$200bn target: Why ad fraud still won't go away; criminal syndicates bigger than brands want to know
Ad fraud is “the ultimate white collar crime” and is woefully underreported, according to NY-based digital marketer Augustine Fou, who thinks verification firms and industry associations are only picking up a fraction by focusing on narrow targets like invalid traffic but missing the true picture. With $200bn of programmatic spend in scammers' sites, Fou advises marketers to emulate the likes of P&G, Uber and Airbnb: Pause some digital campaigns and measure not “vanity metrics”, but the resulting business impacts – if any.
What you need to know:
- Former brand marketer and agency exec Augustine Fou now audits ad campaigns for fraud.
- His experience suggests that ad fraud is woefully underestimated, and that the bigger the brand, the greater the likelihood of fraud.
- Fou thinks verification firms can miss the true picture by focusing on narrow metrics, such as invalid traffic (IVT) and that transparency investigations by peak advertising bodies are asking the wrong questions.
- Citing P&G, Uber, Airbnb, Chase bank, Fou advises marketers to pause at least some digital campaigns and measure whether it has any impact or otherwise on business outcomes.
From my experience and from my research, typically the larger the marketer, the more subject to fraud they are.
“The ultimate white collar crime,” ad fraud is woefully underestimated and reported, according to NY-based digital marketer Augustine Fou.
He thinks the near $200bn programmatic ad market presents a more lucrative stomping ground for criminals than even international drugs rackets: There is no product to move, hardly any risk of getting caught, and little punishment for the few that do.
Yet marketers don’t seem overly concerned that they are overseeing such losses – and as advertiser peak bodies like the ANA prepare to dive back in to supply chain transparency, Fou suggests they will struggle to make progress, because they are once more asking the wrong questions.
By focusing primarily on invalid traffic, he thinks verification firms are similarly looking in the wrong places, masking the extent of the problem.
Fou advises brands who genuinely care where their money is going to emulate the likes of P&G, Uber and Airbnb: Pause digital campaigns and measure not “vanity metrics” of clicks and impressions, but business impacts.
One way or another, he says, it will prove whether marketers are doing the right thing – and perhaps enable brands to stop themselves falling foul of their own corporate social responsibilities, and those of financial markets
I've seen campaigns that are one per cent fraud and I've seen campaigns that are one hundred per cent fraud. It depends entirely on how vigilant the marketer is.
Fou has worked in digital marketing for 25 years: brand-side for American Express, and within agencies at both Omnicom and McCann. He started his career in New York City with McKinsey & Company.
Today, Fou makes a living helping marketers audit their digital campaigns for ad fraud, based on his own proprietary analytics engine.
He’s not popular with ad industry trade bodies in the US, hardly surprising as he accuses them of “willful ignorance”. Fou also suggests the trade press may be fearful of losing ad dollars by giving too much airtime to his claims (though Forbes appears to have few qualms).
Speaking to Mi3 on this week’s podcast, Fou says it is impossible to quantify digital ad fraud in absolute terms. But his audits over many years suggest a far greater percentage of ad dollars are being skimmed off than implied by industry’s conventional wisdom.
The fraud in digital is so convenient, so easy. Do you think it's going to be less than the drug trade or more than the drug trade?
As botnet operators pivoted from distributed denial of service attacks to clicks-for-hire scams, Fou thinks ad fraud may ultimately dwarf even top end estimates: There is no ransom, no negotiation, just easy money from day one. And the pot is growing year on year – thanks in no small part to all those clicks.
Perpetrators can rent out botnets to hit targets, with ‘ad fraud-as-a-service’ now controlled by a few big players, Fou suggests.
“That’s how traffic selling works. You are renting time on a vast botnet to hit your page exactly the number of times you paid them to hit it.”
Whereas it can be hard work – and expensive – to drive people to sites within a timeframe, “botnets are super reliable.”
As such, while the Word Federation of Advertisers has suggested ad fraud is set to overtake the drugs racket to net fraudsters $50bn a year by 2025, Fou suggests it probably already represents a bigger enterprise.
“The fraud in digital is so convenient, so easy. Do you think it's going to be less than the drug trade or more than the drug trade?” he asks.
