] Paying for fraudulent installs also means there are lost opportunities. When you don’t stop fraudulent traffic sources, you don’t optimize ad campaigns which means you’re not necessarily moving in the right direction from a ROI perspective.
One of Scalarr’s clients was buying 80% of their traffic from a “strategic partner”, and that traffic was 80% fraud even though they were seeing revenue coming from it. It turns out that they were actually not able to see those installs and that only 5% of the transactions were valid.
You need to ask yourself what you want: top of free charts or top of grossing charts? Do you want a return on investment and at which rate?
Adam
[💎@30:00] Smaller companies look at their MMP’s numbers for fraud, but some of the installs not flagged might not be actually appearing in their backend.
Richard
[💎@30:52] Always cross-reference the numbers (at least the installs), whether they’re coming from an external party or internal tracking. Create your own dashboard with these different sources to check that everything aligns and investigate when you see discrepancies.
You don’t need to invest heavily to surface that sort of numbers. It can be a dashboard, it can be a chart.
Piyush
While you can agree internally that there is fraudulent behavior, each time you discuss it with DSPs to get a refund they “look into it” and it always turns out to be a subjective criteria.
Is there a future with automatic rejection of fraudulent installs?
Inna
[💎@33:30] Whenever you open a lot of data points to define and “argue” fraud with a partner, you also become very vulnerable. When Scalarr negotiates refunds on behalf of their clients they need to open some portion of data, which can allow fraudsters to reverse-engineer their fraud detection algorithm.
Inna
There is a period of transition right now because of the privacy changes which impact everyone in the market. Right now, Scalarr’s customers still use probabilistic attribution (i.e. “fingerprinting”) but that won’t work forever because Apple won’t allow it. How to analyze the data then?
[💎@35:51] Apple has favored Scalarr (and other 3rd party anti-fraud solutions) by allowing them to see all the data from users (including fingerprinting data), with the exception of the IDFA for users that do not opt-in. They’ll see everything but others won’t (networks, customers, etc.) so the challenge will be to use the output/data to both prove fraud and help their customers optimize their campaigns.
[💎@38:29] With iOS 14.5 changes, there will be huge spikes in attribution fraud detected, at least if Apple is able to recognize some kind of primitive bots and device farms. Scalarr has been detecting that fraudsters are already doing something to be ready for the post-ATT area, and Apple should develop something internally to counteract that.
If you rely only on your own data, you might not be able to see the whole data sets behind what you receive. If you had a 3rd party anti-fraud solution you’d have access to at least the output (not the data).
[💎@41:54] Right now a lot of anti-fraud solutions work through MMPs, but in the future they will need their own SDKs to get the data. They should start analyzing the data of users on-device (without the data leaving the device). However one of the challenges is the battery charge of the device, and it’s going to take time before this is possible.
Scalarr has started working with a SDK.
The biggest challenge still remains: what do they do with the output of “there is fraud”?
Richard
The ones you’re blown away by are usually not the most technically advanced one but the ones where fraudsters thought they could get away with. Example: serving deep link click as an impression on an off-screen ad, which is instantly detectable.
Inna
Have already gathered 500 million various samples of fraud. One of the most sophisticated and ridiculous examples was fraudsters trying to defraud Google by injecting fraudulent traffic in various traffic sources, including Google. Which is very smart because a lot of developers use Facebook and Google traffic as a benchmark for other traffic sources.
Adam mentioned Richard’s talk JVM Roundabout #10 hosted by King - Realtime Fraud Detection
Richard
It’s a fine line, especially when there are prizes to win like in esports or games where there is trading involved between players.
Inna
Already doing something on the “cheating” side and hope to enhance that soon.
Cheating is something that should be treated as scam or fraud when it impacts other players.
Richard
In 2019 when he did his talk, they didn’t have that many tournaments between players. Now if there are players that cheat and have incredible scores, their accounts will be removed.
Inna
Ad fraud is: generating fake impressions, fake leads, conversions, data events, stealing organic traffic, etc.
