TechFirst >> Where billions go to die: a deep dive into ad fraud

ad fraud podcast

Ad fraud costs billions of dollars each year. Why does that matter to you … and how can we stop it?

In this edition of Tech First Draft we talk about the size of ad fraud globally — between $10B to even $40B a year — and dive into the types of ad fraud and how we can stop it. We also talk about how ad fraud, which seems to just impact marketers and brands, also impacts every average person. Our guest is Luke Taylor, the founder and COO of TrafficGuard AI.

  • See below for audio, full video, and links to subscribe to the podcast
  • Keep scrolling for the full transcript

What we chat about:

  • How much money can you make with ad fraud? What do the fraudsters make?
  • Relate this to the average person in technology who is wondering why they care … why does ad fraud matter to the average person?
  • Specific kinds of ad fraud
    • App install farms
    • SDK spoofing
    • Misattribution (i.e. click spam, click injection; where ~80% of ad fraud occurs)
    • Domain spoofing
    • Cookie stuffing
    • Hidden ads/ads stacking
    • Bots & servers
    • Malware engagement
  • What about attribution fraud?
    • What is it?
    • Talk about advertising attribution, post-attribution and measurement
    • Mobile measurement partners (MMPs)
    • Conflicts of interest that exist in the industry to watch out for
    • Real-time reporting
  • Who are the fraudsters?
    • How are they winning at ad fraud over and over again?
    • How are you using AI to find and prevent fraud?
    • How can you track down where malicious ads originated?

Listen to the podcast here

Or, listen and subscribe wherever podcasts are published:

Watch on YouTube >> Ad fraud: where billions go to die

Or, of course, you can read the full transcript here …

Read the transcript: ad fraud

John Koetsier: Ad fraud costs billions each year. Why does that matter to you … and how can we stop it?

Welcome to Tech First Draft, with John Koetsier. Ad fraud … we know it’s huge. I’ve seen estimates ranging from $10 billion to as high as $40 billion a year, globally. Just today, Google kicked out 600 apps with over 4.5 billion downloads out of Google Play.

We have Luke Taylor today with us, the founder and COO of TrafficGuard, and he’s going to tell us how it works, how to stop it, and yeah, even talk a little bit about how it impacts you, me and the average everyday person.

So let’s bring Luke in right now. Hello, Luke.

Luke Taylor: Hey, John. 

John Koetsier: Where are you joining us from? 

Luke Taylor: From Perth, Australia this morning. 

John Koetsier: Wonderful. So it’s your morning, my afternoon, perfect. You said you’re on your first coffee. I’m on my last if I drank coffee, we’re ready to go. 

Luke Taylor: Perfect. 

John Koetsier: Excellent. Let’s start here and let’s talk about the fraudsters, the people who are committing all this that’s costing $10 billion, $20 billion, $15 billion, whatever the real number is. How much money can you make as an ad fraudster? What are they collecting? 

Luke Taylor: Yeah, a lot. I think Juniper Research is projecting that it will be $100 billion by 2023. So these numbers are really getting crazy. For the fraudster it’s pretty easy picking, it’s an easy target and there’s lots of money there. There’s been reports that there’s more money to be made in ad fraud than there is in drugs currently. So it’s a pretty large target for organized crime and fraud. 

John Koetsier: So if you’re the average ad fraudster and you’ve got a medium-size campaign or “company” that’s in ad fraud, what are you making? Are you pulling in $5 million, $10 million, $20 million a year, something like that?

Luke Taylor: I’d think at the minimum. I think the scale of these fraudsters could be individuals that are pulling in that kind of money, to major corporations that are involved in fraud that are doing many multiples of that.

John Koetsier: Yes, exactly. And whether they are 100% fraudulent or not, we don’t really know, but Cheetah Mobile for instance, is a major corporation that Google has basically said, ‘you’re not welcome on Google Play.’ 

Luke Taylor: Yeah, that’s right. And so it’s not the typical kid at home kind of sitting behind his computer on his own that’s causing this, right? It’s people that have thousands of employees targeting advertising and stealing dollars away from advertisers. 

John Koetsier: Absolutely. Okay. So we’re going to get into different kinds of ad fraud. We’re going to get into a lot of those and how to stop them, how to find them, other things like that.

But let’s relate this, first of all, to the average person in technology who is wondering why they care? Okay, so advertisers are spending a lot of money, fraudsters are taking a bunch of it. It seems like a victimless crime to me if I’m not in the industry. Why does ad fraud matter to the average person?