“Even script kiddies, the junior programmers, can get in on this and start generating bot traffic to make money through advertising.”
Literally anyone and everyone can do it, says Fou – and most big brands are easy pickings.
Asking for trouble
“From my experience and from my research, typically the larger the marketer, the more subject to fraud they are,” says Fou.
Agency incentives are often misaligned, given they are frequently awarded contracts on price. Meanwhile, under-pressure marketers are hungry for quick, demonstrable results – clicks and impressions – at scale.
That creates a perfect storm, suggests Fou.
“All of a sudden you have super large quantities and much lower prices. And [because] bots are the ones loading the ads, not humans, the bots can be easily programmed to click on stuff,” he says.
“So now your average click through rate also goes up, so it appears to be performing better. It's almost like a perfect trifecta of things that marketers want: large quantities, low prices and high performance.
“Obviously, it’s not from real humans. But marketers love those three things and that's why they're so addicted to it. They will ignore everything else that’s telling them that it's fraud. They choose to buy it anyway.”
If they are tuned purely for looking for IVT, then they are underestimating all of the fraud that is going on.
How big is ad fraud?
Fou doesn’t give clients an absolute figure on fraud levels – because it is not uniform. Also, he says, “Fraud hides in averages”.
“I've seen campaigns that are one per cent fraud and I've seen campaigns that are one hundred per cent fraud. It depends entirely on how vigilant the marketer is,” says Fou.
But no campaign is ever fraud free.
“There should never be a scenario where I can see zero per cent fraud. If that's the case, then I think my measurement is missing something,” says Fou.
“But as long as the marketer is paying attention, being vigilant and having the analytics in place to monitor it, it's going to be on the lower end of that range, close to one per cent.”
The problem, he believes, is that most marketers are not paying attention: “For the last eight years, most brands have ignored it.” Fou thinks part of the problem is that peak bodies can inadvertently mislead advertisers even when attempting to take progressive countermeasures.
By way of example, he cites the Trustworthy Accountability Group or TAG, set up by the American Association of Advertising Agencies (4A's), Association of National Advertisers (ANA), and Interactive Advertising Bureau (IAB).
Fou thinks the group’s annual reports, which highlight how its certifications are helping to stamp out fraud, can mask reality and lead to complacency.
These reports state fraud rates within TAG certified channels are between 0.5 and 1.5 per cent, depending on geography.
“When big advertisers see that [low figure]… it just gives them a convenient excuse to keep buying,” suggests Fou. “They are refusing to look into it more carefully, and that’s the problem.”
Fou thinks TAG’s figures – and those published by validation companies – are misleading because they primarily focus on a single metric, invalid traffic (IVT). But he argues ad fraud is much broader.
IVT means bots, says Fou – but the game has changed.
“Those technologies grew up [on] and were tuned to look for bots invalid traffic coming to web pages. But over time, we’ve evolved into mobile marketing. There are many sites or apps in the mobile space running programmatic ads, and we are also moving into connected TV,” he says.
“In those environments, the measurement [tech] is less capable of catching the fraud, they are not tuned for those environments.”
For example, “if you have a flashlight app or keyboard app that's loading ads in the background, that's not technically bots hitting a webpage,” says Fou.
“So technology tuned to look for bots hitting a web page may not see those [bad actors],” he adds, although industry is now starting to find and counter precisely that type of fraud.
Meanwhile, sites themselves can be cheating, stacking ads and buying traffic to maximise takings.
“Why just have one ad in the slot; why not have one hundred stacked on top of each other so that ninety nine additional ones are generating volume for you, even though only the top one can be seen?” says Fou.
“So ad stacking, pixel stuffing, pop ups, pop unders – all of those things may or may not be caught by the current crop of fraud detection tech companies. In that case, they're underestimating all of the fraud that's going on, if they're tuned [purely] for looking for IVT.”
Defendants were paid tens of millions of dollars to place mobile ads for Uber, but instead, defendants purchased nonexistent, nonviewable, or fraudulent advertising. Defendants knew that they were squandering Uber’s money, and concealed the true facts from Uber.
If big brands are effectively fuelling criminal networks to the tune of tens of billions of dollars a year, how is it not a major corporate governance issue?
