Mar 06, 2025
On February 27, The Capitol Forum held a conference call with Dr. Augustine Fou of FouAnalytics to discuss ad fraud in digital marketing, focusing on how companies and regulators can better identify fake customer traffic, clicks, sales attributions and other historical patterns of ad fraud and abuse. The full transcript, which has been modified slightly for accuracy, can be found below.
Ethan Ehrenhaft
Good morning, everyone, and welcome to our conference call today with Dr. Augustine Fou. I’m Ethan Ehrenhaft, a technology and privacy correspondent at The Capitol Forum. Dr. Fou is an independent ad fraud researcher and the founder of FouAnalytics, and today we’ll be discussing ad fraud and digital marketing, a subject Dr. Fou spent nearly three decades investigating.
Dr. Fou, thank you so much for joining us today. And before we get started, I’d like to go over a few housekeeping items. To submit questions, please type them into the questions box of the control panel. We’ll collect questions throughout the call and address them during the Q &A session towards the end of today’s conversation. A disclaimer that we will not be discussing practices by specific companies today outside of past reporting, so please try to keep your questions to general ad fraud practices and potential remedies.
And with that said, let’s dive into our conversation. Dr. Fou, it’s great to be with you. For listeners that are new to your work, I’d love if you could start off by defining a little bit what ad fraud is, generally speaking, and what drew you into investigating it in the first place.
Dr. Augustine Fou
All right, sounds good. Thanks, Ethan. Glad to be here with you. So I’ve talked about ad fraud for many years, going on 15 years. There’s going to be four main types of ad fraud and I’m gonna group them by the revenue model that is widely recognized in the adtech industry.
So the first is called CPM, it’s “cost per thousand.” And that form of fraud is where the bad guys are simply creating these ad impressions out of thin air and every thousand times these ads are loaded, they get paid. So that’s called CPM or cost per thousand fraud.
The second is CPC fraud or “cost per click” fraud and this typically goes with search ads because in this case not only does the ad have to show, you also have to click on the ad in order to earn the ad revenue. So cost per click or CPC fraud is both displaying the ad as well as the bots clicking on the ad so that’s the form of fraud.
The third one is “cost per lead” and there are in industries like financial services like insurance or university marketing where they’ll say we’re only going to pay for the outcome like cost per lead generated. In that case the bots are able to submit the lead forms and get paid that cost per lead and that’s a form of fraud.
Then the fourth one would be “cost per acquisition” or also known as affiliate fraud where the advertisers pay a revenue share after a conversion or a purchase is completed. So again, it’s a form of performance advertising where they only pay when they get the outcome.
But in this case, there’s a form of fraud that we’re going to talk about today, which is attribution fraud.
So basically, the platforms and the fraudsters are claiming credit for sales that would have happened anyway, or that had already happened. So just to recap, there’s four main types of fraud that I’ve been researching. CPM, cost per thousand, CPC, cost per click, CPL, cost per lead, and CPA, which is cost per acquisition or cost per action.
Ethan Ehrenhaft
Got it. Yeah. Thank you so much for giving that overview and I think it’s important to get our definitions out of the way up top.
If you wouldn’t mind next, I would love for you to explain to, again, our listeners, what kind of work you do with FouAnalytics, how that practice came to be, and how you sort of carved out this niche for yourself within the ad fraud researching community.
Dr. Augustine Fou
Of course. So back in 2010, 2011, I was at Omnicom in a group of eight agencies serving pharmaceutical and healthcare and med device clients.
And at the time, pharmaceutical companies, advertisers, were using a lot of paid search to reach their customers.
So when someone’s typing in a word, their ads would come up. But what we were noticing in the reports were very strange things, like higher-than-normal click-through rates and in some cases, even 100% click-through rate, right?
So there’s literally a click for every single ad impression and that didn’t quite make sense. And the other thing that was interesting is that we saw clicks coming after the campaign was over.
So we literally finished the campaign, it was turned off, and we still see clicks coming to the site. So clearly something was wrong, and at the time, 2012, no one could adequately explain to me what that was. Llong story short, it’s bots clicking on the ads.
And in fact, the bots can copy the click-through URL and keep clicking on it, right, or keep replaying those URLs even after the campaign is over. So that’s when I left Omnicom.
So 2013 was when I really got started into researching this and trying to figure out why this was happening. And long story short, the bots have a financial motive to commit CPM fraud and CPC fraud.
For all intents and purposes, we’ll be focusing on the first two of the four that I talked about earlier, CPM and CPC, because those two collectively account for almost 90% of the digital ad spend. Most of the large advertisers are spending on cost per thousand and cost per click.
Of course, there’s fraud in CPL and CPA, but we’re going to basically focus on where the money’s at and where the fraudsters are playing.
So that being said, I started researching that, and then basically we went about auditing the campaigns for clients and when we isolated the sites that were generating 100% click-through rates or 50% click-through rates, like completely irrational click rates, we could basically add those sites back into a block list and help them clean up the campaigns. So that’s kind of how we got started.
But along the way I had to build better tools which is now known as FouAnalytics. Back then it was just tools for auditing the campaigns so we can actually see very simple things like when you see a click coming to your website and then you see zero interaction after they arrive, something’s wrong with that. Because if a human deliberately clicked on an ad they were curious about something so they’re probably going to move the mouse, scroll the page and look around on the page.
