
Sophisticated Invalid Traffic (SIVT) – An integral chapter of IVT Management

Posted by Huzefa Hakim | January 1, 2024


Ad fraud management is constantly evolving, given the sophisticated nature of the fraud that fraudsters carry out. A website or mobile app can receive traffic of many different kinds, so is there an organized way to categorize the invalid portion? The answer is yes. The Media Rating Council (MRC) has divided IVT into two categories: General Invalid Traffic (GIVT) and Sophisticated Invalid Traffic (SIVT).

SIVT is an advanced version of GIVT. As the name suggests, this type of traffic is generated through sophisticated programming and complex techniques to defraud the programmatic players.

SIVT is difficult to detect, given the automated nature of the bots and scripts behind it, which also involve human intervention. Such traffic is specifically designed to drain ad spend. Failure to detect SIVT can lead to excessive amounts being wasted on fake impressions and lost to the fraud such traffic commits.

  • Are your ads getting an unusually high number of clicks?
  • Are multiple impressions being generated from the same IP address or the same device?

The above-mentioned scenarios are some basic examples of SIVT infiltrating an advertiser’s campaign. If we look at the definition of SIVT in the MRC guidelines, it says:

“‘Sophisticated Invalid Traffic’ or SIVT, consists of more difficult-to-detect situations that require advanced analytics, multi-point corroboration/coordination, significant human intervention, etc., to analyze and identify.”

The focus is clearly on the advanced techniques needed to detect such traffic, and the guidelines lay out a list of methods that fraudsters can employ to carry out such fraud. Let’s take a look at these in detail.

Types of SIVT

1. Automated browsing from hijacked devices

This involves invalid traffic generated by fraudsters from legitimate devices. The process begins when a user clicks an infected link sent through mail or other channels and malware is installed on the device in question. Once installed, the malware hijacks the device, and the fraudster can direct unique sessions from such devices to a specific campaign.

When a pool of traffic from the same device is detected, such devices must be flagged and filtered out.
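One way to detect such a pool, shown as an added example rather than code from the original post: a sliding-window counter over an impression log that flags any device (or IP address) producing too many impressions on one campaign. The log layout, the sample records, and the 60-second window and five-impression limit are assumptions to be tuned per campaign.

```python
from collections import defaultdict, deque

# Constructed sample impression log: (unix_ts, device_id, ip, campaign_id).
SAMPLE_LOG = (
    # dev-A: 8 impressions in 35 seconds on one campaign (pooled traffic)
    [(1000 + 5 * i, "dev-A", "203.0.113.7", "c1") for i in range(8)]
    # dev-C: 6 impressions spread over 50 minutes (ordinary browsing)
    + [(1000 + 600 * i, "dev-C", "198.51.100.9", "c1") for i in range(6)]
    + [(1010, "dev-B", "192.0.2.44", "c1"), (1500, "dev-B", "192.0.2.44", "c2")]
)

FIELD = {"device": 1, "ip": 2}  # which log column identifies the source


def flag_pooled_sources(events, by="device", window_s=60, max_per_window=5):
    """Return {(source, campaign): peak_count} for every device or IP that
    produced more than max_per_window impressions on one campaign inside
    any window_s-second window. Both thresholds are assumed values."""
    recent = defaultdict(deque)  # (source, campaign) -> timestamps in window
    flagged = {}
    for event in sorted(events):
        ts, campaign = event[0], event[3]
        key = (event[FIELD[by]], campaign)
        window = recent[key]
        window.append(ts)
        while ts - window[0] >= window_s:  # drop timestamps that aged out
            window.popleft()
        if len(window) > max_per_window:
            flagged[key] = max(flagged.get(key, 0), len(window))
    return flagged


def filter_valid(events, flagged, by="device"):
    """Drop every impression that came from a flagged (source, campaign)."""
    return [e for e in events if (e[FIELD[by]], e[3]) not in flagged]


if __name__ == "__main__":
    flagged = flag_pooled_sources(SAMPLE_LOG)
    kept = filter_valid(SAMPLE_LOG, flagged)
    print("flagged:", flagged)
    print("kept", len(kept), "of", len(SAMPLE_LOG), "impressions")
```

Keying on the campaign as well as the source keeps a heavy but ordinary user who sees many different campaigns from being flagged.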

2. Automated browsing from spoofed devices

In technical terms, this SIVT fraud technique is termed device spoofing. This is an affiliate fraud technique in which invalid traffic is generated from a fake device or a browser created by the fraudster specifically with malicious intent. There can be multiple fake devices with a different OS that a fraudster uses to constantly direct traffic. This helps ensure that their bot click generation efforts go unnoticed due to the involvement of multiple devices and they can waste the ad spending over a period.

3. Incentivized human invalid activity

As the name suggests, this includes invalid activity directed through click farms by actual humans rather than bots. Click farms generate fake impressions through continuous human engagement with a campaign at regular intervals. These farms consist of people who are hired specifically to generate clicks on various campaigns. The more clicks, the better the incentive. As a result, campaigns are infiltrated by impressions from people who have no genuine interest in the ad or the brand.

4. Manipulated activity

This type of activity includes click spam and other types of forced behaviour that induce an impression from the user’s end. A fraudster can employ bots to carry out activities like refreshing the browser page or forcing the opening of a new tab. These activities generate additional impressions that are invalid. Moreover, click spam from competitors or affiliates also falls under this category of SIVT as these clicks are never intended to produce any worthwhile results.

5. Falsified measurement events

These events relate to data points which are purposefully misrepresented or falsified by the fraudster. One example is that of location data. Such data is available through the device’s GPS or the IP address used for logging into the page which can be manipulated to generate additional impressions at different points of time.

Apart from this, the viewability of the ads can also be falsified. Put simply, an impression in which less than 50% of the ad’s pixels are visible for less than a second is passed through viewability compliance. Such invalid impressions also contribute to SIVT and must be flagged and filtered.
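A check for this kind of falsified viewability, added here as an example and not taken from the original post: it recomputes the longest continuous exposure from a measurement tag's visibility events and lists impressions that were reported viewable without reaching the bar. The event format and sample records are constructed, and the bar is assumed to be 50% of pixels for one continuous second.

```python
# Constructed sample: visibility-change events recorded by a measurement tag.
# Each change is (ms_since_render, fraction_of_pixels_in_view); a state holds
# until the next change, or until end_ms when measurement stopped.
IMPRESSIONS = [
    {"id": "imp-1", "reported_viewable": True, "end_ms": 3000,
     "changes": [(0, 0.0), (200, 0.8), (1500, 0.3)]},
    {"id": "imp-2", "reported_viewable": True, "end_ms": 2000,
     "changes": [(0, 0.3), (400, 0.4)]},
    {"id": "imp-3", "reported_viewable": True, "end_ms": 2500,
     "changes": [(0, 0.9), (600, 0.1), (900, 0.9), (1500, 0.0)]},
    {"id": "imp-4", "reported_viewable": False, "end_ms": 1000,
     "changes": [(0, 0.2)]},
]

MIN_FRACTION = 0.5  # assumed bar: at least 50% of the ad's pixels in view
MIN_RUN_MS = 1000   # assumed bar: for at least one continuous second


def longest_visible_run_ms(changes, end_ms, min_fraction=MIN_FRACTION):
    """Longest continuous stretch (ms) with the ad at or above min_fraction."""
    best, run_start = 0, None
    for t, fraction in changes:
        if fraction >= min_fraction:
            if run_start is None:
                run_start = t          # a qualifying run begins
        elif run_start is not None:
            best = max(best, t - run_start)
            run_start = None           # the run was interrupted
    if run_start is not None:          # still in view when measurement ended
        best = max(best, end_ms - run_start)
    return best


def falsified_viewable(impressions):
    """IDs reported as viewable whose measured exposure never met the bar."""
    return [
        imp["id"] for imp in impressions
        if imp["reported_viewable"]
        and longest_visible_run_ms(imp["changes"], imp["end_ms"]) < MIN_RUN_MS
    ]


if __name__ == "__main__":
    print("flag and filter:", falsified_viewable(IMPRESSIONS))
```

imp-3 is the case worth noting: its two 600 ms exposures add up to more than a second, but neither is continuous, so the reported viewable flag does not hold.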

6. Domain and app misrepresentation

A common technique fraudsters use to tarnish the reputation of publishers and defraud them is domain spoofing. A fake domain is created which is a replica of an actual publisher site. This fake domain is then used to win auction bids and serve ads to generate fake traffic. Similarly, the ID of an app can be spoofed, and any traffic generated through ads on such spoofed apps is counted as a genuine impression. This type of misrepresentation contributes heavily to SIVT.

7. Bots and spiders masquerading as legitimate users

As mentioned earlier, there are certain bad bots and spiders that perform irrelevant activities like click spam and web page refreshing in the browser. These bots are considered invalid and their main intent is to defraud an advertiser. These crawlers and spiders may use standard browser identifiers, which means they are disguised as legitimate users. It’s always a safe bet to eliminate such bots.

8. Hijacked ad tags

An ad tag is a code inserted in a webpage which sends a request to the ad server to show an ad in a specific place. Once hijacked, the real ads can be replaced by fake ones which consist of the attacker’s tag. As a result, the attacker’s fake ad would be shown to the user when requests are made to the server. The more these ads are seen, the more revenue is earned by the fraudster. As a result, impressions arising from hijacked ad tags are invalid and must be flagged.

9. Hidden/stacked ads

Ad stacking involves a fraudster placing multiple ads on top of each other in a stack in a single ad slot. These are stacked in such a manner that only the top ads are visible to the human eye. When humans see such ads, the fraudsters count impressions for all the ads in the stack even though the rest are not visible.
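Stacking can be detected from page layout data. The following added example (not from the original post) computes how much of each ad is left uncovered by ads above it and flags those mostly hidden. The rectangle format, the sample ads and the 50% cut-off are assumptions.

```python
# Constructed sample: ad creatives found in one page's layout, as rectangles
# in CSS pixels (x, y, w, h) plus their stacking order z (higher is on top).
ADS = [
    {"id": "stack-top", "x": 0, "y": 0, "w": 300, "h": 250, "z": 3},
    {"id": "stack-mid", "x": 0, "y": 0, "w": 300, "h": 250, "z": 2},
    {"id": "stack-bottom", "x": 0, "y": 0, "w": 300, "h": 250, "z": 1},
    {"id": "sidebar", "x": 1000, "y": 0, "w": 300, "h": 250, "z": 1},
    {"id": "overlay", "x": 1000, "y": 0, "w": 150, "h": 125, "z": 2},
]


def _cuts(lo, hi, covers, pos, size):
    """Sorted edges of `covers` along one axis that fall inside (lo, hi)."""
    inner = {e for o in covers for e in (o[pos], o[pos] + o[size]) if lo < e < hi}
    return sorted({lo, hi} | inner)


def visible_fraction(ad, ads):
    """Fraction of `ad`'s area not covered by any ad with a higher z.
    The ad is cut into grid cells along the covering ads' edges, so every
    cell is either fully covered or fully visible and the result is exact."""
    covers = [o for o in ads if o["z"] > ad["z"]]
    xs = _cuts(ad["x"], ad["x"] + ad["w"], covers, "x", "w")
    ys = _cuts(ad["y"], ad["y"] + ad["h"], covers, "y", "h")
    hidden = 0
    for xa, xb in zip(xs, xs[1:]):
        for ya, yb in zip(ys, ys[1:]):
            cx, cy = (xa + xb) / 2, (ya + yb) / 2   # cell centre
            if any(o["x"] <= cx < o["x"] + o["w"] and
                   o["y"] <= cy < o["y"] + o["h"] for o in covers):
                hidden += (xb - xa) * (yb - ya)
    return 1 - hidden / (ad["w"] * ad["h"])


def find_stacked(ads, min_visible=0.5):
    """IDs of ads with less than min_visible of their area uncovered."""
    return [ad["id"] for ad in ads if visible_fraction(ad, ads) < min_visible]


if __name__ == "__main__":
    for ad in ADS:
        print(ad["id"], round(visible_fraction(ad, ADS), 2))
    print("hidden in a stack:", find_stacked(ADS))
```

Impressions counted for the IDs returned by `find_stacked` are the ones to flag; the partly covered sidebar ad stays valid because three quarters of it remains in view.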

10. Invalid proxy traffic

A proxy server acts as a gateway between a browser and the real server. However, some proxies constantly carry out fraudulent activity. These proxies can originate from a separate device that specifically manipulates traffic counts or passes on invalid traffic. It is therefore important to identify traffic arriving through proxy servers, because a proxy may also route traffic from data centers to make its origin seem genuine.