ComScore recently estimated that "50% of Web traffic is non-human and mostly malicious," meaning that over $25 billion in digital ad spend was wasted globally in 2012. As users and advertising migrate rapidly to mobile platforms, the problem only gets more severe — mobile is a very complex environment with far less standardization than desktop web and more vulnerable than ever to ad fraud.
While it is a step in the right direction that the ad industry has embraced 'viewability' as a key metric to ensure ad budgets are not wasted, this is just a small step that needs to be taken much further and continually improved upon. Why? Because viewability is only one metric of hundreds that need to be measured, and the perpetrators of fraud have already developed ways to engineer around solutions that check for viewability.
Take for example “bots” — computer software designed to specifically mimic online human behavior and programmed to browse, click, register, and even sometimes makes purchases (with stolen credit card numbers) just as a real human being would. These bots are now so sophisticated that they do take the time to ‘view’ Web sites and ads, fully rendering them in a browser window before clicking or moving on. This type of behavior easily overcomes viewability measurement tools and has allowed fraudsters to rack up billions in earnings.
The increase in social media activities like registration, voting, commenting and sharing have only made the matter worse as these are all typical human behavior that are easy for bots to mimic. In fact, the ease with which botnets can mimic real Twitter and other social media accounts unfortunately allows them to easily establish credibility for their ‘users’. (Do an experiment as you read this article and type in “buy Twitter followers” into Google … how many of those followers do you think are real and how many are bot accounts?)
Bots typically begin as some form of malware that users "catch" from a site they visited or comes bundled with a free application or video they download. Millions of users have infected browsers and never know it, unwittingly taking part in botnets. In other cases, bots could in theory be banks of computers that were set up for the sole purpose of mimicking human browsing behavior. However, actually operating a computer is a more expensive option than is secretly taking over an existing one that someone else is operating.
Botnet or fraudulent behavior could also come from ‘click farms’ — quite literally human sweatshops overseas where employees are paid or forced to browse Web sites, click on ads, and register for product offerings. This type of activity easily defeats viewability standards (since humans are actually looking at sites) and even defeats tools that check for USA-based IP addresses since the fraudsters use VPN’s (virtual private networks) to act from within USA-based addresses.
A comScore vCE study, which measured validated ad campaign delivery against human audiences, showed that just 2.8% of ads co-occurring with malware processes running on user’s machine were viewable to an actual web user. Moreover, a study last year found that for very small sites -- those with fewer than 2,500 monthly visitors - 83% of their traffic comes from non-human sources (bad bots and good bots -such as search indexing) with bad bots accounting for 49 percent of traffic.
What can we do to prevent ad fraud if basic tools like viewability metrics and geographic/IP restrictions don’t work? We have to stop treating the issue like an advertising problem and realize it’s a cyber-security issue.
Cyber-security companies have been fighting issues with spam, malware, viruses,
and even botnets that target e-commerce sites for years. The key difference here is that, unlike most ad agencies, security companies realize that this is an arms race, a competition that will
never end but always evolve. The digital ad industry has to continually invest in new solutions, both through internal engineering and by using third-party vendors, and realize that as soon as a
new solution is launched there will be a “blackhat” attempting to reverse-engineer and defeat the solution.
Advertising agencies need network security engineers and vendors just as much as their clients (brand advertisers) like Nike, Ford, and American Express do -- but many do not.
While this may sound like a grim prognostication, it is also realistic and positive in that we can see a road map to a solution. Once we stop viewing ad fraud as a problem that will go away once the right, single solution is found the sooner we can get on to winning the ad security arms race.
Perhaps the arms race should be amongst ourselves – between sell side and buy side platforms – so that we continue to push each other forward in developing solutions that always keep us a step ahead of ad fraud perpetrators. And while IAB’s TOGI task force was recently established to develop and recommend solutions, many ad tech players – including exchanges, DSP'S, networks, and publishers – have already been making strides in both, rooting and keeping out fraudulent inventory. Marketers can take action too. The first step for them is to ask some key questions to ensure they are partnering with the best providers in the market. Download the questions here: http://bit.ly/16oAWIk
Great post Timur. You’ve succinctly and accurately surmised that this is a significant cyber-security issue, representing billions of lost dollars in advertising, impacting brands, publishers, data owners and consumers alike. And the goalposts are constantly moving…
Viewability is one part of the solution of course, but as you say we need to look to others to find a more comprehensive and systemic cure. The financial and ecommerce industries have been working with solutions to combat this kind of fraud for almost a decade. At the core of any fraud mitigation solution is device recognition; the ability to accurately recognise a phone, tablet, laptop as being a genuine singular entity, over a bot sitting in the cloud.
Secondarily, we need to work more cohesively with those who have the closest relationships with the consumer to enhance this recognition with relevant data. And all of this needs to be done in a way that respects consumer choice as well as their privacy, protects their data and honours government and industry regulation.
The one thing that hasn’t changed since the inception of digital advertising is our reliance on a single identification technology. As an industry we have been mainlining 3rd party cookies from as early as 1995. We need to kill an 18-year addiction to a technology that facilitates fraud, malware, data leakage and almost every other nefarious form of Internet activity that you can conceive of. Like most addictions it’s not good for us and we’re made to believe we’re reliant; there are plenty of pushers who make a great deal of money out of this dangerous and expensive habit, who would be just as happy to see it stay.