We hear a lot about bot fraud and fake traffic. There are astounding numbers and when the money is being paid for a brand budget but being lost to these bad actors, you can be sure there’s no significant business growth coming from it.It is essential to take this beyond the headlines, from abstraction and dive into what is happening here. Following is a vivid example of a bot campaign in action, with one of our clients. All names have been changed for confidentiality.
BackgroundA recent content-centric campaign was anchored around a major cultural event, whereby our client (a major tech brand) partnered with a publisher to create custom content. Our role at Nudge was to measure the material and provide insight into it. Insurance and learnings on the buy, if you will. We do this by measuring up to 48 data points when people read or watch content to understand how it’s being consumed and provide insight from that. A happy accident from this was that we captured bot (or non-human traffic) as this traffic’s behavior stood out from the rest.The campaign started with some red flags. Despite our industry’s ego and the creative pride that comes with making things, the fact is: people do not often re-read or re-watch content. Some do, but most don’t. Over a population of users, we typically expect 1.2 to 1.4 impressions per person. In this campaign, we saw magnitudes times that people were coming in, over and over again.So we started digging and saw that the traffic was coming from a third-party source. The publisher had gone out and bought traffic from another firm. This firm then had a subsidiary that provided ‘incentivized traffic’. In other words, end-users signup to earn points for clicking on content, which they then can redeem for cash or gift cards.So, instead of Client -> Agency -> Publisher -> End user. i.e. our brand in a premium environment.It was Client -> Agency -> Publisher -> Undisclosed third party -> Subsidiary -> End userThis meant that the brand wasn’t buying an engaged user in a premium environment. They were getting users who didn’t care about the content, just about the incentive, which was of course completely irrelevant to the brand.The economics here is terrible, the end-user was being incentivized at 1 or 2 cents and passed to the brand at a primarily inflated price. With up to 98% of that value evaporating into the value chain.These facts would have been egregious enough. But it gets worse.We continued to dig into the data, and most of it was the same few people (UUIDS) or IPS. So 95% *appeared* to be bot-generated. We stopped analyzing at that point. We notified all involved.Now, typically at this point, the publisher would go, hold on, a junior pressed a button, our bad, we fess up. Let’s do ‘a make good’. They came out and said, yup, we bought the traffic (we shouldn’t have) but it’s not a bot, it’s human.We investigated further.
What we foundWe came back and found things like:
- – For a population of users like this, we would expect tens of thousands of different browser versions, in this use case we saw less than 10. Very odd. Despite you/I both using the same browser, for many reasons it’s likely we’d have a slightly different version.– A significant portion of users registered no attention or scroll. Which is very, very odd.– Some users visited the content every minute or every few minutes, 24 hours a day, for up to 12 days.– Some users were looking at the same piece of content, multiple times, in parallel at once. A human impossibility.
What brands need to knowHow do you define human activity? For us, we have a data profile of real people consuming content. It is easy to spot. For others, not so much. Even then, it is a battle of definitions. What is a bot? What isn’t? Or at least that’s the defence used.It’s also supply chain transparency. A more convoluted supply chain reduces accountability and improves deniability. Everyone pointed to each other in this use case.Agency/Brand is mad. Publisher pointed to the third-party traffic supplier. Third-party traffic supplier pointed to ad verification.Both are grumpy with us because we found evidence of fraud. The brand is grateful for the notification and even more so knowing that we’ve just saved them from paying 7-figures for fraudulent traffic. We believe this impacts hundreds of brands based on our research, and we are building out a data model that can help others identify these new types of malicious activity.
- 1. Measure everything, even if it’s one piece of content. Without it, you have zero independence nor scorecard to point to.2. In contracts, require explicit sign off on external traffic sources. And consider explicitly calling out no incentivized traffic.