Mobile advertising is getting bigger. So is mobile ad fraud. Ad fraud has been a menace to digital advertising that shows no sign of abating. A report last year by the Association of National Advertisers and ad-detection firm White Ops found ad fraud costed the industry $7 billion last year. The rate of such fraud was “relatively unchanged” from 2014.
Against this bleak backdrop comes some good news: The center of gravity for digital advertising is shifting to mobile. By 2019, eMarketer expects the mobile ad spend to account for 72% of the U.S. digital ad spend.
That’s a welcome development because so far it’s harder to commit fraud on the most popular form of mobile advertising — in-app ads. But it’s not impossible by any means and the larger stakes will probably mean more fraudsters are entering the fray.
The biggest threat to in-app advertising: Device hijacking
So far, the biggest tactic used to perpetuate fraud on mobile is device hijacking. That technique, identified by ad fraud prevention firm Forensiq, loads as many as 700 hidden ads an hour onto an app. Apps can also simulate clicks and load an advertiser’s landing page without the user’s knowledge.
In a report last year, Forensiq estimated that more than 12 million devices in the U.S. (roughly 1%) had been hijacked and that the tactic affects 13% of all in-app ad impressions. Usually it’s publishers who carry out such fraud in an attempt to inflate metrics.
Device hijacking isn’t hard to foil because it’s easy to detect. However, advertisers should choose a reliable SSP partner that has measures in place to detect this type of fraud. In some self-service exchanges, no one is checking the quality of the apps so publishers can create a profile and start monetizing their apps right away. It is of utmost importance to work with a platform that has strict publisher onboarding standards. Furthermore, advertisers should choose a partner that takes viewability seriously, as it is one of the ways to detect fraudulent impressions.
Automated Traffic Issue
Much of the mobile fraud is associated with automated or non-human traffic. Ad requests come from bad IPs, hosting providers (where servers rather than users trigger ad requests), anonymous proxy servers or TOR network nodes, or spoofed user agents or device IDs.
Ever Smarter Bots
The bots are becoming tougher to detect by simulating normal user behavior. Smartbots often change their browser agent string and cookies under the same IP. They alternately create low- and high-volume traffic under configuration that looks like a busy enterprise network.
The Oldest Trick in the Book: Click Farms
One of the oldest types of fraud, click farms started out as manual enterprises in Russia, Vietnam, and China but have since became automated and highly sophisticated. Two types are worth mentioning: dummy click farms keep the same cookie but change the IP address after a few clicks, while smart click farms change both cookie and IP address after each click.
What Advertisers Can Do
Marketers can rely on partners to a certain extent to ensure that traffic is legitimate. However, advertisers usually have more data than their partners. To keep things honest, marketers need to ensure that the traffic they’re seeing is real. If not, they need to tell their partners.
Rather than say “your traffic is really poor and I don’t want to work with you,” advertisers should have an open, honest discussion about how much of the traffic appears to be fraudulent.
Something many advertisers don’t understand is that they are often placing ads via blind traffic. Blind traffic is made up of ad requests that come without a referred domain so you don’t know where the ads are running. Marketers shouldn’t tolerate blind traffic and should know where their ads are going.
Overall, mobile advertising is more fraud-proof than desktop advertising, but part of the reason is that it’s new and fraudsters are still figuring out ways to scam the system. As mobile ad fraud grows, the industry will once again have to band together to stay on top of the latest techniques. The members of the mobile ecosystem should and will learn from desktop to make sure that the same mistakes will not be made.