Richard
There has been a constant evolution of fraud. Fraudsters have kept one step ahead. It started with click spamming/stuffing, click injection, device spoofing and emulation, etc.
Adam
Ad spend has gone up over the years, too. Capturing just .1% from ad spends is already huge.
Piyush
Almost 30% of global ad tech can be categorized as fraudulent (or at least stealing organics).
Inna
30% of mobile marketing spend goes to fraud. Numbers depend on what is fraud: fake installs? Fake user activity? But often there is manipulation with ads e.g. triggering automatically the ad page without consent which fires a click, which is then used for attribution, which then “steals” organic. Is this fraud? It drives real users, but you shouldn’t pay for some percentage of that user.
Also: geo mismatch. When you buy traffic from the US but get traffic from Saudi Arabia. Is it fraud? They are still real users.
Sometimes it’s clear fraud, sometimes it’s something between, sometimes it’s more like a scam, etc.
There are a lot of cases from resetters: reset the settings (user identity) to install the app one more time.
Piyush
[💎@09:04] In most contracts with ad networks it says that the traffic is not fraudulent. But there is no clarification of what is fraud, which can be very subjective. Example: ad network that increases clicking area from 30% to 90%. It increases CTR...Is this fraud?
Richard
Is it timely, relevant and genuine? In the example above it does seem relevant. It depends if you see a high impression-to-install rate or if it’s just the CTR that increases.
[💎@10:30] If you’re seeing a case where you have a high CTR but not a high install rate, that might start falling under the categorization of ad fraud. Example: close/X button hidden, no clear way to exit from the ad.
Inna
You have the right to tell the ad network that you don’t want users to be redirected automatically to your app when they see an ad (can steal organic).
[💎@12:05] You want a win-win relationship with your ad network: tell them if you’re ok or not with their practices (e.g. increased clickable areas, close button hidden, etc.). This is part of the negotiation.
[💎@13:14] Fraud is performed at each layer and can be performed by app game developers, SDKs, DSPs, or anyone else. You have to be careful when working with someone new.
Adam
You don’t necessarily have a strong enough way to detect fraud so you keep paying for fraudulent installs.
Richard
Even the best may not detect 90% of fraud when working with anti-fraud partners.
Inna
[💎@16:03] A lot of UA managers are incentivized for volume over quality traffic. They might also be afraid of reporting big amounts of fraud within what they’ve already bought, because it makes it look like they’re not doing a good job. So some people do not speak up.
The situation is much better now than a few years ago in the US and Europe (not Asia) but there isn’t so much transparency in the market.
Inna
[💎@18:54] For traffic in China and Southeast Asia, sometimes it’s up to 70%-100% in fraud. You need to be particularly careful, especially if you’re a foreigner.
A lot of “Asian” installs our “out-of-store” (i.e. outside of the main app stores).
Richard
There are more controls in place when downloads come from the App Store or the Google Play Store vs. “out-of-store” apk: you can check the time, the validity, etc. But you can still check if the person is active in the product, engaging with it, etc.
Richard
[💎@21:51] King has a lot of data and good insights on what fraud is on their platform: they have huge reach through their games, they see all the user events, etc. so they initially involved data scientists and put the basic tech in place in-house. But as an advertiser, you can’t detect sophisticated attacks that are cross-network. DSPs are much better positioned to look across the network and spot suspicious traffic.
[💎@23:06] There is a place for doing something in-house, but you have to understand that you’re only able to catch some of the fraud. On the other hand, buying an anti-fraud solution means that you have to send all your events/data to a 3rd party and processing all of this if you’re large can be very costly.
Now, they’ve partnered with companies and no longer have their system in-house.
[💎@23:59] As fraud evolves, you need to evolve your method, your data science capabilities and the way you think about it. If you’re not willing to invest wholeheartedly then you’re better off getting experts to help you.
Executive management plays a big role in the decision to do something about fraud.
Piyush
At Product Madness it was hard to show the return on investment that comes from building an anti-fraud tool, because fraud can take many forms and the lines are blurred.
