Programmatic Media Fraud is Overwhelming

Let’s do some thought exercises around the programmatic media that you’re buying. The following thought-starters are going to be mind-bending and thought-provoking. Hopefully you will keep an open mind, as you try to wrap your head around what may be mind-blowing, head scratchers.

Advertisers are addicted, agencies are conflicted

Advertisers have been addicted to programmatic media for the last ten years, because of the enormous scale, cost efficiency, and high performance. The large quantities of ads comes from bot activity, fake sites, and fake mobile apps. The low CPMs are due to fake sites selling ads at low prices because they have no costs for making content. The high clicks are from bots, programmed to click on the ads to create the appearance of performance.

Agencies have steered advertisers towards programmatic media because it remains the highest margin line item on the books. The agency hold co’s (“holding companies”) have been documented to give kickbacks to themselves via foreign subsidiaries. They take possession of ad inventory not yet created and sell that to their own clients. This is called principal trading, which is contrary to their fiduciary duty as agents acting on behalf of their own clients. Undisclosed markups through principal trading and other accounting gymnastics have been documented to go as high as 99% of the media CPM paid by their own clients, unknowingly of course. This is how the hold-co’s propped up bottom lines for years. This was the reason hold co’s forced member agencies to run all programmatic trading through the hold co trading desks and pushed their own customers to buy more programmatic media.

The agency hold co’s continue to take kickbacks from ad tech vendors; fraud verification vendors incentivize them by giving cash rebates for forcing their clients to buy fraud verification to “protect themselves” and locking them into multi-year contracts. Advertisers wouldn’t need to “protect themselves” if they avoided programmatic media entirely, and just bought from real publishers that had real human audiences. Further, agencies continue to keep unspent programmatic media budgets by altering the eCPMs (“effective CPMs”) in billing reports; By manually altering the eCPMs higher, they make it appear that all the budgets were spent, even when they were not. The agency books this unspent media budget as “other revenue.” The client didn’t want the money back anyway; so everyone looks the other way.

Bots are programmed to click, humans click accidentally

The bots that create fake ad impressions also click on them. By having bots click on ads at higher rates than humans do, fraudsters trick advertisers who use clicks as a KPI (“key performance indicator”) into shifting more money to programmatic media, away from real publishers with real human audiences. Humans accidentally click on ads — including 1) “fat thumb” while scrolling on mobile, 2) trying to close the ad, instead of click it, and 3) clicking on the ad on the way to the purchase they intended to make anyway. These clicks are like a “self-fulfilling prophecy” which makes performance look awesome; but the costs were entirely unnecessary because the person would have purchased anyway.

Humans block ads, bots don’t

The latest figures on ad blocking put it at between 43% globally [1]. “Globally, the most commonly reported reasons for using ad blockers include excessive amounts of ads (22.3%), the irrelevance of ad messages (22.3%), and the intrusion factor (19.9%).” Ad blocking on desktops and laptops is far higher than in mobile because ad blocking plugins and extensions are available for desktop browsers, not mobile. Brave browser reports 50 million monthly active users across both desktop and mobile. Bots DON’T block ads because it’s their job to cause them to load. So programmatic ads that are delivered are shown disproportionally to bots, not humans. Nearly half of humans online are “not addressable.”

Retargeting by advertisers, audience extension by publishers

Advertisers believe that if a user visited their site, they must be “intenders” so they must be cookied and shown ads wherever else they go — i.e. retargeted. Humans think of this as the “creepy ads following me around the internet.” Bots, however, deliberately visit an advertiser’s site first, and then go to cash-out sites to cause ads to load; by doing so, bots make more money for the fake sites because retargeting CPMs are higher than regular CPMs.

Publishers have also bought into this idea of retargeting, except they call it audience extension. The logic goes something like this — if a user visited WSJ.com once, they can be counted as a member of the WSJ audience so more ads can be shown to them wherever else they go. Bots deliberately visit WSJ.com first, and then get shown ads when they go to cash-out sites — i.e. audience extension. This causes ad budgets to flow to fraudsters, even if the advertiser bought ads from WSJ directly, but forgot to insist they turn off “audience extension.” Audience extension is a way for publishers to make more money because there’s seemingly much larger scale in the audience extension (bots) than in the audience that actually visits WSJ.com directly (humans).