So, you know, you don’t really even need any kind of advanced tools because if you look at your own Google Analytics, I’m sure a lot of the folks on the call would have seen in their Google Analytics something like 100% bounce rate or zero time on site. So you can kind of tell there’s something wrong with the quality of those clicks that came through to your site anyway.
But adding some of these tools that I’ve built over the last 15 years, we could actually see either no mouse movement or clicks without a corresponding touch.
Say, for example, it’s a mobile device. A human has to touch the screen before they can click something. So if we see there’s a click, but there’s the absence of any touch events, that can’t be done by a human.
So there’s certain things like that that we can triangulate together and then figure out that these are clearly faked or somehow the click was sent into the analytics without an actual person touching the screen. So that’s kind of how it’s all evolved and I’ve been now studying the fraud problem, ad fraud problem for almost 15 years.
Ethan Ehrenhaft
Right, and you’re talking about some of these red flags for metrics and things like absurdly high click-through rates that companies can initially identify as the problem.
What generally happens if a company or client detects things like that through your services? What tends to be their reaction or kind of processing and next steps taken in that case?
Dr. Augustine Fou
Yeah, it’s usually very straightforward.
Like I said in the first case, almost 15 years ago when I was doing these audits for the pharmaceutical clients, we would simply add those fake sites to a block list and then their ads would not show on those fake sites and that would help them reduce the waste, right? If the ads are shown on a fake site and the bots are clicking on them it’s a lot of money wasted and they’re not getting the advertising uplift that they’re expecting. So by blocking those sites we can actually help reduce the fraud and reduce the money being wasted on those sites but that said you know fast forward 15 years most of the ad spending or the mobile apps now so it’s not necessarily a web page or fake site.
There’s also plenty of fake mobile apps, casual games, apps that just run a whole bunch of ads in the background throughout the night and stuff like that. Advertisers, hopefully, will be more aware that fraud is not just limited to bots hitting web pages.
Ethan Ehrenhaft
And speaking of clients, we had one audience question already: just curious in terms of who your clients tend to be, not naming specifics but are these small companies, large companies, independent advertisers, everyone in between, who tends to be interested?
Dr. Augustine Fou
Yeah it’s actually the largest of advertisers so the reason that came to be is because the largest advertisers have so much money they want to spend in digital. For example, Procter & Gamble has two billion dollars they spend annually in digital channels So, when you’re trying to spend that amount of money, there’s not enough ad impressions to buy.
For example, when you go to a legitimate publisher site, there’s a finite number of ad impressions because there’s a finite number of human visitors visiting Home & Garden or Food Network or AP or CNN.com, and humans only generate a small number of page views per visit. When you add that all together, there’s just not enough ad impressions to buy.
What made programmatic buying so tempting is that they were offering tens of billions of impressions, more impressions than you could get from buying ads from legitimate publishers. So a lot of the advertisers started shifting dollars into programmatic channels and buying from those ad exchanges, which basically became mainstream in about 2013, 2014 timeframe, and once they did that, they started losing sight of where their ads are going.
So instead of buying direct from a Condé Nast, or a Hearst, or a Meredith, these big publishers, they’re now giving a big chunk of money to an exchange and hoping that they would help them place their ads on hundreds of thousands of sites and apps. And because of that, because of the rise of programmatic exchanges 10 years ago, that’s what also gave rise to a dramatic proliferation of ad fraud.
Because now fraudsters could set up tens of thousands of fake sites using WordPress templates and then just add all of them into ad exchanges and now they can actually start monetizing and taking budget from big advertisers like Procter & Gamble, Unilever, and so on and so forth.
Previously, if they went to a P&G and said, “Oh, do you want to buy ads from us?” The big advertisers will say, “Who the heck are you guys? We’re not going to buy from someone we’ve never heard of before.”
But once it’s all mixed together in a programmatic exchange, it made it a lot easier for the bad guys to commit the fraud and get away with it.
So long story short is my clients are the large advertisers because of the amount of money they’re spending in digital, they’re now finally waking up to the fact that a lot of that is now is lost to fraud.
In years past, they would rely on what I’m going to call legacy fraud verification companies. There are companies that sprang up to detect bots and fraud and the advertisers were relying on them to help them kind of protect those ad dollars from going to fake sites that use bot traffic. But unfortunately, if you look at the publicly published press releases, they all said 1% IVT—invalid traffic—for the last nine years.
So if you’re the advertiser buying services from these legacy fraud verification vendors, and they kept telling you everything’s 1%, you would think, “Oh, there’s not a big fraud problem, so let’s keep pouring more money into it.”
But I think finally they’re starting to realize, okay, the 1% that these vendors are reporting may not be all the fraud there is, it might actually be all the fraud they can catch. So a lot of people understand that there’s way more fraud than the 1%.
So now by looking at it more closely, like I said earlier, they just look at their own Google Analytics and they see that the majority of the clicks they’re getting from these programmatic channels exhibit 100% bounce rates or zero time on site. They already have some evidence there, right? They had a gut feeling over many years that the fraud was probably way more than the 1% they were being told and now it’s finally coming around.
There’s been scandal after scandal after scandal where these verification companies have not caught the stuff that they should have caught and finally, the advertisers are waking up and saying, “Okay, let’s take a closer look, let’s use analytics, let’s use log level data.”
And when they do that, they can see far more fake sites, piracy sites, porn sites, and just other generally bad places they don’t want their ads to be going. And when they can see that, they can add those sites and apps to a block list and basically clean up their campaigns.