Inna
When you have a lot of fraud, there is a direct loss because you pay a cost for these fraudulent installs.
[💎@26:40] Paying for fraudulent installs also means there are lost opportunities. When you don’t stop fraudulent traffic sources, you don’t optimize ad campaigns which means you’re not necessarily moving in the right direction from a ROI perspective.
One of Scalarr’s clients was buying 80% of their traffic from a “strategic partner”, and that traffic was 80% fraud even though they were seeing revenue coming from it. It turns out that they were actually not able to see those installs and that only 5% of the transactions were valid.
You need to ask yourself what you want: top of free charts or top of grossing charts? Do you want a return on investment and at which rate?
Adam
[💎@30:00] Smaller companies look at their MMP’s numbers for fraud, but some of the installs not flagged might not be actually appearing in their backend.
Richard
[💎@30:52] Always cross-reference the numbers (at least the installs), whether they’re coming from an external party or internal tracking. Create your own dashboard with these different sources to check that everything aligns and investigate when you see discrepancies.
You don’t need to invest heavily to surface that sort of numbers. It can be a dashboard, it can be a chart.
Piyush
While you can agree internally that there is fraudulent behavior, each time you discuss it with DSPs to get a refund they “look into it” and it always turns out to be a subjective criteria.
Is there a future with automatic rejection of fraudulent installs?
Inna
[💎@33:30] Whenever you open a lot of data points to define and “argue” fraud with a partner, you also become very vulnerable. When Scalarr negotiates refunds on behalf of their clients they need to open some portion of data, which can allow fraudsters to reverse-engineer their fraud detection algorithm.
Inna
There is a period of transition right now because of the privacy changes which impact everyone in the market. Right now, Scalarr’s customers still use probabilistic attribution (i.e. “fingerprinting”) but that won’t work forever because Apple won’t allow it. How to analyze the data then?
[💎@35:51] Apple has favored Scalarr (and other 3rd party anti-fraud solutions) by allowing them to see all the data from users (including fingerprinting data), with the exception of the IDFA for users that do not opt-in. They’ll see everything but others won’t (networks, customers, etc.) so the challenge will be to use the output/data to both prove fraud and help their customers optimize their campaigns.
[💎@38:29] With iOS 14.5 changes, there will be huge spikes in attribution fraud detected, at least if Apple is able to recognize some kind of primitive bots and device farms. Scalarr has been detecting that fraudsters are already doing something to be ready for the post-ATT area, and Apple should develop something internally to counteract that.
If you rely only on your own data, you might not be able to see the whole data sets behind what you receive. If you had a 3rd party anti-fraud solution you’d have access to at least the output (not the data).
[💎@41:54] Right now a lot of anti-fraud solutions work through MMPs, but in the future they will need their own SDKs to get the data. They should start analyzing the data of users on-device (without the data leaving the device). However one of the challenges is the battery charge of the device, and it’s going to take time before this is possible.
Scalarr has started working with a SDK.
The biggest challenge still remains: what do they do with the output of “there is fraud”?
Richard
The ones you’re blown away by are usually not the most technically advanced one but the ones where fraudsters thought they could get away with. Example: serving deep link click as an impression on an off-screen ad, which is instantly detectable.
Inna
Have already gathered 500 million various samples of fraud. One of the most sophisticated and ridiculous examples was fraudsters trying to defraud Google by injecting fraudulent traffic in various traffic sources, including Google. Which is very smart because a lot of developers use Facebook and Google traffic as a benchmark for other traffic sources.
Adam mentioned Richard’s talk JVM Roundabout #10 hosted by King - Realtime Fraud Detection
Richard
It’s a fine line, especially when there are prizes to win like in esports or games where there is trading involved between players.
Inna
Already doing something on the “cheating” side and hope to enhance that soon.
Cheating is something that should be treated as scam or fraud when it impacts other players.
Richard
In 2019 when he did his talk, they didn’t have that many tournaments between players. Now if there are players that cheat and have incredible scores, their accounts will be removed.
Inna
Ad fraud is: generating fake impressions, fake leads, conversions, data events, stealing organic traffic, etc.
