Each week in July, were taking one of the four biggest issues in mobile advertising right now – ad blocking, viewability, ad fraud and brand safety – and examining it close up. This week, were explaining everything you ever wanted to know about fraud but were too afraid to ask.

The issues weve examined in this series so far – ad blockers and viewability problems – are certainly bad news for advertisers, but they dont involve any malicious intent. Ad fraud is different. It is, as the name suggests, a deliberately criminal act, designed to separate advertisers from their money.

“It is remarkably difficult to commit fraud accidentally,” says Erol Soyer, international managing director at fraud detection and prevention firm Forensiq. “You have to invest and set up technology to propagate it.”

Fraudulent traffic on ads doesnt come from real people – at least, not with their knowledge – hence its other name, non-human traffic. It can come from botnets, collections of bot programs installed on hacked devices, which are designed to mimic human behaviour online; from the devices of real users, through adware, browser hijacks or ad injectors; or direct from illegitimate publishers, which inflate their traffic figures by stacking ads on top of one another or stuffing them into a 1×1 pixel.

Fraud can also include human traffic, most commonly from click farms. Often located in developing countries where pay is much lower, these farms hire workers to repeatedly click on ads in order to boost results. But some people argue that, as the traffic is still sourced from humans, this farming shouldnt be included in the definition of fraud. “While these advertisements are unlikely to be effective,” according to an Integral Ad Science whitepaper, “they can still be seen by humans and, therefore, cannot be classified as non-human traffic.”

However, Forensiqs Soyer disagrees: “If I dont know what Im buying and youve got a warehouse full of people in the Philippines sat there clicking away all day, what good is that to me from a campaign perspective? It adds no value, but Im paying for it as if it did,” he says. “If theres a malicious and deliberate attempt to take money for something that youre not entitled to, I dont see the difference between that and credit card fraud, or any other criminal activity.”

Computers dont buy tennis shoes
Theres no questioning the scale of ad fraud online. In May 2014, the FT reported that bot traffic accounted for 57 per cent of the 365,000 impressions on a Mercedes-Benz campaign. At the end of 2013, security firm Incapsula released a study based on 20,000 sites in its network showing that as much as 61.5 per cent of global web traffic was bot-generated. Its worth noting that not all bot traffic is malicious – there are also good bots, like the Googlebot which crawls web pages for inclusion in the search engine – but Incapsula found that nearly half of that bot traffic (30.5 per cent) came from scrapers, impersonators and other malicious sources.

It should be fairly obvious why these figures represent such a huge problem for advertisers. Any money spent on impressions or engagements from bot traffic is entirely wasted, going straight into the pockets of fraudsters without any chance of real ROI. Last year, an Association of National Advertisers study estimated that advertisers will lose $6.3bn (£4bn) globally to bots in 2015.

As the JICWEBS guidelines issued last month put it: “While more sophisticated bots can simulate conversions such as clicking through to sites they dont generate real conversions by buying goods and services, and they certainly dont engage with brands.”

But its not just advertisers which stand to lose out. At first glance, fraud might not appear to be a huge problem for the supply side – after all, publishers still see the revenues from fraudulent traffic, and in some cases may actually be the root of the problem, whether indirectly, by buying in traffic that turns out to be fraudulent, or deliberately, by actually hiring fraudsters to boost their numbers and revenues – but in the long term, ad fraud risks devaluing legitimate inventory across the entire industry.

“Sometimes you get the feeling that one side of the market is telling the other that its their fault, and their responsibility to fix this, but really you need to have both the supply and the demand side working together,” says BuzzCity UK manager Matt Keating.

Is it a problem on mobile?
As with all the issues weve examined so far in this series, the conversation around ad fraud began on desktop and, for the most part, it has stayed there.

“Mobile fraud is not as big of an issue as online fraud, largely in part based on how much money is being transacted,” says Andrew Bradway, VP of business development at Millennial Media. “Because theres not as much as money there, the fraudsters have not fully come into mobile yet.”

But fraud has always been part of the mobile ecosystem, if less so than desktop. Back in 2012, a Trademob study found that 18 per cent of mobile clicks were fraudulent. And with mobile making up 25 per cent of US online ad spend, according to the IABs 2014 figures, that only looks set to grow.

Theres not much difference between desktop and the mobile web in how fraud is achieved – “mobile click fraudsters havent reinvented the wheel,” says Trademobs report – but when it comes to in-app ads, thats potentially a very different story.

“The nice thing about in-app ads is that theres a filtering process,” says Fiksu chief strategy officer Craig Palli. “An app has to make it through the evaluation process of somebody like Apple. Theres an almost crowsourced nature to apps which have a lot of inventory volume – they have to be downloaded millions of times, which means there has to be a compelling app there to begin with – so theres less likely to be a big fraud component going on.”

Forensiqs Soyer dismisses this idea as “nonsense”, however. “The problem with fraud in-app is exactly as far-reaching and pernicious as it is in any other environment,” he argues.

