Why fighting mobile click fraud is a waste of time
Fraud prevention is heating up in mobile. But trying to fight fraudulent clicks from mobile apps is a losing battle. Instead, try these three tips.
Every week, a new industry expert or solution enters the fray to solve the billion-dollar fraud market. That’s great. Collectively, we can only combat fraud if as many parts of the mobile marketing stack as possible embrace the techniques and implementations available.
All the same, advertisers frequently want detection and reporting on fraudulent clicks.
We refuse.
Fighting clicks from mobile apps is not only foolish, but an utter waste of focus. Permanently out-fooling such fraud prevention filters is a trivial task for the average fraudster. At best, fraud detection for cost-per-click (CPC) campaigns would be a stopgap and an ersatz pacifier for concerned marketers. At worst, it’s counterproductive snake oil.
Here’s why.
The types of fraud occurring on websites only partially match the types of fraud in apps. They work roughly the same: some software simulates the click and the conversion or install. However, on the web, this happens in a consistent environment where ad delivery is easily monitored inside the browser.
In fact, the whole journey from impression to conversion on the target website can be seen transparently and tracked with JavaScript and cookies. This allows you to check if a website is producing background clicks for cookie dropping. On the web, we have an array of tools for interacting deeper in the value chain.
In the app world, none of this works.
Cookies and JavaScript are extremely limited, if available at all. There are no insights into ad clicks beyond the pure HTTP requests and the data attached to them. Individual networks can perform spot checks, but the type of coverage required by effective fraud prevention cannot be achieved.
HTTP requests and the data attached to them are completely unreliable because fraudsters can easily modify them. A fraudster can make the HTTP request look like it comes from an iPhone when it’s actually from a connected toaster, or vice versa.
The only reason fraudsters would hijack real devices on real networks is that they can’t fake the IP address. Server-to-server clicks even skirt that need.
Therefore, a background click from a device running a malicious app looks exactly the same as a legit click. Ever wonder why there are so many battery saver and flashlight apps?
An individual click will show up from a legit IP with real headers from actual devices, often with a legit device ID of a real user, even making it possible for one device to “click” for hundreds of other real devices. Individually, this click cannot be filtered out.
Clicks should still be placed under scrutiny in aggregate in order to prevent poaching of organic conversions via click spam. This approach, called “distribution modeling,” is very promising for fixing attribution rules and post-install datasets, but it is not useful for detecting and preventing false clicks and charges on CPC campaigns.
So what does that mean for your CPC campaigns?
Here are three pieces of advice, beyond the general recommendation not to run CPC on mobile:
1. Don’t keep CPC campaigns running forever
Turn off CPC campaigns as soon as they convert significantly lower than average, at sub-percentile click-to-install rates. Hundreds of people don’t decide to click your ad only to turn away at the sight of your app store page.
It’s much more likely that someone is faking a large number of clicks, and those few conversions you are seeing are actually organic conversions that are being falsely claimed by the ad network.
2. If it sounds too good to be true, it probably is
A very typical symptom of organic conversions being poached is that while the CPC certainly is expensive, the retention and downstream conversion rates look good.
This is again because the retention is being generated by organic users, who typically retain better than many paid users.
3. Place very high demands on the quality of incoming traffic
Write your quality demands into your IO: precisely what platforms and countries you are targeting, whether you are filtering anything like anonymous IPs, and any other measures you’re taking. Explicitly stating it in your IO places you in a much stronger position, should you ever need to return to your partners with bad news.
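The first two tips can be checked from aggregate numbers alone, without inspecting any individual click. The sketch below is an added example, not code from the original article: the source names, counts, organic baseline and all three thresholds are constructed assumptions, and the median stands in for "average" so a single flooded source cannot skew the comparison.

```python
from statistics import median

# Constructed sample aggregates per traffic source (not real campaign data):
# (source, clicks, attributed installs, installs still active on day 7)
CONSTRUCTED_SOURCES = [
    ("network_a", 12_000, 540, 97),
    ("network_b", 950_000, 610, 214),
    ("network_c", 48_000, 1_900, 380),
]
CONSTRUCTED_ORGANIC_D7 = 0.36  # constructed organic day-7 retention baseline


def review_sources(sources, organic_d7, max_cti=0.01, median_ratio=0.25,
                   retention_margin=0.05):
    """Return per-source findings based on aggregate rates only.

    All thresholds are assumptions for illustration:
      max_cti          - click-to-install rate below which a source is suspect
      median_ratio     - "significantly lower than average", measured against
                         the median CTI across sources
      retention_margin - how close to organic retention counts as "too good"
    """
    rates = {}
    for name, clicks, installs, retained in sources:
        cti = installs / clicks if clicks else 0.0
        d7 = retained / installs if installs else 0.0
        rates[name] = (cti, d7)
    typical_cti = median(cti for cti, _ in rates.values())

    findings = {}
    for name, (cti, d7) in rates.items():
        flags = []
        if cti < max_cti and cti < typical_cti * median_ratio:
            flags.append("pause: click-to-install rate far below typical")
            # Tip 2: near-organic retention on such a source suggests the
            # installs are organic users being claimed by the source.
            if d7 >= organic_d7 - retention_margin:
                flags.append("review: retention looks organic")
        findings[name] = {"cti": cti, "d7": d7, "flags": flags}
    return findings


if __name__ == "__main__":
    results = review_sources(CONSTRUCTED_SOURCES, CONSTRUCTED_ORGANIC_D7)
    for name, f in results.items():
        print(f"{name}: cti={f['cti']:.4%} d7={f['d7']:.1%} {f['flags']}")
```
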
The oft-repeated adage is that mobile is very different from the desktop web. The techniques, methods and campaigns we can run on the desktop web don’t translate well to mobile. As a space, we have to progress from those ideas.
___
by Paul Muller