How to stand up to mobile fraud
Welcome to the nineteenth edition of MAMA Boards, an AppsFlyer video project featuring leading mobile marketing experts on camera.
Perhaps the most notorious of challenges faced in the mobile industry, marketers continue to struggle against the constant evolution of fraud attacks on their apps, losing billions of dollars a year. But wait no more to take a stand. Matt discusses the main types of fraud currently plaguing the industry, then offers two powerful approaches stopping fraudsters and keeping your data clean and performance high.
Real experts, real growth. That’s our motto.
Hi, I’m Matt Sadofsky and welcome to another edition of MAMA Boards by AppsFlyer.
I’m the Senior Director of Growth Marketing at TIDAL, which is a celebrity-owned international music streaming service similar to that of Spotify or Apple Music. Our differentiator is high-fidelity music, live streams, exclusive content, and original content as well. I’m here to talk to you about How to Stand Up to Mobile Fraud, a topic that I am super passionate about because I’ve seen hundreds of advertisers get burned over the last few years.
Now, mobile fraud is a huge problem and it’s been transforming over time. It costs advertisers in the mobile industry billions of dollars every year, and many advertisers who don’t realize that they’re buying it are actually buying large amounts of it. Today, I’m super excited to give you some advice on how to combat ad fraud on your side.
What are some of the different current fraud threats?
To jump right in, I want to talk about some of the different threats that exist in mobile marketing.
First, at the very surface level, we have what’s called click fraud. This is real traffic that’s actually coming to your app organically, but is being misattributed due to a couple of different ways that fraudulent actors can kind of misattribute your traffic. There are two main types here, one is click flooding and one is click hijacking.
Click flooding is when a farm somewhere generates a high volume of clicks, that’s meant to capture device IDs of people that are installing your app organically and tricking your attribution platform such as AppsFlyer into thinking that the traffic actually came from a source that doesn’t exist.
Click hijacking is when – this is typically just on Google Play – a fake click is generated right before an install is attributed by the public API that’s available on Google. Fraudulent actors can inject that click at the last second, and again, trick your attribution platform into thinking the install came from somewhere else.
Now, most of the time, your MMP, or other fraud solution, should catch this, but if you’re not using a fraud prevention tool, there are a couple of key signals used to identify this.
The first one is a really high click volume. In some cases, you might see hundreds of thousands, millions, or even billions of clicks for spend that doesn’t really match up to that. So that’s going to be a huge red flag.
Second, because this is trying to capture a large amount of organic traffic, you’re either going to see a very low click-to-install rate when it comes to click flooding or a very high click-to-install rate when it comes to click injection fraud.
Third, you’re also going to see an unusual effective cost per click. This is one that I’ve been really into looking at recently. It’s great when you’re talking to publishers about this as well, where you say, “Hey, you drove four billion clicks last month, and we only paid you $100,000.” The effective cost per click is less than a quarter of a penny. At the end of the day, that’s just not feasible. I could put my ads up on Google AdSense and make much more money off of that. Something just doesn’t feel right and you should definitely look into a little bit further.
Lastly, we have the click-to-install time. Now, this is going to come into play for both click flooding and click injection. For click flooding, you’re going to see that the average click to install time is actually very long. Most of your installs should happen within the first hour, if not the first couple of hours, of a click. With click flooding, you might see installs coming in 10, 12, 15, 30 days later, depending how long your attribution window is, and that might be a big indication that that’s not true organic traffic.
Now, for click hijacking, you’re going to see the inverse. You’re going to see your click-to-install time is very narrow. Within the first 5 seconds, 10 seconds, you might see very high install volume, which just doesn’t really make sense when you think about the fact that there are thousands of clicks that occurred on devices that require a lot of time waiting for the internet, going to the store, reviewing the store, and, finally, installing the app. Realistically, it’s going to take at least 20 or 30 seconds for someone to really open up an app and start engaging with it from when they first click on your ad.
Again, so this is real traffic. This isn’t fake traffic. This is traffic that you shouldn’t be paying for, this is organic. But these fraudsters are actually tricking your attribution system into thinking that it’s something that you should be paying for and it’s a pretty basic attack. It’s still pretty common because many people aren’t fully protected when it comes to ad fraud, and if you don’t know what those key indicators are and you don’t have a protection solution in place, this is the easiest and cheapest way for fraudsters to really dive in and steal your traffic.
