The short answer is “Yes.” Some of it. The harder question is what portion of it is real—that is, humans reading real content and viewing your digital ads. In the last five years, digital fraud rose dramatically alongside the rapid growth of programmatic “ad tech.”
The intersection of digital ad fraud and the pharmaceutical and medical device industries is not coincidental. In fact, these industries are under the heaviest attack by cybercriminals because of the greatly expanding ad budgets, especially in DTC, and because of the very high CPCs (cost per clicks) and CPMs (cost per thousand impressions). Pharma companies often pay 10 to 100 times higher CPCs and CPMs compared with other industry verticals, such as consumer packaged goods, entertainment, and retail, making it an extremely lucrative target for the bad guys.
Because of this, it should also be an area of concern and intense focus for marketers in these industries. In this article I will start with the basics: What is ad fraud and how is it committed? Then I will discuss specific examples of how it impacts pharmaceutical advertisers, across all digital channels including display, video, mobile, and search marketing, and finally, techniques to detect and reduce ad fraud, most of which do not require advanced analytics or advanced technology solutions.
Ad Fraud’s Background
Normally advertisers expect their ads to load when webpages load, when humans visit websites. But in the case of ad fraud, the ads are not shown on good websites and they are not shown to humans. These two ingredients—fake websites and fake users—are the key ingredients to the two largest forms of ad fraud: 1) impression fraud (also known as CPM fraud) and 2) click fraud (also known as CPC fraud). When bots go to these fake websites and cause the ad impressions to load, these fraud sites earn the ad revenue. With the rise of programmatic ad buying, millions upon millions of these fake sites were created and added into ad exchanges in order to sell ad impression “inventory.” In this way, as digital media became more automated, the bad guy’s fraud operations also became more automated and scalable, i.e., easier to commit fraud.
1. Why do cybercriminals commit ad fraud?
There is a ton of money in it. With digital ad spend estimated to exceed $70 billion in the U.S. and $170 billion globally, a large treasure trove of cash is available that the bad guys can steal from. Ad fraud is also very profitable. The bad guys are not creating real content that real humans want to read. They are not trying to attract real humans to their sites, because they know they can just buy all the traffic (“sourced traffic”). And their operating costs are low. Further, in this day and age of cloud services, bad guys don’t even need to buy server hardware or set up hosting facilities. They literally “pay as they go” as they use resources in the cloud to commit ad fraud, and these margins could be as high as 99%.
The tools to commit fraud are easy to make. Bots are automated browser tools that developers use to test their websites or mobile apps before launch. But now these legitimate tools are being used for illegitimate purpose—to commit ad fraud. These tools can be programmed to do tasks repetitively, such as hitting webpages over and over again (to make fake ad impressions). They are also advanced enough to create fake mouse movements, page scrolling, and clicks, and can therefore bypass more fraud detection platforms.
2. How do they rip off pharma advertisers?
First and foremost, it is obvious that ads shown to bots represent wasted ad dollars; bots will never convert into real customers. But another even scarier consideration is how the fraud messes up analytics. When bots create fake traffic, fake impressions, and fake clicks, these actions are faithfully recorded by analytics platforms used by advertisers and their agencies. These fraudulent actions thus impact the key performance indicators (KPIs) that are used to judge the effectiveness of marketing campaigns and to optimize spend allocations. If bots can create higher click through rates, lower bounce rates, more time on site, etc., they may cause the advertiser to inadvertently allocate more budget to those fraud sites, thinking they were optimizing their campaigns.
The bad guys also cover their tracks to hide the fraud. This can be done as simply as passing fake parameters in the click through URLs. For example “utm_source=webmd.com.” Even though it was a fraud site that loaded the ad or sent the click, it would still appear to be from WebMD in the marketer’s analytics. These variables, which are declared as opposed to detected, can be so easily faked that they should not be trusted. Advertisers should look for other ways to verify the true origin of the clicks and also look for other corroborating evidence to determine if the visit was actually valuable. For example, if all those clicks from WebMD yielded visits that had 100% bounce rate and zero time on site, then those are not valuable and should be inspected more carefully. Real humans who click through from WebMD would likely stick around to read more or take some sort of action.
Ad fraud impacts all forms of CPM and CPC ads. In mobile, there are mobile display and mobile search ads. These tend to have higher CPMs because of the additional geolocation and targeting capabilities and because of the much higher demand. But that makes it more lucrative and attractive for bots. Also, mobile is less measurable because mobile apps cannot be measured by any fraud detection technology that is based on javascript detection methods. Mobile apps can only be measured by analytics software development kits (SDKs), but obviously bad guys won’t add SDKs to their apps because they don’t want to be measured. So mobile, conveniently, is more lucrative and less measurable and hence—a hotbed of fraudulent activity. When published reports show lower fraud in mobile, it’s not actually lower fraud in mobile; instead, it’s simply because less fraud is measured.
Finally, video ads that carry 5 to 20 times higher CPMs are also much more prone to bots because they can make more money causing video ad impressions.
What Can Pharma Advertisers Do to Fight Ad Fraud?
Let’s start by saying expensive, advanced technology is NOT needed to detect and mitigate ad fraud. There are many forms of “low hanging fruit” that can be taken care of first, before more advanced technology solutions are brought to bear.
Some no-tech techniques marketers and analytics professionals alike can start to use right away to see if fraud is impacting their campaigns:
First, look for data center traffic, for example, from Amazon Web Services. Bots are created by the millions in data centers—humans don’t access the Internet through data centers. So if your ad impressions are loaded by visitors from data centers, or if your site has traffic from users coming from data centers, they are not human. Second, look for “outliers”—that is, anything that is too high and anything that is too low should be treated as highly suspicious, for example, 100% viewability, or 0% bots, or 0% bounce rates, etc.
For a sense of what is normal human behavior, look at your organic traffic (coming from organic search). When humans do searches, and they click through on organic search results and arrive at your site, they actually want to be there. And they would look around for the information they are seeking. Use those metrics as a benchmark for what humans typically do on your site. Then compare the traffic coming from your other paid advertising sources and see how those metrics compare with your organic data. Anything that is significantly higher or significantly lower than these “norms” should be further investigated.
Also, insist on online item details—because fraud hides easily in averages. If your paid advertising platforms or vendors just report back a single rolled-up number for the month, you are missing the details you need to determine if any fraud is occurring. But if you have line item details, such as the exact placements of your ads (domain by domain), you can see crazy things like 100% click through rates (CTRs). Those sites are fraudulent and can be immediately added to a blacklist so your ads are no longer served there. If marketers do this systematically the amount of fraud will be driven downward systematically.
After employing these methods, then we can deploy some additional technology to help detect more bots and fraud. There are good fraud detection companies that do detection at various parts of the digital media supply chain. In-network detection uses two pieces of information—the site and the user—to decide whether to serve the ad. On-site detection uses code installed on websites (e.g., landing pages for paid digital ads) to verify whether the users arriving on the site are human or bot, so the advertiser can turn off the sources that are sending a lot of invalid traffic. And finally, in-ad detection technologies are used to measure the users that caused the ad to load and look for telltale signs of human versus bot behavior. This tech can also help to prevent the ad from being served.
In conclusion, vigilance and detailed data will help to illuminate fraud and reduce its negative impact.
