Opening Up the Black Box of Ad Fraud Prevention

Ad fraud is one of the fastest growing cybersecurity issues in the world today. 2019 data showed that ad fraud is now costing advertisers between $23 billion and $30 billion a year and is expected to surpass the $50 billion mark by 2022. A 2020 study by fraud expert Professor Roberto Cavazos of the University of Baltimore suggested that 14% of all ad clicks are non-human, fraudulent or just completely invalid. For obvious reasons, this criminal activity continues to grow, as it is a high-reward, low-risk endeavor for hackers and fraudsters. Another reason the problem is spiraling out of control is that the traditional legacy ad fraud and click fraud prevention companies are essentially AdTech companies that lack cybersecurity expertise. In this blog, we’ll detail the 3 key failures of legacy ad fraud / click fraud prevention and explain how cybersecurity is being utilized effectively to replace these dated practices.

1. Impression sampling | Using probabilistic methods over deterministic methods

Before we even touch on the quality of ad fraud analysis out there, it is absolutely crucial to understand that many vendors don’t even examine all of their clients’ incoming traffic. In fact, they don’t even analyze most of it. Many companies will only take a small sample of the impressions (as little as 1%-5%) and perform their analysis on that sample. From this analysis, they will derive an estimated fraud rate and report back to the client. From a cybersecurity perspective, this is a very bad practice leading to highly inaccurate results. After all, this is not an election poll. Ad fraud and click fraud are highly volatile activities, differing vastly between different geos, devices, browsers, times and even dates. For example, ad fraud typically rises around the end of the quarter, when advertisers are looking to spend their budgets more actively and ensure there is no surplus. Different devices attract different levels of attention from fraudsters, as an iPhone is often viewed as a more lucrative target, commanding higher CPMs. Even the time of day during which you take your sample matters, as some activities tend to spike late at night rather than during peak daytime hours. The problem with sampling is that it is almost impossible to build a sample that assigns accurate weight to each one of these factors, making most samples completely irrelevant and out-of-touch.

When CHEQ entered the space, we brought with us one of the most common principles in cybersecurity and bot mitigation: check every impression, every time. Why do many vendors avoid this? Because they lack the technology to accurately analyze users at scale and in absolute real time, within the real-time-bidding protocol of 120ms. This is exactly why it is important to entrust your ad fraud and click fraud prevention to a real cybersecurity company, not an AdTech company.

2. IP blacklists | Blocking based on procured IP lists, rather than real user analysis

This is probably the largest gap in the ad fraud / click fraud prevention space. The problem is that legacy AdTech vendors are performing little to no analysis on the actual user. In fact, the industry’s best practice to this day is the deployment of IP blacklists, procured from third-party vendors like IP2Location. So much is wrong with this practice that it’s hard to know where to even begin. But let’s try. First off, IP blacklists age very fast, within days or weeks, due to the dynamic nature of IP addresses. So essentially, you’re putting your blocking in the hands of a dated, inaccurate list that will not only miss most of the fraudulent traffic but will likely also include large blocks of legitimate user IPs. For example, data centers usually get marked automatically as fraud on these lists, but many users could be using a data center IP and still be legitimate. So inevitably, you’re not only missing a ton of fraud, you’re also blocking real paying customers. Another problem is that these lists aren’t even vetted by the vendor, which means there is no way for you to rely on their accuracy. Moreover, if this is your vendor’s main filtration method, you might as well procure the blacklists and run them yourself, saving you the cost of an intermediary.

At CHEQ, we have repeatedly campaigned against this harmful practice, instead deploying over 1,000 JavaScript challenges to the user’s browser to validate their authenticity in real time. How do these JavaScript challenges work? In principle, when a user generates an ad request, our JS tag will challenge the data being transmitted from their browser. So, if the user’s browser lists iOS as the operating system, we will challenge that, prompting the browser to respond to certain tests. Based on the browser’s response to these tests, we can see if the user is in fact using iOS, or if there has been a data manipulation, indicative of fraud. This is of course one example of over 1,000 such challenges applied in real time to ensure accurate ad fraud and click fraud prevention.
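To make the iOS example concrete, here is a minimal consistency check of the kind described above, written for this article as an added illustration and not taken from CHEQ's product. The report shape, the three rules and the finding names are assumptions; the property names mirror the standard `navigator` fields a tag could read in the browser.

```javascript
// Added example: server-side check of a client that claims to run iOS.
// The report fields mirror navigator.userAgent, navigator.platform,
// navigator.maxTouchPoints and navigator.webdriver as read by a JS tag.
// Report shape and rule names are assumptions made for illustration.

function claimsIOS(userAgent) {
  // iOS user agents name the device and include "like Mac OS X".
  return /\b(iPhone|iPad|iPod)\b/.test(userAgent) &&
         /like Mac OS X/.test(userAgent);
}

function checkIOSClaim(report) {
  const findings = [];
  if (!claimsIOS(report.userAgent)) return { claimed: false, findings };

  // On a real iOS device navigator.platform is the device name.
  if (!/^(iPhone|iPad|iPod)/.test(String(report.platform))) {
    findings.push("platform_mismatch");
  }
  // Every iOS device has a touch screen, so zero touch points is inconsistent.
  if (!(report.maxTouchPoints > 0)) findings.push("no_touch_support");
  // navigator.webdriver is true when the browser is driven by automation.
  if (report.webdriver === true) findings.push("automation_flag");

  return { claimed: true, findings };
}

// Constructed sample reports (not real traffic).
const IOS_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1";
const SAMPLE_REPORTS = [
  // Values a genuine iPhone would report.
  { userAgent: IOS_UA, platform: "iPhone", maxTouchPoints: 5, webdriver: false },
  // Same user agent, but the other values come from an automated Linux desktop browser.
  { userAgent: IOS_UA, platform: "Linux x86_64", maxTouchPoints: 0, webdriver: true },
];

function evaluateSamples() {
  return SAMPLE_REPORTS.map((r) => checkIOSClaim(r).findings);
}

console.log(evaluateSamples());
```

Each value here is reported by the client, so a single passing check proves little; the approach relies on many independent tests being hard to satisfy consistently.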

3. Zero Transparency | Ad fraud detection and prevention is a complete black box

Finally, there is an issue of trust, as ad fraud prevention vendors typically operate as a complete black box. One thing any advertiser should be privy to is the data and reasoning behind the blocking. When you entrust your traffic to a third-party vendor, giving them authority to block users they deem invalid, you should have maximum transparency into that process, without of course divulging the actual filtration techniques. Yet legacy ad fraud / click fraud prevention vendors do not disclose any of this information to their clients. When a vendor tells you that 10% of your traffic was invalid, you just have to take their word for it. Was it higher, and they missed a ton of fraud? Was it actually lower, and they’ve been accidentally blocking real authentic users? Without transparency, these questions remain unanswered and the client is left in the dark. We realized at CHEQ that transparency is everything, so we built all of our products with this principle in mind. We let our clients download raw, log-level data directly from the platform, so that they may vet our decision making externally. We provide granular and detailed fraud reasoning behind every single blocked user, to make sure the client understands why we blocked certain users. This is crucial in building trust around such a sensitive topic.

Ultimately, it’s all about technology. To do ad fraud and click fraud prevention properly, you need a vendor with real cybersecurity and bot mitigation expertise, not an AdTech company that runs IP blacklists. With technological accuracy comes transparency, as companies that are doing a good job typically don’t mind sharing data and showing clients how they operate.