FouAnalytics Case Study: future-proof ad fraud that even outlasts cookies
When you've studied ad fraud as long as I have, you'd appreciate a fraud scheme so clever, and hidden in plain sight, that it is future-proof and will even outlast cookies. It's also so convincing that its victims, the advertisers and the agencies that buy media for them, don't want to stop buying it. That's what makes it a great con: the vics want to keep paying for it.
Here's how it works.
When cookies are used for attribution
I wrote about this previously, so I will just highlight the key points here. When an ad is loaded on a device, a cookie is set, which marks the device as "exposed" (i.e. exposed to the ad). Then when the user of that same device completes a purchase, that conversion is attributed back to the ad exposure. The concept of view-through conversions (VTC) uses a variable time window of 30, 60, or even 90 days. If any conversion happens in that view-through conversion window, it is attributed back to that ad impression. Smart marketers are beginning to realize that a single display or video ad impression doesn't cause an individual conversion, even if it DID contribute to the purchase consideration process. But this kind of attribution has been done and accepted for the last decade.
So how does this fraud scheme work, technically? There are two ways.
1) mark all devices as "exposed" -- the fraudulent adtech vendor buys a large quantity of very low cost display impressions. The moment such a display ad gets loaded into the device the cookie is set and the device is marked "exposed." If all 350 million devices in the U.S. are all marked as "exposed" then when any of these devices completes a purchase (a "conversion") that conversion is attributed back to that ad exposure (when the display ad loaded). Note that many of these low-cost display ads can be loaded in the background when someone is playing a mobile game like Candy Crush, Subway Surfers, etc. The user didn't see the ad or click on it, but their device was marked as "exposed" anyway.
This is a particularly clever scheme because it uses Google's platform to do the attribution reporting and ROAS calculations. When the ad is loaded from the ad server DCM/CM360, the platform sets a cookie and records that device as exposed to the ad. If that same device later converts, the platform assigns the view-through attribution credit to that display ad. Google sets the cookie when the ad loads and can read the same cookie when the conversion happens because the cookie is set from a Google-controlled domain -- doubleclick.net.
2) load the landing page which contains a conversion tracking pixel -- the other way the fraudster can claim credit for sales/conversions they didn't actually cause is by loading the landing pages of their customers, the advertisers, which contain a conversion tracking pixel. Again in this fraud scheme a Doubleclick Floodlight conversion pixel is already installed on the landing page. By loading the landing page with a hidden browser, the fraudster tricks Google's platform into recording that specific device as having visited the landing page. Google sets a cookie that it can later read to attribute credit for conversions back to the fraudster.
Again, the device (mobile phone or laptop computer) is a real device. The user is a real human. That human later actually buys something or completes a booking. The sales/conversions did happen. But they were not caused by the adtech fraudster's ads. The adtech fraudster just claimed credit for having caused the sale, by manipulating the attribution. In this scheme, they are taking advantage of Google's tracking and reporting and they know exactly how to trick Google into giving them credit for the conversions. This is how they can tune the ROAS to be so high that the advertiser/customer WANTS to continue paying for the vendor's magical tech.
When cookies are no longer available
This is where the "future-proof" part comes in. Because the fraudster is using Google's CM360 platform to track and report on conversions and ROAS, this scheme works even when cookies go away. Google can still set their own cookies upon ad exposure and upon a device visiting the landing page, so it can still attribute conversions back to the fraudster. And even when cookies go away completely, Google still knows who the user/device is because human users are logged into the Android devices at all times, they are logged into Gmail, Google Maps, YouTube, and other Google services all day long. Google has their device IDs and can still do the same view-through conversion attribution without needing cookies set in browsers.
This means the fraudster's scheme can continue even after cookies finally go away, because it relies on tricking Google's reporting to give them credit for the conversions. That's why ROAS is super-high, abnormally high. And that's why advertisers thought that the adtech fraudster's campaigns were working SO well, they increased budget and they wanted to keep paying for it. But alas, once the advertiser realized that the super high ROAS was due to falsification of the conversion reporting in Google's CM360, they took a closer look at their actual sales.
When they turned off ad spending with this adtech fraudster, the number of conversions in CM360 dropped off. That's because it was over-attributing those conversions to this vendor's campaigns. But the actual conversions, in the company's ledger (NOT CM360) remained steady. This is almost like the Uber case study from 2016 where they found that app installs continued after they paused the cost-per-install (CPI) campaigns. That's because those installs of the Uber app were organic (the user wanted to install the Uber app) not because they saw an ad and clicked on it. The mobile networks selling the CPI campaigns were simply falsifying the attribution to make it look like they caused the app installs, when the installs had already occurred.
Not new fraud, hidden in plain sight for years
And this has been a form of fraud for many years, committed by many adtech vendors. Remember the Criteo vs Steelhouse lawsuits from 2016? It was all about who was the "last click" and therefore who would get the credit for the sale, even if they didn't actually cause it.
This is closely related to affiliate fraud, where fraudsters "cookie bomb" as many human users as possible. So when these humans complete purchases, the cookies assign credit, falsely, to the fraudster so they earn the affiliate commission. And adtech fraudsters also write false data into their own customers' Google Analytics, to make conversions appear to be driven by campaigns run with the particular vendor.
So what?
Trust your gut. If the ROAS reports look too good to be true and if the number of conversions the vendor claims to be driving is too absurd to be true, it probably is (too absurd to be true). Try turning off the campaign to see if any real sales drop off (in your own ledger, not in the easily falsified reporting platforms like CM360). You may not want to turn off national campaigns, but you certainly can turn off the spending in a state, or city. And see if the conversions actually drop off. Again, you have to look at your own books, not at CM360. If the sales continue unabated, that means the adtech scheme wasn't actually driving those sales, even if the reporting made it look like they were driving tons of conversions and super high ROAS.
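One way to run the regional turn-off check described above, as an added example (not the author's or FouAnalytics' code): it compares the drop in platform-attributed conversions with the drop in the ledger, using a second region that kept running as the baseline. All region names, figures and function names are constructed for illustration.

```python
from statistics import mean

# Constructed sample data (not from the article): daily conversions for the 7
# days before and after pausing the vendor in one region ("holdout"), plus a
# comparable region where the campaign kept running ("control").
LEDGER = {  # the advertiser's own books
    "holdout": {"before": [120, 118, 125, 122, 119, 121, 123],
                "after": [119, 121, 120, 124, 118, 122, 120]},
    "control": {"before": [300, 310, 295, 305, 298, 302, 304],
                "after": [303, 299, 306, 301, 297, 305, 300]},
}
PLATFORM = {  # conversions the reporting platform credited to the vendor (holdout)
    "before": [80, 78, 83, 81, 79, 80, 82],
    "after": [2, 1, 0, 1, 0, 0, 0],
}


def geo_holdout(ledger, platform):
    """Compare conversions claimed in reporting with the ledger's real drop."""
    h_before = mean(ledger["holdout"]["before"])
    h_after = mean(ledger["holdout"]["after"])
    c_before = mean(ledger["control"]["before"])
    c_after = mean(ledger["control"]["after"])
    if c_before <= 0:
        raise ValueError("control region needs a non-zero baseline")
    # Counterfactual: holdout sales had they followed the control region's
    # trend (seasonality, promotions) with the campaign still running.
    expected_after = h_before * (c_after / c_before)
    incremental = expected_after - h_after  # real daily sales lost by pausing
    claimed = mean(platform["before"]) - mean(platform["after"])
    # Share of claimed conversions with no matching drop in the ledger.
    unsupported = None
    if claimed > 0:
        unsupported = min(1.0, max(0.0, 1 - incremental / claimed))
    return {"claimed_per_day": claimed, "incremental_per_day": incremental,
            "unsupported_share": unsupported}


if __name__ == "__main__":
    for key, value in geo_holdout(LEDGER, PLATFORM).items():
        print(f"{key}: {value}")
```

An unsupported share near 1.0 means the reporting platform's conversions disappeared with the spend while real sales did not, which is the over-attribution pattern the article describes.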
Happy Saving Money Y'all (less of your budget being paid to adtech fraudsters).
Revenue Ops Director at Image Advantage | Ad Tech Innovator | Managing Direct Yahoo Search Feed | N2S | D2S | S2S | Pursuing Quality Traffic Sources
1w: Sneaky. I'm at a Search Arb feed and we get a ton of traffic. We try to stay ahead on various types of fraud, but this was not on my radar. Now it is, and let me see what I can do to id it from the middleman point. Thanks for writing this up! Always good to hear about the clever ones!
Partner Marketing Manager | SaaS Growth
1w: Fraud schemes can be sneaky and hard to spot! Sharing tips on detecting these issues can boost everyone's skills in digital marketing.
FouAnalytics - "see Fou yourself" with better analytics
1w: To be clear, MANY different adtech vendors are gaming attribution to make campaigns run on their platforms appear to be performing really really well.
Fascinating breakdown of an incredibly complex and deceptive scheme. Ad fraud like this highlights the urgent need for innovative solutions to protect advertisers and agencies from such manipulation. At TravelGrowth.ai, we’re developing a solution that combines blockchain and quantum computing to tackle these exact issues. Blockchain ensures transparency and traceability in ad delivery and attribution, creating an immutable ledger of transactions. Quantum computing allows us to analyze massive datasets at unprecedented speeds, identifying anomalies and patterns indicative of fraudulent activity. This approach not only detects fraud but helps prevent it, making attribution systems more secure and resistant to manipulation. Would love to hear your thoughts on how technology like this could disrupt the ad fraud ecosystem! #AdFraud #BlockchainSolutions #QuantumComputing #DigitalMarketing #TravelTech #InnovativeSolutions