Fou says brands will “get on top of it very quickly,” should activist investors get involved. But he sees some signals that the Covid pandemic has opened marketers eyes.
After pausing digital ad spending entirely in 2020, brands such as Airbnb, found that it made no difference. Fou highlights earlier findings by the likes of P&G, which in 2017 cut spend by $200m and reported little negative impact.
“Similarly, Chase, a large bank here, reduced their programmatic reach from four hundred thousand websites showing their ads to just five thousand websites showing their ads. That’s a 99 per cent decrease in the number of websites showing their ads – and they saw no change in business outcomes.”
Fou points to legal cases Uber is now pursuing. The tech platform spent upwards of hundred million dollars hoping to drive app installs. But in an ongoing court case now alleges up to 100 mobile ad networks “were feasting on their dollars fraudulently [by] claiming credit for app installs that had already happened”, per Fou.
In Uber’s lawyers’ words, according to the filing:
“Defendants were paid tens of millions of dollars to place mobile ads for Uber, but instead, defendants purchased nonexistent, nonviewable, or fraudulent advertising. Defendants knew that they were squandering Uber’s money, and concealed the true facts from Uber,” it alleges.
It is telling, says Fou, that in those court filings, Uber has only been able to identify five of the one hundred mobile exchanges by name.
“Ninety five of them were John Does,” he points out. “So even if Uber wins that lawsuit in one, two, three years from now, most of the exchanges took the money and left. They don’t exist any more, so there is no way for Uber to get the money back.”
[Mi3 wishes to make clear that it is not proven that the five mobile ad networks named in the suit have acted unlawfully.]
The ISBA and PwC did the best job they could. But the problem is, as you've seen happen since they published that report, everyone thinks the issue is only 15 per cent, whereas it's way, way larger.
While its main case is ongoing, Uber was last year successful in a smaller multimillion dollar ad fraud suit against publicly-listed firm Phunware to drive app installs.
The mobile ad network had tried to sue Uber for unpaid invoices. But Uber countersued and through a whistleblower was able to determine that Phunware had engaged in click flooding, autoredirects, advertising on porn sites, and had completely fabricating reports. Or as one employee put it via email: “Guys it’s… time to spin some more BS to Uber to keep the lights on.”
According to Fou, “these are pretty regular practices among fraudsters. Why even generate the traffic if you can just generate the report that says there was this much traffic – and the client is not even going to ask, they just pay the invoices anyway?”
ANA versus UK ISBA study
Six years from its last transparency report, US peak advertiser body the ANA is diving back in, last month issuing an RFP to industry.
While the ANA is undoubtedly trying to o the right thing, Fou says he won’t “formally” respond to the call in its current format, “because the ANA … is asking the wrong questions”.
While he says the RFP has progressed since its 2015 iteration, Fou believes there is no way the ANA’s 2021 waterfall chart can “capture all the different forms of fraud and the hidden arbitrage and the other forms of waste”.
Elsewhere, Fou thinks the equivalent UK supply chain transparency study, conducted by the ISBA and PwC, saw the firms “do the best jobs they could”.
But he suggests its findings inadvertently ‘hid fraud rates within averages’, with the now infamous “15 per cent missing delta” becoming the universally accepted figure for unaccounted spend.
“They [PwC’s forensic accountants] were basically painstakingly tracing the ad dollars going from advertiser to publisher. The 15 per cent number was the average, but the range was from 0 per cent to 86 per cent. So in one campaign [notably via ‘premium’ exchanges and publishers] 86 per cent of the money went missing,” says Fou.
“So the ISBA and PwC did the best job they could. But the problem is, as you've seen happen since they published that report, everyone thinks the issue is only 15 per cent, whereas it's way, way larger than that,” he adds.
“That’s what I mean – if you have to plot it in a waterfall chart [like the ANA is attempting] you're going to have to make assumptions and trade-offs.
“So in essence, you're publishing a number that's going to be misleading no matter what.”
Is IAB’s ads.txt part of the problem?
The IAB also comes under fire. Fou thinks its ads.txt standard, which is supposed to counter ad fraud – specifically domain spoofing – arguably ends up enabling it.
