Ad fraud is a game where losing can look like winning, our Singular Fraud Index says. That’s why you need the latest intel — and the best fraud protection suite in the attribution industry — to protect you.

And understanding the enemy is the first step in winning the fraud war.

Or at least … not losing it.

At our recent UNIFY conference, IronSource’s Vice President for Growth Yevgeny Peres unpacked the science and data behind how fraudsters win. This was new intel to some of the world’s top digital marketers (not an easy task) and showed attendees how fraud was happening live in their campaigns right from the most innocuous, trustworthy, and high-quality apps.

Now we’re sharing the insights with you.

How fraudsters win: Outsourcing fake clicks to real people

“Assuming you have a phone and you’ve engaged with ads and you have some apps installed, fraudsters have access to your phone: your device ID,” says Peres. “And that device ID … once a fraudster has it, it’s not that complicated to start using it to manipulate attribution.”

Here’s how it works.

Peres demonstrated with a mobile app on a phone that he connected to desktop technology to read and display all internet traffic. The app, a household name and top-60 grossing app, is perfectly legitimate and aboveboard. It would look like a quality publisher and a quality traffic source to any advertiser.

But it happens to show banner ads.

And fraudsters have managed to get their banner ads displayed on the app.

One of them is running code in Javascript behind the image. That code contains a long list of click URLs and opens multiple iFrames: mini virtual web browser windows. The URLs are tracking links, potentially from multiple tracking and attribution vendors, but they’re wrapped links that obscure exactly what they are and where they’re going.

The result: many advertisers, including multiple UNIFY attendees, see potential customer activity on mobile web that turns out to be completely fake.

“This was in-app banner traffic that’s going to be reported by tracking companies as if it were mobile web,” says Peres. “[These were] various websites that were not open on the phone … you would assume you’re buying from these guys when actually it was driven from the app.”

In one fell swoop you have multiple forms of fraud:

Ad stacking: multiple ads stacked where one appears Click spamming: 50 clicks fired for one banner view Domain spoofing: clicks are reported as coming from sites that no-one ever visited Fingerprint manipulation: device fingerprints are faked to look like real devices

“This looks like great quality … but there’s zero intent,” says Peres.

How the fraudsters win: SDK spoofing

“The first thing to understand about SDK spoofing is that it’s much bigger than you think,” says Peres.

SDK spoofing requires some serious technical chops. If fraudsters have access to real device IDs, they could simply engage in click spamming. But why wait for people to install an app or convert in a campaign randomly or organically?

In SDK spoofing, fraudsters employ code in one app to send fake install and conversion signals on behalf of another app: an advertiser’s app.

Fraudsters can vastly multiply their ill-gotten earnings by faking conversion events.

“If I know what the tracking company’s SDK reports on app open, I might as well intercept that, replace the device ID, play around with the other parameters, and send it again,” says Peres. “A couple minutes later, I can orchestrate a beautiful KPI curve … I can [even] inflate organics to make sure this channel [looks like it] has an organic uplift.”

How the fraudsters win: Click spamming

The good guys in adtech have access to hundreds of millions if not billions of device identifiers. The bad news: so do the bad guys.

That’s a problem.

“All we need to do is gain access to a campaign and start running a script and fire a click every morning, randomly,” says Peres, mimicking a fraudster’s thought process. “[You’re] hoping that one of these guys will generate a conversion … that’s probably a $50K income a day, just doing that.”

On an ad exchange, once you gain access to a device ID you can do whatever you want with it, technically speaking.

“Once you have access to it, anyone can report a click,” Peres says. “It’s how the design of our stats-serving ecosystem is … that’s the bad news.”

How the fraudsters win: No incrementality analysis

Fraudulent activity isn’t just something on top of your standard organic marketing results or even just your paid marketing campaigns.

Some fraudulent channels eat organics.

Some fraudulent channels eat other paid channels.

“It’s very important to understand the difference between channels that are incremental to you and channels that are not,” says Peres. “This is the biggest challenge for a marketer.”

Marketers may perceive fraud as a 20-30% problem, but much of it is not incremental. It’s cannibalistic. That means that marketers absolutely must test each channel for incrementality, ensuring that each channel really does independently drive business results.

How the fraudsters win: Fraud looks so juicy good

Some fraud has excellent camouflage. Here’s one example: check out the average revenue per user (ARPU) for these two campaigns.

Campaign 1 and 2 have identical cost per install (CPI) and near-identical impressions, plus near-identical real clicks. But campaign two is a video ad that is either auto-redirecting to the App Store or Google Play after every view.

“When you look at the funnel, the CTR is almost 100%,” Peres says. “This is by the design of their product where they report a click for every completed view … so once the video is over, they have to report a click because they redirect the user to the App Store.”

The ARPU looks great — better than a clean campaign — so it’s very tempting for marketers to keep spending there. Especially if they’re not closely checking the other parameters such as the impossibly-high click-through rate.

This is an example of something that completely breaks the mobile advertising model, says Peres.

“These channels … if they’re manipulating attribution, their media costs are very low,” he says. “Other DSPs are competing with these guys. You have a 1% CTR rate for playing a clean game; these guys on a single impression generate 50 clicks. That’s 5000X stronger. That’s something you cannot outbid no matter which data scientist you hire.”

How the fraudsters win: Marketers don’t monitor key indicators

There are many key indicators that marketers who care about limiting fraud need to pay attention to, says Peres. Here are some of them (watch the full video for the complete list).

Good ad fraud prevention enables you to see:

Channel metrics versus attribution metrics (look for discrepancies) Percentage of clicks without a device/advertising ID (Android should be about 1%; iOS should be about 20%) Percentage of view-through attribution (VTA) versus click-through attribution (CTA) conversions Number of clicks per device ID (high is suspicious, shockingly) Number of views per device ID (again, high is suspicious) Percentage of clicks without a prior view … in some cases, 65% or more of clicks happen without a view: this is suspicious Very low eCPM Short, very regular, very long, or otherwise improbable or unnatural click to install times Attribution analytics versus iTune Connect and Google Developers Console numbers Incrementality

That’s not a small number to keep track of, but savvy marketers who don’t want to get burned by fraud will need to stay on top of these key indicators.

Summing up: One thing you must do

Fraudsters are smart, they’re technical, and they’re always working hard to separate you from your hard-earned ad dollars.

They also hide in plain sight, as sub-publishers and lower-tier ad networks or sources of supply.

You need a partner who stays on top of ad fraud for you.

“My single advice is … make sure you work with a tracking company that invests a lot on research,” Peres says. “Singular obviously invests a lot on research and has a lot of knowledge there … they update their SDK a lot, the security of their SDK. Make sure you have the latest version of the SDK and keep updating … it’s a must, every time it comes out.”

Our investment in mobile ad fraud prevention protects you from donating to organized crime … and shooting your paid promotion campaigns in the foot.

What to do now: Get the hard numbers on fraud … and the top fraud-free networks.