Setting sights on remarketing fraud

By Michel Hayet & Ohad Sela
remarketing fraud - square

There are two common marketing methods of approaching your audience:

  1. The cold approach, where you aim to get a new customer interested in your product
  2. Remarketing campaigns, that aim to reignite an existing or previous relationship between a user and a product

Remarketing is a clever route for advertisers to gain additional revenue from advertising efforts that were carried out previously. This is further supported when these efforts prove to be successful.

A user that has already shown interest in using an app, will most likely require less convincing than a new one. The existing user is more likely to have a previous positive experience of engaging with the app. Thus, making this potential target audience greatly more appealing for future promotions or touch points, but also, unfortunately a target for fraudulent activities.

The above listed benefits make these users prime candidates for bad actors to try and exploit.

The fraud appeal in remarketing traffic

There are multiple reasons for fraudsters to set their sights on remarketing campaigns. Let’s take a look at what makes these campaigns particularly attractive.

Pre-approved traffic

Remarketing traffic is compiled of users who have already proven to be legitimate, active users. These are users who have already managed to “pass” the fraud identification test, at least once. Previously, they may have displayed good LTV, otherwise they would not have been approached again by the advertiser.

This could often result in advertisers lowering their shields, as they believe they’re dealing with legitimate traffic. However, the credit for legitimate traffic can still end up in the wrong hands.

Fraudsters have full awareness of this loophole and will not hesitate to exploit this situation, deploy attribution hijacking techniques, and steal credit from legitimate partners who have in actual fact delivered these conversions. 

Better statistics: 

Remarketed traffic is traditionally chosen from the overall advertiser’s audience segmentation groups as it holds greater ROI potential. Great effort goes into identifying this audience group, which in turn, enables the fraudsters’ mission.

For example, instead of aiming at general traffic (using random click flooding) fraudsters would focus on remarketing traffic for greater intent and return. 


The state of mobile ad fraud


Higher pricing:

CPA campaign rates are often priced significantly higher than CPI, which makes perfect sense, as an engaged-user is worth a lot more to the advertiser than a simple app installation. These users are more likely to make in-app purchases, view ads, and generate revenue for the advertiser.

When aiming to attract users to return and re-engage with an app, many advertisers will try to gain their attention and push them towards one of these CPA events.

In-app purchases, bookings, and other actions can lure a user to re-engage with the app and generate immediate value in the process. This is a more profitable target for attribution hijacking attempts, as the potential return on fraudulent action could include a higher and more lucrative CPA rate.

Greater investments lead to greater impact

An advertiser’s remarketing database is perhaps the most prized possession in their user acquisition arsenal. Some companies, potentially would even invest significant resources in constructing this audience segment. Using third-party services to help identify these valuable users, or alternatively invest in internal BI teams and tools. 

This makes the re-acquisition of a user a significantly more expensive process, with each acquired user being that much more valuable.

Once fraudsters enter this equation their negative impact amplifies as a result. 

Standard attribution hijacking methods like, install hijacking, and click flooding mean that the credit for an acquired user goes to the fraudster instead of a legitimate partner. When these fraudulent actions are not blocked, the fraudster will feel encouraged to proceed in these actions, resulting in the legitimate partner’s dwindling motivation, as they are not receiving payment or acknowledgment for their hard work. 

Remarketed users cost significantly more to identify and purchase, making each successful fraudulent attempt dramatically more damaging to an advertiser’s marketing efforts. 

Prevention techniques

Although fraudsters can try and fake re-attribution installs, currently the majority of such traffic originates from self reporting networks (SRNs). In fact, 80-87% is derived from Google Adwords, Doubleclick, Snapchat, and/or Facebook.

The above ad networks are considered fraud-free and generally trustworthy. However, overall fraud trends continuously prove that fraudsters are always seeking new methods to obtain additional conversions. 

With the majority of remarketed installs coming from trusted sources, the immediate focus should be on preventing hijacking attempts. Specifically with fraudsters who attempt to steal credit for users who either re-install or re-engage with an app.

In some cases, app engagement hijacking could be easier than hijacking install attribution. A user’s interaction with an app is an ongoing process, while the installation is a one-time (or very few times) occasion. Theoretically,  every active user installation could generate numerous in-app events that could be hijacked. 

Clinging to installations that have already occurred, and monitoring the user’s activity is easier than predicting when a user will install an app.
A recent growth of remarketing click volumes indicates that this is a direction fraudsters are definitely looking into.

Remarketing clicks volume growth in 2021

Protect360’s (AppsFlyer’s fraud protection solution) recent addition of dedicated remarketing fraud detection algorithms and blocking logic are set to prevent these attempts at their earliest stages. These algorithms are designed to identify and block click-flooding attempts, looking to steal credit for remarketing campaigns.

Key takeaways  

While remarketing campaigns are seemingly the sensible choice, previously engaged users are also prime candidates for potential fraudulent attacks.

Fraudulent hijacking methods are a serious threat for advertisers who put their faith in the remarketing route. This threat should be an integral consideration in every experienced marketer’s marketing strategy.

Protect360’s ongoing mission is to address and protect all possible threats within the app attribution ecosystem. The introduction of an additional line of defense against such actions, means advertisers can go about their remarketing campaigns with confidence. 

Michel Hayet

A former digital entrepreneur, Michel has experienced all aspects of the mobile marketing ecosystem. Studying the intricacies of the digital advertising space, Michel explores technology innovations surrounding mobile ad fraud, predictive analytics, and various tech-stack solutions that make mobile marketing safer and more efficient.

Follow Michel Hayet

Ohad Sela

Ohad is a fraud analyst in AppsFlyer’s Protect360 anti-fraud solution.Prior to his role at AppsFlyer, Ohad was a business intelligence developer in the health services field.

Follow Ohad Sela

Ready to start making good choices?