So what can we do?
Fraud isnt something the industry has always been comfortable talking about, especially to clients, which means that there is still some education to be done on the topic so that people on both sides of the buy/sell divide have a better understanding of fraud. This will help them ask the right questions of their partners, and know who to trust.

“The demand side need to be asking more questions of their agencies and suppliers,” says BuzzCitys Keating. “They have the budgets and therefore the power to actually shape the market, ultimately, and the more you are able to make fraud a difficult thing to achieve and the less lucrative it becomes, the less its going to happen. There are some agencies and brands who are quite far down this road, and theyre really on top of it, and there are others that have barely begun that journey.”

JICWEBSs ad fraud guidelines feature a list of questions to begin these conversations, including how a company determines what is human traffic and whether these results are verified by a third party. You can find the full list, along with best practice for ad networks to spot botnet actors among their inventory, here.

This is general best practice, but when it comes to tackling fraud head-on, there are a number of vendors offering fraud detection tools, including Forensiq, Integral Ad Science and many more. These companies spot suspicious traffic patterns, based on hundreds of signals. These can include irregular peaks in traffic volume, impressions with demographic or location data that doesnt match up to the campaign settings, multiple IP addresses coming from the same device, or attempts to hide the time of day.

Vendors are reluctant to share the exact details of how they detect fraudulent traffic – partly because of competition, partly because it might help out the fraudsters themselves – but transparency is vitally important.

“If you put a vendor under the microscope, we should be able to justify every single penny that we take out of a budget, and show a clear return on that investment,” says Forensiqs Soyer. “If a vendor turns round and says thats suspicious but I cant tell you why, youre perfectly entitled to put their feet to the fire and say, sorry, I am paying for this, I dont want any of this proprietary black box nonsense. I dont need to know exactly how your algorithm works, but I do need to know how youve arrived at the theory that this is a suspicious click or impression.”

Once this supicious traffic has been identified – ideally backed up with transparent reporting – there are a number of options on how to deal with it, each of which comes with its own drawbacks.

The information collected could be used to guide future buying decisions, for the specific client or as part of historical data for all advertisers, though this doesnt actually stop the fraud encountered this time. Alternatively, this process can be done in real-time to terminate any suspicious transactions before they take place, but this isnt available for all buying methods, including programmatic, according to Integral Ad Science.

The information could also be used to outright blacklist any websites with a high threshold of fraud, which is something of a sledgehammer approach, or to demand compensation from publishers or ad networks for any fraudulent traffic sold, which requires time-consuming negotiation.

Before any of this even takes place, though, theres one simple piece of best practice which seems to be universally approved. JICWEBSs guidelines recommends advertisers to “set clear objectives for [their] media campaigns that focus on the measurement of real ROI, which is difficult for fraudsters to falsify. Measures such as click-through rate, completion rate, and last-touch attribution are easy to game.”

BuzzCitys Keating agrees: “The closer you are to measuring your campaigns and paying suppliers based on actual business results, the less likely you are to be vulnerable to fraud.” These metrics are based on complex user actions which are harder – or at least less lucrative – for bots to imitate.

“The most obvious example would be CPA,” Keating says. “If that involves a purchase, then of course the fraud isnt going to happen, because no fraudster is going to pay actual money.”

According to Forensiqs Soyer, though, this isnt as impossible as it might sound. “It used to be the belief that bots were fairly harmless because they never converted, never paid for anything,” he says. “But actually thats no longer true, because you can tie a bot into lists of cloned or stolen credit cards, and have bots that now convert and actually buy stuff.

The arms race
This is a symptom of frauds ongoing evolution. While it began as click farms of real people – something that is now relatively easy to detect but “has never really gone away,” Soyer says – bots quickly developed, and have become more and more sophisticated over time.

“The ability of a bot to mimic a human is getting better and better, so that its harder to spot a bots signature at scale,” says Soyer. “These guys are very very smart people. So our challenge is to keep abreast of those different approaches and technologies – we have to keep evolving as well.”

Its not dissimilar to the way viruses develop and become resistant to medicines – or, to pick another digital example, the constant battle between the developers of malware and anti-virus software. And, like those examples, it seems fraud is never going to disappear completely.

“Ad fraud is a part of the ecosystem that unfortunately will always be there,” says Millennials Bradway.

“Its always going to be an arms race against fraudsters,” agrees BuzzCitys Keating. “You just have to keep up with them and fight back.”

But while we may never be able to fully eradicate ad fraud, the industry can work together to improve how we inoculate against it.

“There is no guarantee that youll ever remove 100 per cent of fraud, and I think anyone who tells you that is basically lying,” says Forensiqs Soyer. “What you can do is get it to acceptable levels.

“For us, anything below 10 per cent fraud is a reasonable target to try and get to. That way, we can work from a fairly well-understood baseline – and from there, hopefully well get it down to five or six per cent. If we can show you that at least 90-95 per cent of what youre buying is clean, and real, and has a proper chance to convert, then were happy with that.”