Ethan Ehrenhaft
Right, I mean, when we’re dealing with such massive programmatic advertising budgets, as you said, there’s almost an incentive built in to not know the extent of fraud that may be being committed, based on those budgets?
Dr. Augustine Fou
Because if you know, there’s not that much to buy, right? In years past, they would simply be asking for larger and larger quantities. I have this chart I published years ago where you just look at the saturation of internet usage, social media usage, and mobile. I mean, it’s all completely plateaued, right? Every human is maximally using the internet, their mobile devices and on social media, X number of hours per day and X days out of the year.
The amount of human activity can’t account for the number of dramatic growth in the number of ads being bought and sold. So one line is shooting upward like a hockey stick, whereas the actual human usage of any of these forms of media and social media have all plateaued since 2013. So, that gap, that increasing gap, has to be accounted for by some other reason and if you understand that there’s bot activity and some of these bots are quite advanced, you can understand where all that volume is coming from, right?
It’s really just made up out of thin air.
The other thing is, if you just think about basic economics. If there was so much demand, right, all these advertisers wanting to buy the ads, and there’s a finite supply of humans visiting legitimate publisher sites, the laws of supply and demand would dictate that the prices should go up.
But in fact, most of the prices have come down for the last 10 years, because the creation of fake ad impression tonnage has far outstripped even the dramatic rise in demand, because all these advertisers are shifting billions of dollars into digital, but the supply grew even faster than that.
We’ve seen a decrease in the pricing, right? So all of that at a macroeconomic level should kind of raise some red flags to people and I think it’s finally coming around.
Ethan Ehrenhaft
You talked about increasing popularity and ad inventory in places like mobile and apps. Can you talk about these new digital marketing channels like mobile and CTV now being another big one, and how this same kind of fraud ecosystem is adapting and moving forward into those channels as well?
Dr. Augustine Fou
Yeah, same exact playbook as early days.Let me kind of play through the history of the last 15 years. In the early days of programmatic advertising, there were a bunch of websites and the vast majority of the ads were display ads running on those websites.
What the bad guys did is they set up a whole bunch of fake websites using WordPress templates, added them all into the exchanges, and started selling ad impressions. Now, most of those ad impressions were generated by bot traffic because all of these fake sites were simply unknown to humans, right?
Humans don’t visit sites that they don’t know about, so if they don’t have traffic, how do they sell the ads? How do they generate the ad impressions?
They simply bought the bot traffic, where when the bot loads a page, the ad impressions load, and that’s how they can generate that ad inventory to sell. That was 15 years ago.
Then we moved into video ads, which were just a more expensive version of display ads and the bad guys went there, because it’s a much higher CPM and they could make more money by creating fake video ads to sell instead of just display ads.
Then we moved into mobile, so instead of just creating fake websites, the bad guys would now create fake mobile apps and there’s been a huge genre of what we call these “casual games,” some of which you know you humans do play but there’s not going to be tens of thousands of these apps.
There’s a there’s a very simple experiment I run in the marketing classes I teach yeah. I ask my students can you name off 10 apps that you use every day. Most of them can rattle off five or six but when they get to seven or eight they start slowing down. They can’t even name 10 apps that they use every day and most of those apps they do use every day are the usual suspects like Gmail, Google Maps, Facebook, Instagram, that kind of stuff.
When you get into the long tail of apps, there’s not that many people who use that that often. There are some that you can remember, like Candy Crush, Subway Surfers, whatever, but there are tens of millions of mobile apps that humans have never even heard of before.
So who’s actually using those apps and why are there tens of billions of impressions being sold by those? That’s kind of the next evolution of fraud and when a lot of the advertisers focus on blocking websites, they’re kind of ignoring the mobile apps.
A recent stat shows that two thirds of the ad dollars are actually going into mobile apps, whether it’s a mobile website or mobile app itself. If you’re only focusing on blocking sites, you’re ignoring the fraud or you’re under accounting for the fraud that’s happening in mobile apps as well.
I think hopefully after this webinar, more and more advertisers will start thinking about, “Okay, we got to look at the mobile apps and where our dollars are going,” because the bad guys can not only make the mobile apps very quickly, they can also clone them by the dozens.
Now we have so many mobile apps out there just chomping through ad budgets by loading ads in the background, continuously overnight and things like that, so there’s other forms of fraud that have occurred.
Then finally, just to kind of close this out, CTV—or Connected TV—is the latest frontier. Because CTV prices are ten times higher than display ads or video ads, again, that’s where the bad guys are focusing their attention because in CTV, the theory is that you have this big ad running on your big screen TV in your living room.
But if you think about your own habits, how many streams can a human stream at the same time? It’s one.
If you’re watching YouTube or Netflix, you’re not watching any of these other long-tail apps that, again, nobody has ever heard of before. In this case, all the bad guys have to do is make it look like the ads are running on a CTV, just by tricking some of the reporting, the attribution, And they’re already getting away with it and getting paid a much, much higher CPM for basically CTV ads that didn’t run anywhere.
You can see how as the money shifted into different forms, right? To video ads, to mobile apps, to now CTV, bad guys just go where the money is. There’s this big, huge pot of gold that they can steal from and every year it’s being refilled by annual budgets that are designated for digital ad spending.
