Why CPA campaigns don’t protect you from fraud

By Michel Hayet
cpa campaigns fraud protection

“Nothing truly great ever came from a comfort zone.”

When studying fraud in its various forms and methods you quickly learn that fraudsters, by nature, don’t let themselves get comfortable. They can’t afford to remain in their comfort zone, as they know they’re being pursued: they’re constantly on the move, looking for the next gap or loophole to exploit.

Advertisers, however, have a tendency to get comfortable.

Whether knowingly or unknowingly, many advertisers find themselves putting too much trust in outdated methods, which at the time of implementation may have indeed provided some level of improved performance, protection or assurance. 

The evolution of mobile advertising models

When mobile app advertising first hit the market, advertisers were introduced to the Cost Per Install (CPI) model – rewarding publishers with a payment per each install they managed to generate.

The advertisers’ approach at the time was, “get me the install and I’ll take care of retention”. This worked well for a while.

As fraudsters started targeting CPI campaigns and generating fake users or hijacking real ones, user quality started deteriorating and the focus shifted towards LTV-centric campaigns, birthing in-app event measurement and the CPA model – Cost Per Action.

CPA-based campaigns were the next step in the evolution of app promotion, with some advertisers even going as far as abandoning CPI promotions altogether, focusing solely on in-app events. 

By keeping an eye on in-app events an advertiser could differentiate quality users from less quality ones by measuring engagement, progress and in-app purchases. 

Advertisers were now optimizing not just by their media partner’s CTR but also by their ability to deliver quality users.

As user quality started improving the common belief was that running with cost per action campaigns actually protected advertisers from fraud.

CPA campaigns were believed (and rightfully so) to produce higher-quality, more engaged users, especially when compared to users coming from CPI-only campaigns. 

Well… sorry to be the one to burst that bubble, but this couldn’t be further from the truth.


The state of mobile ad fraud


Fraudsters can have a field day with CPA-based campaigns

Going back to the way fraudsters operate, this blind faith in the power of CPA as a fraud preventing method is exactly where fraudsters want you to be, as they’ve already caught up.

Utilizing sophisticated bots for their activity, fraudsters have managed to go far beyond the install, faking in-app events and purchases deep within the app.

In an extensive fraud data study conducted this year, we found that the average fraudulent install generated around 0.9 in-app events on average in Q4 of 2018. During Q2 of 2019, this figure tripled to 2.7 events per every fraudulent install, showing a clear path of where fraudsters are focusing their efforts.

Gaming apps, which rely heavily on measurable in-app events, are the ones who suffer the worst from this fraud. This issue, however, is hardly exclusive to the gaming vertical.

In-app purchases, which many verticals rely on in one form or another, are also becoming a target for sophisticated fraud.  A record 2% of all in-app purchases in Q2 of 2019 were identified as fraudulent – 10x more than Q1 of 2019.

It’s all about the $$$

While the average CPI stands at about $1.7, cost per action rates can be as high as $4.58 for a registration event (beginning of user journey), and up to $40 or $87 for purchase or subscription events, respectively. 

The potential reward for fraud, based on these numbers, is therefore significantly higher. Even though CPA-based campaigns are not as common as CPI-based ones, the reward for a successful infiltration beyond the installation point, going under the radar of standard fraud protection tools, would mean a highly rewarding payday from CPA events.

 The fake sense of safety some marketers feel with CPA campaigns along with the high rewards involved make this a win-win situation for fraudsters.

“The only thing necessary for the triumph of evil is for good men to do nothing.” – Edmund Burke

Fraud is not taking a break. If there’s money to be made, fraudsters will surely try and find a way to get a piece of it. We must always examine the current situation and evaluate our next steps, staying put will give bad actors the small advantage they seek.

When looking at the evolution of online advertising models, fraud actually has an integral part in the industry’s development, as it comes up with creative methods to eliminate fraud, improving its positioning and performance in the process.

It’s now time to move ahead once again by protecting our investments, by looking for fraud where it’s uncomfortable to look, beyond the install and attribution point. 

Post-attribution fraud detection is an integral part of AppsFlyer’s fraud protection suite, Protect360, as we look to identify sophisticated fraud which is not identified in real time, but it doesn’t stop there.

As we look forward and develop our existing and future methods of fraud protection we take a look at events, post install behavior and user biometric data as we go beyond our comfort zone and uncover fraud where we once thought it was safe.

Michel Hayet

A former digital entrepreneur, Michel has experienced all aspects of the mobile marketing ecosystem. Studying the intricacies of the digital advertising space, Michel explores technology innovations surrounding mobile ad fraud, predictive analytics, and various tech-stack solutions that make mobile marketing safer and more efficient.

Follow Michel Hayet

Ready to start making good choices?