Ben Young
Ben Young
June 1, 2020

We hear a lot about bot fraud and fake traffic. There are astounding numbers and when the money is being paid for a brand budget but being lost to these bad actors, you can be sure there’s no significant business growth coming from it.

It is essential to take this beyond the headlines, from abstraction and dive into what is happening here. Following is a vivid example of a bot campaign in action, with one of our clients. All names have been changed for confidentiality.
 

Background

A recent content-centric campaign was anchored around a major cultural event, whereby our client (a major tech brand) partnered with a publisher to create custom content. Our role at Nudge was to measure the material and provide insight into it. Insurance and learnings on the buy, if you will. We do this by measuring up to 48 data points when people read or watch content to understand how it’s being consumed and provide insight from that. A happy accident from this was that we captured bot (or non-human traffic) as this traffic’s behavior stood out from the rest.

The campaign started with some red flags. Despite our industry’s ego and the creative pride that comes with making things, the fact is: people do not often re-read or re-watch content. Some do, but most don’t. Over a population of users, we typically expect 1.2 to 1.4 impressions per person. In this campaign, we saw magnitudes times that people were coming in, over and over again.

So we started digging and saw that the traffic was coming from a third-party source. The publisher had gone out and bought traffic from another firm. This firm then had a subsidiary that provided ‘incentivized traffic’. In other words, end-users signup to earn points for clicking on content, which they then can redeem for cash or gift cards.

So, instead of Client -> Agency -> Publisher -> End user. i.e. our brand in a premium environment.

It was Client -> Agency -> Publisher -> Undisclosed third party -> Subsidiary -> End user

This meant that the brand wasn’t buying an engaged user in a premium environment. They were getting users who didn’t care about the content, just about the incentive, which was of course completely irrelevant to the brand.

The economics here is terrible, the end-user was being incentivized at 1 or 2 cents and passed to the brand at a primarily inflated price. With up to 98% of that value evaporating into the value chain.

These facts would have been egregious enough. But it gets worse.

We continued to dig into the data, and most of it was the same few people (UUIDS) or IPS. So 95% *appeared* to be bot-generated. We stopped analyzing at that point. We notified all involved.

Now, typically at this point, the publisher would go, hold on, a junior pressed a button, our bad, we fess up. Let’s do ‘a make good’. They came out and said, yup, we bought the traffic (we shouldn’t have) but it’s not a bot, it’s human.

We investigated further.
 

What we found

We came back and found things like:

    – For a population of users like this, we would expect tens of thousands of different browser versions, in this use case we saw less than 10. Very odd. Despite you/I both using the same browser, for many reasons it’s likely we’d have a slightly different version.

    – A significant portion of users registered no attention or scroll. Which is very, very odd.

    – Some users visited the content every minute or every few minutes, 24 hours a day, for up to 12 days.

    – Some users were looking at the same piece of content, multiple times, in parallel at once. A human impossibility.

For Nudge to capture the impression, you had to be active in each of multiple browser windows, all at once. That’s like having four mice on screen, in four different windows, scrolling through content on each of them at once. Surely at this point, the publisher goes, you’re right, a human couldn’t create this. But instead, they went, it passes the ad verification companies (companies like DoubleVerify, IAS, Moat ) — Ben you don’t understand incentivized traffic. Thus, it must be human.

So then we did more digging and liaised with the traffic provider. Now they’re four steps removed from the brand. Their job isn’t to manage bots. They go, the verification didn’t detect it, it can’t be bots.

We then looked on YouTube and Google and find forums and instructional videos for setting up bots to generate points on the sites. DIY bots that you load up to browse the content for you.

One of these DIY bots even has a premium subscription.

We shared this and inquired about controls to limit these tools. Nothing. Looks like, if nobody complains they look the other way. So then, we shared our findings with another third-party ad verification provider who dug through it, and they pointed out that this was in fact illegitimate traffic — but not bots. Otherwise, they would have detected as such. So we liaised further, and now there was a general agreement that this behavior crosses the threshold for what could be considered human activity. So they decided to dig deeper.

This episode opened up many new cans of worms.
 

What brands need to know

How do you define human activity? For us, we have a data profile of real people consuming content. It is easy to spot. For others, not so much. Even then, it is a battle of definitions. What is a bot? What isn’t? Or at least that’s the defence used.

It’s also supply chain transparency. A more convoluted supply chain reduces accountability and improves deniability. Everyone pointed to each other in this use case.

Agency/Brand is mad. Publisher pointed to the third-party traffic supplier. Third-party traffic supplier pointed to ad verification.

Both are grumpy with us because we found evidence of fraud. The brand is grateful for the notification and even more so knowing that we’ve just saved them from paying 7-figures for fraudulent traffic. We believe this impacts hundreds of brands based on our research, and we are building out a data model that can help others identify these new types of malicious activity.

    1. Measure everything, even if it’s one piece of content. Without it, you have zero independence nor scorecard to point to.

    2. In contracts, require explicit sign off on external traffic sources. And consider explicitly calling out no incentivized traffic.

This kind of outcome is like a robbery; when it happens, they take everything. And whatever the brand’s stated goals are to create content, the misallocation of capital and energy is disastrous.

When we extrapolate this idea out widely across markets and industries, the dent it puts on growth and progress is astounding.

 
 


“Join