Why do you need fraud prevention?
Adjust, Content Team, Adjust, Feb 18, 2022.
In 2018, a BuzzFeed News investigation uncovered a widespread and malicious ad fraud scheme that affected millions of Android users’ data. The fraud scheme, a devious mixture of SDK spoofing and bot fraud, was used to steal millions of dollars from advertisers and networks. But this scheme wasn’t an outlier — it's a skyrocketing mobile advertising problem.
What is mobile ad fraud?
Mobile ad fraud comes in many forms and is constantly evolving. It impacts every kind of app. Whether you have an e-commerce app or a banking app, fraud detection and prevention are critical to successful growth strategies. Therefore, it’s essential to have a mobile measurement partner committed to fighting fraud and continually developing its measures against it.
Chapter 1: Click Fraud
Types of mobile click fraud
There are four main types of mobile ad fraud—click spamming, click injection, SDK spoofing, and fake installs. We'll cover these ad fraud schemes below.
Click spam is a type of fraud that happens when a fraudster executes clicks for users who haven’t made them and claims credit for random installs the user made.
Click spam begins from the moment a user lands on a mobile web page or operates an app that has an SDK inside that’s being abused to create clicks the user hasn’t initiated. From there, the fraudsters can employ several different methods.
Methods of click spam:
- A mobile web page executes mobile click fraud without the user’s intent or knowledge in the background with ads.
- The spammer can click in the background while the user engages with their app, making it look as though the user has interacted with an advertisement.
- The fraudster app can generate clicks at any time if they use an app that is simply running in the background 24/7 (e.g. launchers, memory cleaners, battery savers, etc.).
- The fraudster could send impressions-as-clicks to make it look as if a view has converted into an engagement.
- The spammer could blatantly send clicks to tracking vendors from made up or collected device IDs.
In the end, they all share the same goal: false engagements.
The impact of click spam
Click spamming is insidious because it captures organic traffic as well as traffic driven by other legitimate sources, which, when not checked by a preventative system, will be falsely attributed to the tracker of a paid channel engaging in this fraudulent activity. Thus, it allows the fraudster to claim credit for these installs. If it isn’t spotted early, the impact of click spam can seriously pollute an entire app’s attribution efforts — leading advertisers astray and causing them to waste a significant amount of time chasing after users they’ve already acquired organically or via other channels.
This trickery has profound effects on an advertiser. The most obvious loss is that they may unknowingly pay for an organic install, costing advertisers their ad spend. Unfortunately, there are other serious consequences for click spam as well:
Miscalculating organic installs
Organic poaching causes a miscalculation of the number of organic users generated by the app, which affects internal cohort analyses. It can also underplay the impact of marketing channels that generate organics — such as branding and press outreach — which have potentially been cannibalized by click spamming.
Misinformed UA strategies
Organics poaching also threatens the certainty of acquisition decisions. For example, if an advertising network claims organic users who perform well within an app, then an advertiser may decide to invest in that channel to acquire more of the same type of users. This creates a circular problem, where the advertiser continues to pay for the users they would have acquired naturally or through other marketing channels.
Neglecting more reliable channels
When click spam goes undetected, campaigns largely unblemished by fraudulent conversions will appear less successful than those with poached organics. The advertiser will then miss the ROI they could earn from the relatively fraud-free channels as they dedicate their budget to fraudulent channels instead.
Click injection is a sophisticated evolution of click-spamming unique to Android devices. Fraudsters use an app to inform them when other apps are downloaded on a device and to trigger engagements before an installation of a new app is completed (before the app is opened). The fraudster will receive the credit for installs, allowing them to not only poach organics but also installs that were driven by genuine advertising through a legit source.
In short, click injection fraudsters use an app to inject a engagement at just the right time to get cost-per-install (CPI) payouts or cost-per-acquisition (CPA) payouts. The data that marketers use to make their decisions now contains systematic inaccuracies. What often happens is that advertisers continue to invest in advertising that is relatively ineffective, potentially diverting money from better-placed and better-designed campaigns.
SDK spoofing, sometimes called traffic spoofing or replay attacks, occurs when fraudsters utilize real device data to create installs or clicks that appear legitimate.
Fraudsters will break into the SSL encryption of communication between a tracking SDK and its backend servers. The fraudsters then uncover the URL calls representing specific app actions and experiment until they get a successful track for an ad click, install, and other in-app engagements. They can then create an indefinite number of fake engagement activities.
This method of mobile ad fraud involves fraudsters creating fake app installs, conversion events, and other types of engagement. Enter device farms and fake installs.
Manual device farms
Imagine a factory with dozens of workers sitting in front of rows and rows of smartphones. These farms previously existed all over the world. However, as technology advances, so had the methods of fraudsters as we’ll dive into below in the other two fake install methods.
Intelligent device farms
There are also intelligent device farms which are pre-programmed with automatic actions that allow fraudsters to fake installs and other in-app user activity.