Now, the scarier part is the second part here, which is bot fraud. Bot fraud is traffic that is generally fake. It does not actually exist, but you’re paying for it just like you would with the click fraud as well.
Now, there are a couple of main types of bot fraud. There is SDK spoofing, emulators, and device ID reset.
SDK spoofing is when a bot will simulate the signatures within your attribution platform’s SDK, making it appear that events are firing which aren’t actually happening. These can be anything from an install to a post-install event.
Emulators are devices that simulate mobile devices, but don’t actually exist within a mobile environment. This allows people to generate large amounts of fraud without actually having to have a large amount of mobile devices.
Device ID reset is when somebody uses the same device over and over and over again, but resets their device ID to trick the attribution platform into thinking that a separate device was actually generating those installs.
In none of these cases is this legitimate traffic that you should be paying for, but sometimes it could be really hard to catch and look very legitimate, especially in the case of SDK spoofing.
I’ve seen a case where it looked like we had this great source of traffic, really strong click-to-install rate, really strong day one retention, really high early engagement, that made it seem like this was going to be a high-quality cohort. However, when we looked back at it about 30 days later, we realized not a single person had completed a purchase, and that this was actually SDK spoofing.
So you have to be super careful when it comes to these things.
What are some of the ways to catch fraud?
Now, let’s say you do have some ad fraud and now you need to think, how do I clean this up? Well, there are a few different ways that we can do that. That’s how we catch ad fraud.
The first thing that you could do is implement an MMP or an attribution platform, which has a really strong ad fraud solution. Your MMP has more data than anybody else that’s relevant to ad fraud. They have the click timestamp, they have the install time stamp, they are the owner of the SDK that is often spoofed, and they can really let you know if there is fraud that’s occurring here.
Second, you can also implement a third-party solution. There’s plenty out there, such as Scalarr or Forensiq, that do very similar analyses and have large data sets that can sometimes supplement what you’re seeing from an MMP. That is not necessarily the case, though; you may also have some internal tech resources, which is fantastic.
As a third option, if you have a data scientist that’s well-versed in mobile, it couldn’t hurt to add on an additional layer of analysis that’s maybe more bespoke to your app. You might know things that would be indicative of fraud, that may be an MMP wouldn’t catch because they’re more focused on upper funnel app fraud, but maybe somebody in-house could capture some of those down-funnel or in-app metrics that seem a little bit off.
So you really could go full throttle here with an MMP, third-party solution, and in-house data scientist, but more often than not, you’ll catch a good amount of fraud with just having a good MMP with a fraud solution in place.
However, no tech is perfect. Even if they catch 95% of the fraud and all three of these solutions are 99%, that remaining 1% of fraud you have can quickly become a hundred percent of your budget if you’re not smart. If you’re still just buying from those one or two publishers that are sneaking through, you’re going to catch yourself in a really rough situation.
This happens because as smart as everybody is on this side about stopping fraud, the fraudsters are just as smart as well. So it’s a constant battle of trying to sneak through.
Now, for the more advanced types of fraud, such as your bots, your SDKs, your emulators, and your device ID fraud, you’re probably not going to be able to catch too much of that manually. However, you can catch a lot of the more upper-funnel, basic fraud, which is your click fraud.
2. Manual analysis
The second thing you could do yourself as an advertiser is going to your MMP, downloading a bunch of data, and doing some manual analysis. We talked about a few of these before, but one thing that you can take a look at is your click to install time.
You can download all that data, build out a graph, and take a look at your clicks over time; you may see things that are bit unusual. Typical click to install time is going to look like a very steep rise and then a very sharp decline with a light drop off over time. You’ll see most of your installs occurring within 1 minute and 15 minutes of click; anything outside of that of significant volume might be questionable.
You can also take a look at the effective clicks per second that you’re getting. Now, I see this all the time with some click flooding. You’ll see that you have, what looks like over the course of a day, ten thousand clicks from a single publisher. However, when you dive into it on an hourly basis or a minute basis, you’ll see that those ten thousand clicks were actually generated within one hour or even 30 minutes. When you look at the math, there’s no way that that publisher could have generated that many clicks in that amount of time.
You could also take a look at the click-to-install rate. There’s a lot of debate over what the proper click to install rate should be. Personally, I typically look at a click to install rate which is above point one percent. That’s my bare minimum; I typically like to go higher, but anything that’s below 0.1% means that less than 1 at every one thousand clicks are installing.