Luke Taylor: Well, I guess many average people are business owners and any business owner that’s advertising is going to be affected by this. It’s not just affecting large brand corporations that are spending millions of dollars on advertising. It’s affecting everybody down to spending hundreds of dollars a week maybe on just local search and trying to advertise their business.

I guess more generally for the consumer here it’s their data, and it’s their battery life, and it’s their dollars. Ultimately they’re paying for all of this advertising somewhere. Much of the fraud is occurring on mobile devices, on their desktop, where malicious applications are running in the background producing all of this fraudulent activity. 

John Koetsier: Yeah, I believe I read or saw a study probably even a year ago by now, that something around 80% of the data that some people were using, I guess they weren’t heavy video users, was actually ads running in the background or other things like that. I assume another challenge here is that we rely on ad supported services.

I mean, I use Gmail, you use Gmail. I use Google, you use Google. I use Facebook. I don’t know if you do, other things like that. Those are ad-supported services and whether we like that or not, whether that’s done good things to our economies and our societies or not, if a lot of that ad revenue is getting taken off the top that’s got to have some impact. 

Luke Taylor: I guess for majority of the fraud we believe it’s at the far end of the funnel. So if you’re looking at Google and those kinds of platforms that are ad-funded, like it’s the publisher. It’s the person that Google is then paying that’s committing the fraud, and then everybody in between just takes a clip of it. So that’s where if we don’t do something about this then you know we’re all kind of involved in this process.

John Koetsier: Excellent, excellent. Okay, good. Let’s talk about some ad types specifically. So I’ll mention a type, I’ll throw it out there, you tell me what it is and how to prevent it. We’ll start with a really old one … app install farms. 

Luke Taylor: Right, so app install farms, you’ve seen the pictures. Lots of phones, big warehouse, could be operated by people or it could be automated, but really they’re just installing apps, removing those apps, reinstalling them, rinse and repeat, all day, every day. 

John Koetsier: Yeah, sounds like a lot of fun. That’s at the bottom end of technological sophistication, but the next one … SDK spoofing, that’s kinda more technical. 

Luke Taylor: Yeah, so SDK spoofing is really going hard against the mobile measurement platform right? It’s compromising the signal between their SDK and their application, and then reproducing, like creating a synthetic signal so that they don’t even need to install the application. So instead of having all of those real devices that they need to orchestrate, they can simply have a server, an application themselves that’s just sending, replaying data from somewhere else.

John Koetsier: Exactly, and so to give some context as well for people who are watching, SDK spoofing of course is ad fraud that’s happening when people are paying for app installs. And that’s big business, I mean there’s billions of dollars in just the US alone, and probably over $10 to $15 billion spent globally on getting people to install your apps.

So there’s a lot of misattribution or other SDK spoofing that goes on there. Actually, that’s the next one … misattribution. Talk about that one, click spam, click injection, that sort of thing. You’re saying that’s where 80% of the fraud occurs?

Luke Taylor: Yeah, for a lot of our clients that are running mobile, that’s where we see a lot of the fraud and we’re able to prevent a lot of that through mitigating at the click. So attribution relies on two components.

One is either an impression or a click that passes on some information that says who the traffic source is, who’s going to be rewarded for an install that might be generated from this. And then at the other end it’s the install, like the conversion point. And so attribution is tying those two things together. 

So what the fraudsters are doing is just sending so much signal with their own name stamped against it, so that they have the highest opportunity of then matching an install that comes in. And so we’re able to defend against that to prevent this type of fraud by mitigating at the click. You know 80% of the fraud that we see is through misattribution and 90% of that fraud we’re actually able to mitigate at the click level. So we’re blocking hundreds of millions of clicks on a daily basis that are attempting to cause this type of fraud. 

John Koetsier: It’s pretty interesting. I’ve consulted with Tune in the past which was an MMP. I’ve consulted and still do a bit of consulting with Singular which is an MMP. And sometimes in the data, I’ve seen platforms or networks where you saw literally tens of thousands of clicks per install and you’re pretty sure you’re seeing tens of … 80,000 clicks or 60,000 clicks for every one app install that those clicks generated. There’s something a little bit fishy going on. 

Luke Taylor: That’s exactly right, but trying to convince some people of just that basic observation is still difficult. There’s still lots of education that needs to be done on fraud in general. 

