Online advertising has a fraud problem. Millions of ad impressions are being served to bots and non-human traffic, and ad tech companies are doing little to stop it. Digiday spoke with a former publishing executive who said he knowingly purchased fraudulent traffic and sold it on to advertisers in the past year. In fact, it was his former company’s business model. Here’s what he said:

How and why were you buying non-human traffic?

We were spending anywhere from $10,000 to $35,000 a day on traffic. My conversations with [these ad networks] were similar: They would let me decide how much I was willing to pay for traffic, and when I told them $0.002 or below, they made it clear they had little control over the quality of traffic they would send at that price. Quality didn’t really matter to us, though. As a website running an arbitrage model, all that mattered was profit, and for every $0.002 visit we were buying, we were making between $0.0025 and $0.004 selling display ads through networks and exchanges. The biggest determinate of which traffic partner we were spending the most money with was pageviews per visit. Since we were paying a fixed cost per visit, more pageviews equaled more ad impressions. Almost none of these companies were based in the U.S. While our contacts were in the US and had American names and accents, most of the time we found ourselves sending payment to a non-US bank.

How did you know the traffic was bots?

These vendors offer a range of services and traffic types – everything from $2.00 CPC traffic sourced from Google, Yahoo, and Bing, to $0.002 CPC from god knows where. When we told them we were looking for the cheapest traffic we could possibly buy there would be sort of a wink and a nod, and they’d make us aware that for that price the traffic would be of “unknown quality”. How much you pay determines how much bot traffic you’re getting, so when you’re paying $0.002 a click, you’re getting mostly bots. You can tell it’s bot traffic just by looking at the analytics. We’d see a traffic spike in our real-time analytics dashboard and then we would see all of our traffic for the day serve in a couple of hours, Or it would all come from users using the same really old version of Internet Explorer. Almost all our users had Flash versions from 2003, according to Google Analytics. That just doesn’t happen with real users.

Were you just serving display ads to this traffic?

We tried playing around with video a little. A network came to us said they’d pay $4 CPM for 2 million daily autoplay impressions. While we were eager for the chance to make an extra $100,000 of incremental profit per month, it turned out the bots couldn’t render video players. We’d send bot traffic to pages with video content but they couldn’t load our player. They were set up to fool display ads, but weren’t as tuned for other types of advertising. It seemed as if they were optimized to load pages, load display ads and not much else.



Can you prove categorically that you were buying bot traffic?

Unfortunately we couldn’t go out and prove categorically that these were bots. We couldn’t find a smoking gun. We knew beyond a doubt that it was non-human traffic, but we just couldn’t find a conclusive way to prove it.

Do you think publishers know when they’re buying fake traffic?

Publishers know. They might say “we had no idea” and blame it on their traffic acquisition vendor, but that’s bullshit, and they know it. If you’re buying visits for less than a penny, there’s no way you don’t understand what’s going on. Any publisher that’s smart enough understand an arbitrage opportunity is smart enough to understand that if it was a legitimate strategy that the opportunity would eventually disappear as more buyers crowded in. What we were doing was 100 percent intentional. Some articles revolving around bot traffic paint publishers as rubes who were duped into buying bad traffic by shady bot owners. Rather, I believe publishers are willing to do anything to make their economics work.

Do networks, exchanges and other ad tech companies do anything to stop this from happening?

We worked with a major supply-side platform partner that was just wink wink, nudge nudge about it. They asked us to explain why almost all of our traffic came from one operating system and the majority had all the same user-agent string. There was nothing I could really say to answer that question. It was their way of letting us know that they understood what was going on. It wasn’t just our account rep, either. It was people at the highest levels in the company. Part of me wished they’d said “You are in violation of our TOS and you have to stop running our tags.” I would have been happy with that. But they didn’t; they were willing to take the money.

Do you consider buying suspect traffic fraud?

I consider it fraud. It violated the terms of service in our contracts with our partners. When you begin a relationship with ad exchanges and other partners normally you have to identify the sources of your traffic and disclose if you are doing any traffic acquisition. In theory they maintain the quality of their traffic. In reality they just turn a blind eye.

How common do you think this is?

I think there are a lot of people who knowingly do it. If you can do it with one site you can do it with 10 sites, which means a lot of traffic and ad impressions. For ad exchanges and networks it’s a meaningful part of their business, and that’s what’s more egregious to me. It’d be so much easier for them to see which publishers are doing this if they wanted to. If they just looked for sites where traffic increased 500 percent from one hour to the next, that’d be a good place to start. There are so many ways they could police this, but the incentive just isn’t there.