Ethan Ehrenhaft
Certainly, and before we move on to some more specific case studies, I got another audience question that I think would be good to ask here, which is another example with a prospective client.
If they’re confronted by evidence that they’re getting screwed by an ad platform, whether that’s an app or CTV, they’re wondering, would the advertiser pull the spend from that ad platform (knowing they might look stupid for holding spend if they’re getting a metric that there’s a lot of traffic), risk getting fired or risk losing their programmatic budget, would they look the other way or actually do something about it?
So that’s kind of trying to put you in the shoes of an advertiser that’s confronted by what is being done.
Dr. Augustine Fou
Let me kind of play this through, and I’ve seen this over the years, but I think advertisers are finally having the courage to actually do something about it.
But in years past, just imagine a marketer. They’ve been given say a $10 million budget to spend and they go to their agency and say, “Oh we have this budget can you make some digital ads and then can you help us place the ads and spend our budget.”
They would get back reports at the end of the month or maybe at the end of the year that say this is how many billions of ad impressions you bought and this is the price you got and, “Oh, by the way, we got you 10% extra in terms of the tonnage and we got you a better price for it.”
So once you get those kind of reports and then you send that up and you show that to your boss, it’s going to be very difficult for a marketer to go back and say, “Whoops we made a mistake. We actually wasted 90% of that.”
They’re going to double down and basically say, “Look, this is what we got we got even more reach and frequency we even got a better price for it.” When people ask about the fraud it was highly convenient for them to have paid for these legacy fraud verification companies that reported 1% fraud, so when their bosses ask, “Oh, wasn’t there any kind of fraud in your campaigns?” they’ll say, “No, these vendors said it was all fine, it was only 1% so that’s why we kept spending.”
You can see how there’s layers of justification that have happened in the years past. But now I think they start to realize, okay, we’re probably not getting any incremental outcomes, we’re not getting any more sales, so we really need to look at reducing costs and reducing waste. I think a lot of this came about after the pandemic.
Before the pandemic, everyone was just spending happily. They were happy to get the reports from legacy fraud verification companies that said, “There’s no fraud problem, don’t worry about it, just keep spending.”
After the pandemic hit, this external shock, again, caused these advertisers to say, “We have to be a little bit more careful with our spending. We have to take a closer look to see where we can identify fraud and waste and therefore reduce that and try to find places we can cut.” It was really only because of this external shock that people started having to do something differently.
They were very used to sticking with the status quo before that and no one wanted to be the person to raise their hand and say, “Okay we think something’s wrong. We think fraud is more than 1%.”
After the pandemic more and more advertisers are actually doing that so we do see a big uptick in advertisers asking for more details, being much more vigilant about their spending, and that’s actually a good thing because previously, there was so much of those ad dollars going to criminals and bad guys and just somewhere else. It wasn’t actually driving their marketing outcomes.
Ethan Ehrenhaft
Without diving too deep into a marketing theory here, since we have limited time span…Reaching that kind of next step as an advertiser, it can take a bit of a leap of faith to go against that system and how things have historically, right?
Especially if you’re still seeing increases in sales, you might be in your head attributing that to the programmatic advertising and not wanting to turn off the advertising for fear of affecting the sales. But at the same time, you won’t see a correlation or lack of correlation without taking leaps too.
Dr. Augustine Fou
Yeah, and that’s a great segue into the second part of what we’re going to talk about today, which is attribution fraud. To put it very simply, the platforms have to show the advertisers that the ads that they’re running are actually working, so that’s where we get into the concept of attribution fraud.
If the advertiser were not seeing any sales or they’re not getting any reports that say the digital advertising were working, they’re not going to keep pouring more money into it. A long time ago, it was something very basic, like click-through rates. All the bad guys had to do was increase the number of clicks, so then you say, “Oh, we got more clicks, it must be working.”
But I think as more and more advertisers got more sophisticated in their digital marketing, they started asking about, well, did it drive any sales?
Then we started seeing what we call the ROAS—return on ad spend—and a lot of that has to do with attributing the sales to the digital advertising that caused it.
Let me take a step back and talk about the former model. There would be something called last-click attribution.
Typically when a person sees an ad on TV, they might Google something and then click on a search ad and then ultimately go to the site and buy something. The “last click” would have been from that search ad.
When a lot of these ad tech companies came about and they were selling display ads, they were saying, “Oh, it’s so unfair that search would get the credit for the sale just because it happened to be the last click before the sale occurred.”
So Google came up with a new methodology called “view-through conversions” or VTC, which basically said, “Oh, a display ad obviously contributes to something to that customer journey and ultimately should get some credit for helping to drive that sale.”
The way they set that up was that if that person or device were exposed to a display ad or video ad, but didn’t immediately click on it, they would still set the cookie so that if that person ended up buying something 30, 60 or 90 days later, that display ad would still get credit for it, not just the search ad that happened right before or the last click before the purchase.
That’s how this new method of tracking conversions came about. VTC conversions is very popular, has been used by a lot of advertisers and that’s the point where the bad guys are able to game the attribution further because they wanted to show that advertising on their platform drove a lot of sales.
The difference is a single display ad or single video ad would not have caused that person to go buy something. Think of whether you’ve ever done that before. You see a single banner ad and then you end up buying something. That doesn’t really occur, right? It may contribute to the ultimate purchase, but a single ad impression doesn’t cause a single conversion, okay?
In this case, the way the bad guys are gaming the system and making it look like their platforms and their ads are driving a lot of sales is by tricking the attribution.
