Our industry is plagued with fraud. Global industry bodies are now involved, with the IAB releasing Ads.txt guidelines and Trustworthy Accountability Group (TAG) developing focused programs. Many platforms rely on specialized third parties like Integral Ad Science (IAS), Forensiq, and others to keep the ecosystem safe. However, working predominantly with external partners carries risks and reduces control. One classic outsourcing rule states that business-critical processes shouldn’t be outsourced unless they’re a commodity. Is fraud detection a highly-standardized service? Clearly not.
One major risk stems from setups not featuring real-time detection and adaptation to fraudulent patterns. Real-time is not today’s standard. Even TheTradeDesk only just recently announced a real-time approach with an external partner, which indicates that some platforms still work in batches. It is clear that working with batched updates enables fraudsters to game your system:
As soon as information on batch update schedules is leaked or derived via testing, the bad guys can trick such a system by starting with a fresh set of cookies or a new set of IPs in perfect sync with the batch updates. Thus, the fraud is undetectable to the algorithm. As a result, all the hype around Machine Learning and AI don’t help if you are too slow.
Even if everything is updated and integrated into real-time, using third-party platforms and not investing in proprietary algorithms puts you at risk. Why? Specialized and widely spread fraud-detection approaches are attractive targets for fraudsters. If they attack such a player successfully, they hit a lot of birds with one stone as the solution was supposed to protect many systems simultaneously.
You only need access to the fraud classification service of the specialist provider, for instance by signing up as a paying client, et voilà: You’re capable of training your bots to go under the radar. Initially, your bots will be classified as fraud but only in “your” artificial environment. Then, in the next iterations you train, test, and learn until the bots are good enough. Then, they are released into the wild where the same detection mechanisms are used on big advertising platforms.
Thus, the bad guys reverse-engineer the detection algorithm and easily trick it. Tricking a solution only running proprietarily and integrated into a single DSP is less attractive than attacking a third-party solution used by many. Aiming at widely deployed third-party approaches scales better, generates more money, and is far easier. Attacking a proprietary solution can only be done by actually ingesting fraudulent traffic, buying significant traffic on the platform in order to see if it gets through the gates. The more information, services, and APIs on fraud prevention that are public, the easier it is for con artists to game the system.
Don’t believe the hype around pure AI and automated approaches. Fraud detection is a cooperative discipline. Any solution should combine AI / Machine Learning with business rules and human inspection. Domain-specific knowledge is critical to success. Many suspicious signals aren’t binary classifiable as fraud/non-fraud. Often suspicious traffic is still 100% legit and should not be cut-off. In some cases, the human experts need to make the final call.
Most notable, quality and diversity of data defines whether algorithms reach the necessary level of excellence. Rich data, derived from different sources, such as combining SSP / DSP bid request data with actual delivery data from the ad server, and even onsite engagement and conversion data, is more vital to success than re-tweaking algorithms. High-quality data and visibility into each step of the delivery chain is the ground truth that drives all those algorithms, it doesn’t matter if AI / ML or business rules are used, poor data will ruin your performance in all scenarios.
For me, it is obvious that all adtech platforms should have dedicated, cross-functional teams working on owned, proprietary algorithms for fraud detection. Additionally, human experts should constantly monitor suspicious traffic and do deeper, specialized analysis in ambiguous cases. Ultimately, all of this can and should run in sync with third-party solutions, especially if a client requires such a partner explicitly.
If someone sees this differently, what will you tell advertising clients if something goes seriously wrong: “Sorry, our partners messed up and we can’t give you details because we have no clue what they are doing?” Not an enviable position to be in…
Recommended Read: The Fight Against Fraud: Are You Throwing Good Traffic Out with the Bad?