Gautham Thomas

A pharma giant just completed a major programmatic ad buy, aiming to reach a rarefied audience: the small population of American oncologists. Through the exchange, the ads land on Oncology Tomorrow, a brand-new and fast-growing website. After a month, Google Analytics shows, the website had gathered more than 100,000 visitors, a similar number of search referrals, and 250,000 page views.But virtually all of Oncology Tomorrow’s traffic is fake. A follow-up analysis estimates that 0.03% of the site’s impressions were human—only 76 of roughly 220,000—with bots making up the rest. These are the automated programs that simulate ad impressions, click-throughs, and even profiles of high-value visitors like the oncologists targeted by this fictional pharma company.Oncology Tomorrow, however, is real. Yet it is not the work of a malicious hacker. Wei Han Frank Lin, chief technology officer at DMD Marketing, built the website and its army of bots. Now he points to the experiment as a compelling demonstration of how easy it is for healthcare companies to lose advertising dollars to high-tech ad fraud. “When we looked at the actual data, only 1 physician had ever visited the fake experimental site,” he said.The scale of ad fraud is striking. The third annual ad fraud report from the Association of National Advertisers and the cybersecurity group White Ops shows an estimated $6.5 billion lost to the practice in 2017, down from an estimated $7.2 billion the year before. The study used specially designed detection and tracking software in partnership with 49 major companies, including Unilever, Walmart, and AT&T. The report attributes the drop to increased awareness and better detection techniques from individual companies, but the overall decline in digital ad fraud appears slight.Oncology Tomorrow and the many sites like it are surprisingly difficult to detect. But with millions of dollars at stake, it is critical that decision makers across the healthcare field, from pharma to hospitals, understand the nature of this threat.At first glance, Oncology Tomorrow is indistinguishable from other medical information sites. There is nothing obviously fraudulent about it. It is well designed, with a fresh logo, catchy headlines, and colorful stock photos. Click a link, and visitors get a short blurb describing, for example, a recent Drexel University study showing that an increase in cigarette prices will lead to more smokers quitting.But it is a front, a ghost site not meant for human consumption. Any human visitors are unintended side effects. The site is an automated advertising money drain, crawling with Lin’s bots. Companies pay the rates for cost per click and cost per thousand impressions (CPM) but without actually reaching the humans they believe they are.Lin used multiple methods to load Oncology Tomorrow with bots. He harnessed traffic brokers, for which low up-front costs almost ensure that all subsequent activity will come from bots. Lin also used “click farms,” an arrangement in which human workers, often in third world countries where wages are low, click through sites over and over again. And Lin purchased bots from “the darker side of the Web” and customized them.“All websites love search term referral lending,” Lin said. “I created a bot that pretends to be a human being, submits a search for Oncology Tomorrow, clicks through on a [search] result, pretends to have mouse movement, and clicks on ads as a click-through.”Bots can also simulate demographic profiles used to target ads, said Augustine Fou, a fraud and cybersecurity researcher with Marketing Science Consulting Group. By visiting sites that physicians might visit and picking up cookies, bots camouflage themselves with a browsing profile identical to those of actual healthcare professionals.Bots, for instance, can visit the sites of prestigious medical journals. Based on a broad look at these medical publishers, Fou believes bot traffic to legitimate journals is small. “They go there first, collect a cookie, and it looks like they visited the journal, and then [the bots] go elsewhere and attract retargeting dollars,” he said. Companies “pay more money to try to retarget them when they show up elsewhere. Bots are making more money by posing as a valuable visitor and going elsewhere to cause the impression.”Or those bots collect cookies and use their profiles on traps like Oncology Tomorrow, what Fou called “fake cash-out sites.” Past reports suggest that bots and these honeypots have invaded the digital ad economy. And crawlers even earn higher click-through rates than humans.Another common ad fraud technique is “spoofing,” in which fraudulent publishers imitate the URLs of prestigious sites, using bots to simulate impressions and clicks. In December 2016, White Ops revealed a criminal bot network it dubbed Methbot, named for references to the drug meth in its code. The bot network was earning $3 million to $5 million per day. It spoofed more than 6000 “premium domains,” according to the company. The ads were real, but only bots were watching.In September, the Financial Times discovered that it was one of those premium publishers targeted by spoofers. Fraudulent ad inventory purporting to be from the Financial Times, according to a report, was worth $1.3 million per month.Pharma and other sectors of healthcare might face a greater challenge than the rest of digital marketing. This is because of higher ad rates paid to reach a more specialized audience, Lin and Fou said.To combat this, Fou suggested, companies should be wary of large numbers. “It’s trivial for bots to pretend to be whomever you want to see,” he said. When trying to reach oncologists, for instance, it is important to remember the small size of the desired audience. There are around 15,000 oncologists or hematologists and another 8500 subspecialists, according to American Medical Association listings. How could a legitimate site attract that total, let alone a larger audience?It is also key to search for “look-alike” audiences, Fou said: “They see if other users visit the same set of sites. If they did, we assume they are the same type of user.”The solution offered by Lin’s company, DMD Marketing, is an opt-in white list, a way to sidestep the technology arms race between bots and detection technology. The audience identity management platform “will allow us to authenticate and identify a physician in real time,” Lin said.For smaller audience targets, ad exchanges and publishers deserve high CPMs, Lin said. “How they are measured is the problem we think they need to fix. If the industry can do a deterministic way to identify actual targeted impression, we would advocate even higher pricing for that.”Fou, meanwhile, recommended that pharma and hospital marketers optimize for business outcomes to minimize risk. “Don’t go after reach and frequency. This is not a branding game,” Lin said. “It’s about niche and how tight your targeting is going to be for pharma marketers.” Asking for quantity where it doesn’t exist opens the door for fraud. To avoid being suckered by spoofed URLs on ad exchanges, he suggested replacing programmatic ad buys with direct buys and demanding transparency and more data from advertising agencies.In the end, this issue is not about fearmongering but vigilance. “The good news,” Lin said, “is that publishers, and especially reputable partners, are sincerely trying to get the best outcome for patients and the physicians.” The bad news is that hospitals and healthcare at large must continue to keep an eye out.