The way that’s done is when they load the landing page of the advertiser, there’s a lot of these trackers or conversion pixels on that landing page, and when those fire, that device gets marked as exposed, meaning exposed to the ad.
Then when that person eventually or subsequently completes a purchase 30, 60, or 90 days later, that ad gets the credit for it. So now there’s a lot of these vendors that are just trying to load those landing pages so that all those trackers fire so that they get the credit for drivers that conversion.
That’s why to a lot of advertisers they’ll say, “Wow, this is working so well, we’re getting so many sales from this,” not realizing that that’s actually just a figment of the reporting, not that they’re actually getting a lot of incremental sales.
And the key word here is incremental—those sales that would not have occurred in the absence of the advertising. That’s really where the advertisers really need to focus on.
Are these digital marketing activities actually driving incremental sales, or is it just a figment of the reporting where the adtech platforms are claiming credit for sales that would have happened anyway?
If you’re interested, we can kind of use the examples of affiliate fraud going back to eBay in 2013 or Honey more recently. There’s a lot of that’s the same kind of attribution fraud where the reporting looks really great. It looks like you got a lot of sales, but it’s really just a figment of the attribution reporting.
Ethan Ehrenhaft
Sure, I think it’d be helpful for listeners to have those two illustrative examples of the eBay super affiliate case back over 10 years ago now, and then how those strategies sort of evolved into what we saw Honey accused of this past fall.
Dr. Augustine Fou
Sure, so this would be kind of like the fourth form of fraud that I talked about, the CPA form of fraud.
Maybe let me take one step back in terms of what affiliates are and what the advertisers are.
So in the eBay case, eBay is the advertiser and they were running affiliate programs to kind of get more people to their site, drive more sales. The affiliate platforms basically track who drove that sale by setting a cookie on the person’s browser and that’s the way it’s normally supposed to happen.
Let me use a parallel example that people might have seen this before so they can better understand this.
If you’re on a recipe site and then say you use this particular cookie sheet or this baking pan or whatever in the recipe, when you click on that link and then you go through to Amazon and then you buy that cookie sheet or baking pan, that website, that recipe website, that helped drive that sale gets a tiny affiliate revenue share, typically in the 1% to 5% range. That’s the way affiliate platforms and affiliate revenue shares are supposed to work.
The eBay fraud case was where two of their super affiliates, the largest affiliates which helped them drive the most sales, actually became super affiliates not because they were driving so many sales, but because they were doing it fraudulently.
All they had to do was get the affiliate cookie stuffed on a whole bunch of human’s browsers, right? They don’t need to stuff those cookies on bots because bots don’t buy stuff eventually, it’s really the human’s.
What they were doing is using redirects and other techniques to stuff cookies—affiliate cookies—on humans browsers, on millions and millions of human browsers. Whenever those humans end up buying something from eBay, they would get that affiliate revenue share and they were getting tens of millions of dollars of these affiliate rev shares.
That means it’s many, many times that, in terms of the actual sales, that were recorded as having been driven by them. Later, eBay found out that it was all done through these fraudulent means, cookie stuffing. That’s how that 2013 case was solved by the FBI.
The more recent example you mentioned was the Honey browser extension. When you install something in your browser, it can literally do anything and see everything that you do in your browser and in the particular case of the Honey browser extension, the cover story was that they would go check for the best coupons for whatever merchant you’re interested in.
That way they did that is they would load all those affiliate pages of all these different advertisers, whether it’s Macy’s.com, Bed Bath & Beyond, whatever. They would load tens of thousands of these affiliate pages in the background without the person knowing about it without the user knowing that that was happening in the background.
It was just a game of probability. If you stuffed the cookies from 10,000 different advertisers on that person’s browser, the probability of that person eventually buying something from any one of those advertisers, booking something through Hilton.com, buying something from Macy’s.com, any of those purchases will now generate an affiliate rev share for Honey.
This case basically was the largest affiliate scam around at the time and that’s what inflated their valuation to the point where they sold for $4 billion to PayPal.
All of this was really about just falsifying the attribution to claim credit for driving the sale even though they didn’t actually drive the sale. So you can see how that’s all parallel.
Ethan Ehrenhaft
Right and definitely just one evolution from one channel to the next. The tricky thing with attribution fraud, like you mentioned, is that we’re ultimately dealing with real sales and real humans, but as you said, it’s kind of this probability game.
I guess it works both on the side of the fraudsters and the ad spenders, where if all you’re valuing at the end of the day is eyeballs, at least measurements of eyeballs and impressions, then both parties are just incentivized to just be pumping out these ads onto as many devices as humanly possible.
Dr. Augustine Fou
Here’s an interesting story along those lines. Let me ask you a question. How do you actually falsify footfall?
So footfall means someone actually walking into a store like a Dunkin’ Donuts or a Taco Bell or something.
Can you believe that the bad guys can actually falsify that as well? Let me explain how they do that.
What you just said about buying tons and tons of display ads, these ads can actually be very low cost, and they can even be loaded in a hidden window, a one-by-one pixel window that no human can see.
But once the ad is loaded into that device, that device gets marked by all the trackers as exposed. What this clever kind of shady location platform did is they basically bought enough low cost display ads so that all 380 million smartphones in the US were all marked as exposed.
