This article was first published in CPO Magazine.
A shady digital syndicate just stole more than $100 million from advertisers who probably didn’t notice a thing.
Hydra — an alarmingly effective ad fraud scheme that redirects high volumes of fake ad traffic through mobile residential IPs to make it look like legitimate mobile traffic — is estimated to have stolen $130 million worth of ad spend already. That dwarfs previous hauls from other bad actors, like the $29 million 3ve managed to siphon before advertisers got wise to the scheme. But while the damage seems enormous, it’s impossible to identify on a business-by-business level without the right tools.
The truth is most cybersecurity strategies have been built with a blind spot to the kind of vulnerabilities these bad actors exploit. What’s worse, this type of fraud has short- and long-term consequences that go beyond wasted ad dollars. To put an end to the loss of valuable ad dollars, not just advertising and marketing, but also cybersecurity and risk management professionals must understand the scope of this threat and realize these tactics are not caught with traditional cybersecurity tools.
Understanding ad fraud
Over the last 20 years, ad fraud has evolved from basic tactics like cookie-stuffing and click flooding that are now detected easily, to major schemes that cleverly obfuscate traffic and evolve to avoid detection. These get flashy names and make headlines. As budgets for online advertising have grown, so has the payout for ad fraud as a business opportunity, attracting more sophisticated players to the arena.
Estimates of the global scale of ad fraud are astounding:
- In 2023, the cost of ad fraud will balloon to $100 million per day – just under the amount Hydra is estimated to have attracted in 12 months.
- About 18% of all ad impressions are never viewed by real people
Why ad fraud goes unchecked
When a business sees fraudulent traffic in their ad results for the first time, it’s akin to putting on a pair of glasses you didn’t know you needed. Once you see clearly with the glasses, you realize how large the problem has been for a long time — there was just no mode of comparison.
Let’s take a deeper dive into why this theft often goes unnoticed.
- The baseline is an illusion. No digital advertising channel or campaign type is immune to ad fraud. As soon as you start advertising, there is likely to be some proportion of invalid traffic. That means campaign metrics, benchmarks and KPIs are also skewed by the presence of ad fraud – making comparisons against these benchmarks an unreliable indicator.
- Ad fraud perpetrators are a step ahead. In fact, bad actors in ad fraud depend on their ability to exploit vulnerabilities quietly. Often, they use “zero day” tactics to do the most damage with the least amount of red flags. In cybersecurity, a zero-day vulnerability is a weakness that is unknown by developers and security vendors and for which no patch exists. In ad fraud, the novelty is usually in the tactic than in the vulnerability, where new tactics are designed to evade common ad fraud defences. It can take years — three in the case of 3ve — to spot, and by then, millions of dollars could have been skimmed.
- Ad fraud isn’t a traditional cybersecurity problem. Despite being a form of cybercrime, the burden of ad fraud typically sits with marketing teams rather than security professionals. But just as you need to protect other systems from external threats that could damage the business or impact productivity, digital advertising requires similar protection. Marketing teams could certainly benefit from the insight and experience that cybersecurity and risk management could bring to the table in solving this problem, if not already being tackled by the company’s marketing team.
Left unchecked, fraud leads to skewed baselines and wasted spend for as long as your business has a budget for digital advertising.
The case for fighting ad fraud now
COVID-19 has every ad budget under scrutiny. However, the need to squeeze pennies out of every dollar spent presents a unique opportunity to take a closer look at your ad traffic and metrics. Especially for organizations using new channels and methods to attract customers in a vastly different world, knowing what’s real and what isn’t is more important than ever.
The demands of a disrupted economy make it imperative to consider how ad fraud comes into play, especially because:
- Bad actors need prey. While there’s no direct data to show a spike in ad fraud during the first few months of the pandemic, potential victims have certainly increased. New and unaware businesses are wading into digital advertising by the day, increasing the pool of easy targets for fraud.
- KPIs are more volatile. We’ve already established that many baselines are skewed because of invalid traffic. Now, add in the disruption and radically different customer behaviour since the beginning of the pandemic and determining what success looks like becomes very difficult. Businesses need tools in place to proactively monitor ad fraud, as opposed to waiting for anomalies to show up in benchmarks.
- Cheaper is not better. When budgets shrink, it’s a natural impulse to try to find cheaper ways to advertise. However, this invites more risk. Marketers that choose to chase lower cost-per-thousand-impressions (CPMs) to stretch their budgets make themselves a bigger target for ad fraud. Now is also not the time to reduce existing efforts to combat fraud — in fact, if these efforts exist, it’s a perfect opportunity to evaluate them. The right fraud strategy or tool should help to reduce costs by minimizing spend wasted on invalid traffic, not just reporting on ad fraud.
Ad fraud is a pervasive threat, increasing in sophistication and continuously compromising the effectiveness of multiple aspects of a business. When ad fraud is allowed to persist in advertising, its impacts on data quality infect multiple areas of the business including advertising optimisation, website user experience optimisation, content strategy and product user experience for cloud products.
If all of this user data is skewed because advertising is delivering invalid traffic, then all of the decisions that rely on that data are compromised, hamstringing business performance. But with better tools and a sharper understanding of the damage fraudulent traffic can bring, there’s no better opportunity than right now to fold ad fraud prevention into a company’s larger advertising and even cybersecurity strategies.