Marketers who use fraud verification vendors should not assume that those vendors’ technology can even detect ad fraud or stop it.

This is because the technology is tuned to look for bots - otherwise known as IVT (invalid traffic) or NHT (non-human traffic). While there are still botnets causing ad fraud, the majority of fraud is no longer caused by bots hitting web pages. There are other vast forms of ad fraud that are not detected by verification tech.

For example, flashlight apps that load billions of ads in the background continuously or page redirect fraud where web pages automatically redirect to other webpages in infinite loops. Furthermore, in mobile apps, there are technical limitations to what can be detected by javascript tags.

Even though these fraud detection vendors are “accredited” or “certified” by one or more ad tech trade bodies, that fact doesn’t mean they can detect fraud correctly. To be specific, “accreditation” means that an accounting firm interviewed the specific vendor and confirmed on a check list that each company was doing what they said they would do. This process does not determine whether the measurements are accurate or not. The trade bodies wouldn’t know because they don’t have their own technology and they do not collect any data. Therefore they do not have a truth set of data against which they can compare to know whether the measurement is correct. And, oh by the way, the vendors that got accredited are not required to disclose their “secret sauce.” What a convenient loophole for all of them.

What follows are common-sense questions that you can ask of your fraud verification vendors to determine if they even know what they are talking about or if they are outright ripping you off.





Do they have separate tags for in-ad measurement versus on-site measurement?

Javascript tags can either 1) “ride along” with ad impressions in the ad iframes - locations on the webpage where the ads go, or 2) be installed on the page, just like Google Analytics. The former is called in-ad measurement, and the latter is called on-page measurement. There are technical limitations and differences between these two kinds of measurements.

Using a simple example to explain, javascript code on the page can detect mouse movement, page scrolling, typing and clicks that happen on a page when the user navigates a site. But javascript inside the ad iframe cannot look outside of the iframe - which is like a little window on the page. Javascript code in this little window cannot see outside of itself; it can only see mouse movements or clicks when the user moves the mouse into the area of the ad.

When a vendor is used by the website publisher, the code is on the page. But when a vendor is used by the marketer, the code is in the ad iframe. This is why measurements from the same vendor, on the same website, in the same campaign come out different.

If vendors do not have separate in-ad versus on-site tags, then they do not even understand the basic technical limitations and differences between the two measurements. How could their measurements possibly be accurate?





Do they measure for both bots and humans?

All fraud verification vendors report on IVT/NHT. They may even break out GIVT (general IVT) versus SIVT (sophisticated IVT). But they do not also measure for humans. Why is this important? Let’s use a simple example to illustrate.

When a vendor reports 10% IVT, most people assume that the other 90% is humans, which is not the case. A portion of the data could be not measurable - like when bots block the tags of the fraud vendor to avoid getting caught. Another portion could have too little data to be labelled as “bot” or not. There are technical limitations to what javascript can collect, depending on the browser used. There are even more severe limitations in mobile apps. So the other 90% may not be human at all.

It is also important for any measurement vendor to report what portion of the data was not measurable and what portion did not have enough data for labelling. It is critical that they also measure for human-like actions because “not bot” doesn’t automatically mean it is human. If they don’t do this, how could their measurements possibly be accurate?





Do they show their work?

When someone says, “Trust me, our numbers are right because we’re accredited,” don’t you have the urge to ..... scream? Well, that’s what happens all the time. Fraud verification vendors provide post-mortem campaign reports (reports prepared after campaigns are over) that show the rate of IVT in a spreadsheet. They don’t provide supporting details or explanations of why something is fraud or isn’t fraud. When asked, they just push back and hide behind their “accreditation.” It’s well known that the sales people who sold you on using their tech, and the account people who call you up for renewals know little to nothing about the tech, how it works, and what its limitations are. They are also not qualified to do any analysis of the data to look for any other forms of fraud. So they are of no help whatsoever.

If a fraud verification vendor does not, or cannot, show their work so you can understand why something is labeled fraud or not, and then do something about it, then you’re definitely not getting what you paid for. Post-mortem fraud reports may not show all the fraud; and trying to get your money back after it’s been wasted during the campaign is usually time consuming and futile.

What you need are supporting details -- evidence that explains why a site or an app is fraudulent -- while the campaign is still running. Then you can turn off those sites and apps so they stop stealing your ad budgets before the campaign is over. This way, the rest of the campaign can run more cleanly.





Still don’t believe me?

If you still choose to believe that fraud verification technology vendors work, ask yourself this - why are there literally thousands of traffic sellers selling “valid” traffic? They are selling traffic that gets marked as “valid” by all the fraud verification vendors -- i.e. they didn’t catch the fraud and mark it as invalid traffic.

Also, consider this. Fraud detection technology companies don't want to solve fraud; they really really really want fraud to continue so they can continue to make money from detecting it for you.

Do YOU want to solve fraud, or at least reduce it reliably in your own marketing campaigns? You can do so yourself. Start by looking in your own analytics for anomalies and strangeness. Here are some ideas for where to look and what to look for.





Cases of Ad Fraud NOT Detected by Verification Tech

Of course fraud detection tech can't catch everything, but shouldn't they have caught these "largest ever" bad things? What if these things are not the things that the technology was designed to detect?

May 2019 - https://www.buzzfeednews.com/article/craigsilverman/vidmate-app-download

April 2019 - https://www.buzzfeednews.com/article/craigsilverman/google-play-store-ad-fraud-du-group-baidu

March 2019 - https://www.buzzfeednews.com/article/craigsilverman/in-banner-video-ad-fraud

November 2018 - https://www.buzzfeednews.com/article/craigsilverman/android-apps-cheetah-mobile-kika-kochava-ad-fraud

October 2018 - https://www.buzzfeednews.com/article/craigsilverman/how-a-massive-ad-fraud-scheme-exploited-android-phones-to

June 2017 - Fireball Malware on 250 Million Devices https://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/

May 2017 - Judy Malware "The malware, dubbed “Judy”, is an auto-clicking adware which was found on 41 apps developed by a Korean company" https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/





Here's What People Think, Do You Agree?









About the Author: “I advise advertisers and publishers on the technical aspects of fighting digital ad fraud and improving the effectiveness and transparency of digital advertising. I help audit their campaigns and show them detailed data so they can verify for themselves what is fraud and what is not fraud.”

Follow me here on LinkedIn (click) and on Twitter @acfou (click)

Further reading: http://www.slideshare.net/augustinefou/presentations