Okay, so all of them were exposed to their ads. Then when any of those phones walked into a Dunkin Donuts. They could say, “Oh, that’s an exposed device. We get credit for that footfall.”
Like you said, it’s just about tonnage. So now if they exposed every single mobile device in North America or in the US they can now claim credit for any footfall, right?
That person walked into a Taco Bell. They walked into a Dunkin Donuts. They could claim that they drove that. That’s an example of where even footfall can be falsified in the reporting. But you remember the Uber case from 2016?
Uber finally figured out that all the app installs that they were told they were getting were actually not driven by the paid programs. They were paying 100 mobile exchanges for cost per install. They would pay every time the Uber app got installed.
What ended up being discovered was that the mobile exchanges were basically falsifying all that. They were just claiming credit for driving the install when the app was already installed on the phone and the way they found that out was not by using any kind of sophisticated tech.
It was the analytics person, Kevin Frisch, who decided to turn off the cost per install digital campaigns for a week to see what would happen. All the app installs continued. Then he left it off for another week.
All the app installs continued because humans installed the Uber app because they wanted to, not because they saw an ad from any one of these mobile exchanges and clicked on it. In that case, he ended up turning off that entire campaign because Uber was still getting the app installs.
It was not being driven by any of these mobile exchanges. So that’s kind of how a lot of the advertisers just look at the reporting. It says you’re getting this many app installs. It says you’re getting such incredible ROAS return on ad spend.
There’s a recent example where a national hotel chain said, we’re looking at the reporting. The ROAS is so awesome, we should keep pouring more and more money into this.
What they didn’t realize at the time was that what they were seeing in the reporting, which is falsified attribution, so these platforms claiming credit for bookings that would have happened anyway, because a lot of humans already know that hotel chain, they’re just going to type in the domain and go make a booking. It shouldn’t be credited to that platform.
So in essence, they were overpaying, whether it’s a revenue share or over-crediting those platforms for driving the booking, even though they weren’t.
I think once they figured that out, the attribution fraud, they were able to save a ton of money and redeploy it to other digital tactics that were actually driving more incremental sales, those bookings or those sales that would not have happened in the absence of advertising.
Ethan Ehrenhaft
Right, from the fraudster’s perspective, it’s almost working backwards from an app you know is going to get downloaded or a product you know is going to get bought, footfall that you know is going to occur in a Starbucks or Dunkin’ Donuts, and just ensuring that device has been earmarked, whether or not that ad has occurred.
All right, before we get into some more audience Q&A here, I did want to make sure we had the chance to talk about cybercrime because I know this is an issue you’ve written about a lot before and about how bots and some of these other ad fraud methods we’ve discussed have been used to steal from massive digital advertising budgets.
So I was wondering if you could talk a bit more and discuss the nexus of cybercrime and digital marketing and why ad fraud specifically has become such a lucrative practice for cybercrime.
Dr. Augustine Fou
Perfect question. Let me use a very simple thing that I think a lot of people have heard about and kind of understand.
You hear about malware getting onto your mobile devices, right? So that’s one aspect of it. You accidentally click a link and then the malware gets set in your mobile device. The malware is a form of cybercrime, right?
It’s computer intrusion and the malware and the malicious code that sits on your phone is basically sitting there laying in wait. When you type in your Citibank password or your banking password or whatever, they can record the password, steal your passwords and steal your money. That is one form of cybercrime.
But while the malware is sitting on your mobile phone, it might as well also make money from running digital ads. It’s a very lucrative way of using or making money using the malware that’s already on the phone because most people don’t turn off their phones at night and because most phones have some kind of internet connection throughout, 24-7, that becomes a very easy way for the bad guys to just continuously run ad impressions.
Again, they can spoof, or they can pretend to be any kind of app, any app you want to see, and generate as many ad impressions as they want. That’s kind of how we tie the two things together.
Malware or malicious code on your device is a cybercrime, right, most people understand that is a form of cybercrime.
But the connection to digital advertising is while you have this malicious code on that person’s phone, you might as well run a whole bunch of ads and make high margin ad revenue from doing digital ad fraud and that’s actually been done.
Some of these apps you don’t actually want on your phone, but in other cases, some people voluntarily download the brightest flashlight app or this emoji keyboard or these alarm clock apps, even though you have a clock on your own iPhone, you don’t need to download a separate app for that.
But once it’s on your phone, a lot of people simply forget to uninstall it.
That’s where these apps that might look legit on the surface, they have malicious code in them that will commit the ad fraud. Does that make sense in terms of kind of the nexus of cybercrime and digital ad fraud, right? It’s just so much money here, it’s like, why not steal from this?
And once you make that amount of money, you can fund further cybercrimes, you go pay more hackers to get more malware on additional devices. But that’s kind of how these two things intersect.
Ethan Ehrenhaft
Yeah, when there’s so much money at stake. And on this front and with ad fraud getting caught up in some other types of criminal activities…Senators Marsha Blackburn and Richard Blumenthal launched an investigation this month into the practices of four adtech leaders in response to a report from a research firm that showed that global brands might inadvertently be funding child sexual abuse material online.
I know your report covered that as well and I wanted to get thoughts on that.
Dr. Augustine Fou
Yeah, that’s yet another example of the of the string of failures from the legacy fraud verification companies, right? They were supposed to keep the ads off of bad places. It doesn’t get any worse than CSAM—child sexual abuse materials.
