Published May 2015
A lot of ink has recently poured onto the subject of digital advertising fraud—which is a great thing. Fraud is a real and serious problem, but some, we think, still hold a mental image of fraudsters as one-off bad actors sitting in a dark room racking up clicks on ads on their site to make a few extra bucks. The truth is far more troubling: the majority of ad fraud today is perpetrated by sophisticated organizations that devote vast resources to build and operate large scale botnets run on hijacked devices, to reap multi-million dollar payouts [1,2].
Stopping these bad actors requires an industry-wide, long term commitment to identifying and filtering fake traffic from the ecosystem. This is not a task any one company can take on alone. We need everyone across the industry to take steps toward making digital advertising more secure and transparent. Here are some actions we’re taking to help move the entire industry forward. (We hope others join us.)
Describing threats in common, precise language
Many of the statistics and headline-grabbing disclosures in the market today do a great job of creating panic, but share very little detail to help anyone actually solve the problem.
Imagine if police officers looking for a bank robber could only describe the criminal as “suspicious”. The robber would be free for life. And yet this is disappointingly how advertising fraud is policed today. “Fraud” and “suspicious” are seen as synonymous and applied to everything from completely legitimate ad impressions to fake traffic generated by zombie PCs infected with malware. Before we can stop advertising fraud, everyone needs to start using common, precise language to disclose fraudulent activity.
The IAB introduced its Anti-Fraud Principles and Proposed Taxonomy last September providing the industry with this common language and we strongly support these standards. But these are early steps – as an industry we can’t stop there. When fraud is identified it should be shared in a clear structured threat disclosure, mirroring how security researchers release security vulnerabilities. By increasing the amount of data we share in a transparent, helpful way, others in the industry will be able to corroborate any claims being made, remove the threat from their systems, removing it from the ecosystem. Further, if a public disclosure could lead to further damage, then vulnerable parties should be notified in advance.
Ensuring bad actors can't hide: Supplier Identifiers
If you bought a designer scarf in a store only to find out it’s a knock-off with a fake label, you’d expect a refund. You’d also know which store to avoid in the future. The same should hold true for fraudulent inventory. When fraud is identified, it should also be possible to identify the seller or reseller who should take responsibility for the inventory.
Today this doesn’t hold true. As an illustration of the problem, we are currently finding significant volumes of inventory misrepresenting where the ads will actually appear and in many instances there is no reliable and verifiable mechanism to identify who in the supply chain is responsible for this misrepresented inventory.
To address this problem, we propose that the buyer of any branded (non-blind) impression should be passed a chain of unique supplier identifiers, one for each and every reseller (exchange, network, sell-side platform) and one for the publisher. With this full chain of identifiers for each impression, buyers can establish which supply paths for inventory can be trusted and which cannot. If a buyer finds a potential issue, and it’s clear where the problem lies in the supply path, then there should be an unambiguous process for refunds. It will also be easy to avoid this supply path in the future.
Ultimately the burden for ensuring the quality of online inventory starts with those who sell it. To this end, we submitted a proposal to create an industry managed supplier identifier to the IAB Anti-Fraud Working Group in February, and we’ve heard others in the industry support this call for more transparency. We've come to take this type of guarantee for granted when we shop in a store – let's work together and make it a standard for digital advertising as well.
Cleaning up campaign metrics
Before investing your hard-earned money in a local business, you’d definitely review their financial reports to understand if it’s a good investment or not. In digital, campaign metrics are the record of truth. They help advertisers evaluate which inventory sources provide the greatest value and outline a roadmap of where ad spend should be invested. But if these metrics are polluted with fake and fraudulent activity, it’s impossible to know which inventory sources provide the best return on spend.
Now, imagine if you invested in that small business only to find out it was actually a fictional front created by an organized crime ring, complete with receipts and a cashier, to cover up their back office money laundering operation. Fraudsters work hard to disguise their bot traffic as being human by having them do things like go window shopping or plan a vacation to create a whole world of made-up conversions and interactions before directing them to their final destination.
As long as fake traffic still appears to be delivering value, advertisers’ spend will continue flowing to the operators of fake traffic sources. Of course our industry should push for 100% fraud free ecosystem. The reality, though, is that some will likely always slip through. When it does, it's also our responsibility to keep it from skewing marketers' metrics. If we can keep reporting systems from giving credit to fake traffic, this removes the incentive for publishers to buy this bad traffic from bad actors.
As an industry, we owe it to our clients and ourselves to ensure that metrics are clean and accurate. Let’s work together to identify fraudulent traffic and invest in systems to filter it out of campaign metrics.
A fraud-free ecosystem?
Advertising fraud is a real and serious problem, one that creates significant costs for advertisers, takes revenue from legitimate publishers, and enables the spread of malware to users, among other harms. To eliminate it, we must take action to remove the incentive for bad actors to create and sell fraudulent traffic. The steps I’ve outlined above seek to do this by cutting off their access to advertising spend and making it difficult for fraudsters to hide.
Over the coming months, we’ll be taking these steps and working with the industry to help others clean bad traffic from the ecosystem.