John Koetsier: It’s amazing. Talk about domain spoofing. 

Luke Taylor: So, domain spoofing, we spoke about the malware or toolbars that’s something recent. Google just removed a whole load of browser extensions, Firefox last month. This type of malware resides on people’s local computer and then as they navigate through different websites it’s able to then change up the domain. So a site that is not premium can be represented as one that is, or a site that’s just covered solely in ads says that it’s the New York Times.

John Koetsier: Exactly, yeah. You think you’re buying ads on the New York Times, you’re actually buying ads on or something like that, some total made up domain.

Luke Taylor: And you know this is typical of pretty much everything in what we do is that you can’t trust any piece of information that you receive. So a large part of detecting fraud is trying to determine through the data that we’ve collected over a large period of time through further enrichment, which things we can have some trust in and which things are likely, so that we can determine whether it’s a real engagement or a fraudulent one.

John Koetsier: Exactly, so obviously we’ve moved from the mobile app install world to the web world. Let’s continue and stay there a second and talk about cookie stuffing. 

Luke Taylor: So cookie stuffing is a decade old technique. Amazon, eBay, Google have all had lawsuits against their companies in the past for exactly this, and it basically is to place a cookie on a consumer’s browser from multiple sites, so that then when they go and convert at one of these places they get the reward. So, very similar to the techniques of click spam from mobile, just a really old method from the browser world, and you know, this is still ongoing. All of those big guys that I mentioned have closed out their affiliate campaigns. They don’t run this type of advertising anymore, but there’s still lots of people that are running this and they’re susceptible to this kind of very trivial fraud.

John Koetsier: Exactly. So a little more context around there what might be happening is you go somewhere and you buy something, maybe it’s on Amazon, maybe it’s somewhere else, but somebody is getting a commission on that, or somebody is getting even a bounty on that. You buy an information product for instance, and there’s a $50 bounty or a $20 bounty or something like that, and somebody who has stuffed cookies all over the place gets credit for that, rather than the actual place that you clicked on to go buy that thing. Very insidious stuff, and ancient as you’re talking about.

Luke Taylor: Yeah.

John Koetsier: This one is also ancient, hidden ads or ad stacking. We’ve seen that for a long time, we now see it in mobile as well, correct? 

Luke Taylor: Yeah, there’s some apps that we’ve been looking into lately and within three seconds of opening the app you get 10 ads. A couple of those are full screens just overlaid over themselves, so this is definitely starting to happen more in mobile. But it’s just increasing inventory, like when you’ve got a website that’s only got a certain amount of space to display ads, if you want to increase the amount of ads that you can display to a user you just put 10 of them in the same spot. You know that consumer is never going to see the other nine, but they still charge for them nonetheless. 

John Koetsier: And all of a sudden your browser is just using up all your CPU and you have no idea. 

Luke Taylor: You know this is why people should care, right? ‘Cause they wonder why their brand new phone or laptop doesn’t last more than a couple of hours. It’s unfortunately due to ad fraud. 

John Koetsier: Exactly, cool. Let’s move up the ladder a little bit in terms of sophistication and talk about bots and server-based fraud. 

Luke Taylor: So server-based fraud, less sophisticated in their approach. It’s pretty trivial to determine if something’s operated from a server nowadays and it should be something that everybody is protecting against. Bots can range from something that is good, so it might be that you see a certification bot or a Google bot or some good bot that’s actually performing some kind of service across the advertising. Obviously you don’t want to pay for that as an advertiser, but that’s an example of something good that we might see. And then there’s the bad bots and they can range from pretty trivial examples to highly sophisticated bots that can download an application, install it, play the game for days through that to be able to really produce an outcome. Many of these games might be paying for purchase after a level seven say, and the reward for that is far greater right? They might earn tens of dollars for that kind of a conversion and so they’re incentivized to put in this effort. 

John Koetsier: That’s super interesting of course because what we’ve seen in the industry over the past few years is people moving from a pay-per-install CPI type model, or at least for an app install model, to CPA you pay-per-activity or engagement or something like that happening in your app, a level being passed or something. So you had some, it was sort of downfunnel, you sort of had some idea that there was an actual person there, they were actually playing the game, or using the app, and actually created an account maybe, or other things like that. And now sophisticated fraudsters are mimicking that and that’s pretty hard to tell. 

Luke Taylor: Yeah, definitely, they have all of the same tools at their disposal that we do on the other side of the fight, and you know they’re highly financed right? They’re hundreds of millions of dollars…

John Koetsier: Self financed, yes!