That’s because, says Fou, fraudsters can simply alter a line in the ads.txt standard to claim they are, or represent, ‘direct’ sources of inventory, rather than resellers.
“It's as simple as changing the text in the ads.txt file to lie and commit more fraud,” says Fou. “So, in fact, instead of helping to reduce fraud, ads.txt has provided the cover for fraudsters to commit more fraud and make it appear to be fine,” he adds.
“It’s the opposite of what the IAB thought it was going to do.”
Cookies: Don’t fear the reaper
Fou accepts his prognosis appears grim at face value. But he says fundamental changes to the ad ecosystem and incoming regulation provide reason for cheer. The end of third party cookies, for example, could reset marketing.
“Marketers don't need to know who bought their soap or soda. They don't need to know the individual person or the device that ended up buying. They just need to know that someone who was shown an ad ended up doing the desired action – the business outcome.”
The end of cookies, therefore, may encourage better fundamental practices, according to Fou.
“Marketers should continue doing brand lift studies; they should continue doing incremental sales studies that are not dependent on ad tech services to tell them how well it worked – because attribution systems can easily be tricked by fraudsters,” says Fou.
“As long as the marketer refocuses incrementally: Did their digital marketing drive incremental sales that would not have happened in the absence of the digital marketing? Then they are on the right track.”
Not everyone can turn off $200m [like P&G]. But they can turn off $200k and see if that makes a change. If it doesn’t, ask why – and then leave it off for another week, and then another month.
Marketers: go granular...
Marketers and brands serious about tackling ad fraud and wastage should first measure and then manage, says Fou.
Once they have “much more granular reports, for example, detailed placing reports and even hourly reports,” outlining precisely when and how they are spending, marketers should experiment by turning off the taps, he suggests.
That’s what Uber’s then head of performance marketing and CRM, Kevin Frisch did – and ended up uncovering a nine figure hole:
“Until you do that, if you’re just relying on the higher-level reporting, you just don’t catch it,” per Frisch in this enlightening podcast.
... and pull levers
Fou says pausing digital spend can be eye opening for marketers: While few brands have Airbnb’s dynamics, the bookings platform’s CEO said on its last earnings call that an $800m marketing cut in 2020 barely made any difference to business outcomes – and the platform will cut back permanently as a result.
“Run your own experiments,” says Fou. “Marketers don’t have to take my word for it. The only thing I hope they take away from this is that they will take a closer look, get more detailed reports and start to run some experiments – like turn off a portion of your media and see if that impacts any business outcomes.
“Not everyone can turn off $200m [like P&G]. But they can turn off $200k and see if that makes a change. If it doesn’t, ask why – and then leave it off for another week, and then another month,” suggests Fou.
“That is the best way to determine whether your digital marketing is having an effect for you in terms of business outcomes and therefore, whether due to fraud or simply due to suboptimal digital marketing [strategy].”
If performance dollars aren’t performing, says Fou, other than providing pointless “vanity metrics” that can be easily faked, “Why keep spending it? There's a better way to deploy those dollars to help you get more business outcomes.”
Mi3 Special Report: Australia Post-Cookies, Post-Privacy
- How brands including ANZ, CommBank, Adore Beauty, Little Birdie, Menulog and Westpac are racing for new privacy-compliant ways to market to customers as platform and regulatory changes bite.
- Report covers all of Australia‘s major publishers, their strategies.
- All major alternative IDs covered.
- Plus marketing consultancies, tech provider and agency insights.
- Independent Mi3 report, based on 35-plus interviews, supported by MiQ and Resolution Digital.
How brands including CommBank, Adore Beauty, Little Birdie, Menulog and more are racing for new privacy-compliant ways to market to customers as platform and regulatory changes bite.Get ahead of the curve. DOWNLOAD THE REPORT HERE DOWNLOAD your 67-page report here.
Personalisation smashed Christmas sales records. But the average retailer uses 44 systems to manage CX: Why you need a digital HQ in 2022
Personalised comms helped retailers drive the holiday shopping surge in 2021, per Salesforce data. The problem is, retailers are using dozens of systems to manage their customer experience (CX) data, losing huge opportunities between the cracks. Jo Gaines says a digital HQ – with staff that know how to use it – must be retailers’ top priority.