In what many would call a ‘controversial week’ for the advertising industry, with the ANA releasing its findings about media rebates, plus the WFA issuing warnings over the extent of fraud. Below The Drum speaks with one of the online advertising industry’s leading security experts to discuss how verification can be ‘gamed’ and why advertisers should be wary of 'fraud-free' guarantees.

Earlier this week, the World Federation of Advertisers (WFA) issued a report warning that levels of ad fraud could potentially become so rampant, that criminals could be extracting as much as $50bn of value out of the industry by 2020.

Addressing the problem is not an easy endeavour due to (as raised by UK trade body JICWEBS) the authorities are woefully underfunded when it comes to pursuing such criminals. Meanwhile, the WFA advised advertisers to apply caution when it comes to monitoring how their online budgets are used, especially when working with partners.

The Drum has since spoken with Mikko Kotila, author of the WFA report, and co-founder of Botlab.io­, on how advertisers can best equip themselves with the knowledge necessary to keep on top of the problem.

Are you able to describe (in simple terms) some of the more common techniques used by fraudsters - and how they are able to game security providers?

The most common approach, that makes the bulk of ad fraud today, is to go to sourced traffic sellers [i.e. companies that literally ‘sell traffic’], buy verification vendor verified clicks at sub-penny CPC, and monetise it through your site(s) as CPM. This is referred to as ‘arbitrage’ and there are already hundreds of companies doing it. In effect it’s like printing money out of thin air.

One of the issues ad fraud verification vendors have is their focus on ‘botnets’ or specific techniques that can be used to create fake traffic. It makes your company sound ‘cool’ but has very little actual use in the fight against ad fraud. In the sourced traffic market, you go to a LinkedIn group, or do some Google searches, buy the traffic, and monetise it on your site. Because the traffic sellers guarantee that it’s verified by one or more verification vendors, it makes no difference how that traffic is generated.

The only parties benefiting from verification companies’ focus on botnets are traffic sellers and arbitragers making money with all that fake traffic on their sites.

In terms of passing the filters of the major verification companies, there is not much ‘gaming’ needed to pass their filters. In our research we’ve found that most of the well-known vendors are actually more-or-less incapable of detecting even the most obvious forms of ad fraud.

Indeed, how would you advise brands on how best to 'spot check' their anti-fraud solution's vulnerabilities to such fraudsters?

This is not easy for me to say, but within our network of researchers, we’re not so sure, anymore, about who are actually more of a ‘scam’, arbitragers or some of the better known verification companies.

When I talk with an arbitrager, he is not trying to tell me he is playing an important role in the supply-chain. I’ve researched ad fraud since 2006, and I’ve never seen evidence of a campaign or platform with exposure rates as low as these vendors are consistently reporting. Not once.

One of the vendors is actually claiming, quarter after quarter, that ad fraud is going down. As a researcher I can’t the claims they make. There is very rarely any mention of methodology to back up the claims that are being made, and I have never seen anyone mention that their method would have any caveats. False sense of security is probably hurting the advertisers more than traffic arbitrage is.

Can you go further into some of the industry dynamics at play, which allows the (currently widely known about, but rarely spoken of) levels of ad fraud to continue to exist?

In the sub-prime mortgage crisis, one of the key factors was how ratings agencies were making their money from business that came through the investment banks. When investment banks hired the ratings agencies to rate their sub-prime products (which essentially were later found to be fraud) the ratings agencies gave them all AAA ratings - regardless of how poorly they understood what it actually was.

We have this same dynamic with DSPs [demined-side platforms] going to the buyers with ‘ad fraud-free guarantees’ and verification companies backing it up, knowing there is a steady supply of business coming from that DSP as a result. Not sure how that’s going to work in a way where the buyers' interest is appropriately looked after.

AppNexus has made much effort to combat fraud in the last 12 months or so, but some criticise its approach as being too reactive. Can you advise brands on how best to be more pro-active in their bids to combat ad fraud?

AppNexus has been one of the more open players in terms of admitting the problem, which in my view is far more helpful than going around telling buyers that there is no problem, or that it’s a 5-to-10 per cent problem. This shows they are not ignorant about the problem, which is more than I can say about many of their competitors.

My advice to brands is to reduce reliance on verification vendors by working closely together with independent consultants and non-ad tech security companies instead. Trading log analysis is by far the most potent method for identifying issues in media spend. Stop thinking that because an ad tech company gives their buyers a ‘fraud-free guarantee’, that it means something.

Sub-prime mortgage products had AAA ratings leading to the meltdown, with those products proving completely worthless. The bigger the buyer of those products, the bigger their losses were. I can’t stress enough how important vigilance is in this market is.

Finally, your report says that fraudulent impressions could cost brands up to $50bn by 2025. What, in your opinion, is the most realistic number this could be reduced by, and what would the online advertising industry have to do to achieve it?

It’s hard to find causes in the current market place that would suggest it would not end up actually being much higher by 2025. If we think that programmes like TAG’s [Trustworthy Action Group] Certified for Ad Fraud are going to help do it, the question is that if TAG, which essentially is an IAB spin-off, is supposed to be watching the vendors, who is watching TAG? Then you look at TAG’s committees, and you find the same companies that are being certified. We’ve gone too long thinking that the IAB actually knows how to deal with this. It is precisely under their watch, that the industry is now being slaughtered.

I’m not sure anymore if it’s all the conflicts of interest, or that they are genuinely lost, but in either case major intervention from advertisers is needed. That, or heavy-handed government regulators will have to step in. In the meantime, the only sure way to slow down growth of ad fraud is to slow down growth of digital, or even shrink digital investment in absolute terms from where it is now.

Click here to see more about the claims Kotila was taking issue with