A program or device that allows a computer to behave as another device, most often a mobile device, is a device emulator. Device emulators can be utilized by fraudsters to steal marketers’ ad spend with falsified installs and in-app activities.
Device farmers hide their activity by:
- Using different types of devices while enabling limited ad tracking
- Resetting their advertising IDs with each install
- Covering activity behind anonymised IP addresses
The fake activity created by these fake installs appears as legitimate activity and can drain advertising budgets if the fraudulent activity goes undetected.
Chapter 2: Mobile Fraud Prevention
What is mobile fraud prevention?
Mobile ad fraud prevention comes in as many forms as the fraud itself. But, generally speaking, mobile ad fraud detection comprises technologies and reports that allow mobile marketers to identify ad fraud — sometimes before it happens.
It’s critical to identify each method individually. Once we understand that there is a difference between injected clicks, low-frequency and high-frequency click spamming, as well as the difference between fake installs and SDK Spoofing, filtering each method becomes much simpler.
Let’s take a closer look at the ways to identify and address different types of ad fraud.
How to detect click spam?
Advertisers can catch click spamming by looking for a simple pattern. At Adjust, we discovered a clear difference in how genuine advertising clicks timely correlate to subsequent installs versus the fake clicks of the click spammers.
For a genuine traffic source, clicks are tracked with a normal distribution. Of course, the precise shape and size of the distribution will vary per traffic source, but the pattern from a trustworthy source is a large number of installs within hour one after the ad click before a rapid tapering of performance.
Click spamming sources behave differently. Conversion times from a fraudulent source are distributed flatly because the spammer can trigger the click but not the install. Therefore conversion times will follow a random distribution pattern.
This means that it is possible to weed out click spammers before the attribution by refusing to attribute installs to traffic sources that claim traffic with a flat Click-to-Install Time distribution. Advertisers can fight back against spammers.
How is click injection fraud prevented?
Click Injection was first detected when some clicks appeared to be impossibly close to the install attributed to them. This showed up in “Click-To-Install-Time” (CTIT) charts as a huge spike in activity early on when the data was visualized and alerted researchers to the possibility that there might be ‘Spoofed Attributions’ within the data set.
Some in the industry developed an idea to create a filter from the type detection and catch “impossible” CTITs. This meant that the attribution of any install which occurred within a few seconds of a click would be rejected. Simple in its application, unfortunately, this solution didn’t cover the entire problem.
Adjust dug deeper, working backward to find a more foolproof filtering system.
We announced our click injections filter at the end of 2017, available as part of our fraud prevention suite. Adjust utilizes deterministic timestamps to prevent attribution to fraudulent engagements. The filtering process works differently depending on where the install comes from. To learn more about Adjust’s Click Injection filtering, click here. To dive further into monitoring CTIT for click spam and click injection, watch our webinar about a common-sense approach to mobile ad fraud.
How does Adjust uncover SDK spoofing?
Again, SDK spoofing occurs when fraudsters send fake requests to app publishers’ (or attribution companies’) servers. Adjust has created a unique signature to cryptographically sign SDK communication packages, verifying the validity of an install upon receipt. This particular feature is included in all of our packages to our clients.
How to detect fake installs?
So how do you distinguish fake installs originating from device farms and emulators from installs originating from users you actually want to acquire?
Many fraud prevention systems can flag that those installs result in very little app activity, and never lead to any purchases. However, the problem here is that most real users never do either. After all, day one retention for most app verticals is rarely above 30%. So as long as these fake installs are mixed in with real traffic, it’s tough to tell what’s real and what’s fake.
A marker we can look at is the IP address used to send these fake installs. In an attempt to mask the origin of these installs, this traffic is usually routed through proxies or VPNs, often to more profitable markets like the US, and leaves a trace in the form of IP addresses often registered to anonymizing services or data centers. Those IPs are often found on commercially available lists that can be used to deny attribution. That’s why, at Adjust, we make use of an official IP database that doesn’t blacklist and instead, provides daily updates on metadata with IP addresses. We cross-check the IP address of every install with this database, and if the IP address turns out to be associated with an anonymizing service or data center, then the install will be isolated from the rest of your data set.
Chapter 3: Benefits of Fraud Prevention
The five benefits of fraud prevention
Let’s review the five advantages of fraud prevention that make the solution a critical investment.
- Saved budgets
Fraud prevention stops your marketing campaign budget from being spent on traffic that leads to a dead end. With campaign spending reaching the thousands or sometimes millions, it is paramount to make sure your money is safe. Fraud prevention provides that security.
- Clean data
Consider this scenario: Network A has a higher conversion rate than Network B, and users seem to stick around longer. Typically, this would mean that you’d want to invest more in Network A. However, without investing in fraud prevention, you might not know if Network A’s traffic is riddled with fraudulent activity or not.
Getting rid of fraud enables an advertiser to strategize based on accurate data and KPIs.