But there’s another report that came out around the same time from a company called Deep Sea and they were showing billions of impressions going to piracy sites. Very few people talk about this, but in 2014 the Digital Citizens Alliance published report showing the piracy sites, which are free to the users that go there. So how do they make money?
Especially given the expense of hosting pirated videos, they basically make money from digital advertising and it was so simple and so lucrative that it’s been done continuously for 10 years. We have this another report in 2025 saying piracy sites are still monetizing via digital ads and again, the legacy fraud verification companies didn’t successfully prevent those ad dollars and ad impressions from going to piracy sites.
What you mentioned, the two senators writing a letter is like, “Okay, you know, we’ve seen the worst of the worst. The ads are still going to these bad places.”
When I was working at the big agency, we could see the U.S. government branches, Air Force, Army, Marines, they’re all doing digital ads. A lot of those ads were going to fake sites, fake mobile apps.
So these are literally taxpayer funded dollars, ad dollars, being spent by the government entities to market or recruit for the Marines over the Air Force, for the Army, all those dollars going into the pockets of bad guys and foreign actors.
I think it’s really a wake up call. This is just the latest example of that, where now the senators are aware of the issue, right?
It’s not just a porn or piracy or CSAM issue. There’s a ton of fake sites out there. There’s a ton of sites that are being run by foreign actors. And they’re all just taking money out of that digital ecosystem because of the lack of transparency.
Because most of the advertisers don’t get enough detail and probably don’t ask for enough detail to know where their ads are actually going.
So the CSAM issue was just the latest and it’s very vile and it caused enough people to kind of open their eyes. “Okay, we can’t ignore this problem anymore and we can’t just assume that the legacy fraud verification companies are actually doing their job.”
And in fact, as a result of that, and after the senators wrote them letters, they finally say, “Oh, now we’re going to offer page URL level reporting.”
Why the heck didn’t they offer that 10 years ago when they should have? When you just get a report at the end of the month, it just has rounded numbers. At the end of this month, you bought this many billions of impressions, you got this many clicks.
That’s not enough detail to know that your ads are going to piracy sites, porn sites or funding fake news and going to foreign actors. I think more and more advertisers are waking up to that, and that’s actually a good thing for the entire industry.
Ethan Ehrenhaft
Yeah and we’ll see if we’re at another turning point perhaps here with Congress and regulators like we were after the pandemic when you said digital advertisers were waking up to some of these issues.
In the 10 minutes or so we have left, I want to get into more audience questions and then make sure we can talk about some potential solutions too.
But one question we got was, “Can cookie stuffing like the types you were talking about occur when playing things like mobile games. How would that work on a mobile device?”
Dr. Augustine Fou
Yeah, very simple. So if the mobile game has a hidden browser built in, it can load as many pages in the background while you’re playing the game.
Think about this using a little bit of common sense. If you’re playing Subway Surfers or Candy Crush, and you see an ad come up, what’s the likelihood of someone actually clicking on that ad, going to an e-commerce site and then buying something while they’re trying to play Candy Crush?
It just doesn’t happen in real life. They get super annoyed at that ad that was covering up their gameplay and they’re trying desperately to close it, right? Click the little X to close it.
What I’ve seen and documented some of these app companies doing is they’re actually hijacking that click. When the human is trying to close the ad, that click is now being routed through as it clicks through on the ad to the landing page and that’s the most innocuous form of fraud that we’ve seen.
What more and more of the mobile apps are doing is they’re actually loading the ads using a hidden browser behind the scenes. So you don’t even need to load the ad in a way that the person sees it and clicks it, that’s too annoying, it takes them away from their gameplay.
As long as they’re playing the game, or even when they’re not playing the game, once the mobile app is on your phone, they can do whatever the hell they want to using your phone.
It’s been a great way for the fraudsters to hide because all of these are different IP addresses. And the reason I bring that up is in the early days of fraud detection, when the bot makers made bots and they came from Amazon data centers.
If we see a whole bunch of bots or visits coming from Amazon data center IP addresses, we know those are bots because most humans don’t access the internet through Amazon data centers. But now when it’s a mobile app running on a real person’s mobile device, the IP address looks like your residential, your household IP address, right?
So it’s now distributed across millions and millions of different IP addresses. So that makes it look less obvious to bot detection. And on top of that, it’s a real mobile app that you can download from Google Play or the Apple Play Store.
So that checks out and it’s on a real iPhone or an Android device, so all those things check out. That’s how they are able to easily defeat the fraud detection or the bot detection of the legacy fraud verification companies.
Now when that mobile app is running, when it loads the landing page of the advertiser, say for example, a direct to consumer advertiser, DTC advertiser, all the trackers from that page fire, and now they mark that device as exposed.
Remember my footfall example from before? If they mark 380 million smartphones as all exposed, then whenever any of those devices end up making a purchase subsequently in the next 30, 60 or 90 days, they get credit for that.
Again, that’s how it ties together. We talked about attribution fraud. It’s trivial to do in the mobile apps as well because they can run hidden browsers and do anything else they want in your phone.
Ethan Ehrenhaft
Right and there seems to be kind of this almost diffusion of responsibility. If an app has cleared the bar of being on the App Store or the Google Play Store and stuff, a consumer might reasonably assume it’s safe to play or they assume that Google did its job.
Dr. Augustine Fou
But I mean, it wasn’t until relatively recently that Google even scanned the code of the app itself. Apple has been historically much, much more strict about what apps they let in, but again, the malicious code can still be active inside the app.