Richard
There has been a constant evolution of fraud. Fraudsters have kept one step ahead. It started with click spamming/stuffing, click injection, device spoofing and emulation, etc.
Adam
Ad spend has gone up over the years, too. Capturing just .1% from ad spends is already huge.
Piyush
Almost 30% of global ad tech can be categorized as fraudulent (or at least stealing organics).
Inna
30% of mobile marketing spend goes to fraud. Numbers depend on what is fraud: fake installs? Fake user activity? But often there is manipulation with ads e.g. triggering automatically the ad page without consent which fires a click, which is then used for attribution, which then “steals” organic. Is this fraud? It drives real users, but you shouldn’t pay for some percentage of that user.
Also: geo mismatch. When you buy traffic from the US but get traffic from Saudi Arabia. Is it fraud? They are still real users.
Sometimes it’s clear fraud, sometimes it’s something between, sometimes it’s more like a scam, etc.
There are a lot of cases from resetters: reset the settings (user identity) to install the app one more time.
Piyush
[💎@09:04] In most contracts with ad networks it says that the traffic is not fraudulent. But there is no clarification of what is fraud, which can be very subjective. Example: ad network that increases clicking area from 30% to 90%. It increases CTR...Is this fraud?
Richard
Is it timely, relevant and genuine? In the example above it does seem relevant. It depends if you see a high impression-to-install rate or if it’s just the CTR that increases.
[💎@10:30] If you’re seeing a case where you have a high CTR but not a high install rate, that might start falling under the categorization of ad fraud. Example: close/X button hidden, no clear way to exit from the ad.
Inna
You have the right to tell the ad network that you don’t want users to be redirected automatically to your app when they see an ad (can steal organic).
[💎@12:05] You want a win-win relationship with your ad network: tell them if you’re ok or not with their practices (e.g. increased clickable areas, close button hidden, etc.). This is part of the negotiation.
[💎@13:14] Fraud is performed at each layer and can be performed by app game developers, SDKs, DSPs, or anyone else. You have to be careful when working with someone new.
Adam
You don’t necessarily have a strong enough way to detect fraud so you keep paying for fraudulent installs.
Richard
Even the best may not detect 90% of fraud when working with anti-fraud partners.
Inna
[💎@16:03] A lot of UA managers are incentivized for volume over quality traffic. They might also be afraid of reporting big amounts of fraud within what they’ve already bought, because it makes it look like they’re not doing a good job. So some people do not speak up.
The situation is much better now than a few years ago in the US and Europe (not Asia) but there isn’t so much transparency in the market.
Inna
[💎@18:54] For traffic in China and Southeast Asia, sometimes it’s up to 70%-100% in fraud. You need to be particularly careful, especially if you’re a foreigner.
A lot of “Asian” installs our “out-of-store” (i.e. outside of the main app stores).
Richard
There are more controls in place when downloads come from the App Store or the Google Play Store vs. “out-of-store” apk: you can check the time, the validity, etc. But you can still check if the person is active in the product, engaging with it, etc.
Richard
[💎@21:51] King has a lot of data and good insights on what fraud is on their platform: they have huge reach through their games, they see all the user events, etc. so they initially involved data scientists and put the basic tech in place in-house. But as an advertiser, you can’t detect sophisticated attacks that are cross-network. DSPs are much better positioned to look across the network and spot suspicious traffic.
[💎@23:06] There is a place for doing something in-house, but you have to understand that you’re only able to catch some of the fraud. On the other hand, buying an anti-fraud solution means that you have to send all your events/data to a 3rd party and processing all of this if you’re large can be very costly.
Now, they’ve partnered with companies and no longer have their system in-house.
[💎@23:59] As fraud evolves, you need to evolve your method, your data science capabilities and the way you think about it. If you’re not willing to invest wholeheartedly then you’re better off getting experts to help you.
Executive management plays a big role in the decision to do something about fraud.
Piyush
At Product Madness it was hard to show the return on investment that comes from building an anti-fraud tool, because fraud can take many forms and the lines are blurred.