Fraud creates a downward spiral of poor decision-making, encouraging advertisers to spend on dubious sources that seem to perform better. Fraud prevention exposes these traffic sources, helping lower the number of risky decisions in ad spend.
- Better options
Fraud prevention not only filters fraud, but it helps identify bad traffic sources, allowing you to identify preferred partners that are right for you. This allows you to determine the partners that will empower your success. Marketers must remain vigilant to emerging methods of fraud and work with MMPs to do so.
- Secure brand equity
The World FinTech Report 2019 surveyed banks and fintech providers to find the biggest issues facing the financial services sector. Significantly, security tops the list. Since the introduction of the CCPA and GDPR, brands have been more vigilant regarding user data. Now a brand’s equity is at stake when security is mishandled. Therefore, it’s critical to combat fraud in all its forms to secure brand equity and user data.
- Boosting your competitive advantage
These advantages of fraud prevention are available to all. However, if your competition deploys fraud prevention and you don’t, know that they’re acquiring better users and more of them.
The app that filters fraud is guaranteed to be more effective in its acquisition by reaching real users to drive up its’ share of voice. Additionally, any party benefiting from fraud prevention will be spending more efficiently, saving a budget that would otherwise be consumed by fraud.
Your competitors can be very on-point in mitigating risk. But more to the point, so can you.
Chapter 4: Ad Fraud Prevention Provider
Why must an attribution provider fight mobile ad fraud?
Mobile measurement providers (MMPs) are necessary to mediate attribution between networks and app companies (described in detail here). Similarly, fraud prevention also requires an intermediary to moderate the ecosystem. There are a few key reasons why that role falls on MMPs like Adjust.
A few networks that knowingly sell fraudulent traffic in the App Economy will tarnish the group. Many partners actively engage with anti-fraud solutions, but not all networks can be trusted to police their traffic or focus on delivering anti-fraud technology. Therefore, it becomes the job of an MMP to analyze the traffic that flows through the system and determine whether each engagement and install is valid or not.
Networks don’t have access to the same data as MMPs. Even if a network focused entirely on preventing fraud from their sources, other methods could work their way into the system. For example, SDK Spoofing is a way for fraudsters to avoid detection by triggering real-looking installs, bypassing checks that only MMPs can create based on the data they have.
MMPs-as-middlemen help create trust between networks and advertisers. MMPs have nothing to gain from fraud because fraud affects first-party data, effectively harming MMPs’ reputations as well. Therefore, the default stance for all MMPs should be to fight fraud in earnest.
Note that there are providers outside the mobile measurement ecosystem who offer fraud prevention solutions, known as ‘fraud detection vendors’. Our network partners CrossInstall (now part of Twitter) wrote a detailed comparison of such companies versus the value of MMP’s here.
What sets Adjust apart in fraud prevention
Our approach is significantly different from other solutions in one fundamental way: real-time prevention.
Real-time rejection is the only way to prevent fraud. Many other solutions only offer “after-the-fact” detection, which works on the premise of letting you know when they’ve detected fraud. But this process means it’s up to you to speak to networks and argue over what wasn’t legitimate traffic. Not only is this process full of conflict, but it also takes time away from user acquisition. “It’s a big-time sink to go backwards”, says Cyrus Lee, ex-Senior User Acquisition Manager at Playstudios, in a previous blog post. “The more fraud you buy, the more conversations you’ll have at the end of each month that go to a chargeback.”
Even if the traffic is legitimate, vendors who don’t provide real-time solutions can often create more false positives. With some methodologies hidden under ‘black-box’ technologies, challenging each install becomes impossible. To help you better understand what you’ll need, we wrote this article: Detection, prevention, and what makes a good fraud-fighting filter.
As a company, Adjust also thinks about fraud differently. Fraud prevention is at the center of Adjust’s approach and informs much of our decision-making, and has been since the beginning. We utilize real-time prevention to ensure data accuracy and to provide clients with a clean, actionable data set from which they can make competitive marketing decisions.
Adjust Co-founder on fraud prevention
Our Co-founder and former CTO, Paul Müller, wrote a blog series on fraud prevention, which you can read here. Ultimately, taking on fraud is a big responsibility for an attribution provider, and we take on this responsibility wholeheartedly.
As Müller says, “Since we reject ad fraud, we have to be willing to assume the responsibility for any attribution stopped by our system, and defend each and every one to our partners. We assume the burden that we have to get it right, every time.”
“Fraud prevention should not just be a marketing ploy or a means to muddy the water—it’s a serious responsibility. If done correctly, anti-fraud solutions will advance the entire mobile ad ecosystem. If done poorly, it will end up as the snake oil of our industry and not address the core issue.”
Our commitment to developing anti-fraud solutions will always be a core part of Adjust’s mission. If you would like to learn more about Adjust’s fight against ad fraud, check out our Guide to mobile ad fraud. However, If you're ready to use a mobile analytics platform that offers state-of-the-art fraud prevention, talk to us!