Luke Taylor: And as we mentioned at the beginning, some of these are corporations that have thousands of people working for them. So these things can get very sophisticated. 

John Koetsier: Yes. One other that you added to our list here is malware engagement. Talk to me about that. 

Luke Taylor: So, becoming more prevalent I think, because it’s become easier to identify things that are happening from servers, then this malware is getting pushed out to the consumer level. Trying to operate through proxies or rotating IPs is difficult, so just moving out to domestic IPs through using the consumer’s own browser you know it’s cheap. They don’t have to pay for their resources, and so we’re seeing that malware is more prevalent, especially in mobile. There’s been nearly every month a huge number of apps that Google has removed due to malware and lots of this is just on the ad fraud.

You know, obviously there’s other impacts there. So stealing data, and other things that consumers would be concerned about, but nearly every single one of them has a component of ad fraud because that’s how they monetize all of this. 

John Koetsier: Exactly, or stealing the data of course as well. And then one key factor you can look for there if you’re looking to install an app, if it wants every permission possible … 

Luke Taylor: That’s right.

John Koetsier: … for a flashlight, maybe not a good idea. 

Luke Taylor: Yes. 

John Koetsier: Let’s talk about attribution fraud a little bit and maybe give a 30 second intro to, first of all, what is attribution? Why does it matter? Why has an attribution area even come up? And then what’s attribution fraud? 

Luke Taylor: So I guess attribution is the advertiser determining who they should reward, who they should pay for the effort of engaging the consumer. So they want to acquire new users to their mobile application. They engage a number of parties to be able to send them those users and they need to determine which party sent which users, and so they employee a mobile measurement platform who’s able to do the attribution between the click of an ad and the install of the application. 

John Koetsier: Yeah, exactly, and of course there’s a broader area of attribution as well, right? For every advertiser you want to know what ads worked, what audiences resonated, where did I … when I put ads in 15 or 500 different places, which ones of them should I continue buying in? That sort of thing. But in the mobile space specifically, we’ve had these MMPs come up, these mobile measurement partners who will then kind of arbitrate that and look over at both and say, ‘hey, this ad was clicked on here and created that result.’ Talk about some of the fraud that happens there. 

Luke Taylor: Yeah, so unsurprisingly as the mobile measurement platform is the decision maker in who gets rewarded, who gets paid, they have been the target of much of this fraud. So we mentioned click spam and click injection earlier, these techniques are highly focused at the attribution to be able to overwhelm the MMP, so that they can’t make the correct decision. In the industry broadly, last click is still the method of attribution. That means that the source that sent the last click engagement, prior to the install, gets the reward. And so, it just keep sending clicks and then hopefully you’re the last source and you get the reward. 

John Koetsier: Yeah, exactly. You talked about some conflicts of interest in the industry … explain a little bit more about that? 

Luke Taylor: So the conflict, especially with the MMP if they’re charging for paid sources but they’re not charging for organic installs, it makes it very difficult for them to not attribute an install to a paid source right? They can’t say that every … 

John Koetsier: Exactly, especially if they’re charging per attribution. 

Luke Taylor: Yes. So then many of them just pay a charge per paid source attribution. And so if they say that it’s organic they don’t get paid. So they’re kind of incentivized to find a source that is appropriate and you know that makes it a hard judgment. They need to make money in their prices. 

John Koetsier: Absolutely. And just a note here, having actually consulted with two attribution providers over the past probably decade or something like that. There are some attribution platforms that do charge per attribution, and there are some that are kind of a software as a service platform and you pay a flat fee for an attribution service. So that could have some impact in those decisions and in that conflict of interest or perceived conflict of interest. Okay cool. So let’s talk about you a little bit, and let’s talk about what you do and how you find the fraudsters. What are you looking for? What technology do you employ? And tell us a little bit more about that. 

Luke Taylor: So TrafficGuard is ad fraud prevention. We’re a multipoint, multichannel solution. That basically means that we’re analyzing signal across the entire consumer engagement funnel, so right at the impression, click, install or conversion, and then any post activity. So whether that be inside the application or across the website, and prevention being that as early as possible we’re looking to mitigate that. Mitigation in most cases means that it just doesn’t get into the attribution pool. We’re not looking to defend the website against these users. We are looking to defend the attribution against these fraudulent engagements so that these sources can’t get rewarded. How we do that … lots of lots of domain knowledge I think is highly relevant to fighting this issue, and lots of data science and engineering.