Inna
When you have a lot of fraud, there is a direct loss because you pay a cost for these fraudulent installs.
[💎@26:40] Paying for fraudulent installs also means there are lost opportunities. When you don’t stop fraudulent traffic sources, you don’t optimize ad campaigns which means you’re not necessarily moving in the right direction from a ROI perspective.
One of Scalarr’s clients was buying 80% of their traffic from a “strategic partner”, and that traffic was 80% fraud even though they were seeing revenue coming from it. It turns out that they were actually not able to see those installs and that only 5% of the transactions were valid.
You need to ask yourself what you want: top of free charts or top of grossing charts? Do you want a return on investment and at which rate?
Adam
[💎@30:00] Smaller companies look at their MMP’s numbers for fraud, but some of the installs not flagged might not be actually appearing in their backend.
Richard
[💎@30:52] Always cross-reference the numbers (at least the installs), whether they’re coming from an external party or internal tracking. Create your own dashboard with these different sources to check that everything aligns and investigate when you see discrepancies.
You don’t need to invest heavily to surface that sort of numbers. It can be a dashboard, it can be a chart.
Piyush
While you can agree internally that there is fraudulent behavior, each time you discuss it with DSPs to get a refund they “look into it” and it always turns out to be a subjective criteria.
Is there a future with automatic rejection of fraudulent installs?
Inna
[💎@33:30] Whenever you open a lot of data points to define and “argue” fraud with a partner, you also become very vulnerable. When Scalarr negotiates refunds on behalf of their clients they need to open some portion of data, which can allow fraudsters to reverse-engineer their fraud detection algorithm.
Inna
There is a period of transition right now because of the privacy changes which impact everyone in the market. Right now, Scalarr’s customers still use probabilistic attribution (i.e. “fingerprinting”) but that won’t work forever because Apple won’t allow it. How to analyze the data then?
[💎@35:51] Apple has favored Scalarr (and other 3rd party anti-fraud solutions) by allowing them to see all the data from users (including fingerprinting data), with the exception of the IDFA for users that do not opt-in. They’ll see everything but others won’t (networks, customers, etc.) so the challenge will be to use the output/data to both prove fraud and help their customers optimize their campaigns.
[💎@38:29] With iOS 14.5 changes, there will be huge spikes in attribution fraud detected, at least if Apple is able to recognize some kind of primitive bots and device farms. Scalarr has been detecting that fraudsters are already doing something to be ready for the post-ATT area, and Apple should develop something internally to counteract that.
If you rely only on your own data, you might not be able to see the whole data sets behind what you receive. If you had a 3rd party anti-fraud solution you’d have access to at least the output (not the data).
[💎@41:54] Right now a lot of anti-fraud solutions work through MMPs, but in the future they will need their own SDKs to get the data. They should start analyzing the data of users on-device (without the data leaving the device). However one of the challenges is the battery charge of the device, and it’s going to take time before this is possible.
Scalarr has started working with a SDK.
The biggest challenge still remains: what do they do with the output of “there is fraud”?
Richard
The ones you’re blown away by are usually not the most technically advanced one but the ones where fraudsters thought they could get away with. Example: serving deep link click as an impression on an off-screen ad, which is instantly detectable.
Inna
Have already gathered 500 million various samples of fraud. One of the most sophisticated and ridiculous examples was fraudsters trying to defraud Google by injecting fraudulent traffic in various traffic sources, including Google. Which is very smart because a lot of developers use Facebook and Google traffic as a benchmark for other traffic sources.
Adam mentioned Richard’s talk JVM Roundabout #10 hosted by King - Realtime Fraud Detection
Richard
It’s a fine line, especially when there are prizes to win like in esports or games where there is trading involved between players.
Inna
Already doing something on the “cheating” side and hope to enhance that soon.
Cheating is something that should be treated as scam or fraud when it impacts other players.
Richard
In 2019 when he did his talk, they didn’t have that many tournaments between players. Now if there are players that cheat and have incredible scores, their accounts will be removed.