That is highly suspect to me. It’s as if you’re going to say one out of every 50 thousand clicks is installing, or even one out of every million. Probably not real traffic.
As I mentioned before, if your effective cost per click on what you’re paying a publisher is less than a penny, it’s probably not real traffic that publisher is selling. They could get much better rates elsewhere just by selling their ads through Google AdSense, for example.
Lastly, revenue per user or lifetime value can really let you know if you’re actually driving value from that cohort of users and that’s really where we’ll come in for helping you identify some bot fraud.
Now, this doesn’t always work because I have seen cases where bots are actually creating real purchases and arbitraging the cost that they’re incurring on those purchases to the payout that you give them. But what you typically should see is that these sources are not going to be profitable for you at the end of the day. For that reason, make sure that you’re always taking a look at the most finite level of publisher that you can and that you’re actually driving profit from those users.
How do I work with media partners to combat fraud?
Let’s say that you have a case where you’ve identified fraud. Well, now you need to work with the publisher that generated that fraud in the first place, and figure out a) how we can stop this in the future and b) what that publisher can do for me to make up for it.
Now, there are a couple of different ways to work with a media partner, mainly the proactive approach and then the reactive approach.
First, on the proactive side, you want to demand transparency up front. Often, you’ll see with an affiliate network or with a DSP that you’ll get publisher names from random numbers and letters. For example, publisher 147E62 doesn’t really tell you much about where that traffic is coming from. However, if you could see that the source was enews.com, it might give you a lot more comfort in knowing that, okay, this was legitimate traffic, versus if it was from a random site that you’ve never heard of. You might question it a little bit more and do some investigations of your own.
You also want to sometimes do spot checks on the actual ad placements. Wherever possible, get the network or the publisher to share screen shot of, “Hey, here’s where your ad was actually running.” Realistically, it isn’t always possible when you’re buying on an exchange and the traffic is bought in real time. You’re not going to know where your ads appear ahead of time, but where it is possible, it’s great to get these types of things under contract and to verify them.
You also want to set really strong KPIs with your partners. Typically, you will want to set things like return on ad spend goals or retention goals, but you could also set things like click to install time, clicks per second, and effective cost per click to make sure that, beyond just your ROI goals, you’re also hitting your ad fraud goals, as in not buying ad fraud.
My one piece of advice there is not to share all of your ad fraud KPIs with the networks. The reasoning behind this is that these people are incredibly smart, meaning the fraudsters, and they will figure out how to get around the KPIs that you set.
For example, if you set a really strong click-to-install threshold, you’re going to see that many people will generate a bunch of fake traffic, but also put in some real traffic – that’s called blending. They’ll blend in this mix, make it look like it’s legitimate traffic because it’s hitting your KPIs.
That’s why I always recommend to withhold one key KPI that you don’t share with the network and that won’t later be passed down to the people that potentially generate fraud. You can later take a look at that on the backend and say, “Okay, well if they’re hitting every other KPI that I have but missing that one KPI I kept for myself, maybe there’s something up there.” So always keep that in your back pocket.
Now, let’s say you do all of that and there is still fraud. First, you can still be reactive and negotiate with those networks, affiliate partners, and publishers on actually clawing back money or making a make good. A make good is when they buy additional media to make up for the fraud that occurred or any other mishaps that happened in the case.
In one of my roles, I actually had an experience where we uncovered a massive amount of fraud and were able to get a claw back of over half a million dollars based on what we uncovered. By the way, this was fraud that was missed by fraud identification systems, but was actually caught through some of the manual analysis – that’s why that can actually go a really long way.
Second, when you go to have this conversation with your network or the publisher, make sure that you come with data because their first instinct is not going to want to be to give you back half a million dollars. Make sure that you’ve done your manual analysis, you have your analysis from your MMPs or your third-party solution, and you could present this in a way which is sound and make sense.
Also, check your contract when it comes to these publishers and networks because most of them do have fraud reporting windows. Therefore, if you do identify it, bring it to the network as soon as you can.
Really, at the end of the day, just don’t let the fraud get away with it. It’s a massive problem in the industry and we as advertisers have just as much responsibility as the MMPs (such as AppsFlyer), the networks, the DSPs, and the affiliate channels to clean it up. That’s why I’m really excited to share these insights with you. Hopefully we can all clean up the industry together.
So that’s it for today. If you have any comments, feel free to leave them below and if you want to see more MAMA Boards, make sure you click here. Thanks for watching!