We have some really great people that have been looking at this problem for a long time and continue to hunt down these things every day. And then of course technology. When we first started this things were a lot harder, but technology as we know constantly evolves a whole range of ability now to run ML that we didn’t have before. And you know these things streamline our processes. They allow us to do it across more data, in quicker turnaround. So where we might have run something in batch, we can now run that in real time which really helps our ability to then prevent in real time. And we can start focusing on a surgical approach, so we can evaluate every single transaction in real time on its own merits using ML techniques, rather than having a batch process that just classifies a whole traffic source and just box them at the end of the day.

So we’re providing the protection, but we’re also providing our clients the ability to scale. We’re not just telling them, ‘guys, just stop advertising, that’s the solution.’ We’re looking at every interaction and just mitigating their risk to ad fraud. 

John Koetsier: And it’s really critical to find where you’ve got good ads and where you’ve got bad ads coming from, right? Because you’re making future allocation decisions on marketing budget based on the results you’re seeing right now. And if those results are skewed, so if you’re seeing that channel X is really working … we’ve got like 300% return on ad spend there, this is awesome … and you throw the rest of your budget there, you might be throwing that into a black hole. It’s really, really important to get it right. 

Luke Taylor: That’s right. And some of our clients, the service we’re providing to them is not … they’re not in performance advertising. And so it’s not the attribution component but it’s the clarity of data. So they’re still running analytics, they’ve still got a CRM, they’re still looking at their sales funnel, and if it’s polluted with all of this fraudulent engagement then they’re looking at the wrong stats, like all of their KPIs are affected. And so that’s a component of the service that we provide as well.

John Koetsier: Interesting, interesting. Okay, cool. So let’s say we’ve implemented a solution, we’re finding the bad ads, we’re finding the fraud. It’s wonderful, we’re super happy, we’re excited. Google kicks a bunch of apps out of Google Play, some of the ad networks kick out some of their publisher sources that sort of thing. What happens the next day, the next week, the next month, something else pops up right? 

Luke Taylor: Yeah, and you know that’s the nature of this. I think the advertising ecosystem has so many layers that the ultimate fraudster at the top of the funnel could be sitting behind many networks. So when they get blocked at one they’re still running with hundreds more so they’re not affected as much. For our solution, and I think the real point of difference in how we apply this is that we’re not looking in post to try and remove these sources, by applying this prevention in real time this is all automated right? So what we see is that those traffic sources are unable to make money or are impeded from making as much money. And so naturally in the optimization of campaigns they drop out. They don’t continue to send fraud, so nobody has to actually go remove them, but they’re just the people you never hear from again. 

John Koetsier: You’re removing the economic incentive. 

Luke Taylor: Exactly, and so I think that’s the biggest way to tackle this problem is disrupt their ability to make money and then their problem will be removed. 

John Koetsier: Interesting. I think what’s also interesting, I’ve seen a lot in terms of fraud and fraud solutions and other things like that. A lot of the companies that I’ve consulted with have had solutions like that as well. But you’re over mobile and desktop, you’re kind of omnichannel, correct? 

Luke Taylor: That’s right, yeah, so mobile is a large component. There’s a lot of fraud there, but desktop as well. And so many of our clients in e-commerce, like traditional e-commerce, and they’re still running web properties where is the majority of their traffic. But we’re also in channels like PPC, so where smaller advertisers may be with only thousands of dollars budget are advertising their local services. And even in those areas if they’re running across a display network we see like one in three engagements as being fraudulent.

John Koetsier: Wow.

Luke Taylor: And you know if the type of fraud changes there that could be just your competitor down the road clicking your ads and exhausting your budget, rather than somebody with his bot empire. But it’s fraught nonetheless and it should still be tackled. 

John Koetsier: There have been cases where competitors have sent bots to click on ads for their competitors and just increase their marketing costs. So that does happen too, it’s pretty dirty pool, but it does happen. Interesting. Well, thank you so much for joining us, Luke. It’s been a real pleasure. 

I’d like to thank everybody who is joining us on this show as well. If this is the first time you’ve been on a Tech First Draft, great. Please like it, subscribe, share, comment, or all of the above. If you’re on the podcast later on, great. Please rate it and review it, that would be a massive help. Thank you so much. Until next time … this is John Koetsier with Tech First Draft.