As more money pours more into digital advertising the size of the opportunity grows for ad fraudsters, who are continually developing new schemes to evade detection and pilfer the riches from the advertising ecosystem.
The World Federation of Advertisers (WFA) estimates that by 2025, over $50 billion will be wasted annually on ad fraud. While Juniper Research says advertisers’ total loss to fraud will rise to $100 billion by 2023. The money isn’t just wasted, it’s funding crime and incentivising the creation of malware which infections users’ devices.
While ad fraud detection tools are considered vital, marketers have also been warned they must keep up-to-date with changing fraud tactics, particularly as cookies become more scarce and new methods are developed to target digital ads to users.
“People can get a false sense of security if they adopt one particular protection that might solve one area but it will incentivise the bad guys to go elsewhere and create new ways of exploiting fraud,” said James Diamond, Managing Director Australia and New Zealand of verification provider Integral Ad Science.
He used the example of ads.txt which has done a good job of solving the problem of domain spoofing, where a low-quality website masquerades as premium publisher to attract ad bids, but that success means the fraudsters are looking for other ways to monetise the bots they’ve built and acquired.
Diamond described the process as an arms race, with IAS having to constantly build its capability and the broader industry needing to stay abreast of changes.
In particular, the diminishing role of third party cookies, either mandated by regulation like GDPR or enforced by tech platforms owned by the likes of Google and Apple, will have ramifications for fraud.
“A lot of fraud leverages the cookie,” Diamond said.
For example in the case of cookie stuffing, fraudsters try to game attribution models by adding a cookie to a user from an entirely different website from the one that the user originally visited. If the user later converts, the website associated with the stuffed cookie gets credit — and gets paid — for that action.
“One of the things that makes fraud profitable is you can build a very attractive user profile through the cookie, by collecting these really valuable cookies from luxury car websites or browsing content makes you attractive to particular advertisers.”
In markets like Europe where it is getting harder to leverage cookies due to regulation like GDPR, the bot herders can choose to radically change the technology they have built or redirect their efforts to a geography where those restrictions do not yet apply. According to Diamond they are doing a combination of those two things.
As a result, Australia with its less strict privacy legislation becomes a more attractive target for fraudsters. “You’ve got bot herders who have created bots and have been monetising those bots in Europe, where it’s becoming more difficult [to operate] as a result of things like GDPR. As a result, they are switching to less regulated markets.”
The advertising industry is currently working on a replacement for third party cookies. Diamond highlighted two likely outcomes that may stem from this effort; the cookie might be replaced with a similar kind of tracking technology, or the industry reduces its reliance on audience-related data and uses contextual and location-based data as a proxy for audience. Both have implications for ad fraud.
Diamond argued that simply replacing the cookie with another kind of tracking technology would be a mistake, and one malware creators will be able to quickly adapt to.
“It’s not the cookie itself that’s the problem, it’s what it does in terms of its impact on personal information,” he said.
“If you replace that function with just another piece of technology that’s not called a cookie — call it a fingerprint or something else — the problem still exists and the bot herders and the malware creators will just leverage whatever that new piece of technology is that’s used to identify individuals.”
In the latter scenario marketers would use location, where the user is, and context, what kind of content they are viewing, to make an assumption about which ad to show the user.
“If you think about how the market used to leverage cookies to do audience re-targeting, as cookies are becoming harder to come by as a result of GDPR and various other types of legislation, people are using either location or context as a proxy for audience.”
“The shift away from audience-based information and more to contextual and location-based information will be a trend. The impact for malware is people will start to spoof their location.”
Similarly, context can also be exploited. Diamond warned marketers building campaigns targeting a specific subject will need to be careful that the sites are legitimate sites and haven’t been tailor made to capture ads in that subject.