The same slight-of-hand happens when you buy direct from Samsung; you think a direct buy means no fraud; you think your ads go on Samsung TVs. Eighty percent (80%) of the large volumes of impressions are from your ads being shown on fake sites and mobile apps due to the practice of “audience extension.” Clever bots also just change their name to Samsung TVs, LG TVs, Vizio TVs, etc. and earn higher video and CTV prices. Grindr, the mobile app, was caught fabricating bid requests to appear to be coming from CTV devices and CTV apps, so they could earn much higher CTV CPMs than display ads. Every one of the CTV fraud cases found so far consisted of bid requests faked by algorithms randomly rotating TV models, CTV app names, millions of household IP addresses, to appear to be ad calls from streaming, when there was no device, no app, and no streaming at all.

Audience segments and cohorts of bots, not humans

It’s quaint to believe there’s 300 million “auto-intenders” in the U.S. when there are only 350 million people in the U.S. This is the kind of hilarity that ensues when advertisers buy audience segments from DMPs (“data management platforms”) for targeting their ads. Those audience segments are derived from the website visitation patterns of anonymous users, otherwise known as cookies and cookie pools. While the original idea of audience segments might have been a good idea, it is no longer. Bots deliberately visit a collection of websites, like medical journal sites, to collect cookies and make themselves appear to be doctors. Then when they visit cash-out sites they make more money because advertisers are desperate to show ads to doctors, so they pay far higher CPMs to target those audience segments of bots.

Ad tech companies even purport to target individual doctors by NPI number (“National Provider Identifier”). Advertisers believe their ads are being shown to specific cookies that correspond to doctors with NPI numbers. But it’s no more than loose cohorts the ad tech companies approximated to be doctors; in other words a pool of 10 – 20 cookies are approximated to belong to a doctor because the device or IP address relate to their place of work or household. But, if you think about it, you can target that same cohort of doctors just just placing ads on New England Journal of Medicine; you can target the cohort of all oncologists when they visit Journal of Clinical Oncologists. No privacy-invasive, highly inaccurate cookie-based audience segments required. Oh, P.S. those third party cookies are going away anyway in 2023. Boom.

Brand safety defunds real news, and funds fake news

Current brand safety tech blocks ads on the front pages of NYTimes, WSJ, and Washington Post because the pages contain keywords like “covid-19.” When this was exposed in March 2020, these vendors blamed their own customers for the tech failure, by saying the customers should have created whitelists of real news publishers, so their ads wont be blocked on those sites. The brand safety craptech also blocked ads on New England Journal of Medicine because pages contain the word “blood” or Sports Illustrated because pages contained the word “shooting” (as in “shooting pool”). Crappy keyword lists, not advanced AI and NLP (“artificial intelligence” and “natural language processing”).

Brand safety tech defunds real news sites, but fail to do what they promised and sold to their own customers. Large brand advertisers’ ads are still appearing on sanctioned Russian propaganda websites, coronavirus disinformation sites, hate speech, and piracy sites. By blocking ads on real news sites, and failing to detect fake news sites, brand safety tech is causing more harm than if they were not used at all. The ad budgets still have to be spent; so if ads are blocked on real news sites, the dollars flow to fraud sites and fake news sites.

“No data” does not mean “no fraud” or “no bots”

Fraud verification companies have reported fraud in the single digits for years. Is that all the fraud there is? Or is that all the fraud they can catch? It’s the latter. Not only are bots good at tricking their detection, bots are great at evading their detection altogether. Just like humans block ads and trackers; bots simply block the detection tags so they can’t be measured. This is called “tag evasion” or “verification stripping” where the verification pixels are stripped out deliberately. When the fraud detection tags are blocked, these vendors have no data; so they cannot mark the bot as IVT. But “no data” does not mean “no fraud” or “not a bot.” When these vendors show 99.998% “fraud free” in their reporting, it actually does not mean there was no fraud. It just means they failed to detect the fraud or they had no data at all, because their tag was stripped out. That’s right, the other 99% means “they don’t know what the hell it is.”