So some of those flashlight apps that you might download from Apple Play, once it’s on your iPhone, then it can actually do a whole bunch of bad stuff behind the scenes because you voluntarily installed it on your phone.
So yeah, I mean, there’s a lot of these gaps that still exist, and hopefully the platforms like Google and Apple will continue clamping down and just making it harder for bad guys to get malicious apps into the Play Store.
Ethan Ehrenhaft
And I know you work predominantly with companies, but certainly from a consumer perspective, if an app like a flashlight app is asking to share your location on the backend settings, that’s probably for red flags.
Dr. Augustine Fou
Some of these are just obvious red flags, but as you also know, a lot of people, when they get presented with a whole list of permissions, they just give all the permissions. They don’t even really read it. That’s been a problem in the past.
Hopefully more consumers are increasingly aware of their own privacy. You should be looking at, okay, what exactly are these apps asking for? What permissions are they asking for? Does it make any sense for me to give this app location permissions or the ability to turn on your microphone at any time they want?
All right, yeah, sometimes those are not good things.
Ethan Ehrenhaft
Yeah, definitely.
We had one listener who was curious about just general ways to prevent or cut down on bot-generated leads. And maybe we can use this too as opportunity for you to just talk about more solutions and remedies, and ways you see turning the tide on some of these issues.
Dr. Augustine Fou
Of course, great segue to the last part. So there are bot generated leads.
I remember going back to 2013, we were working with some university marketers, and they would get all these lead forms completed online. So they would pay for the lead, the bots would do exactly the thing they get paid for, they would fill out the lead form, complete with high schooler’s name, address, phone number, school mascot, everything.
So all of that’s complete and then when the university called them up, they said, “Oh, well, we never heard of your university, we never applied, or even filled out that lead form.”
So even in 2013, the university markers would have to routinely discard 50% to 70% of the leads that they were buying, because when they followed up with the lead, the high schoolers said they never completed that form.
That’s back then and more recently, Taylor Swift’s tickets were all purchased by scalper bots so that they could sell it for five times the money on the aftermarket, right? The bots can do all of those things.
The way to start cutting down on that, again, you don’t have to use any sophisticated technology. Some of it’s going to be just common sense.
If you look at your website and you have basic tracking on the lead form, a human can’t complete the lead form in one second. It’s probably going to take them a few minutes to go through all of the form fields and complete it. So if you see form fills or form completes in a few seconds, something’s wrong with that.
A human also can’t type something without a key down, touching the screen or pressing a key. If you see those kinds of things, again, the bots can submit all of that without touching the screen or pressing a key on your keyboard.
Those are some telltale signs that you can look for. Our platform can help you with that and we do that for large ticket sellers and things like that. That’s how you can start to cut down on the lead fraud and also be very, very skeptical of the companies that sell you leads, even though they say, “We guarantee these are real.”
It goes back to the university example. Okay, these are real high schoolers information, not because the high schooler filled it in, but because of all the data breaches that everyone’s heard about.
Everyone’s data is already out there, and especially the high schoolers who volunteer everything on Instagram. So even their mascot, their mother’s maiden name, everything is already in the hands of the cyber criminals. So they can actually complete a form with real information, even though that person never intended to contact that university.
Okay, so that’s one.
Then the other thing to kind of close this out and getting back to the ad fraud and other forms of fraud and the attribution fraud, one of the best ways to solve that is to kind of figure out whether the attribution is being done in just the reporting, meaning you’re seeing the sales, but it’s because of the attribution falsification.
The best way to solve that is by running what I’m going to call turn-off experiments. If you turn your digital campaign off for a week, right?
I understand that most advertisers can’t turn it off for a very long time, because they still have to make their numbers and that kind of stuff. But if you turn it off for a week, if the sales continue, that means that whatever ad tech vendor you were paying to drive those sales, we’re not actually causing those sales, right?
The sales continued even though the digital campaign was off for a week, right? This is exactly parallel to what the analytics person at Uber did in 2016. He turned it off and the app installs continue.
In your case, if you turn off your digital campaign for a week and your sales continue, that means they weren’t caused by the digital marketing. It’s a little bit more nuanced than that, but in general, turnoff experiments are great to run.
Going back to the eBay example, they actually ran some turnoff experiments in 2011, where they turned off the West Coast campaign. They continued advertising in the rest of the country, but they turned off the West Coast digital spending.
And they saw that the traffic and the search terms and everything kept going on the West Coast. That told them that the search ads that they were buying were not causing those visits, so similarly advertisers can do that.
They can turn it off in a state, in a region like the Western part of the US or Eastern or whatever. That’s how you can start to get at whether any of those sales being reported to you are incremental. Did those sales occur due to the advertising or were those sales that would have just happened organically would have happened anyway? That’s how some advertisers can really get at that problem.
Ethan Ehrenhaft
Absolutely, and I think that that might be a great place to end on—eBay deciding to take that jump in 2013 to actually see what was driving the sales, but of course, discovering this super affiliate fraud in the process.
Well, I know we’ve covered a lot of ground, but I’m so grateful, Dr. Fou, for your time, expertise, and walking us through what FouAnalytics does and all these examples.
Dr. Augustine Fou
Great, great to be here with you. Hopefully it inspired more advertisers to take some action.
Ethan Ehrenhaft
Awesome, thanks everyone for joining us today.