There’s a false sense of security when advertisers repeatedly hear IVT is 1%, as the Association of National Advertisers (“ANA”) and their subsidiary Trustworthy Accountability Group (“TAG”) has parroted in press releases for the last five years. Advertisers have been misled by the ANA and TAG; fraud is not 1%. The 1% only pertains to the bots that verification vendors’ tech is tuned to look for; it doesn’t take into account ANY other form of fraud like publishers loading 2,500 ads on the page, refreshing ad slots at exactly 1 second because that technically meets the definition of a “viewable impression” according to the MRC standard.

Humans don’t give consent; bots just fake consent

When faced with an onerous consent popup, humans just leave; it’s not worth their time checking 120 checkboxes one at a time to give specific consent to 120 ad tech trackers on the page. The consent popups that have “check all” don’t comply with GDPR properly because the consents given must be explicit and specific. So few humans have given proper consent; but bots do give consent by passing fake GDPR consent strings. How do we know they are faked? Every single field is set to “true” — i.e. consent given; and the same consent string is replayed by (fake) users hopping from country to country. Real GDPR consent is specific to the device, browser, person, site, and vendors. A real human does not teleport between a dozen countries, passing the same consent string to dozens of sites.

Double paid, not double verified

Advertisers think they are protected when they pay for fraud detection. For the reasons stated above, they are not protected. The fraud verification tech can only catch 1% of the bots and fraud, and that’s assuming their detection tag actually fires. In most cases, their tag is blocked or stripped out, so they have no data. That’s why they don’t report anything wrong with 99% of your ads; not that there’s no fraud there. So advertisers are paying for tech that works only 1% of the time (using round numbers). But that’s not all.

I have long said that verification vendors are quadruple-dipping. They make money from advertisers, exchanges, agencies, and publishers, often for the very same campaigns touched by all of those parties at once. Recently I discovered how they did it, without advertisers realizing. When an exchange or publisher is forced to pay for verification, they pass along the costs by hiding it in the media CPM. For example, if you’re paying $3.00 CPMs, you’re actually getting no more than $2.80 CPM inventory. That’s because the $3.00 media CPM hides the 20 cent pass along for verification. Advertisers also pay the vendor under a separate line item called “verification.” They double paid for verification on the same ad and campaign without realizing it because one of the fees was hidden in the “media costs” line and the other was “verification costs.”

So What?

Hopefully your eyes are opened after these thought-provoking exercises. Don’t worry, it’s not the end of the world. But it IS the beginning of you doing something about it. You didn’t know before. Now you know. Once you know, you can act. Prior assumptions and beliefs (“we believe the programmatic media is working really well”) are the ankle-weights that have now been removed by clarity and reality. Time to act.

Augustine Fou
Augustine Fou
Dr Augustine Fou is an independent cybersecurity and ad fraud researcher who helps clients identify and remove fraud impacting their marketing campaigns. He is an industry-recognized thought leader in digital strategy and integrated marketing.

Similar Articles

Comments

  1. Yes, yes and YES!
    as someone who was the 1st to utilize programmatic media and was at the 1st talks @ OMMA this in 2010. I saw first hand the rise and fall of both PMB & intergrity. There was a point that there were numerous anti-fraud companies. Didnt matter. Customers didnt want to know about it and pay the extra cost. Ad networks didnt want to do anything about it. Because they were making money. In the end. Closed shop and walked away. Wall St. is more honest.

What's your opinion?

Advertisment

Most Popular

Three Common Pitfalls of Social Media Marketing

There can be no doubt that social media marketing is now an essential part of any successful marketing strategy. With over 2.3...

WTF is “Multi-Touch Attribution?”

Multi-touch attribution is a method of marketing measurement that allows marketers to see the value that each touchpoint has on driving a...

WTF is “First-Party Data? And why is it so Important?

First party data is defined as data that your company has collected directly from your audience -- made up of customers, site...